I have an Ubuntu desktop client joined to an Active Directory 2008 R2 domain.

I need to use the "kinit" command on Linux to determine when a user's password will expire. That's my way to go due to other scripts running on the system, so I can't / don't want to change that approach.

However, as far as I saw, kinit only returns the password expiry warning for 7 days or less. Can I change this behaviour? What makes kinit return the password expiry warning message only for a timespan of 7 days or shorter?

Diga

1 Answer


It probably depends on the setting in Active Directory - it's set in Group Policy, under "Interactive logon: Prompt user to change password before expiration".

So check with the AD administrator. It is possible to scope this policy to OUs, so if your account resides in a specific OU, it might be possible to set a longer warning there. It's technically possible, at least. There may be operational constraints.

Also, is the machine joined via sssd? It's worth reading this article to see if there's something in sssd.conf that might be overriding the value sent from AD. If it's not set in sssd.conf at all, it'll just be inheriting what AD is sending. https://access.redhat.com/articles/3027531

If the domain admin says it's set to 7 days and won't be changing, it's not clear whether you'd be able to configure sssd.conf to provide a longer warning interval - I doubt it could override AD in that way.

Alternatively, you could do an LDAP query on the AD user account and grab a property called msDS-UserPasswordExpiryTimeComputed - the value there is ticks past the Windows epoch date.

To calculate the date on a Linux system, the Windows epoch date is 1601-01-01T00:00:00Z, which is 11644473600 seconds before the *nix epoch (1970-01-01T00:00:00Z). The Windows ticks are in 100 nanoseconds. So for a simple calculation:

$tickInterval = 10000000      # 100 ns ticks per second
$unixEpochDiff = 11644473600  # seconds between 1601-01-01 and 1970-01-01
# value captured from msDS-UserPasswordExpiryTimeComputed
$ADPasswordExpiryTime = 132985454614249065
$unixTime = ($ADPasswordExpiryTime / $tickInterval) - $unixEpochDiff

At present, I have no way of testing an LDAP query from a Linux-based system to AD, but it could be worth a try if nothing else helps.

LeeM
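As an added example (not part of the answer above), here is a Python script that does the same conversion on the Linux side: it pulls the attribute out of ldapsearch-style LDIF output, converts the Windows ticks to Unix time, handles the attribute's sentinel values, and reports whether the expiry falls inside a warning window of your choosing rather than kinit's fixed 7 days. The sample LDIF entry, the account name, and the sentinel-value handling are assumptions.

```python
import time
from datetime import datetime, timezone
from typing import Optional, Tuple

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01T00:00:00Z.
TICKS_PER_SECOND = 10_000_000
WINDOWS_TO_UNIX_EPOCH_SECONDS = 11_644_473_600
# Sentinel values of msDS-UserPasswordExpiryTimeComputed (assumed from AD behaviour):
# 0x7FFFFFFFFFFFFFFF when the password never expires, 0 when pwdLastSet is 0
# (the user must change the password at next logon).
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF
ATTR = "msDS-UserPasswordExpiryTimeComputed"

# Constructed sample of what "ldapsearch -LLL" would print for a user object.
SAMPLE_LDIF = """\
dn: CN=jdoe,OU=Users,DC=example,DC=com
sAMAccountName: jdoe
msDS-UserPasswordExpiryTimeComputed: 132985454614249065
"""

def filetime_to_unix(ticks: int) -> int:
    """Whole seconds since the Unix epoch for a Windows tick count."""
    return ticks // TICKS_PER_SECOND - WINDOWS_TO_UNIX_EPOCH_SECONDS

def parse_expiry_attribute(ldif_text: str) -> Optional[int]:
    """Find the attribute in LDIF-style output; None if the entry lacks it."""
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(":")
        # LDAP attribute names are case-insensitive.
        if sep and name.strip().lower() == ATTR.lower():
            return int(value.strip())
    return None

def expiry_status(ticks: int, now_unix: int, warn_days: float = 7) -> Tuple[Optional[str], Optional[float], bool]:
    """Return (expiry as ISO-8601 UTC or None, days left or None, warn?)."""
    if ticks == NEVER_EXPIRES:
        return None, None, False
    if ticks == 0:
        return None, 0.0, True  # already expired: must change at next logon
    expiry_unix = filetime_to_unix(ticks)
    expires_at = datetime.fromtimestamp(expiry_unix, tz=timezone.utc).isoformat()
    days_left = (expiry_unix - now_unix) / 86400
    return expires_at, days_left, days_left <= warn_days

if __name__ == "__main__":
    ticks = parse_expiry_attribute(SAMPLE_LDIF)
    if ticks is None:
        raise SystemExit(f"{ATTR} not present in entry")
    expires_at, days_left, warn = expiry_status(ticks, int(time.time()), warn_days=14)
    print(f"expires at {expires_at}, days left {days_left}, warn={warn}")
```

The attribute is constructed by the DC, so the query must request it by name (it is not returned by a wildcard attribute list).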