AFP548

Ask AFP548: Get list of when passwords will expire?

I want to send an email to users letting them know that their password is about to expire (we have them set to expire after 30 days, so this happens frequently). Tinkering with our Tiger server, it seems that mkpassdb doesn’t provide any useful data. Neither does pwpolicy. Using:

pwpolicy -a adminusr -p adminpwd -u sbrown -getpolicy

always returns (no matter what user or expiration)

expirationDateGMT=12/31/69

as its result. Is there any easy way to get this information that works with Tiger? Am I not using pwpolicy correctly?

BTW, I saw a post here where someone mentions that with AD, UAM, and ActiveX it may be possible to get this info, but we aren’t using AD.

Read on for one possible answer…
(Ed. note. OK, so I messed this one up the first time around. Now that I got my head around it, here is the correct answer!)

Well, there are a few different things going on here…

As you suspected you are looking at the wrong policy with pwpolicy. The expirationDateGMT policy doesn’t seem to reflect much. If you were to set an explicit expiration date it would be visible in the hardExpireDateGMT, but that isn’t really what you seem to be after either.

Take a look at the maxMinutesUntilChangePassword policy. This determines how long, in minutes, the password can last.

The next part of the puzzle is the creation date of the password. You can get this info from the user’s KDC principal:

dhcp172-21s10n104:~ tigertestadmin$ sudo kadmin.local -q "getprinc p10014" | grep "Last pass"
Last password change: Tue Nov 29 08:19:12 EST 2005

If you leave the grep off of the end you will see the entire user principal. Also note that I’m using kadmin.local here since I’m operating directly on the server. Remote queries will need to use regular kadmin and provide some kerb authentication. (An interesting side note when looking at the full principal is the “Expiration date:” property, that is the only property that is populated with info from the PasswordService.)

To figure out how long the password has left to live you need to convert the stamp and current date to minutes and then compare them to see how close you are to the maxMinutesUntilChangePassword policy setting.

Hopefully this sets you off in the proper direction. There are tons of date conversion scripts in Google, but does anyone have a favorite they would like to share in the comments below?
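The conversion and comparison step described above, as an added example that is not code from the post or from AFP548. It is written in Python rather than as a shell one-liner so the date arithmetic does not depend on BSD versus GNU `date` flags. The embedded kadmin and pwpolicy outputs are constructed samples (the realm EXAMPLE.COM is made up), the `fetch_report` helper that runs the two commands from the answer through `subprocess` is an assumption about how you would wire it up on the server, and the five-day warning threshold is an arbitrary choice.

```python
"""Estimate when a Tiger server user's password will expire.

Combines the two values the answer points at: the
maxMinutesUntilChangePassword policy (from pwpolicy) and the
"Last password change" stamp from the user's KDC principal (from kadmin).
"""
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample of the two command outputs; not captured from a real
# server.  kadmin prints many properties per principal; only the
# "Last password change" line is used here.
SAMPLE_KADMIN_OUTPUT = """\
Principal: p10014@EXAMPLE.COM
Last password change: Tue Nov 29 08:19:12 EST 2005
"""
# 30 days, matching the expiry interval in the question (30 * 24 * 60).
SAMPLE_PWPOLICY_OUTPUT = "maxMinutesUntilChangePassword=43200"

MINUTES_PER_DAY = 24 * 60


def parse_last_change(kadmin_output):
    """Return the 'Last password change' stamp as a naive datetime.

    kadmin prints it like 'Tue Nov 29 08:19:12 EST 2005'.  The zone
    abbreviation is dropped rather than parsed (strptime's %Z accepts only
    a few names), so the result is server local time and must be compared
    against a local-time 'now'.
    """
    match = re.search(r"^Last password change:\s+(.+)$", kadmin_output, re.M)
    if not match:
        raise ValueError("no 'Last password change' line in kadmin output")
    fields = match.group(1).split()
    if len(fields) != 6:
        raise ValueError("unexpected date format: %r" % match.group(1))
    del fields[4]  # drop the zone abbreviation (EST, PST, ...)
    return datetime.strptime(" ".join(fields), "%a %b %d %H:%M:%S %Y")


def parse_max_minutes(pwpolicy_output):
    """Return maxMinutesUntilChangePassword from 'pwpolicy -getpolicy' output."""
    match = re.search(r"maxMinutesUntilChangePassword=(\d+)", pwpolicy_output)
    if not match:
        raise ValueError("maxMinutesUntilChangePassword not found")
    return int(match.group(1))


def expiry_report(kadmin_output, pwpolicy_output, now, warn_days=5):
    """Compute the remaining lifetime and whether a warning mail is due."""
    last_change = parse_last_change(kadmin_output)
    max_minutes = parse_max_minutes(pwpolicy_output)
    if max_minutes == 0:
        # Assumption: a zero policy value means no forced change, as with
        # the other pwpolicy limits.
        return {"expires": False}
    elapsed = int((now - last_change).total_seconds() // 60)
    remaining = max_minutes - elapsed
    return {
        "expires": True,
        "last_change": last_change,
        "expires_at": last_change + timedelta(minutes=max_minutes),
        "minutes_remaining": remaining,
        "days_remaining": remaining // MINUTES_PER_DAY,
        "should_warn": remaining <= warn_days * MINUTES_PER_DAY,
    }


def fetch_report(principal, admin_user, now=None, warn_days=5):
    """Run the two commands from the answer for one user (assumed wiring).

    kadmin.local must run as root on the server itself.  Without -p,
    pwpolicy prompts for the admin password (assumption) instead of it
    sitting in the process list.  Arguments are passed as a list, never
    through a shell, so a user name cannot alter the command line.
    """
    kadmin_out = subprocess.run(
        ["sudo", "kadmin.local", "-q", "getprinc %s" % principal],
        capture_output=True, text=True, check=True).stdout
    pwpolicy_out = subprocess.run(
        ["pwpolicy", "-a", admin_user, "-u", principal, "-getpolicy"],
        capture_output=True, text=True, check=True).stdout
    return expiry_report(kadmin_out, pwpolicy_out, now or datetime.now(), warn_days)


if __name__ == "__main__":
    report = expiry_report(SAMPLE_KADMIN_OUTPUT, SAMPLE_PWPOLICY_OUTPUT,
                           now=datetime(2005, 12, 24, 8, 19, 12))
    print("expires at %s, %d days left, warn=%s" % (
        report["expires_at"], report["days_remaining"], report["should_warn"]))
```

Run with the constructed sample and a "now" of Dec 24 2005, this reports an expiry of Dec 29 08:19:12 with 5 days left, which trips the warning. The comparison only holds if the kadmin stamp and the clock you compare it against are in the same (server local) time zone, which is why the zone abbreviation is dropped rather than converted.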
