mirror of https://github.com/samba-team/samba.git synced 2025-01-13 13:18:06 +03:00

more updates. Conversion almost done. 2 more man pages

(then all the ASCII stuff)
Gerald Carter -
parent 71029da7dd
commit 7247027e83
11 changed files with 3536 additions and 2075 deletions


@ -1,137 +1,270 @@
Namerpcclient - developer's tool to testing client side MS-RPC functions Synopsisrpcclient[-d
<!--
I am looking for help to finish SGML.
-->
<!-- manual page source format generated by PolyglotMan v3.0.9
available via anonymous ftp from ftp.cs.berkeley.edu:/ucb/people/phelps/tcltk/rman.tar.Z -->
<RefEntry ID="RPCCLIENT"."8">
<RefMeta><RefEntryTitle>"RPCCLIENT"</RefEntryTitle><ManVolNum>"8"</ManVolNum></RefMeta>
<RefNameDiv><Title>Name</Title>rpcclient </RefEntry><RefPurpose> developer's tool to testing client side MS-RPC functions </RefSect1>
<RefSynopsisDiv><Title>Synopsis</Title><ItemizedList MARK=Bullet>
<Term><B>rpcclient</B></Term><ListItem><Para>[-d
debuglevel] [-S server] [-l logbasename] [-n netbios name] [-N] [-m maxprotocol]
[-I destIP] [-E] [-U username] [-W workgroup] [-c `command string`] [-t terminalcode]
[-i scope] [-O socket options] [-s smb.conf] Descriptionrpcclientis a utility
[-i scope] [-O socket options] [-s smb.conf] </Para></ListItem>
</ItemizedList>
</RefSect1>
<RefSect1><Title>Description</Title><ItemizedList MARK=Bullet>
<Term><B>rpcclient</B></Term><ListItem><Para>is a utility
for developers for executing various MS-RPC functions. It's primary use is
for testing Samba's own MS-RPC server implementation, however many administrators
have written scripts around it to manage Windows NT clients from their
UNIX workstation. Options
-d debuglevelset the debuglevel. Debug level 0 is
UNIX workstation. </Para></ListItem>
</ItemizedList>
</RefSect1>
<RefSect1><Title>Options</Title>
<Para><ItemizedList MARK=Bullet>
<Term><B>-d debuglevel</B></Term><ListItem><Para>set the debuglevel. Debug level 0 is
the lowest and 100 being the highest. This should be set to 100 if you are
planning on submitting a bug report to the Samba team (see BUGS.txt). -S
serverNetBIOS name of Server to which you wish to connect. The server can
planning on submitting a bug report to the Samba team (see BUGS.txt). </Para></ListItem>
<Term><B>-S
server</B></Term><ListItem><Para>NetBIOS name of Server to which you wish to connect. The server can
be any SMB/CIFS server. The name is resolved using either the "name resolve
order = " line or by using the -R option. -l logbasenameFile name for log/debug
order = " line or by using the <B>-R</B> option. </Para></ListItem>
<Term><B>-l logbasename</B></Term><ListItem><Para>File name for log/debug
files. .client will be appended. The log file is never removed by the client.
-n netbios nameNetBIOS name of the local machine. This option is only needed
</Para></ListItem>
<Term><B>-n netbios name</B></Term><ListItem><Para>NetBIOS name of the local machine. This option is only needed
if your Samba client cannot find it automatically. Samba should use the
uppercase of the machine's hostname. -Ntells rpcclient not to ask for a password.
rpcclient will prompt the user by default. -I destIPThe IP address of the
server specified with the -S option. Only needed when the server's NetBIOS
uppercase of the machine's hostname. </Para></ListItem>
<Term><B>-N</B></Term><ListItem><Para>tells rpcclient not to ask for a password.
rpcclient will prompt the user by default. </Para></ListItem>
<Term><B>-I destIP</B></Term><ListItem><Para>The IP address of the
server specified with the <B>-S</B> option. Only needed when the server's NetBIOS
name cannot be resolved using WINS or broadcast and isn't found in the LMHOSTS
file. -Ecauses regedit to write messages to stderr instead of stdout. -U username[%pass]Sets
file. </Para></ListItem>
<Term><B>-E</B></Term><ListItem><Para>causes regedit to write messages to stderr instead of stdout. </Para></ListItem>
<Term><B>-U username[%pass]</B></Term><ListItem><Para>Sets
the SMB username or username and password. If %pass is not specified, The
user will be prompted. The client will first check the USER environment
variable, then the LOGNAME variable and if either exist, the string is
uppercased. Anything in these variables following a % sign will be treated
as the password. If these environmental variables are not found, the username
GUEST is used. If the password is not included in these environment variables
(using the %pass syntax), rpcclient will look for a PASSWD environment
variable from which to read the password. A third option is to use a credentials
file which contains the plaintext of the username and password. This option
GUEST is used. </Para></ListItem>
<Term>If the password is not included in these environment variables
</Term><ListItem><Para>(using the %pass syntax), rpcclient will look for a PASSWD environment
variable from which to read the password. </Para></ListItem>
<Term>A third option is to use a credentials
file which contains </Term><ListItem><Para>the plaintext of the username and password. This option
is mainly provided for scripts where the admin doesn't desire to pass the
credentials on the command line or via environment variables. If this method
is used, make certain that the permissions on the file restrict access
from unwanted users. See the -A for more details. Be cautious about including
passwords in scripts or in the CWPASSWD environment variable. Also, on many
from unwanted users. See the <B>-A</B> for more details. </Para></ListItem>
<Term>Be cautious about including
passwords in scripts or in the </Term><ListItem><Para>CWPASSWD environment variable. Also, on many
systems the command line of a running process may be seen via the CWps
command to be safe always allow smbclient to prompt for a password and
type it in directly. -A <filename>This option allows you to specify a file
type it in directly. </Para></ListItem>
<Term><B>-A &lt;filename&gt;</B></Term><ListItem><Para>This option allows you to specify a file
from which to read the username and password used in the connection. The
format of the file is CWusername = <value>
CWpassword = <value>
Make certain that the permissions on the file restrict access from unwanted
users. -W domainSet the SMB domain of the username. This overrides the default
format of the file is </Para></ListItem>
<Term>CWusername = &lt;value&gt; </Term><ListItem><Para><BR>
CWpassword = &lt;value&gt; <BR>
</Para></ListItem>
<Term>Make certain that the permissions on the file restrict access from </Term><ListItem><Para>unwanted
users. </Para></ListItem>
<Term><B>-W domain</B></Term><ListItem><Para>Set the SMB domain of the username. This overrides the default
domain which is the domain of the server specified with the bt(-S) option.
If the domain specified is the same as the server's NetBIOS name, it causes
the client to log on using the server's local SAM (as opposed to the Domain
SAM). -Poperate in promptless mode. Without this mode (the default) rpcclient
displays a prompt of the form '[domain\username@host]$' -c 'command string'execute
semicolon separated commands (listed below)) -t terminalcodeThis tells the
SAM). </Para></ListItem>
<Term><B>-P</B></Term><ListItem><Para>operate in promptless mode. Without this mode (the default) rpcclient
displays a prompt of the form '[domain\username@host]$' </Para></ListItem>
<Term><B>-c 'command string'</B></Term><ListItem><Para>execute
semicolon separated commands (listed below)) </Para></ListItem>
<Term><B>-t terminalcode</B></Term><ListItem><Para>This tells the
Samba client how to interpret the incoming filenames, in regards to character
sets. The list here is not complete. For a complete list see your local Samba
source. Some valid options are sjis, euc, jis7, jis8, junet and hex. -O socket
optionsThese socket options are the same as in smb.conf (under the bt(socket
options = ) section). -s smb.confSpecifies the location of the all important
smb.conf file. -i scopeDefines the NetBIOS scope. For more information on NetBIOS
scopes, see rfc1001 and rfc1002. NetBIOS scopes are rarely used.
Commands
SPOOLSS
CommandsspoolenumExecute an EnumPrinters call. This lists the various installed
source. Some valid options are sjis, euc, jis7, jis8, junet and hex. </Para></ListItem>
<Term><B>-O socket
options</B></Term><ListItem><Para>These socket options are the same as in smb.conf (under the bt(socket
options = ) section). </Para></ListItem>
<Term><B>-s smb.conf</B></Term><ListItem><Para>Specifies the location of the all important
smb.conf file. </Para></ListItem>
<Term><B>-i scope</B></Term><ListItem><Para>Defines the NetBIOS scope. For more information on NetBIOS
scopes, see rfc1001 and rfc1002. NetBIOS scopes are rarely used. </Para></ListItem>
</ItemizedList>
<Para></RefSect1>
<RefSect1><Title>Commands</Title>
<Para><ItemizedList MARK=Bullet>
<Term><B>SPOOLSS
Commands</B></Term><ListItem><Para></Para></ListItem>
<Term>spoolenum</Term><ListItem><Para>Execute an EnumPrinters call. This lists the various installed
and share printers. Refer to the MS Platform SDK documentation for more
details of the various flags and calling options.
spoolenumports <level>Executes
details of the various flags and calling options. </Para></ListItem>
</ItemizedList>
<Para><ItemizedList MARK=Bullet>
<Term>spoolenumports &lt;level&gt;</Term><ListItem><Para>Executes
an EnumPorts call using the specified info level. Currently only info level
1 and 2 are supported.
spoolenumdataEnumerate all printer setting data stored
1 and 2 are supported. </Para></ListItem>
</ItemizedList>
<Para><ItemizedList MARK=Bullet>
<Term>spoolenumdata</Term><ListItem><Para>Enumerate all printer setting data stored
on the server. On Windows NT clients, these values are stored in the registry,
while Samba servers store them in the printers TDB. This command corresponds
to the MS Platform SDK EnumPorts function.
spooljobs <printer>List the jobs
to the MS Platform SDK EnumPorts function. </Para></ListItem>
</ItemizedList>
<Para><ItemizedList MARK=Bullet>
<Term>spooljobs &lt;printer&gt;</Term><ListItem><Para>List the jobs
and status of a given printer. This command corresponds to the MS Platform
SDK EnumJobs function.
spoolopen <printer>Execute an OpenPrinterEx() and ClosePrinter()
RPC against a given printer.
spoolgetdataRetrive the data for a given printer
setting. See the spoolenumdata command for more information. This command
corresponds to the GetPrinterData() MS Platform SDK function.
spoolgetprinter
<printer>Retrieve the current printer information. This command sorresponds
to the GetPrinter() MS Platform SDK function.
spoolgetprinterdriver <printer>Retrive
SDK EnumJobs function. </Para></ListItem>
</ItemizedList>
<Para><ItemizedList MARK=Bullet>
<Term>spoolopen &lt;printer&gt;</Term><ListItem><Para>Execute an OpenPrinterEx() and ClosePrinter()
RPC against a given printer. </Para></ListItem>
</ItemizedList>
<Para><ItemizedList MARK=Bullet>
<Term>spoolgetdata</Term><ListItem><Para>Retrive the data for a given printer
setting. See the <B>spoolenumdata</B> command for more information. This command
corresponds to the GetPrinterData() MS Platform SDK function. </Para></ListItem>
</ItemizedList>
<Para><ItemizedList MARK=Bullet>
<Term>spoolgetprinter
&lt;printer&gt;</Term><ListItem><Para>Retrieve the current printer information. This command sorresponds
to the GetPrinter() MS Platform SDK function. </Para></ListItem>
</ItemizedList>
<Para><ItemizedList MARK=Bullet>
<Term>spoolgetprinterdriver &lt;printer&gt;</Term><ListItem><Para>Retrive
the printer driver information (such as driver file, config file, dependent
files, etc...) for the given printer. This command corresponds to the GetPrinterDriver()
MS Platform SDK function.
spoolgetprinterdriverdir <arch>Execute a GetPrinterDriverDirectory()
MS Platform SDK function. </Para></ListItem>
</ItemizedList>
<Para><ItemizedList MARK=Bullet>
<Term>spoolgetprinterdriverdir &lt;arch&gt;</Term><ListItem><Para>Execute a GetPrinterDriverDirectory()
RPC to retreive the SMB share name and subdirectory for storing printer
driver files for a given architecture. Possible values for <arch> are "Windows
driver files for a given architecture. Possible values for &lt;arch&gt; are "Windows
4.0" (for Windows 95/98), "Windows NT x86", "Windows NT PowerPC", "Windows
Alpha_AXP", and "Windows NT R4000".
<drivername> <port>" .YODLTAGEND. Add a
Alpha_AXP", and "Windows NT R4000". </Para></ListItem>
</ItemizedList>
<Para> &lt;drivername&gt; &lt;port&gt;" .YODLTAGEND. Add a
printer on the remote server. This printer will be automatically shared.
Be aware that the printer driver must already be installed on the server
(see addprinterdriver) and the <port> must be a valid port name.
spooladdprinterdriver
<arch> <config>Execute an AddPrinterDriver() RPC to install the printer driver
(see <B>addprinterdriver</B>) and the &lt;port&gt; must be a valid port name.
<Para><ItemizedList MARK=Bullet>
<Term>spooladdprinterdriver
&lt;arch&gt; &lt;config&gt;</Term><ListItem><Para>Execute an AddPrinterDriver() RPC to install the printer driver
information on the server. Note that the driver files should already exist
in the directort returned by spoolgetprinterdriverdir. Possible values
for <arch> are the same as those for the spooolgetprintedriverdir command.
The <config> parameter is defined as follows:
<Long Printer Name>:<Driver File
Name>:<Data File Name>:<Config File Name>:<Help File Name>:<Language Monitor Name>:<Default
Data Type>:<Comma Separated list of Files>
Any empty fields should be enter
as the string "NULL".
Samba does not need to support the concept of Print
Monitors since these only apply to local printers whose driver can make
in the directort returned by <B>spoolgetprinterdriverdir</B>. Possible values
for &lt;arch&gt; are the same as those for the <B>spooolgetprintedriverdir</B> command.
The &lt;config&gt; parameter is defined as follows: </Para></ListItem>
</ItemizedList>
<Para><ItemizedList MARK=Bullet>
<Term>&lt;Long Printer Name&gt;:&lt;Driver File
Name&gt;:&lt;Data File Name&gt;:&lt;Config File Name&gt;:&lt;Help File Name&gt;:&lt;Language Monitor Name&gt;:&lt;Default
Data Type&gt;:&lt;Comma Separated list of Files&gt; </Term><ListItem><Para></Para></ListItem>
</ItemizedList>
<Para><ItemizedList MARK=Bullet>
<Term>Any empty fields should be enter
as the string "NULL". </Term><ListItem><Para></Para></ListItem>
</ItemizedList>
<Para><ItemizedList MARK=Bullet>
<Term>Samba does not need to support the concept of Print
Monitors </Term><ListItem><Para>since these only apply to local printers whose driver can make
use of a bi-directional link for communication. This field should be "NULL".
On a remote NT print server, the Print Monitor for a driver must already
be installed prior to adding the driver or else the RPC will fail.
General
CommandssetSet miscellaneous rpcclient command line options during a running
session.
useConnect to a rmeote SMB server. rpcclient has the ability to
maintain connections to multiple server simulaneously.
helpPrint a listing
of all known commands or extended help on a particular command.
quitExit
rpcclient.
Bugsrpcclient is designed as a developer testing tool and may
be installed prior to adding the driver or else the RPC will fail. </Para></ListItem>
</ItemizedList>
<Para><ItemizedList MARK=Bullet>
<Term><B>General
Commands</B></Term><ListItem><Para></Para></ListItem>
<Term>set</Term><ListItem><Para>Set miscellaneous rpcclient command line options during a running
session. </Para></ListItem>
</ItemizedList>
<Para><ItemizedList MARK=Bullet>
<Term>use</Term><ListItem><Para>Connect to a rmeote SMB server. <B>rpcclient</B> has the ability to
maintain connections to multiple server simulaneously. </Para></ListItem>
</ItemizedList>
<Para><ItemizedList MARK=Bullet>
<Term>help</Term><ListItem><Para>Print a listing
of all known commands or extended help on a particular command. </Para></ListItem>
</ItemizedList>
<Para><ItemizedList MARK=Bullet>
<Term>quit</Term><ListItem><Para>Exit
rpcclient. </Para></ListItem>
</ItemizedList>
<Para></RefSect1>
<RefSect1><Title>Bugs</Title>rpcclient is designed as a developer testing tool and may
not be robust in certain areas (such as command line parsing). It has been
known to generate a core dump upon failures when invalid parameters where
passed to the interpreter.
From Luke Leighton's original rpcclient man page:
<Para>From Luke Leighton's original rpcclient man page:
"WARNING! The MSRPC over SMB code has been developed from examining Network
traces. No documentation is available from the original creators (Microsoft)
on how MSRPC over SMB works, or how the individual MSRPC services work.
Microsoft's implementation of these services has been demonstrated (and
reported) to be... a bit flakey in places.
The development of Samba's implementation
<Para>The development of Samba's implementation
is also a bit rough, and as more of the services are understood, it can
even result in versions of smbd(8) and rpcclient that are incompatible
even result in versions of <B><Command>smbd(8)</B></Command> and rpcclient that are incompatible
for some commands or services. Additionally, the developers are sending
reports to Microsoft, and problems found or reported to Microsoft are
fixed in Service Packs, which may result in incompatibilities."
See Alsosamba
(7) AuthorSamba is written by The Samba Team as Open Source. This man page
was written by Matthew Geddes, Luke Kenneth Casson, and Gerald Carter.
<Para></RefSect1>
<RefSect1><Title>See Also</Title><B><Command>samba
(7)</B></Command> </RefSect1>
<RefSect1><Title>Author</Title>Samba is written by The Samba Team as Open Source. This man page
was written by Matthew Geddes, Luke Kenneth Casson, and Gerald Carter. </RefSect1>
</RefEntry>
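Review bot: the converted rpcclient page is not well-formed SGML, and the password guidance under -U was damaged by the conversion, so the raw PolyglotMan output needs hand cleanup before it lands. In the header, `<RefEntry ID="RPCCLIENT"."8">` is not a valid attribute value, the Name line closes `</RefEntry>` inside `<RefNameDiv>` and ends with a `</RefSect1>` that was never opened, and `<B><Command>smbd(8)</B></Command>` is closed in the wrong order. Under -U, the caution about passwords in scripts is split mid-sentence between a `<Term>` and its `<ListItem>`, and the leftover `CW` font prefix turns the names into `CWPASSWD` and `CWps`, although the same entry calls the variable PASSWD a few lines earlier. That paragraph also tells the reader to let smbclient prompt, and -E refers to regedit, on a page that documents rpcclient. The -A file format lines (`CWusername = ...`, `CWpassword = ...`) carry the same prefix and sit in `<Term>` elements where a literal block would be clearer, and the add-printer paragraph has lost its command name and still contains `.YODLTAGEND.`.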


@ -1,105 +1,255 @@
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
<refentry id="smbcacls">
Namesmbcacls - Set or get ACLs on an NT file or directory
Synopsis
smbcacls
//server/share filename [-U username] [-A acls] [-M acls] [-D acls] [-S acls]
[-C name] [-G name] [-n] [-h]
Description
The smbcacls program manipulates
NT Access Control Lists (ACLs) on SMB file shares.
Options
The following
options are available to the smbcacls program. The format of ACLs is described
in the section ACL FORMAT
-A aclsAdd the ACLs specified to the ACL list.
Existing access control entries are unchanged. -M aclsModify the mask value
(permissions) for the ACLs specified on the command line. An error will
be printed for each ACL specified that was not already present in the ACL
list. -D aclsDelete any ACLs specfied on the command line. An error will
be printed for each ACL specified that was not already present in the ACL
list. -S aclsThis command sets the ACLs on the file with only the ones specified
on the command line. All other ACLs are erased. Note that the ACL specified
must contain at least a revision, type, owner and group for the call to
succeed. -U usernameSpecifies a username used to connect to the specified
service. The username may be of the form CWusername in which case the user
is prompted to enter in a password and the workgroup specified in the smb.conf
file is used, or CWusername%password or CWDOMAIN\username%password and the
password and workgroup names are used as provided. -C nameThe owner of a
file or directory can be changed to the name given using the -C option.
The name can be a sid in the form CWS-1-x-y-z or a name resolved against the
server specified in the first argument. This command is a shortcut for CW-M
OWNER:name. -G nameThe group owner of a file or directory can be changed
to the name given using the -G option. The name can be a sid in the form
CWS-1-x-y-z or a name resolved against the server specified in the first argument.
This command is a shortcut for CW-M GROUP:name. -nThis option displays all
ACL information in numeric format. The default is to convert SIDs to names
and ACE types and masks to a readable string format. -hPrint usage information
on the smbcacls program
Acl Format
The format of an ACL is one or more ACL
entries separated by either commas or newlines. An ACL entry is one of
the following:
<refmeta>
<refentrytitle>smbcacls</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
REVISION:<revision number>
OWNER:<sid or name>
GROUP:<sid or name>
ACL:<sid or name>:<type>/<flags>/<mask>
The revision of the ACL specifies the internal Windows NT ACL revision
for the security descriptor. If not specified it defaults to 1. Using values
other than 1 may cause strange behaviour.
The owner and group specify the
owner and group sids for the object. If a SID in the format CWS-1-x-y-z is
specified this is used, otherwise the name specified is resolved using
the server on which the file or directory resides.
ACLs specify permissions
granted to the SID. This SID again can be specified in CWS-1-x-y-z format or
as a name in which case it is resolved against the server on which the
file or directory resides. The type, flags and mask values determine the
type of access granted to the SID.
The type can be either 0 or 1 corresponding
to ALLOWED or DENIED access to the SID. The flags values are generally
zero for file ACLs and either 9 or 2 for directory ACLs. Some common flags
are:
#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1
#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2
#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4
#define SEC_ACE_FLAG_INHERIT_ONLY 0x8
At present flags can only be specified as decimal or hexadecimal values.
The mask is a value which expresses the access right granted to the SID.
It can be given as a decimal or hexadecimal value, or by using one of the
following text strings which map to the NT file permissions of the same
name.
CWR Allow read access CWW Allow write access CWX Execute permission
on the object CWD Delete the object CWP Change permissions CWO Take ownership
<refnamediv>
<refname>smbcacls</refname>
<refpurpose>Set or get ACLs on an NT file or directory names</refpurpose>
</refnamediv>
The following combined permissions can be specified:
CWREAD Equivalent
to CWRX permissions CWCHANGE Equivalent to CWRXWD permissions CWFULL
Equivalent to CWRWXDPO permissions
Exit Status
The smbcacls program sets
the exit status depending on the success or otherwise of the operations
performed. The exit status may be one of the following values.
If the operation
succeded, smbcacls returns and exit status of 0. If smbcacls couldn't connect
to the specified server, or there was an error getting or setting the ACLs,
an exit status of 1 is returned. If there was an error parsing any command
line arguments, an exit status of 2 is returned.
Author
The original Samba
software and related utilities were created by Andrew Tridgell. Samba is
now developed by the Samba Team as an Open Source project.
smbcacls was
written by Andrew Tridgell and Tim Potter.
<refsynopsisdiv>
<cmdsynopsis>
<command>nmblookup</command>
<arg choice="req">//server/share</arg>
<arg choice="req">filename</arg>
<arg choice="opt">-U username</arg>
<arg choice="opt">-A acls</arg>
<arg choice="opt">-M acls</arg>
<arg choice="opt">-D acls</arg>
<arg choice="opt">-S acls</arg>
<arg choice="opt">-C name</arg>
<arg choice="opt">-G name</arg>
<arg choice="opt">-n</arg>
<arg choice="opt">-h</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para>This tool is part of the <ulink url="samba.7.html">
Samba</ulink> suite.</para>
<para>The smbcacls program manipulates NT Access Control Lists
(ACLs) on SMB file shares. </para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<para>The following options are available to the smbcacls program.
The format of ACLs is described in the section ACL FORMAT </para>
<variablelist>
<varlistentry>
<term>-A acls</term>
<listitem><para>Add the ACLs specified to the ACL list. Existing
access control entries are unchanged. </para></listitem>
</varlistentry>
<varlistentry>
<term>-M acls</term>
<listitem><para>Modify the mask value (permissions) for the ACLs
specified on the command line. An error will be printed for each
ACL specified that was not already present in the ACL list
</para></listitem>
</varlistentry>
<varlistentry>
<term>-D acls</term>
<listitem><para>Delete any ACLs specfied on the command line.
An error will be printed for each ACL specified that was not
already present in the ACL list. </para></listitem>
</varlistentry>
<varlistentry>
<term>-S acls</term>
<listitem><para>This command sets the ACLs on the file with
only the ones specified on the command line. All other ACLs are
erased. Note that the ACL specified must contain at least a revision,
type, owner and group for the call to succeed. </para></listitem>
</varlistentry>
<varlistentry>
<term>-U username</term>
<listitem><para>Specifies a username used to connect to the
specified service. The username may be of the form "username" in
which case the user is prompted to enter in a password and the
workgroup specified in the <filename>smb.conf</filename> file is
used, or "username%password" or "DOMAIN\username%password" and the
password and workgroup names are used as provided. </para></listitem>
</varlistentry>
<varlistentry>
<term>-C name</term>
<listitem><para>The owner of a file or directory can be changed
to the name given using the <parameter>-C</parameter> option.
The name can be a sid in the form S-1-x-y-z or a name resolved
against the server specified in the first argument. </para>
<para>This command is a shortcut for -M OWNER:name.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-G name</term>
<listitem><para>The group owner of a file or directory can
be changed to the name given using the <parameter>-G</parameter>
option. The name can be a sid in the form S-1-x-y-z or a name
resolved against the server specified n the first argument.
</para>
<para>This command is a shortcut for -M GROUP:name.</para></listitem>
</varlistentry>
<varlistentry>
<term>-n</term>
<listitem><para>This option displays all ACL information in numeric
format. The default is to convert SIDs to names and ACE types
and masks to a readable string format. </para></listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem><para>Print usage information on the <command>smbcacls
</command> program.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>ACL FORMAT</title>
<para>The format of an ACL is one or more ACL entries separated by
either commas or newlines. An ACL entry is one of the following: </para>
<para><programlisting>
REVISION:&lt;revision number&gt;
OWNER:&lt;sid or name&gt;
GROUP:&lt;sid or name&gt;
ACL:&lt;sid or name&gt;:&lt;type&gt;/&lt;flags&gt;/&lt;mask&gt;
</programlisting></para>
<para>The revision of the ACL specifies the internal Windows
NT ACL revision for the security descriptor.
If not specified it defaults to 1. Using values other than 1 may
cause strange behaviour. </para>
<para>The owner and group specify the owner and group sids for the
object. If a SID in the format CWS-1-x-y-z is specified this is used,
otherwise the name specified is resolved using the server on which
the file or directory resides. </para>
<para>ACLs specify permissions granted to the SID. This SID again
can be specified in CWS-1-x-y-z format or as a name in which case
it is resolved against the server on which the file or directory
resides. The type, flags and mask values determine the type of
access granted to the SID. </para>
<para>The type can be either 0 or 1 corresponding to ALLOWED or
DENIED access to the SID. The flags values are generally
zero for file ACLs and either 9 or 2 for directory ACLs. Some
common flags are: </para>
<itemizedlist>
<listitem><para>#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1</para></listitem>
<listitem><para>#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2</para></listitem>
<listitem><para>#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4
</para></listitem>
<listitem><para>#define SEC_ACE_FLAG_INHERIT_ONLY 0x8</para>
</listitem>
</itemizedlist>
<para>At present flags can only be specified as decimal or
hexadecimal values.</para>
<para>The mask is a value which expresses the access right
granted to the SID. It can be given as a decimal or hexadecimal value,
or by using one of the following text strings which map to the NT
file permissions of the same name. </para>
<itemizedlist>
<listitem><para><emphasis>R</emphasis> - Allow read access </para></listitem>
<listitem><para><emphasis>W</emphasis> - Allow write access</para></listitem>
<listitem><para><emphasis>X</emphasis> - Execute permission on the object</para></listitem>
<listitem><para><emphasis>D</emphasis> - Delete the object</para></listitem>
<listitem><para><emphasis>P</emphasis> - Change permissions</para></listitem>
<listitem><para><emphasis>O</emphasis> - Take ownership</para></listitem>
</itemizedlist>
<para>The following combined permissions can be specified:</para>
<itemizedlist>
<listitem><para><emphasis>READ</emphasis> - Equivalent to 'RX'
permissions</para></listitem>
<listitem><para><emphasis>CHANGE</emphasis> - Equivalent to 'RXWD' permissions
</para></listitem>
<listitem><para><emphasis>FULL</emphasis> - Equivalent to 'RWXDPO'
permissions</para></listitem>
</itemizedlist>
</refsect1>
<refsect1>
<title>EXIT STATUS</title>
<para>The <command>smbcacls</command> program sets the exit status
depending on the success or otherwise of the operations performed.
The exit status may be one of the following values. </para>
<para>If the operation succeded, smbcacls returns and exit
status of 0. If smbcacls couldn't connect to the specified server,
or there was an error getting or setting the ACLs, an exit status
of 1 is returned. If there was an error parsing any command line
arguments, an exit status of 2 is returned. </para>
</refsect1>
<refsect1>
<title>VERSION</title>
<para>This man page is correct for version 2.2 of
the Samba suite.</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para>The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.</para>
<para><command>smbcacls</command> was written by Andrew Tridgell
and Tim Potter.</para>
<para>The conversion to DocBook for Samba 2.2 was done
by Gerald Carter</para>
</refsect1>
</refentry>
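Review bot: the `<cmdsynopsis>` names the wrong command: `<command>nmblookup</command>` should read `<command>smbcacls</command>`, since every other element in this refentry documents smbcacls. Smaller points in the same hunk: `<refpurpose>` ends with a stray "names"; the ACL FORMAT paragraphs still say `CWS-1-x-y-z` while the -C and -G entries were corrected to `S-1-x-y-z`; the -G entry reads "specified n the first argument"; the -M entry is missing its closing full stop; and the four `#define SEC_ACE_FLAG_*` lines would fit a `<programlisting>`, like the ACL entry forms above them, better than `<itemizedlist>` items. Because -U here accepts "username%password" on the command line, it is worth repeating the caution the rpcclient page gives about command lines being visible through ps and about preferring the password prompt.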


@ -1,408 +1,634 @@
<!--
Namesmbclient - ftp-like client to access SMB/CIFS resources on servers
Synopsis
smbclient
I am looking for help to finish SGML.
-->
<!-- manual page source format generated by PolyglotMan v3.0.9
available via anonymous ftp from ftp.cs.berkeley.edu:/ucb/people/phelps/tcltk/rman.tar.Z -->
<RefEntry ID="smbclient.">
<RefMeta><RefEntryTitle>"smbclient</RefEntryTitle><ManVolNum>"</ManVolNum></RefMeta>
<Para><RefNameDiv><Title>Name</Title>smbclient </RefEntry><RefPurpose> ftp-like client to access SMB/CIFS resources on servers
<Para></RefSect1>
<RefSynopsisDiv><Title>Synopsis</Title>
<Para><B>smbclient</B>
servicename [-s smb.conf] [-O socket options][-R name resolve order] [-M NetBIOS
name] [-i scope] [-N] [-n NetBIOS name] [-d debuglevel] [-P] [-p port] [-l log
basename] [-h] [-I dest IP] [-E] [-U username] [-L NetBIOS name] [-t terminal
code] [-m max protocol] [-b buffersize] [-W workgroup] [-T<c|x>IXFqgbNan] [-D directory]
code] [-m max protocol] [-b buffersize] [-W workgroup] [-T&lt;c|x&gt;IXFqgbNan] [-D directory]
[-c command string]
Description
This program is part of the Samba suite.
smbclient
<Para></RefSect1>
<RefSect1><Title>Description</Title>
<Para>This program is part of the <B>Samba</B> suite.
<Para><B>smbclient</B>
is a client that can 'talk' to an SMB/CIFS server. It offers an interface
similar to that of the ftp program (see ftp (1)). Operations include things
similar to that of the ftp program (see <B><Command>ftp (1)</B></Command>). Operations include things
like getting files from the server to the local machine, putting files
from the local machine to the server, retrieving directory information
from the server and so on.
Options
servicenameservicename is the name of
<Para></RefSect1>
<RefSect1><Title>Options</Title>
<Para><ItemizedList MARK=Bullet>
<Term><B>servicename</B></Term><ListItem><Para>servicename is the name of
the service you want to use on the server. A service name takes the form
CW//server/service where server is the NetBIOS name of the SMB/CIFS server
offering the desired service and service is the name of the service offered.
Thus to connect to the service printer on the SMB/CIFS server smbserver,
you would use the servicename CW//smbserver/printer Note that the server
name required is NOT necessarily the IP (DNS) host name of the server !
CW//server/service where <I>server</I> is the NetBIOS name of the SMB/CIFS server
offering the desired service and <I>service</I> is the name of the service offered.
Thus to connect to the service <I>printer</I> on the SMB/CIFS server <I>smbserver</I>,
you would use the servicename </Para></ListItem>
<Term>CW//smbserver/printer </Term><ListItem><Para></Para></ListItem>
<Term>Note that the server
name required is NOT necessarily the IP (DNS) </Term><ListItem><Para>host name of the server !
The name required is a NetBIOS server name, which may or may not be the
same as the IP hostname of the machine running the server. The server name
is looked up according to either the -R parameter to smbclient or using
the name resolve order parameter in the smb.conf file, allowing an administrator
to change the order and methods by which server names are looked up. passwordpassword
same as the IP hostname of the machine running the server. </Para></ListItem>
<Term>The server name
is looked up according to either the </Term><ListItem><Para><B>-R</B> parameter to <B>smbclient</B> or using
the <B>name resolve order</B> parameter in the smb.conf file, allowing an administrator
to change the order and methods by which server names are looked up. </Para></ListItem>
<Term><B>password</B></Term><ListItem><Para>password
is the password required to access the specified service on the specified
server. If this parameter is supplied, the -N option (suppress password prompt)
is assumed. There is no default password. If no password is supplied on the
command line (either by using this parameter or adding a password to the
-U option (see below)) and the -N option is not specified, the client will
server. If this parameter is supplied, the <B>-N</B> option (suppress password prompt)
is assumed. </Para></ListItem>
<Term>There is no default password. If no password is supplied on the
</Term><ListItem><Para>command line (either by using this parameter or adding a password to the
<B>-U</B> option (see below)) and the <B>-N</B> option is not specified, the client will
prompt for a password, even if the desired service does not require one.
(If no password is required, simply press ENTER to provide a null password.)
Note: Some servers (including OS/2 and Windows for Workgroups) insist on
</Para></ListItem>
<Term>Note: Some servers (including OS/2 and Windows for Workgroups) insist </Term><ListItem><Para>on
an uppercase password. Lowercase or mixed case passwords may be rejected
by these servers. Be cautious about including passwords in scripts. -s smb.confThis
by these servers. </Para></ListItem>
<Term>Be cautious about including passwords in scripts. </Term><ListItem><Para></Para></ListItem>
<Term><B>-s smb.conf</B></Term><ListItem><Para>This
parameter specifies the pathname to the Samba configuration file, smb.conf.
This file controls all aspects of the Samba setup on the machine and smbclient
also needs to read this file. -O socket optionsTCP socket options to set
on the client socket. See the socket options parameter in the smb.conf (5)
manpage for the list of valid options. -R name resolve orderThis option allows
also needs to read this file. </Para></ListItem>
<Term><B>-O socket options</B></Term><ListItem><Para>TCP socket options to set
on the client socket. See the socket options parameter in the <B><Command>smb.conf (5)</B></Command>
manpage for the list of valid options. </Para></ListItem>
<Term><B>-R name resolve order</B></Term><ListItem><Para>This option allows
the user of smbclient to determine what name resolution services to use
when looking up the NetBIOS name of the host being connected to. The options
are :"lmhosts", "host", "wins" and "bcast". They cause names to be resolved
as follows : olmhosts : Lookup an IP address in the Samba lmhosts file.
The lmhosts file is stored in the same directory as the smb.conf file. ohost
when looking up the NetBIOS name of the host being connected to. </Para></ListItem>
<Term>The options
are :"lmhosts", "host", "wins" and "bcast". They cause </Term><ListItem><Para>names to be resolved
as follows : </Para></ListItem>
<Term>o</Term><ListItem><Para><B>lmhosts</B> : Lookup an IP address in the Samba lmhosts file.
The lmhosts file is stored in the same directory as the <B>smb.conf</B> file. </Para></ListItem>
<Term>o</Term><ListItem><Para><B>host</B>
: Do a standard host name to IP address resolution, using the system /etc/hosts,
NIS, or DNS lookups. This method of name resolution is operating system
depended for instance on IRIX or Solaris this may be controlled by the
/etc/nsswitch.conf file). owins : Query a name with the IP address listed
in the wins server parameter in the smb.conf file. If no WINS server has
been specified this method will be ignored. obcast : Do a broadcast on each
of the known local interfaces listed in the interfaces parameter in the
<I>/etc/nsswitch.conf</I> file). </Para></ListItem>
<Term>o</Term><ListItem><Para><B>wins</B> : Query a name with the IP address listed
in the <B>wins server</B> parameter in the smb.conf file. If no WINS server has
been specified this method will be ignored. </Para></ListItem>
<Term>o</Term><ListItem><Para><B>bcast</B> : Do a broadcast on each
of the known local interfaces listed in the <B>interfaces</B> parameter in the
smb.conf file. This is the least reliable of the name resolution methods
as it depends on the target host being on a locally connected subnet. If
this parameter is not set then the name resolve order defined in the smb.conf
file parameter (name resolve order) will be used. The default order is
lmhosts, host, wins, bcast and without this parameter or any entry in the
"name resolve order" parameter of the smb.conf file the name resolution
methods will be attempted in this order. -M NetBIOS nameThis options allows
as it depends on the target host being on a locally connected subnet. </Para></ListItem>
<Term>If
this parameter is not set then the name resolve order defined </Term><ListItem><Para>in the <B>smb.conf</B>
file parameter (<B>name resolve order</B>) will be used. </Para></ListItem>
<Term>The default order is
lmhosts, host, wins, bcast and without this </Term><ListItem><Para>parameter or any entry in the
<B>"name resolve order"</B> parameter of the <B>smb.conf</B> file the name resolution
methods will be attempted in this order. </Para></ListItem>
<Term><B>-M NetBIOS name</B></Term><ListItem><Para>This options allows
you to send messages, using the "WinPopup" protocol, to another computer.
Once a connection is established you then type your message, pressing ^D
(control-D) to end. If the receiving computer is running WinPopup the user
will receive the message and probably a beep. If they are not running WinPopup
the message will be lost, and no error message will occur. The message is
also automatically truncated if the message is over 1600 bytes, as this
is the limit of the protocol. One useful trick is to cat the message through
smbclient. For example: CWcat mymessage.txt | smbclient -M FRED will send the
message in the file mymessage.txt to the machine FRED. You may also find
the -U and -I options useful, as they allow you to control the FROM and TO
parts of the message. See the message command parameter in the smb.conf (5)
(control-D) to end. </Para></ListItem>
<Term>If the receiving computer is running WinPopup the user
will receive </Term><ListItem><Para>the message and probably a beep. If they are not running WinPopup
the message will be lost, and no error message will occur. </Para></ListItem>
<Term>The message is
also automatically truncated if the message is over </Term><ListItem><Para>1600 bytes, as this
is the limit of the protocol. </Para></ListItem>
<Term>One useful trick is to cat the message through
<B>smbclient</B>. </Term><ListItem><Para>For example: </Para></ListItem>
<Term>CWcat mymessage.txt | smbclient -M FRED </Term><ListItem><Para></Para></ListItem>
<Term>will send the
message in the file <I>mymessage.txt</I> to the machine FRED. </Term><ListItem><Para></Para></ListItem>
<Term>You may also find
the <B>-U</B> and <B>-I</B> options useful, as they allow </Term><ListItem><Para>you to control the FROM and TO
parts of the message. </Para></ListItem>
<Term>See the <B>message command</B> </Term><ListItem><Para>parameter in the <B><Command>smb.conf (5)</B></Command>
for a description of how to handle incoming WinPopup messages in Samba.
Note: Copy WinPopup into the startup group on your WfWg PCs if you want
them to always be able to receive messages. -i scopeThis specifies a NetBIOS
</Para></ListItem>
<Term>Note: Copy WinPopup into the startup group on your WfWg PCs if you </Term><ListItem><Para>want
them to always be able to receive messages. </Para></ListItem>
<Term><B>-i scope</B></Term><ListItem><Para>This specifies a NetBIOS
scope that smbclient will use to communicate with when generating NetBIOS
names. For details on the use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt.
NetBIOS scopes are very rarely used, only set this parameter if you are
NetBIOS scopes are <I>very</I> rarely used, only set this parameter if you are
the system administrator in charge of all the NetBIOS systems you communicate
with. -NIf specified, this parameter suppresses the normal password prompt
with. </Para></ListItem>
<Term><B>-N</B></Term><ListItem><Para>If specified, this parameter suppresses the normal password prompt
from the client to the user. This is useful when accessing a service that
does not require a password. Unless a password is specified on the command
line or this parameter is specified, the client will request a password.
-n NetBIOS nameBy default, the client will use the local machine's hostname
does not require a password. </Para></ListItem>
<Term>Unless a password is specified on the command
line or this parameter </Term><ListItem><Para>is specified, the client will request a password.
</Para></ListItem>
<Term><B>-n NetBIOS name</B></Term><ListItem><Para>By default, the client will use the local machine's hostname
(in uppercase) as its NetBIOS name. This parameter allows you to override
the host name and use whatever NetBIOS name you wish. -d debugleveldebuglevel
is an integer from 0 to 10, or the letter 'A'. The default value if this parameter
is not specified is zero. The higher this value, the more detail will be
logged to the log files about the activities of the client. At level 0,
the host name and use whatever NetBIOS name you wish. </Para></ListItem>
<Term><B>-d debuglevel</B></Term><ListItem><Para>debuglevel
is an integer from 0 to 10, or the letter 'A'. </Para></ListItem>
<Term>The default value if this parameter
is not specified is zero. </Term><ListItem><Para></Para></ListItem>
<Term>The higher this value, the more detail will be
logged to the log files </Term><ListItem><Para>about the activities of the client. At level 0,
only critical errors and serious warnings will be logged. Level 1 is a reasonable
level for day to day running - it generates a small amount of information
about operations carried out. Levels above 1 will generate considerable
amounts of log data, and should only be used when investigating a problem.
about operations carried out. </Para></ListItem>
<Term>Levels above 1 will generate considerable
amounts of log data, and </Term><ListItem><Para>should only be used when investigating a problem.
Levels above 3 are designed for use only by developers and generate HUGE
amounts of log data, most of which is extremely cryptic. If debuglevel is
set to the letter 'A', then all debug messages will be printed. This setting
is for developers only (and people who really want to know how the code
works internally). Note that specifying this parameter here will override
the log level parameter in the smb.conf (5) file. -PThis option is no longer
set to the letter 'A', then <I>all</I> debug messages will be printed. This setting
is for developers only (and people who <I>really</I> want to know how the code
works internally). </Para></ListItem>
<Term>Note that specifying this parameter here will override
the <B>log </B></Term><ListItem><Para>level parameter in the <B><Command>smb.conf (5)</B></Command> file. </Para></ListItem>
<Term><B>-P</B></Term><ListItem><Para>This option is no longer
used. The code in Samba2.0 now lets the server decide the device type, so
no printer specific flag is needed. -p portThis number is the TCP port number
no printer specific flag is needed. </Para></ListItem>
<Term><B>-p port</B></Term><ListItem><Para>This number is the TCP port number
that will be used when making connections to the server. The standard (well-known)
TCP port number for an SMB/CIFS server is 139, which is the default. -l logfilenameIf
TCP port number for an SMB/CIFS server is 139, which is the default. </Para></ListItem>
<Term><B>-l logfilename</B></Term><ListItem><Para>If
specified, logfilename specifies a base filename into which operational
data from the running client will be logged. The default base name is specified
at compile time. The base name is used to generate actual log file names.
For example, if the name specified was "log", the debug file would be CWlog.client.
The log file generated is never removed by the client. -hPrint the usage
message for the client. -I IP addressIP address is the address of the server
to connect to. It should be specified in standard "a.b.c.d" notation. Normally
the client would attempt to locate a named SMB/CIFS server by looking it
up via the NetBIOS name resolution mechanism described above in the name
resolve order parameter above. Using this parameter will force the client
data from the running client will be logged. </Para></ListItem>
<Term>The default base name is specified
at compile time. </Term><ListItem><Para></Para></ListItem>
<Term>The base name is used to generate actual log file names.
For example, </Term><ListItem><Para>if the name specified was "log", the debug file would be CWlog.client.
</Para></ListItem>
<Term>The log file generated is never removed by the client. </Term><ListItem><Para></Para></ListItem>
<Term><B>-h</B></Term><ListItem><Para>Print the usage
message for the client. </Para></ListItem>
<Term><B>-I IP address</B></Term><ListItem><Para>IP address is the address of the server
to connect to. It should be specified in standard "a.b.c.d" notation. </Para></ListItem>
<Term>Normally
the client would attempt to locate a named SMB/CIFS server by </Term><ListItem><Para>looking it
up via the NetBIOS name resolution mechanism described above in the <B>name
resolve order</B> parameter above. Using this parameter will force the client
to assume that the server is on the machine with the specified IP address
and the NetBIOS name component of the resource being connected to will
be ignored. There is no default for this parameter. If not supplied, it will
be determined automatically by the client as described above. -EThis parameter
be ignored. </Para></ListItem>
<Term>There is no default for this parameter. If not supplied, it will
be </Term><ListItem><Para>determined automatically by the client as described above. </Para></ListItem>
<Term><B>-E</B></Term><ListItem><Para>This parameter
causes the client to write messages to the standard error stream (stderr)
rather than to the standard output stream. By default, the client writes
messages to standard output - typically the user's tty. -U usernameThis specifies
rather than to the standard output stream. </Para></ListItem>
<Term>By default, the client writes
messages to standard output - typically </Term><ListItem><Para>the user's tty. </Para></ListItem>
<Term><B>-U username</B></Term><ListItem><Para>This specifies
the user name that will be used by the client to make a connection, assuming
your server is not a downlevel server that is running a protocol level
that uses passwords on shares, not on usernames. Some servers are fussy
about the case of this name, and some insist that it must be a valid NetBIOS
name. If no username is supplied, it will default to an uppercase version
of the environment variable CWUSER or CWLOGNAME in that order. If no username
that uses passwords on shares, not on usernames. </Para></ListItem>
<Term>Some servers are fussy
about the case of this name, and some insist </Term><ListItem><Para>that it must be a valid NetBIOS
name. </Para></ListItem>
<Term>If no username is supplied, it will default to an uppercase version
of </Term><ListItem><Para>the environment variable CWUSER or CWLOGNAME in that order. If no username
is supplied and neither environment variable exists the username "GUEST"
will be used. If the CWUSER environment variable contains a '%' character,
everything after that will be treated as a password. This allows you to
will be used. </Para></ListItem>
<Term>If the CWUSER environment variable contains a '%' character,
</Term><ListItem><Para>everything after that will be treated as a password. This allows you to
set the environment variable to be CWUSER=username%password so that a password
is not passed on the command line (where it may be seen by the ps command).
You can specify a domain name as part of the username by using a username
of the form "DOMAIN/user" or "DOMAIN\user". If the service you are connecting
to requires a password, it can be supplied using the -U option, by appending
</Para></ListItem>
<Term>You can specify a domain name as part of the username by using a </Term><ListItem><Para>username
of the form "DOMAIN/user" or "DOMAIN\user". </Para></ListItem>
<Term>If the service you are connecting
to requires a password, it can be </Term><ListItem><Para>supplied using the <B>-U</B> option, by appending
a percent symbol ("%") then the password to username. For example, to attach
to a service as user CW"fred" with password CW"secret", you would specify.
CW-U fred%secret
on the command line. Note that there are no spaces around the percent symbol.
If you specify the password as part of username then the -N option (suppress
password prompt) is assumed. If you specify the password as a parameter
AND as part of username then the password as part of username will take
<BR>
</Para></ListItem>
<Term>CW-U fred%secret </Term><ListItem><Para><BR>
</Para></ListItem>
<Term>on the command line. Note that there are no spaces around the percent </Term><ListItem><Para>symbol.
</Para></ListItem>
<Term>If you specify the password as part of username then the <B>-N</B> option </Term><ListItem><Para>(suppress
password prompt) is assumed. </Para></ListItem>
<Term>If you specify the password as a parameter
<I>AND</I> as part of username </Term><ListItem><Para>then the password as part of username will take
precedence. Putting nothing before or nothing after the percent symbol will
cause an empty username or an empty password to be used, respectively. The
password may also be specified by setting up an environment variable called
cause an empty username or an empty password to be used, respectively. </Para></ListItem>
<Term>The
password may also be specified by setting up an environment </Term><ListItem><Para>variable called
CWPASSWD that contains the users password. Note that this may be very insecure
on some systems but on others allows users to script smbclient commands
without having a password appear in the command line of a process listing.
A third option is to use a credentials file which contains the plaintext
</Para></ListItem>
<Term>A third option is to use a credentials file which contains </Term><ListItem><Para>the plaintext
of the username and password. This option is mainly provided for scripts
where the admin doesn't desire to pass the credentials on the command line
or via environment variables. If this method is used, make certain that
the permissions on the file restrict access from unwanted users. See the
-A for more details. Note: Some servers (including OS/2 and Windows for Workgroups)
insist on an uppercase password. Lowercase or mixed case passwords may be
rejected by these servers. Be cautious about including passwords in scripts
or in the CWPASSWD environment variable. Also, on many systems the command
<B>-A</B> for more details. </Para></ListItem>
<Term>Note: Some servers (including OS/2 and Windows for Workgroups)
insist </Term><ListItem><Para>on an uppercase password. Lowercase or mixed case passwords may be
rejected by these servers. </Para></ListItem>
<Term>Be cautious about including passwords in scripts
or in the </Term><ListItem><Para>CWPASSWD environment variable. Also, on many systems the command
line of a running process may be seen via the CWps command to be safe always
allow smbclient to prompt for a password and type it in directly. -A <filename>This
allow smbclient to prompt for a password and type it in directly. </Para></ListItem>
<Term><B>-A &lt;filename&gt;</B></Term><ListItem><Para>This
option allows you to specify a file from which to read the username and
password used in the connection. The format of the file is CWusername =
<value>
CWpassword = <value
Make certain that the permissions on the file restrict access from unwanted
users. -LThis option allows you to look at what services are available on
password used in the connection. The format of the file is </Para></ListItem>
<Term>CWusername =
&lt;value&gt; </Term><ListItem><Para><BR>
CWpassword = &lt;value <BR>
</Para></ListItem>
<Term>Make certain that the permissions on the file restrict access from </Term><ListItem><Para>unwanted
users. </Para></ListItem>
<Term><B>-L</B></Term><ListItem><Para>This option allows you to look at what services are available on
a server. You use it as CW"smbclient -L host" and a list should appear. The
-I option may be useful if your NetBIOS names don't match your tcp/ip dns
host names or if you are trying to reach a host on another network. -t terminal
codeThis option tells smbclient how to interpret filenames coming from
<B>-I</B> option may be useful if your NetBIOS names don't match your tcp/ip dns
host names or if you are trying to reach a host on another network. </Para></ListItem>
<Term><B>-t terminal
code</B></Term><ListItem><Para>This option tells smbclient how to interpret filenames coming from
the remote server. Usually Asian language multibyte UNIX implementations
use different character sets than SMB/CIFS servers (EUC instead of SJIS
use different character sets than SMB/CIFS servers (<I>EUC</I> instead of <I>SJIS</I>
for example). Setting this parameter will let smbclient convert between
the UNIX filenames and the SMB filenames correctly. This option has not
been seriously tested and may have some problems. The terminal codes include
CWsjis, CWeuc, CWjis7, CWjis8, CWjunet, CWhex, CWcap. This is not a complete
list, check the Samba source code for the complete list. -m max protocol
levelWith the new code in Samba2.0, smbclient always attempts to connect
been seriously tested and may have some problems. </Para></ListItem>
<Term>The terminal codes include
CWsjis, CWeuc, CWjis7, CWjis8, </Term><ListItem><Para>CWjunet, CWhex, CWcap. This is not a complete
list, check the Samba source code for the complete list. </Para></ListItem>
<Term><B>-m max protocol
level</B></Term><ListItem><Para>With the new code in Samba2.0, <B>smbclient</B> always attempts to connect
at the maximum protocols level the server supports. This parameter is preserved
for backwards compatibility, but any string following the -m will be ignored.
-b buffersizeThis option changes the transmit/send buffer size when getting
for backwards compatibility, but any string following the <B>-m</B> will be ignored.
</Para></ListItem>
<Term><B>-b buffersize</B></Term><ListItem><Para>This option changes the transmit/send buffer size when getting
or putting a file from/to the server. The default is 65520 bytes. Setting
this value smaller (to 1200 bytes) has been observed to speed up file transfers
to and from a Win9x server. -W WORKGROUPOverride the default workgroup specified
in the workgroup parameter of the smb.conf file for this connection. This
may be needed to connect to some servers. -T tar optionssmbclient may be
used to create tar (1) compatible backups of all the files on an SMB/CIFS
share. The secondary tar flags that can be given to this option are : cCreate
to and from a Win9x server. </Para></ListItem>
<Term><B>-W WORKGROUP</B></Term><ListItem><Para>Override the default workgroup specified
in the <B>workgroup</B> parameter of the <B>smb.conf</B> file for this connection. This
may be needed to connect to some servers. </Para></ListItem>
<Term><B>-T tar options</B></Term><ListItem><Para>smbclient may be
used to create <B><Command>tar (1)</B></Command> compatible backups of all the files on an SMB/CIFS
share. The secondary tar flags that can be given to this option are : </Para></ListItem>
<Term><B>c</B></Term><ListItem><Para>Create
a tar file on UNIX. Must be followed by the name of a tar file, tape device
or CW"-" for standard output. If using standard output you must turn the
log level to its lowest value CW-d0 to avoid corrupting your tar file. This
flag is mutually exclusive with the x flag. xExtract (restore) a local tar
file back to a share. Unless the -D option is given, the tar files will be
flag is mutually exclusive with the <B>x</B> flag. </Para></ListItem>
<Term><B>x</B></Term><ListItem><Para>Extract (restore) a local tar
file back to a share. Unless the <B>-D</B> option is given, the tar files will be
restored from the top level of the share. Must be followed by the name of
the tar file, device or CW"-" for standard input. Mutually exclusive with
the c flag. Restored files have their creation times (mtime) set to the
the <B>c</B> flag. Restored files have their creation times (mtime) set to the
date saved in the tar file. Directories currently do not get their creation
dates restored properly. IInclude files and directories. Is the default behavior
dates restored properly. </Para></ListItem>
<Term><B>I</B></Term><ListItem><Para>Include files and directories. Is the default behavior
when filenames are specified above. Causes tar files to be included in an
extract or create (and therefore everything else to be excluded). See example
below. Filename globbing works in one of two ways. See r below. XExclude
below. Filename globbing works in one of two ways. See <B>r</B> below. </Para></ListItem>
<Term><B>X</B></Term><ListItem><Para>Exclude
files and directories. Causes tar files to be excluded from an extract or
create. See example below. Filename globbing works in one of two ways now.
See r below. bBlocksize. Must be followed by a valid (greater than zero)
See <B>r</B> below. </Para></ListItem>
<Term><B>b</B></Term><ListItem><Para>Blocksize. Must be followed by a valid (greater than zero)
blocksize. Causes tar file to be written out in blocksize*TBLOCK (usually
512 byte) blocks. gIncremental. Only back up files that have the archive
bit set. Useful only with the c flag. qQuiet. Keeps tar from printing diagnostics
as it works. This is the same as tarmode quiet. rRegular expression include
512 byte) blocks. </Para></ListItem>
<Term><B>g</B></Term><ListItem><Para>Incremental. Only back up files that have the archive
bit set. Useful only with the <B>c</B> flag. </Para></ListItem>
<Term><B>q</B></Term><ListItem><Para>Quiet. Keeps tar from printing diagnostics
as it works. This is the same as tarmode quiet. </Para></ListItem>
<Term><B>r</B></Term><ListItem><Para>Regular expression include
or exclude. Uses regular regular expression matching for excluding or
excluding files if compiled with HAVE_REGEX_H. However this mode can be
very slow. If not compiled with HAVE_REGEX_H, does a limited wildcard match
on * and ?. NNewer than. Must be followed by the name of a file whose date
on * and ?. </Para></ListItem>
<Term><B>N</B></Term><ListItem><Para>Newer than. Must be followed by the name of a file whose date
is compared against files found on the share during a create. Only files
newer than the file specified are backed up to the tar file. Useful only
with the c flag. aSet archive bit. Causes the archive bit to be reset when
a file is backed up. Useful with the g and c flags. Tar Long File Names smbclient's
tar option now supports long file names both on backup and restore. However,
with the <B>c</B> flag. </Para></ListItem>
<Term><B>a</B></Term><ListItem><Para>Set archive bit. Causes the archive bit to be reset when
a file is backed up. Useful with the <B>g</B> and <B>c</B> flags. </Para></ListItem>
<Term><I>Tar Long File Names</I> </Term><ListItem><Para></Para></ListItem>
<Term>smbclient's
tar option now supports long file names both on backup and </Term><ListItem><Para>restore. However,
the full path name of the file must be less than 1024 bytes. Also, when
a tar archive is created, smbclient's tar option places all files in the
archive with relative names, not absolute names. Tar Filenames All file
names can be given as DOS path names (with CW\ as the component separator)
or as UNIX path names (with CW/ as the component separator). Examples oRestore
from tar file backup.tar into myshare on mypc (no password on share). CWsmbclient
//mypc/myshare "" -N -Tx backup.tar oRestore everything except users/docs
CWsmbclient //mypc/myshare "" -N -TXx backup.tar users/docs oCreate a tar
file of the files beneath users/docs. CWsmbclient //mypc/myshare "" -N -Tc
backup.tar users/docs oCreate the same tar file as above, but now use a
DOS path name. CWsmbclient //mypc/myshare "" -N -tc backup.tar users\edocs oCreate
a tar file of all the files and directories in the share. CWsmbclient //mypc/myshare
"" -N -Tc backup.tar * -D initial directoryChange to initial directory before
starting. Probably only of any use with the tar -T option. -c command stringcommand
archive with relative names, not absolute names. </Para></ListItem>
<Term><I>Tar Filenames</I> </Term><ListItem><Para></Para></ListItem>
<Term>All file
names can be given as DOS path names (with CW\ as the </Term><ListItem><Para>component separator)
or as UNIX path names (with CW/ as the component separator). </Para></ListItem>
<Term><I>Examples</I> </Term><ListItem><Para></Para></ListItem>
<Term>o</Term><ListItem><Para>Restore
from tar file backup.tar into myshare on mypc (no password on share). </Para></ListItem>
<Term>CWsmbclient
//mypc/myshare "" -N -Tx backup.tar </Term><ListItem><Para></Para></ListItem>
<Term>o</Term><ListItem><Para>Restore everything except users/docs
</Para></ListItem>
<Term>CWsmbclient //mypc/myshare "" -N -TXx backup.tar users/docs </Term><ListItem><Para></Para></ListItem>
<Term>o</Term><ListItem><Para>Create a tar
file of the files beneath users/docs. </Para></ListItem>
<Term>CWsmbclient //mypc/myshare "" -N -Tc
backup.tar users/docs </Term><ListItem><Para></Para></ListItem>
<Term>o</Term><ListItem><Para>Create the same tar file as above, but now use a
DOS path name. </Para></ListItem>
<Term>CWsmbclient //mypc/myshare "" -N -tc backup.tar users\edocs </Term><ListItem><Para></Para></ListItem>
<Term>o</Term><ListItem><Para>Create
a tar file of all the files and directories in the share. </Para></ListItem>
<Term>CWsmbclient //mypc/myshare
"" -N -Tc backup.tar * </Term><ListItem><Para></Para></ListItem>
<Term><B>-D initial directory</B></Term><ListItem><Para>Change to initial directory before
starting. Probably only of any use with the tar <B>-T</B> option. </Para></ListItem>
<Term><B>-c command string</B></Term><ListItem><Para>command
string is a semicolon separated list of commands to be executed instead
of prompting from stdin. -N is implied by -c. This is particularly useful in
scripts and for printing stdin to the server, e.g. CW-c 'print -'.
Operations
Once
of prompting from stdin. <B>-N</B> is implied by <B>-c</B>. </Para></ListItem>
<Term>This is particularly useful in
scripts and for printing stdin to the </Term><ListItem><Para>server, e.g. CW-c 'print -'. </Para></ListItem>
</ItemizedList>
<Para></RefSect1>
<RefSect1><Title>Operations</Title>
<Para>Once
the client is running, the user is presented with a prompt :
CWsmb:\>
The
backslash ("\") indicates the current working directory on the server, and
will change if the current working directory is changed.
The prompt indicates
<Para>CWsmb:\&gt;
<Para>The
backslash ("\") <ItemizedList MARK=Bullet>
<Term>indicates the current working directory on the </Term><ListItem><Para>server, and
will change if the current working directory is changed. </Para></ListItem>
</ItemizedList>
<Para>The prompt indicates
that the client is ready and waiting to carry out a user command. Each command
is a single word, optionally followed by parameters specific to that command.
Command and parameters are space-delimited unless these notes specifically
state otherwise. All commands are case-insensitive. Parameters to commands
may or may not be case sensitive, depending on the command.
You can specify
<Para>You can specify
file names which have spaces in them by quoting the name with double quotes,
for example "a long file name".
Parameters shown in square brackets (e.g.,
"[parameter]") are optional. If not given, the command will use suitable
defaults. Parameters shown in angle brackets (e.g., "<parameter>") are required.
Note that all commands operating on the server are actually performed by
<Para>Parameters shown in square brackets (e.g.,
"[parameter]") are optional. If not given, the command will use suitable
defaults. Parameters shown in angle brackets (e.g., "&lt;parameter&gt;") are required.
<Para>Note that all commands operating on the server are actually performed by
issuing a request to the server. Thus the behavior may vary from server
to server, depending on how the server was implemented.
The commands available
<Para>The commands available
are given here in alphabetical order.
? [command]If "command" is specified,
the ? command will display a brief informative message about the specified
<Para><ItemizedList MARK=Bullet>
<Term><B>? [command]</B></Term><ListItem><Para>If "command" is specified,
the <B>?</B> command will display a brief informative message about the specified
command. If no command is specified, a list of available commands will
be displayed. ! [shell command]If "shell command" is specified, the ! command
be displayed. </Para></ListItem>
<Term><B>! [shell command]</B></Term><ListItem><Para>If "shell command" is specified, the <B>!</B> command
will execute a shell locally and run the specified shell command. If no
command is specified, a local shell will be run. cd [directory name]If "directory
command is specified, a local shell will be run. </Para></ListItem>
<Term><B>cd [directory name]</B></Term><ListItem><Para>If "directory
name" is specified, the current working directory on the server will be
changed to the directory specified. This operation will fail if for any
reason the specified directory is inaccessible. If no directory name is
specified, the current working directory on the server will be reported.
del <mask>The client will request that the server attempt to delete all files
matching "mask" from the current working directory on the server. dir <mask>A
reason the specified directory is inaccessible. </Para></ListItem>
<Term>If no directory name is
specified, the current working directory on </Term><ListItem><Para>the server will be reported.
</Para></ListItem>
<Term><B>del &lt;mask&gt;</B></Term><ListItem><Para>The client will request that the server attempt to delete all files
matching "mask" from the current working directory on the server. </Para></ListItem>
<Term><B>dir &lt;mask&gt;</B></Term><ListItem><Para>A
list of the files matching "mask" in the current working directory on the
server will be retrieved from the server and displayed. exitTerminate the
connection with the server and exit from the program. get <remote file name>
[local file name]Copy the file called "remote file name" from the server
server will be retrieved from the server and displayed. </Para></ListItem>
<Term><B>exit</B></Term><ListItem><Para>Terminate the
connection with the server and exit from the program. </Para></ListItem>
<Term><B>get &lt;remote file name&gt;
[local file name]</B></Term><ListItem><Para>Copy the file called "remote file name" from the server
to the machine running the client. If specified, name the local copy "local
file name". Note that all transfers in smbclient are binary. See also the
lowercase command. help [command]See the ? command above. lcd [directory
name]If "directory name" is specified, the current working directory on
<B>lowercase</B> command. </Para></ListItem>
<Term><B>help [command]</B></Term><ListItem><Para>See the <B>?</B> command above. </Para></ListItem>
<Term><B>lcd [directory
name]</B></Term><ListItem><Para>If "directory name" is specified, the current working directory on
the local machine will be changed to the directory specified. This operation
will fail if for any reason the specified directory is inaccessible. If
no directory name is specified, the name of the current working directory
on the local machine will be reported. lowercaseToggle lowercasing of filenames
for the get and mget commands. When lowercasing is toggled ON, local filenames
are converted to lowercase when using the get and mget commands. This is
will fail if for any reason the specified directory is inaccessible. </Para></ListItem>
<Term>If
no directory name is specified, the name of the current working </Term><ListItem><Para>directory
on the local machine will be reported. </Para></ListItem>
<Term><B>lowercase</B></Term><ListItem><Para>Toggle lowercasing of filenames
for the <B>get</B> and <B>mget</B> commands. </Para></ListItem>
<Term>When lowercasing is toggled ON, local filenames
are converted to </Term><ListItem><Para>lowercase when using the <B>get</B> and <B>mget</B> commands. This is
often useful when copying (say) MSDOS files from a server, because lowercase
filenames are the norm on UNIX systems. ls <mask>See the dir command above.
mask <mask>This command allows the user to set up a mask which will be used
during recursive operation of the mget and mput commands. The masks specified
to the mget and mput commands act as filters for directories rather than
files when recursion is toggled ON. The mask specified with the .B mask command
is necessary to filter files within those directories. For example, if the
mask specified in an mget command is "source*" and the mask specified with
the mask command is "*.c" and recursion is toggled ON, the mget command
filenames are the norm on UNIX systems. </Para></ListItem>
<Term><B>ls &lt;mask&gt;</B></Term><ListItem><Para>See the <B>dir</B> command above.
</Para></ListItem>
<Term><B>mask &lt;mask&gt;</B></Term><ListItem><Para>This command allows the user to set up a mask which will be used
during recursive operation of the <B>mget</B> and <B>mput</B> commands. </Para></ListItem>
<Term>The masks specified
to the <B>mget</B> and </Term><ListItem><Para><B>mput</B> commands act as filters for directories rather than
files when recursion is toggled ON. </Para></ListItem>
<Term>The mask specified with the .B mask command
is necessary to filter </Term><ListItem><Para>files within those directories. For example, if the
mask specified in an <B>mget</B> command is "source*" and the mask specified with
the mask command is "*.c" and recursion is toggled ON, the <B>mget</B> command
will retrieve all files matching "*.c" in all directories below and including
all directories matching "source*" in the current working directory. Note
that the value for mask defaults to blank (equivalent to "*") and remains
all directories matching "source*" in the current working directory. </Para></ListItem>
<Term>Note
that the value for mask defaults to blank (equivalent to "*") and </Term><ListItem><Para>remains
so until the mask command is used to change it. It retains the most recently
specified value indefinitely. To avoid unexpected results it would be wise
to change the value of .I mask back to "*" after using the mget or mput
commands. md <directory name>See the mkdir command. mget <mask>Copy all files
matching mask from the server to the machine running the client. Note that
mask is interpreted differently during recursive operation and non-recursive
operation - refer to the recurse and mask commands for more information.
Note that all transfers in .B smbclient are binary. See also the lowercase
command. mkdir <directory name>Create a new directory on the server (user
access privileges permitting) with the specified name. mput <mask>Copy all
to change the value of .I mask back to "*" after using the <B>mget</B> or <B>mput</B>
commands. </Para></ListItem>
<Term><B>md &lt;directory name&gt;</B></Term><ListItem><Para>See the <B>mkdir</B> command. </Para></ListItem>
<Term><B>mget &lt;mask&gt;</B></Term><ListItem><Para>Copy all files
matching mask from the server to the machine running the client. </Para></ListItem>
<Term>Note that
mask is interpreted differently during recursive operation </Term><ListItem><Para>and non-recursive
operation - refer to the <B>recurse</B> and <B>mask</B> commands for more information.
Note that all transfers in .B smbclient are binary. See also the <B>lowercase</B>
command. </Para></ListItem>
<Term><B>mkdir &lt;directory name&gt;</B></Term><ListItem><Para>Create a new directory on the server (user
access privileges permitting) with the specified name. </Para></ListItem>
<Term><B>mput &lt;mask&gt;</B></Term><ListItem><Para>Copy all
files matching mask in the current working directory on the local machine
to the current working directory on the server. Note that mask is interpreted
differently during recursive operation and non-recursive operation - refer
to the recurse and mask commands for more information. Note that all transfers
in .B smbclient are binary. print <file name>Print the specified file from
the local machine through a printable service on the server. See also the
printmode command. printmode <graphics or text>Set the print mode to suit
to the current working directory on the server. </Para></ListItem>
<Term>Note that mask is interpreted
differently during recursive operation </Term><ListItem><Para>and non-recursive operation - refer
to the <B>recurse</B> and <B>mask</B> commands for more information. Note that all transfers
in .B smbclient are binary. </Para></ListItem>
<Term><B>print &lt;file name&gt;</B></Term><ListItem><Para>Print the specified file from
the local machine through a printable service on the server. </Para></ListItem>
<Term>See also the
<B>printmode</B> command. </Term><ListItem><Para></Para></ListItem>
<Term><B>printmode &lt;graphics or text&gt;</B></Term><ListItem><Para>Set the print mode to suit
either binary data (such as graphical information) or text. Subsequent print
commands will use the currently set print mode. promptToggle prompting for
filenames during operation of the mget and mput commands. When toggled ON,
the user will be prompted to confirm the transfer of each file during these
commands will use the currently set print mode. </Para></ListItem>
<Term><B>prompt</B></Term><ListItem><Para>Toggle prompting for
filenames during operation of the <B>mget</B> and <B>mput</B> commands. </Para></ListItem>
<Term>When toggled ON,
the user will be prompted to confirm the transfer of </Term><ListItem><Para>each file during these
commands. When toggled OFF, all specified files will be transferred without
prompting. put <local file name> [remote file name]Copy the file called "local
prompting. </Para></ListItem>
<Term><B>put &lt;local file name&gt; [remote file name]</B></Term><ListItem><Para>Copy the file called "local
file name" from the machine running the client to the server. If specified,
name the remote copy "remote file name". Note that all transfers in smbclient
are binary. See also the lowercase command. queueDisplays the print queue,
showing the job id, name, size and current status. quitSee the exit command.
rd <directory name>See the rmdir command. recurseToggle directory recursion
for the commands mget and mput. When toggled ON, these commands will process
all directories in the source directory (i.e., the directory they are copying
are binary. See also the <B>lowercase</B> command. </Para></ListItem>
<Term><B>queue</B></Term><ListItem><Para>Displays the print queue,
showing the job id, name, size and current status. </Para></ListItem>
<Term><B>quit</B></Term><ListItem><Para>See the <B>exit</B> command.
</Para></ListItem>
<Term><B>rd &lt;directory name&gt;</B></Term><ListItem><Para>See the <B>rmdir</B> command. </Para></ListItem>
<Term><B>recurse</B></Term><ListItem><Para>Toggle directory recursion
for the commands <B>mget</B> and <B>mput</B>. </Para></ListItem>
<Term>When toggled ON, these commands will process
all directories in the </Term><ListItem><Para>source directory (i.e., the directory they are copying
.IR from ) and will recurse into any that match the mask specified to the
command. Only files that match the mask specified using the mask command
will be retrieved. See also the mask command. When recursion is toggled OFF,
only files from the current working directory on the source machine that
match the mask specified to the mget or mput commands will be copied, and
any mask specified using the mask command will be ignored. rm <mask>Remove
command. Only files that match the mask specified using the <B>mask</B> command
will be retrieved. See also the <B>mask</B> command. </Para></ListItem>
<Term>When recursion is toggled OFF,
only files from the current working </Term><ListItem><Para>directory on the source machine that
match the mask specified to the <B>mget</B> or <B>mput</B> commands will be copied, and
any mask specified using the <B>mask</B> command will be ignored. </Para></ListItem>
<Term><B>rm &lt;mask&gt;</B></Term><ListItem><Para>Remove
all files matching mask from the current working directory on the server.
rmdir <directory name>Remove the specified directory (user access privileges
permitting) from the server. tar <c|x>[IXbgNa]Performs a tar operation - see
the -T command line option above. Behavior may be affected by the tarmode
</Para></ListItem>
<Term><B>rmdir &lt;directory name&gt;</B></Term><ListItem><Para>Remove the specified directory (user access privileges
permitting) from the server. </Para></ListItem>
<Term><B>tar &lt;c|x&gt;[IXbgNa]</B></Term><ListItem><Para>Performs a tar operation - see
the <B>-T</B> command line option above. Behavior may be affected by the <B>tarmode</B>
command (see below). Using g (incremental) and N (newer) will affect tarmode
settings. Note that using the "-" option with tar x may not work - use the
command line option instead. blocksize <blocksize>Blocksize. Must be followed
command line option instead. </Para></ListItem>
<Term><B>blocksize &lt;blocksize&gt;</B></Term><ListItem><Para>Blocksize. Must be followed
by a valid (greater than zero) blocksize. Causes tar file to be written
out in blocksize*TBLOCK (usually 512 byte) blocks. tarmode <full|inc|reset|noreset>Changes
out in blocksize*TBLOCK (usually 512 byte) blocks. </Para></ListItem>
<Term><B>tarmode &lt;full|inc|reset|noreset&gt;</B></Term><ListItem><Para>Changes
tar's behavior with regard to archive bits. In full mode, tar will back up
everything regardless of the archive bit setting (this is the default mode).
In incremental mode, tar will only back up files with the archive bit set.
In reset mode, tar will reset the archive bit on all files it backs up
(implies read/write share). setmode <filename> <perm=[+|\-]rsha>A version of the
DOS attrib command to set file permissions. For example: CWsetmode myfile
+r would make myfile read only.
Notes
Some servers are fussy about the case
(implies read/write share). </Para></ListItem>
<Term><B>setmode &lt;filename&gt; &lt;perm=[+|\-]rsha&gt;</B></Term><ListItem><Para>A version of the
DOS attrib command to set file permissions. For example: </Para></ListItem>
<Term>CWsetmode myfile
+r </Term><ListItem><Para></Para></ListItem>
<Term>would make myfile read only. </Term><ListItem><Para></Para></ListItem>
</ItemizedList>
<Para></RefSect1>
<RefSect1><Title>Notes</Title>
<Para>Some servers are fussy about the case
of supplied usernames, passwords, share names (AKA service names) and machine
names. If you fail to connect try giving all parameters in uppercase.
It
is often necessary to use the -n option when connecting to some types of
names. <ItemizedList MARK=Bullet>
<Term>If you </Term><ListItem><Para>fail to connect try giving all parameters in uppercase. </Para></ListItem>
</ItemizedList>
<Para>It
is often necessary to use the <B>-n</B> option when connecting to some types of
servers. For example OS/2 LanManager insists on a valid NetBIOS name being
used, so you need to supply a valid name that would be known to the server.
smbclient supports long file names where the server supports the LANMAN2
<Para>smbclient supports long file names where the server supports the LANMAN2
protocol or above.
Environment Variables
The variable USER may contain the
<Para></RefSect1>
<RefSect1><Title>Environment Variables</Title>
<Para>The variable <B>USER</B> may contain the
username of the person using the client. This information is used only
if the protocol level is high enough to support session-level passwords.
The variable PASSWD may contain the password of the person using the client.
<Para>The variable <B>PASSWD</B> may contain the password of the person using the client.
This information is used only if the protocol level is high enough to
support session-level passwords.
Installation
The location of the client program
<Para></RefSect1>
<RefSect1><Title>Installation</Title>
<Para>The location of the client program
is a matter for individual system administrators. The following are thus
suggestions only.
It is recommended that the smbclient software be installed
<Para>It is recommended that the smbclient software be installed
in the /usr/local/samba/bin or /usr/samba/bin directory, this directory
readable by all, writeable only by root. The client program itself should
be executable by all. The client should NOT be setuid or setgid!
The client
be executable by all. The client should <I>NOT</I> be setuid or setgid!
<Para>The client
log files should be put in a directory readable and writeable only by the
user.
To test the client, you will need to know the name of a running SMB/CIFS
server. It is possible to run smbd (8) an ordinary user - running that server
<Para>To test the client, you will need to know the name of a running SMB/CIFS
server. It is possible to run <B><Command>smbd (8)</B></Command> an ordinary user - running that server
as a daemon on a user-accessible port (typically any port number over 1024)
would provide a suitable test server.
Diagnostics
Most diagnostics issued
<Para></RefSect1>
<RefSect1><Title>Diagnostics</Title>
<Para>Most diagnostics issued
by the client are logged in a specified log file. The log file name is specified
at compile time, but may be overridden on the command line.
The number and
<Para>The number and
nature of diagnostics available depends on the debug level used by the
client. If you have problems, set the debug level to 3 and peruse the log
files.
Version
This man page is correct for version 2.0 of the Samba suite.
Author
The original Samba software and related utilities were created by
Andrew Tridgell samba@samba.org. Samba is now developed by the Samba Team
<Para></RefSect1>
<RefSect1><Title>Version</Title>
<Para>This man page is correct for version 2.0 of the Samba suite.
<Para></RefSect1>
<RefSect1><Title>Author</Title>
<Para>The original Samba software and related utilities were created by
Andrew Tridgell <I>samba@samba.org</I>. Samba is now developed by the Samba Team
as an Open Source project similar to the way the Linux kernel is developed.
The original Samba man pages were written by Karl Auer. The man page sources
<Para>The original Samba man pages were written by Karl Auer. The man page sources
were converted to YODL format (another excellent piece of Open Source software,
available at ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba2.0
release by Jeremy Allison. samba@samba.org.
See samba (7) to find out how
available at <B>ftp://ftp.icce.rug.nl/pub/unix/</B>) and updated for the Samba2.0
release by Jeremy Allison. <I>samba@samba.org</I>.
<Para>See <B><Command>samba (7)</B></Command> to find out how
to get a full list of contributors and details on how to submit bug reports,
comments etc.
comments etc. </RefSect1>
</RefEntry>
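Review bot: The added SGML is not well-formed in the Installation and Author sections, where `<B><Command>smbd (8)</B></Command>` and `<B><Command>samba (7)</B></Command>` close their tags in the wrong order, and at the section boundaries, where `<Para></RefSect1>` opens a paragraph that is never closed (openings such as `<Para>CWsmb:\&gt;` have no close either). In the Operations list, `<Term>` elements sit directly inside `<ItemizedList MARK=Bullet>` and hold sentence fragments rather than command names, for example "If no directory name is specified, the current working directory on" as a term with "the server will be reported." as its paragraph. A variablelist with one varlistentry per command, as the smbpasswd page in this commit uses, would keep each description in one piece. Leftover roff markup should also be stripped from the added lines: `.B smbclient`, `.I mask`, `.IR from )`, the `CW` prefix on `CWsmbclient` and `CWsetmode`, and the `users\edocs` path in the DOS-path tar example, which the neighbouring examples spell `users/docs`.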

@ -1,136 +1,204 @@
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
<refentry id="smbpasswd">
Namesmbpasswd - The Samba encrypted password file
Synopsis
smbpasswd is the
Samba encrypted password file.
Description
This file is part of the Samba
suite.
smbpasswd is the Samba encrypted password file. It contains the username,
Unix user id and the SMB hashed passwords of the user, as well as account
flag information and the time the password was last changed. This file format
has been evolving with Samba and has had several different formats in the
past.
File Format
The format of the smbpasswd file used by Samba 2.0 is very
similar to the familiar Unix passwd (5) file. It is an ASCII file containing
one line for each user. Each field within each line is separated from the
next by a colon. Any entry beginning with # is ignored. The smbpasswd file
contains the following information for each user:
name
This is the user name. It must be a name that already exists in the standard
UNIX passwd file. uid
This is the UNIX uid. It must match the uid field for the same user entry
in the standard UNIX passwd file. If this does not match then Samba will
refuse to recognize this smbpasswd file entry as being valid for a user.
Lanman Password Hash
This is the LANMAN hash of the users password, encoded as 32 hex digits.
The LANMAN hash is created by DES encrypting a well known string with the
users password as the DES key. This is the same password used by Windows
95/98 machines. Note that this password hash is regarded as weak as it is
vulnerable to dictionary attacks and if two users choose the same password
this entry will be identical (i.e. the password is not "salted" as the UNIX
password is). If the user has a null password this field will contain the
characters CW"NO PASSWORD" as the start of the hex string. If the hex string
is equal to 32 CW'X' characters then the users account is marked as disabled
and the user will not be able to log onto the Samba server. WARNING !!. Note
that, due to the challenge-response nature of the SMB/CIFS authentication
protocol, anyone with a knowledge of this password hash will be able to
impersonate the user on the network. For this reason these hashes are known
as "plain text equivalent" and must NOT be made available to anyone but
the root user. To protect these passwords the smbpasswd file is placed in
a directory with read and traverse access only to the root user and the
smbpasswd file itself must be set to be read/write only by root, with no
other access. NT Password Hash
This is the Windows NT hash of the users password, encoded as 32 hex digits.
The Windows NT hash is created by taking the users password as represented
in 16-bit, little-endian UNICODE and then applying the MD4 (internet rfc1321)
hashing algorithm to it. This password hash is considered more secure than
the Lanman Password Hash as it preserves the case of the password and uses
a much higher quality hashing algorithm. However, it is still the case that
if two users choose the same password this entry will be identical (i.e.
the password is not "salted" as the UNIX password is). WARNING !!. Note that,
due to the challenge-response nature of the SMB/CIFS authentication protocol,
anyone with a knowledge of this password hash will be able to impersonate
the user on the network. For this reason these hashes are known as "plain
text equivalent" and must NOT be made available to anyone but the root
user. To protect these passwords the smbpasswd file is placed in a directory
with read and traverse access only to the root user and the smbpasswd file
itself must be set to be read/write only by root, with no other access.
Account Flags
This section contains flags that describe the attributes of the users account.
In the Samba2.0 release this field is bracketed by CW'[' and CW']' characters
and is always 13 characters in length (including the CW'[' and CW']' characters).
The contents of this field may be any of the characters. o'U' This means this
is a "User" account, i.e. an ordinary user. Only User and Workstation Trust
accounts are currently supported in the smbpasswd file. o'N' This means the
account has no password (the passwords in the fields Lanman Password Hash
and NT Password Hash are ignored). Note that this will only allow users
to log on with no password if the null passwords parameter is set in the
smb.conf (5) config file. o'D' This means the account is disabled and no SMB/CIFS
logins will be allowed for this user. o'W' This means this account is a "Workstation
Trust" account. This kind of account is used in the Samba PDC code stream
to allow Windows NT Workstations and Servers to join a Domain hosted by
a Samba PDC. Other flags may be added as the code is extended in future.
The rest of this field space is filled in with spaces. Last Change Time
This field consists of the time the account was last modified. It consists
of the characters CWLCT- (standing for "Last Change Time") followed by a
numeric encoding of the UNIX time in seconds since the epoch (1970) that
the last change was made. Following fields
All other colon separated fields are ignored at this time.
Notes
In previous
versions of Samba (notably the 1.9.18 series) this file did not contain the
Account Flags or Last Change Time fields. The Samba 2.0 code will read and
write these older password files but will not be able to modify the old
entries to add the new fields. New entries added with smbpasswd (8) will
contain the new fields in the added accounts however. Thus an older smbpasswd
file used with Samba 2.0 may end up with some accounts containing the new
fields and some not.
In order to convert from an old-style smbpasswd file
to a new style, run the script convert_smbpasswd, installed in the Samba
CWbin/ directory (the same place that the smbd and nmbd binaries are installed)
as follows:
<refmeta>
<refentrytitle>smbpasswd</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
cat old_smbpasswd_file | convert_smbpasswd > new_smbpasswd_file
<refnamediv>
<refname>smbpasswd</refname>
<refpurpose>The Samba encrypted password file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<para><filename>smbpasswd</filename></para>
</refsynopsisdiv>
The convert_smbpasswd script reads from stdin and writes to stdout so
as not to overwrite any files by accident.
Once this script has been run,
check the contents of the new smbpasswd file to ensure that it has not
been damaged by the conversion script (which uses awk), and then replace
the CW<old smbpasswd file> with the CW<new smbpasswd file>.
Version
This man
page is correct for version 2.0 of the Samba suite.
See Also
smbpasswd (8),
samba (7), and the Internet RFC1321 for details on the MD4 algorithm.
Author
The
original Samba software and related utilities were created by Andrew Tridgell
samba@samba.org. Samba is now developed by the Samba Team as an Open Source
project similar to the way the Linux kernel is developed.
The original Samba
man pages were written by Karl Auer. The man page sources were converted
to YODL format (another excellent piece of Open Source software, available
at ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba2.0 release by
Jeremy Allison, samba@samba.org.
See samba (7) to find out how to get a full
list of contributors and details on how to submit bug reports, comments
etc.
<refsect1>
<title>DESCRIPTION</title>
<para>This tool is part of the <ulink url="samba.7.html">
Samba</ulink> suite.</para>
<para>smbpasswd is the Samba encrypted password file. It contains
the username, Unix user id and the SMB hashed passwords of the
user, as well as account flag information and the time the
password was last changed. This file format has been evolving with
Samba and has had several different formats in the past. </para>
</refsect1>
<refsect1>
<title>FILE FORMAT</title>
<para>The format of the smbpasswd file used by Samba 2.2
is very similar to the familiar Unix <filename>passwd(5)</filename>
file. It is an ASCII file containing one line for each user. Each field
ithin each line is separated from the next by a colon. Any entry
beginning with '#' is ignored. The smbpasswd file contains the
following information for each user: </para>
<variablelist>
<varlistentry>
<term>name</term>
<listitem><para> This is the user name. It must be a name that
already exists in the standard UNIX passwd file. </para>
</listitem>
</varlistentry>
<varlistentry>
<term>uid</term>
<listitem><para>This is the UNIX uid. It must match the uid
field for the same user entry in the standard UNIX passwd file.
If this does not match then Samba will refuse to recognize
this smbpasswd file entry as being valid for a user.
</para></listitem>
</varlistentry>
<varlistentry>
<term>Lanman Password Hash</term>
<listitem><para>This is the LANMAN hash of the users password,
encoded as 32 hex digits. The LANMAN hash is created by DES
encrypting a well known string with the users password as the
DES key. This is the same password used by Windows 95/98 machines.
Note that this password hash is regarded as weak as it is
vulnerable to dictionary attacks and if two users choose the
same password this entry will be identical (i.e. the password
is not "salted" as the UNIX password is). If the user has a
null password this field will contain the characters "NO PASSWORD"
as the start of the hex string. If the hex string is equal to
32 'X' characters then the users account is marked as
<constant>disabled</constant> and the user will not be able to
log onto the Samba server. </para>
<para><emphasis>WARNING !!</emphasis> Note that, due to
the challenge-response nature of the SMB/CIFS authentication
protocol, anyone with a knowledge of this password hash will
be able to impersonate the user on the network. For this
reason these hashes are known as <emphasis>plain text
equivalents</emphasis> and must <emphasis>NOT</emphasis> be made
available to anyone but the root user. To protect these passwords
the smbpasswd file is placed in a directory with read and
traverse access only to the root user and the smbpasswd file
itself must be set to be read/write only by root, with no
other access. </para></listitem>
</varlistentry>
<varlistentry>
<term>NT Password Hash</term>
<listitem><para>This is the Windows NT hash of the users
password, encoded as 32 hex digits. The Windows NT hash is
created by taking the users password as represented in
16-bit, little-endian UNICODE and then applying the MD4
(internet rfc1321) hashing algorithm to it. </para>
<para>This password hash is considered more secure than
the Lanman Password Hash as it preserves the case of the
password and uses a much higher quality hashing algorithm.
However, it is still the case that if two users choose the same
password this entry will be identical (i.e. the password is
not "salted" as the UNIX password is). </para>
<para><emphasis>WARNING !!</emphasis>. Note that, due to
the challenge-response nature of the SMB/CIFS authentication
protocol, anyone with a knowledge of this password hash will
be able to impersonate the user on the network. For this
reason these hashes are known as <emphasis>plain text
equivalents</emphasis> and must <emphasis>NOT</emphasis> be made
available to anyone but the root user. To protect these passwords
the smbpasswd file is placed in a directory with read and
traverse access only to the root user and the smbpasswd file
itself must be set to be read/write only by root, with no
other access. </para></listitem>
</varlistentry>
<varlistentry>
<term>Account Flags</term>
<listitem><para>This section contains flags that describe
the attributes of the users account. In the Samba 2.2 release
this field is bracketed by '[' and ']' characters and is always
13 characters in length (including the '[' and ']' characters).
The contents of this field may be any of the characters.
</para>
<itemizedlist>
<listitem><para><emphasis>U</emphasis> - This means
this is a "User" account, i.e. an ordinary user. Only User
and Workstation Trust accounts are currently supported
in the smbpasswd file. </para></listitem>
<listitem><para><emphasis>N</emphasis> - This means the
account has no password (the passwords in the fields Lanman
Password Hash and NT Password Hash are ignored). Note that this
will only allow users to log on with no password if the <parameter>
null passwords</parameter> parameter is set in the <ulink
url="smb.conf.5.html#NULLPASSWORDS"><filename>smb.conf(5)
</filename></ulink> config file. </para></listitem>
<listitem><para><emphasis>D</emphasis> - This means the account
is disabled and no SMB/CIFS logins will be allowed for
this user. </para></listitem>
<listitem><para><emphasis>W</emphasis> - This means this account
is a "Workstation Trust" account. This kind of account is used
in the Samba PDC code stream to allow Windows NT Workstations
and Servers to join a Domain hosted by a Samba PDC. </para>
</listitem>
</itemizedlist>
<para>Other flags may be added as the code is extended in future.
The rest of this field space is filled in with spaces. </para>
</listitem>
</varlistentry>
<varlistentry>
<term>Last Change Time</term>
<listitem><para>This field consists of the time the account was
last modified. It consists of the characters 'LCT-' (standing for
"Last Change Time") followed by a numeric encoding of the UNIX time
in seconds since the epoch (1970) that the last change was made.
</para></listitem>
</varlistentry>
</variablelist>
<para>All other colon separated fields are ignored at this time.</para>
</refsect1>
<refsect1>
<title>VERSION</title>
<para>This man page is correct for version 2.2 of
the Samba suite.</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><ulink url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink>,
<ulink url="samba.7.html">samba(7)</ulink>, and
the Internet RFC1321 for details on the MD4 algorithm.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para>The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.</para>
<para>The original Samba man pages were written by Karl Auer.
The man page sources were converted to YODL format (another
excellent piece of Open Source software, available at
<ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
release by Jeremy Allison. The conversion to DocBook for
Samba 2.2 was done by Gerald Carter</para>
</refsect1>
</refentry>
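Review bot: The NT Password Hash entry cites "MD4 (internet rfc1321)" and SEE ALSO repeats "the Internet RFC1321 for details on the MD4 algorithm", but RFC 1321 specifies MD5; MD4 is RFC 1320, so both references should read RFC1320. The "WARNING !!" paragraph about plain text equivalents appears word for word in two consecutive hash entries, and the second copy has a stray "." after the closing emphasis tag. Since this is the text administrators rely on to protect the file, consider stating it once for both hash fields and giving the expected modes explicitly (for example 0600 on the smbpasswd file) instead of only "read/write only by root, with no other access". Smaller points: "may be any of the characters." before the flag list should end in a colon, and the last AUTHOR sentence is missing its period.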

@ -1,165 +1,409 @@
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
<refentry id="smbpasswd">
Namesmbpasswd - change a users SMB password
Synopsis
smbpasswd [-a] [-x] [-d]
[-e] [-D debug level] [-n] [-r remote_machine] [-R name resolve order] [-m] [-j
DOMAIN] [-U username] [-h] [-s] username
Description
This program is part of
the Samba suite.
The smbpasswd program has several different functions,
depending on whether it is run by the root user or not. When run as a normal
user it allows the user to change the password used for their SMB sessions
on any machines that store SMB passwords.
By default (when run with no arguments)
it will attempt to change the current users SMB password on the local machine.
This is similar to the way the passwd (1) program works. smbpasswd differs
from how the passwd program works however in that it is not setuid root
but works in a client-server mode and communicates with a locally running
smbd. As a consequence in order for this to succeed the smbd daemon must
be running on the local machine. On a UNIX machine the encrypted SMB passwords
are usually stored in the smbpasswd (5) file.
When run by an ordinary user
with no options. smbpasswd will prompt them for their old smb password and
then ask them for their new password twice, to ensure that the new password
was typed correctly. No passwords will be echoed on the screen whilst being
typed. If you have a blank smb password (specified by the string "NO PASSWORD"
in the smbpasswd file) then just press the <Enter> key when asked for your
old password.
smbpasswd can also be used by a normal user to change their
SMB password on remote machines, such as Windows NT Primary Domain Controllers.
See the (-r) and -U options below.
When run by root, smbpasswd allows new
users to be added and deleted in the smbpasswd file, as well as allows
changes to the attributes of the user in this file to be made. When run
by root, smbpasswd accesses the local smbpasswd file directly, thus enabling
changes to be made even if smbd is not running.
Options
-aThis option specifies
that the username following should be added to the local smbpasswd file,
with the new password typed (type <Enter> for the old password). This option
is ignored if the username following already exists in the smbpasswd file
and it is treated like a regular change password command. Note that the
user to be added must already exist in the system password file (usually
/etc/passwd) else the request to add the user will fail. This option is
only available when running smbpasswd as root. -xThis option specifies that
the username following should be deleted from the local smbpasswd file.
This option is only available when running smbpasswd as root. -dThis option
specifies that the username following should be disabled in the local smbpasswd
file. This is done by writing a 'D' flag into the account control space in
the smbpasswd file. Once this is done all attempts to authenticate via SMB
using this username will fail. If the smbpasswd file is in the 'old' format
(pre-Samba 2.0 format) there is no space in the users password entry to write
this information and so the user is disabled by writing 'X' characters into
the password space in the smbpasswd file. See smbpasswd (5) for details
on the 'old' and new password file formats. This option is only available
when running smbpasswd as root. -eThis option specifies that the username
following should be enabled in the local smbpasswd file, if the account
was previously disabled. If the account was not disabled this option has
no effect. Once the account is enabled then the user will be able to authenticate
via SMB once again. If the smbpasswd file is in the 'old' format then smbpasswd
will prompt for a new password for this user, otherwise the account will
be enabled by removing the 'D' flag from account control space in the smbpasswd
file. See smbpasswd (5) for details on the 'old' and new password file formats.
This option is only available when running smbpasswd as root. -D debugleveldebuglevel
is an integer from 0 to 10. The default value if this parameter is not
specified is zero. The higher this value, the more detail will be logged
to the log files about the activities of smbpasswd. At level 0, only critical
errors and serious warnings will be logged. Levels above 1 will generate
considerable amounts of log data, and should only be used when investigating
a problem. Levels above 3 are designed for use only by developers and generate
HUGE amounts of log data, most of which is extremely cryptic. -nThis option
specifies that the username following should have their password set to
null (i.e. a blank password) in the local smbpasswd file. This is done by
writing the string "NO PASSWORD" as the first part of the first password
stored in the smbpasswd file. Note that to allow users to logon to a Samba
server once the password has been set to "NO PASSWORD" in the smbpasswd
file the administrator must set the following parameter in the [global]
section of the smb.conf file : null passwords = true This option is only
available when running smbpasswd as root. -r remote machine nameThis option
allows a user to specify what machine they wish to change their password
on. Without this parameter smbpasswd defaults to the local host. The "remote
machine name" is the NetBIOS name of the SMB/CIFS server to contact to
attempt the password change. This name is resolved into an IP address using
the standard name resolution mechanism in all programs of the Samba suite.
See the -R name resolve order parameter for details on changing this resolving
mechanism. The username whose password is changed is that of the current
UNIX logged on user. See the -U username parameter for details on changing
the password for a different username. Note that if changing a Windows NT
Domain password the remote machine specified must be the Primary Domain
Controller for the domain (Backup Domain Controllers only have a read-only
copy of the user account database and will not allow the password change).
Note that Windows 95/98 do not have a real password database so it is not
possible to change passwords specifying a Win95/98 machine as remote machine
target. -R name resolve orderThis option allows the user of smbclient to
determine what name resolution services to use when looking up the NetBIOS
name of the host being connected to. The options are :"lmhosts", "host",
"wins" and "bcast". They cause names to be resolved as follows : olmhosts
: Lookup an IP address in the Samba lmhosts file. ohost : Do a standard
host name to IP address resolution, using the system /etc/hosts, NIS, or
DNS lookups. This method of name resolution is operating system dependent.
For instance on IRIX or Solaris, this may be controlled by the /etc/nsswitch.conf
file). owins : Query a name with the IP address listed in the wins server
parameter in the smb.conf file. If no WINS server has been specified this
method will be ignored. obcast : Do a broadcast on each of the known local
interfaces listed in the interfaces parameter in the smb.conf file. This
is the least reliable of the name resolution methods as it depends on the
target host being on a locally connected subnet. If this parameter is not
set then the name resolve order defined in the smb.conf file parameter
name resolve order will be used. The default order is lmhosts, host, wins,
bcast and without this parameter or any entry in the smb.conf file the
name resolution methods will be attempted in this order. -mThis option tells
smbpasswd that the account being changed is a MACHINE account. Currently
this is used when Samba is being used as an NT Primary Domain Controller.
PDC support is not a supported feature in Samba2.0 but will become supported
in a later release. If you wish to know more about using Samba as an NT
PDC then please subscribe to the mailing list samba-ntdom@samba.org. This
option is only available when running smbpasswd as root. -j DOMAINThis option
is used to add a Samba server into a Windows NT Domain, as a Domain member
capable of authenticating user accounts to any Domain Controller in the
same way as a Windows NT Server. See the security=domain option in the smb.conf
(5) man page. In order to be used in this way, the Administrator for the
Windows NT Domain must have used the program "Server Manager for Domains"
to add the primary NetBIOS name of the Samba server as a member of the
Domain. After this has been done, to join the Domain invoke smbpasswd with
this parameter. smbpasswd will then look up the Primary Domain Controller
for the Domain (found in the smb.conf file in the parameter password server
and change the machine account password used to create the secure Domain
communication. This password is then stored by smbpasswd in a file, read
only by root, called CW<Domain>.<Machine>.mac where CW<Domain> is the name of the
Domain we are joining and CW<Machine> is the primary NetBIOS name of the
machine we are running on. Once this operation has been performed the smb.conf
file may be updated to set the security=domain option and all future logins
to the Samba server will be authenticated to the Windows NT PDC. Note that
even though the authentication is being done to the PDC all users accessing
the Samba server must still have a valid UNIX account on that machine. This
option is only available when running smbpasswd as root. -U usernameThis
option may only be used in conjunction with the -r option. When changing
a password on a remote machine it allows the user to specify the user name
on that machine whose password will be changed. It is present to allow users
who have different user names on different systems to change these passwords.
-hThis option prints the help string for smbpasswd, selecting the correct
one for running as root or as an ordinary user. -sThis option causes smbpasswd
to be silent (i.e. not issue prompts) and to read it's old and new passwords
from standard input, rather than from CW/dev/tty (like the passwd (1)
program does). This option is to aid people writing scripts to drive smbpasswd
usernameThis specifies the username for all of the root only options to
operate on. Only root can specify this parameter as only root has the permission
needed to modify attributes directly in the local smbpasswd file. NotesSince
smbpasswd works in client-server mode communicating with a local smbd for
a non-root user then the smbd daemon must be running for this to work. A
common problem is to add a restriction to the hosts that may access the
smbd running on the local machine by specifying a "allow hosts" or "deny
hosts" entry in the smb.conf file and neglecting to allow "localhost" access
to the smbd. In addition, the smbpasswd command is only useful if Samba
has been set up to use encrypted passwords. See the file ENCRYPTION.txt in
the docs directory for details on how to do this. VersionThis man page is
correct for version 2.0 of the Samba suite. AuthorThe original Samba software
and related utilities were created by Andrew Tridgell samba@samba.org. Samba
is now developed by the Samba Team as an Open Source project similar to
the way the Linux kernel is developed. The original Samba man pages were
written by Karl Auer. The man page sources were converted to YODL format
(another excellent piece of Open Source software, available at ftp://ftp.icce.rug.nl/pub/unix/)
and updated for the Samba2.0 release by Jeremy Allison. samba@samba.org. See
samba (7) to find out how to get a full list of contributors and details
on how to submit bug reports, comments etc.
<refmeta>
<refentrytitle>smbpasswd</refentrytitle>
<manvolnum>8</manvolnum>
</refmeta>
<refnamediv>
<refname>smbpasswd</refname>
<refpurpose>change a users SMB password</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>smbpasswd</command>
<arg choice="opt">-a</arg>
<arg choice="opt">-x</arg>
<arg choice="opt">-d</arg>
<arg choice="opt">-e</arg>
<arg choice="opt">-D debuglevel</arg>
<arg choice="opt">-n</arg>
<arg choice="opt">-r &lt;remote machine&gt;</arg>
<arg choice="opt">-R &lt;name resolve order&gt;</arg>
<arg choice="opt">-m</arg>
<arg choice="opt">-j DOMAIN</arg>
<arg choice="opt">-U username</arg>
<arg choice="opt">-h</arg>
<arg choice="opt">-s</arg>
<arg choice="opt">username</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para>This tool is part of the <ulink url="samba.7.html">
Samba</ulink> suite.</para>
<para>The smbpasswd program has several different
functions, depending on whether it is run by the <emphasis>root</emphasis>
user or not. When run as a normal user it allows the user to change
the password used for their SMB sessions on any machines that store
SMB passwords. </para>
<para>By default (when run with no arguments) it will attempt to
change the current users SMB password on the local machine. This is
similar to the way the <command>passwd(1)</command> program works.
<command>smbpasswd</command> differs from how the passwd program works
however in that it is not <emphasis>setuid root</emphasis> but works in
a client-server mode and communicates with a locally running
<command>smbd(8)</command>. As a consequence in order for this to
succeed the smbd daemon must be running on the local machine. On a
UNIX machine the encrypted SMB passwords are usually stored in
the <filename>smbpasswd(5)</filename> file. </para>
<para>When run by an ordinary user with no options. smbpasswd
will prompt them for their old smb password and then ask them
for their new password twice, to ensure that the new password
was typed correctly. No passwords will be echoed on the screen
whilst being typed. If you have a blank smb password (specified by
the string "NO PASSWORD" in the smbpasswd file) then just press
the &lt;Enter&gt; key when asked for your old password. </para>
<para>smbpasswd can also be used by a normal user to change their
SMB password on remote machines, such as Windows NT Primary Domain
Controllers. See the (-r) and -U options below. </para>
<para>When run by root, smbpasswd allows new users to be added
and deleted in the smbpasswd file, as well as allows changes to
the attributes of the user in this file to be made. When run by root,
<command>smbpasswd</command> accesses the local smbpasswd file
directly, thus enabling changes to be made even if smbd is not
running. </para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-a</term>
<listitem><para>This option specifies that the username
following should be added to the local smbpasswd file, with the
new password typed (type &lt;Enter&gt; for the old password). This
option is ignored if the username following already exists in
the smbpasswd file and it is treated like a regular change
password command. Note that the user to be added must already exist
in the system password file (usually <filename>/etc/passwd</filename>)
else the request to add the user will fail. </para>
<para>This option is only available when running smbpasswd
as root. </para></listitem>
</varlistentry>
<varlistentry>
<term>-x</term>
<listitem><para>This option specifies that the username
following should be deleted from the local smbpasswd file.
</para>
<para>This option is only available when running smbpasswd as
root.</para></listitem>
</varlistentry>
<varlistentry>
<term>-d</term>
<listitem><para>This option specifies that the username following
should be <constant>disabled</constant> in the local smbpasswd
file. This is done by writing a <constant>'D'</constant> flag
into the account control space in the smbpasswd file. Once this
is done all attempts to authenticate via SMB using this username
will fail. </para>
<para>If the smbpasswd file is in the 'old' format (pre-Samba 2.0
format) there is no space in the users password entry to write
this information and so the user is disabled by writing 'X' characters
into the password space in the smbpasswd file. See <command>smbpasswd(5)
</command> for details on the 'old' and new password file formats.
</para>
<para>This option is only available when running smbpasswd as
root.</para></listitem>
</varlistentry>
<varlistentry>
<term>-e</term>
<listitem><para>This option specifies that the username following
should be <constant>enabled</constant> in the local smbpasswd file,
if the account was previously disabled. If the account was not
disabled this option has no effect. Once the account is enabled then
the user will be able to authenticate via SMB once again. </para>
<para>If the smbpasswd file is in the 'old' format, then <command>
smbpasswd</command> will prompt for a new password for this user,
otherwise the account will be enabled by removing the <constant>'D'
</constant> flag from account control space in the <filename>
smbpasswd</filename> file. See <command>smbpasswd (5)</command> for
details on the 'old' and new password file formats. </para>
<para>This option is only available when running smbpasswd as root.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-D debuglevel</term>
<listitem><para><parameter>debuglevel</parameter> is an integer
from 0 to 10. The default value if this parameter is not specified
is zero. </para>
<para>The higher this value, the more detail will be logged to the
log files about the activities of smbpasswd. At level 0, only
critical errors and serious warnings will be logged. </para>
<para>Levels above 1 will generate considerable amounts of log
data, and should only be used when investigating a problem. Levels
above 3 are designed for use only by developers and generate
HUGE amounts of log data, most of which is extremely cryptic.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-n</term>
<listitem><para>This option specifies that the username following
should have their password set to null (i.e. a blank password) in
the local smbpasswd file. This is done by writing the string "NO
PASSWORD" as the first part of the first password stored in the
smbpasswd file. </para>
<para>Note that to allow users to logon to a Samba server once
the password has been set to "NO PASSWORD" in the smbpasswd
file the administrator must set the following parameter in the [global]
section of the <filename>smb.conf</filename> file : </para>
<para><command>null passwords = yes</command></para>
<para>This option is only available when running smbpasswd as
root.</para></listitem>
</varlistentry>
<varlistentry>
<term>-r remote machine name</term>
<listitem><para>This option allows a user to specify what machine
they wish to change their password on. Without this parameter
smbpasswd defaults to the local host. The <replaceable>remote
machine name</replaceable> is the NetBIOS name of the SMB/CIFS
server to contact to attempt the password change. This name is
resolved into an IP address using the standard name resolution
mechanism in all programs of the Samba suite. See the <parameter>-R
name resolve order</parameter> parameter for details on changing
this resolving mechanism. </para>
<para>The username whose password is changed is that of the
current UNIX logged on user. See the <parameter>-U username</parameter>
parameter for details on changing the password for a different
username. </para>
<para>Note that if changing a Windows NT Domain password the
remote machine specified must be the Primary Domain Controller for
the domain (Backup Domain Controllers only have a read-only
copy of the user account database and will not allow the password
change).</para>
<para><emphasis>Note</emphasis> that Windows 95/98 do not have
a real password database so it is not possible to change passwords
specifying a Win95/98 machine as remote machine target. </para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R name resolve order</term>
<listitem><para>This option allows the user of smbclient to determine
what name resolution services to use when looking up the NetBIOS
name of the host being connected to. </para>
<para>The options are :"lmhosts", "host", "wins" and "bcast". They cause
names to be resolved as follows : </para>
<itemizedlist>
<listitem><para><constant>lmhosts</constant> : Lookup an IP
address in the Samba lmhosts file. If the line in lmhosts has
no name type attached to the NetBIOS name (see the <ulink
url="lmhosts.5.html">lmhosts(5)</ulink> for details) then
any name type matches for lookup.</para></listitem>
<listitem><para><constant>host</constant> : Do a standard host
name to IP address resolution, using the system <filename>/etc/hosts
</filename>, NIS, or DNS lookups. This method of name resolution
is operating system depended for instance on IRIX or Solaris this
may be controlled by the <filename>/etc/nsswitch.conf</filename>
file). Note that this method is only used if the NetBIOS name
type being queried is the 0x20 (server) name type, otherwise
it is ignored.</para></listitem>
<listitem><para><constant>wins</constant> : Query a name with
the IP address listed in the <parameter>wins server</parameter>
parameter. If no WINS server has been specified this method
will be ignored.</para></listitem>
<listitem><para><constant>bcast</constant> : Do a broadcast on
each of the known local interfaces listed in the
<parameter>interfaces</parameter> parameter. This is the least
reliable of the name resolution methods as it depends on the
target host being on a locally connected subnet.</para></listitem>
</itemizedlist>
<para>The default order is <command>lmhosts, host, wins, bcast</command>
and without this parameter or any entry in the
<filename>smb.conf</filename> file the name resolution methods will
be attempted in this order. </para></listitem>
</varlistentry>
<varlistentry>
<term>-m</term>
<listitem><para>This option tells smbpasswd that the account
being changed is a MACHINE account. Currently this is used
when Samba is being used as an NT Primary Domain Controller.</para>
<para>This option is only available when running smbpasswd as root.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-j DOMAIN</term>
<listitem><para>This option is used to add a Samba server
into a Windows NT Domain, as a Domain member capable of authenticating
user accounts to any Domain Controller in the same way as a Windows
NT Server. See the <command>security = domain</command> option in
the <filename>smb.conf(5)</filename> man page. </para>
<para>In order to be used in this way, the Administrator for
the Windows NT Domain must have used the program "Server Manager
for Domains" to add the primary NetBIOS name of the Samba server
as a member of the Domain. </para>
<para>After this has been done, to join the Domain invoke <command>
smbpasswd</command> with this parameter. smbpasswd will then
look up the Primary Domain Controller for the Domain (found in
the <filename>smb.conf</filename> file in the parameter
<parameter>password server</parameter> and change the machine account
password used to create the secure Domain communication. This
password is then stored by smbpasswd in a TDB, writeable only by root,
called <filename>secrets.tdb</filename> </para>
<para>Once this operation has been performed the <filename>
smb.conf</filename> file may be updated to set the <command>
security = domain</command> option and all future logins
to the Samba server will be authenticated to the Windows NT
PDC. </para>
<para>Note that even though the authentication is being
done to the PDC all users accessing the Samba server must still
have a valid UNIX account on that machine. </para>
<para>This option is only available when running smbpasswd as root.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-U username</term>
<listitem><para>This option may only be used in conjunction
with the <parameter>-r</parameter> option. When changing
a password on a remote machine it allows the user to specify
the user name on that machine whose password will be changed. It
is present to allow users who have different user names on
different systems to change these passwords. </para></listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem><para>This option prints the help string for <command>
smbpasswd</command>, selecting the correct one for running as root
or as an ordinary user. </para></listitem>
</varlistentry>
<varlistentry>
<term>-s</term>
<listitem><para>This option causes smbpasswd to be silent (i.e.
not issue prompts) and to read it's old and new passwords from
standard input, rather than from <filename>/dev/tty</filename>
(like the <command>passwd(1)</command> program does). This option
is to aid people writing scripts to drive smbpasswd</para>
</listitem>
</varlistentry>
<varlistentry>
<term>username</term>
<listitem><para>This specifies the username for all of the
<emphasis>root only</emphasis> options to operate on. Only root
can specify this parameter as only root has the permission needed
to modify attributes directly in the local smbpasswd file.
</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>NOTES</title>
<para>Since <command>smbpasswd</command> works in client-server
mode communicating with a local smbd for a non-root user then
the smbd daemon must be running for this to work. A common problem
is to add a restriction to the hosts that may access the <command>
smbd</command> running on the local machine by specifying a
<parameter>allow hosts</parameter> or <parameter>deny hosts</parameter>
entry in the <filename>smb.conf</filename> file and neglecting to
allow "localhost" access to the smbd. </para>
<para>In addition, the smbpasswd command is only useful if Samba
has been set up to use encrypted passwords. See the file
<filename>ENCRYPTION.txt</filename> in the docs directory for details
on how to do this. </para>
</refsect1>
<refsect1>
<title>VERSION</title>
<para>This man page is correct for version 2.2 of
the Samba suite.</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><ulink url="smbpasswd.5.html"><filename>smbpasswd(5)</filename></ulink>,
<ulink url="samba.7.html">samba(7)</ulink>
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para>The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.</para>
<para>The original Samba man pages were written by Karl Auer.
The man page sources were converted to YODL format (another
excellent piece of Open Source software, available at
<ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
release by Jeremy Allison. The conversion to DocBook for
Samba 2.2 was done by Gerald Carter</para>
</refsect1>
</refentry>
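Review bot: In the -j DOMAIN entry the machine account password is now described as stored "in a TDB, writeable only by root, called secrets.tdb", where the text being replaced said the file was "read only by root". The new wording leaves open whether other users may read the secret, so it should say "readable and writeable only by root". The same entry opens a parenthesis at "(found in the smb.conf file in the parameter password server" that is never closed. The -R entry still reads "allows the user of smbclient", carried over from the smbclient page, and should name smbpasswd. In the host item of -R, "is operating system depended for instance on IRIX or Solaris" has lost the sentence break the old text had ("dependent. For instance ...") and keeps a dangling ")" after the nsswitch.conf file name. In -s, "read it's old and new passwords" should be "its", and the final sentence lacks a period.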

@ -1,161 +1,378 @@
<html><head><title>smbcacls (1)</title>
</head>
<body>
<hr>
<h1>smbcacls (1)</h1>
<h2>Samba</h2>
<h2>22 Dec 2000</h2>
<p><a name="NAME"></a>
<h2>NAME</h2>
smbcacls - Set or get ACLs on an NT file or directory
<p><a name="SYNOPSIS"></a>
<h2>SYNOPSIS</h2>
<p><strong>smbcacls</strong> //server/share filename [<a href="smbcacls.1.html#minusU">-U username</a>]
[<a href="smbcacls.1.html#minusA">-A acls</a>] [<a href="smbcacls.1.html#minusM">-M acls</a>]
[<a href="smbcacls.1.html#minusD">-D acls</a>] [<a href="smbcacls.1.html#minusS">-S acls</a>]
[<a href="smbcacls.1.html#minusC">-C name</a>] [<a href="smbcacls.1.html#minusG">-G name</a>]
[<a href="smbcacls.1.html#minusn">-n</a>] [<a href="smbcacls.1.html#minush">-h</a>]
<p><a name="DESCRIPTION"></a>
<h2>DESCRIPTION</h2>
<p>The <strong>smbcacls</strong> program manipulates NT Access Control Lists (ACLs) on
SMB file shares.
<p><a name="OPTIONS"></a>
<h2>OPTIONS</h2>
<p>The following options are available to the <strong>smbcacls</strong> program. The
format of ACLs is described in the section <a href="smbcacls.1.html#ACLFORMAT">ACL FORMAT</a>
<p><dl>
<p><a name="minusA"></a>
<p></p><dt><strong><strong>-A acls</strong></strong><dd>
<p>Add the ACLs specified to the ACL list. Existing access control entries
are unchanged.
<p><a name="minusM"></a>
<p></p><dt><strong><strong>-M acls</strong></strong><dd>
<p>Modify the mask value (permissions) for the ACLs specified on the command
line. An error will be printed for each ACL specified that was not already
present in the ACL list.
<p><a name="minusD"></a>
<p></p><dt><strong><strong>-D acls</strong></strong><dd>
<p>Delete any ACLs specfied on the command line. An error will be printed for
each ACL specified that was not already present in the ACL list.
<p><a name="minusS"></a>
<p></p><dt><strong><strong>-S acls</strong></strong><dd>
<p>This command sets the ACLs on the file with only the ones specified on the
command line. All other ACLs are erased. Note that the ACL specified must
contain at least a revision, type, owner and group for the call to succeed.
<p><a name="minusU"></a>
<p></p><dt><strong><strong>-U username</strong></strong><dd>
<p>Specifies a username used to connect to the specified service. The
username may be of the form <code>username</code> in which case the user is
prompted to enter in a password and the workgroup specified in the
<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file is used, or <code>username%password</code>
or <code>DOMAIN\username%password</code> and the password and workgroup names are
used as provided.
<p><a name="minusC"></a>
<p></p><dt><strong><strong>-C name</strong></strong><dd>
<p>The owner of a file or directory can be changed to the name given
using the -C option. The name can be a sid in the form <code>S-1-x-y-z</code> or a
name resolved against the server specified in the first argument.
<p>This command is a shortcut for <code>-M OWNER:name</code>.
<p><a name="minusG"></a>
<p></p><dt><strong><strong>-G name</strong></strong><dd>
<p>The group owner of a file or directory can be changed to the name given
using the -G option. The name can be a sid in the form <code>S-1-x-y-z</code> or a
name resolved against the server specified in the first argument.
<p>This command is a shortcut for <code>-M GROUP:name</code>.
<p><a name="minusn"></a>
<p></p><dt><strong><strong>-n</strong></strong><dd>
<p>This option displays all ACL information in numeric format. The default is
to convert SIDs to names and ACE types and masks to a readable string
format.
<p><a name="minush"></a>
<p></p><dt><strong><strong>-h</strong></strong><dd>
<p>Print usage information on the <strong>smbcacls</strong> program
<p></dl>
<p><a name="ACLFORMAT"></a>
<h2>ACL FORMAT</h2>
<p>The format of an ACL is one or more ACL entries separated by either
commas or newlines. An ACL entry is one of the following:
<p><pre>
<HTML
><HEAD
><TITLE
>smbcacls</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
><BODY
CLASS="REFENTRY"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><H1
><A
NAME="SMBCACLS"
>smbcacls</A
></H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5"
></A
><H2
>Name</H2
>smbcacls&nbsp;--&nbsp;Set or get ACLs on an NT file or directory names</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN8"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>nmblookup</B
> {//server/share} {filename} [-U username] [-A acls] [-M acls] [-D acls] [-S acls] [-C name] [-G name] [-n] [-h]</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN22"
></A
><H2
>DESCRIPTION</H2
><P
>This tool is part of the <A
HREF="samba.7.html"
TARGET="_top"
> Samba</A
> suite.</P
><P
>The smbcacls program manipulates NT Access Control Lists
(ACLs) on SMB file shares. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN27"
></A
><H2
>OPTIONS</H2
><P
>The following options are available to the smbcacls program.
The format of ACLs is described in the section ACL FORMAT </P
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>-A acls</DT
><DD
><P
>Add the ACLs specified to the ACL list. Existing
access control entries are unchanged. </P
></DD
><DT
>-M acls</DT
><DD
><P
>Modify the mask value (permissions) for the ACLs
specified on the command line. An error will be printed for each
ACL specified that was not already present in the ACL list
</P
></DD
><DT
>-D acls</DT
><DD
><P
>Delete any ACLs specfied on the command line.
An error will be printed for each ACL specified that was not
already present in the ACL list. </P
></DD
><DT
>-S acls</DT
><DD
><P
>This command sets the ACLs on the file with
only the ones specified on the command line. All other ACLs are
erased. Note that the ACL specified must contain at least a revision,
type, owner and group for the call to succeed. </P
></DD
><DT
>-U username</DT
><DD
><P
>Specifies a username used to connect to the
specified service. The username may be of the form "username" in
which case the user is prompted to enter in a password and the
workgroup specified in the <TT
CLASS="FILENAME"
>smb.conf</TT
> file is
used, or "username%password" or "DOMAIN\username%password" and the
password and workgroup names are used as provided. </P
></DD
><DT
>-C name</DT
><DD
><P
>The owner of a file or directory can be changed
to the name given using the <TT
CLASS="PARAMETER"
><I
>-C</I
></TT
> option.
The name can be a sid in the form S-1-x-y-z or a name resolved
against the server specified in the first argument. </P
><P
>This command is a shortcut for -M OWNER:name.
</P
></DD
><DT
>-G name</DT
><DD
><P
>The group owner of a file or directory can
be changed to the name given using the <TT
CLASS="PARAMETER"
><I
>-G</I
></TT
>
option. The name can be a sid in the form S-1-x-y-z or a name
resolved against the server specified n the first argument.
</P
><P
>This command is a shortcut for -M GROUP:name.</P
></DD
><DT
>-n</DT
><DD
><P
>This option displays all ACL information in numeric
format. The default is to convert SIDs to names and ACE types
and masks to a readable string format. </P
></DD
><DT
>-h</DT
><DD
><P
>Print usage information on the <B
CLASS="COMMAND"
>smbcacls
</B
> program.</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN73"
></A
><H2
>ACL FORMAT</H2
><P
>The format of an ACL is one or more ACL entries separated by
either commas or newlines. An ACL entry is one of the following: </P
><P
><PRE
CLASS="PROGRAMLISTING"
>
REVISION:&lt;revision number&gt;
OWNER:&lt;sid or name&gt;
GROUP:&lt;sid or name&gt;
ACL:&lt;sid or name&gt;:&lt;type&gt;/&lt;flags&gt;/&lt;mask&gt;
</pre>
<p>The revision of the ACL specifies the internal Windows NT ACL revision for
the security descriptor. If not specified it defaults to 1. Using values
other than 1 may cause strange behaviour.
<p>The owner and group specify the owner and group sids for the object. If a
SID in the format <code>S-1-x-y-z</code> is specified this is used, otherwise
the name specified is resolved using the server on which the file or
directory resides.
<p>ACLs specify permissions granted to the SID. This SID again can be
specified in <code>S-1-x-y-z</code> format or as a name in which case it is resolved
against the server on which the file or directory resides. The type, flags
and mask values determine the type of access granted to the SID.
<p>The type can be either 0 or 1 corresponding to ALLOWED or DENIED access to
the SID. The flags values are generally zero for file ACLs and either 9 or
2 for directory ACLs. Some common flags are:
<p><pre>
#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1
#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2
#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4
#define SEC_ACE_FLAG_INHERIT_ONLY 0x8
</pre>
<p>At present flags can only be specified as decimal or hexadecimal values.
<p>The mask is a value which expresses the access right granted to the SID.
It can be given as a decimal or hexadecimal value, or by using one of the
following text strings which map to the NT file permissions of the same
name.
<p><dl>
<p><p></p><dt><strong></strong><dd> <code>R</code> Allow read access
<p><p></p><dt><strong></strong><dd> <code>W</code> Allow write access
<p><p></p><dt><strong></strong><dd> <code>X</code> Execute permission on the object
<p><p></p><dt><strong></strong><dd> <code>D</code> Delete the object
<p><p></p><dt><strong></strong><dd> <code>P</code> Change permissions
<p><p></p><dt><strong></strong><dd> <code>O</code> Take ownership
<p></dl>
<p>The following combined permissions can be specified:
<p><dl>
<p><p></p><dt><strong></strong><dd> <code>READ</code>
<p>Equivalent to <code>RX</code> permissions
<p><p></p><dt><strong></strong><dd> <code>CHANGE</code>
<p>Equivalent to <code>RXWD</code> permissions
<p><p></p><dt><strong></strong><dd> <code>FULL</code>
<p>Equivalent to <code>RWXDPO</code> permissions
<p></dl>
<p><a name="EXITSTATUS"></a>
<h2>EXIT STATUS</h2>
<p>The <strong>smbcacls</strong> program sets the exit status depending on the success or
otherwise of the operations performed. The exit status may be one of the
following values.
<p>If the operation succeded, <strong>smbcacls</strong> returns and exit status of 0. If
<strong>smbcacls</strong> couldn't connect to the specified server, or there was an
error getting or setting the ACLs, an exit status of 1 is returned. If
there was an error parsing any command line arguments, an exit status of 2
is returned.
<p><a name="AUTHOR"></a>
<h2>AUTHOR</h2>
<p>The original Samba software and related utilities were created by
Andrew Tridgell. Samba is now developed by the Samba Team as an Open
Source project.
<p><strong>smbcacls</strong> was written by Andrew Tridgell and Tim Potter.
</body>
</html>
</PRE
></P
><P
>The revision of the ACL specifies the internal Windows
NT ACL revision for the security descriptor.
If not specified it defaults to 1. Using values other than 1 may
cause strange behaviour. </P
><P
>The owner and group specify the owner and group sids for the
object. If a SID in the format CWS-1-x-y-z is specified this is used,
otherwise the name specified is resolved using the server on which
the file or directory resides. </P
><P
>ACLs specify permissions granted to the SID. This SID again
can be specified in CWS-1-x-y-z format or as a name in which case
it is resolved against the server on which the file or directory
resides. The type, flags and mask values determine the type of
access granted to the SID. </P
><P
>The type can be either 0 or 1 corresponding to ALLOWED or
DENIED access to the SID. The flags values are generally
zero for file ACLs and either 9 or 2 for directory ACLs. Some
common flags are: </P
><P
></P
><UL
><LI
><P
>#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1</P
></LI
><LI
><P
>#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2</P
></LI
><LI
><P
>#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4
</P
></LI
><LI
><P
>#define SEC_ACE_FLAG_INHERIT_ONLY 0x8</P
></LI
></UL
><P
>At present flags can only be specified as decimal or
hexadecimal values.</P
><P
>The mask is a value which expresses the access right
granted to the SID. It can be given as a decimal or hexadecimal value,
or by using one of the following text strings which map to the NT
file permissions of the same name. </P
><P
></P
><UL
><LI
><P
><I
CLASS="EMPHASIS"
>R</I
> - Allow read access </P
></LI
><LI
><P
><I
CLASS="EMPHASIS"
>W</I
> - Allow write access</P
></LI
><LI
><P
><I
CLASS="EMPHASIS"
>X</I
> - Execute permission on the object</P
></LI
><LI
><P
><I
CLASS="EMPHASIS"
>D</I
> - Delete the object</P
></LI
><LI
><P
><I
CLASS="EMPHASIS"
>P</I
> - Change permissions</P
></LI
><LI
><P
><I
CLASS="EMPHASIS"
>O</I
> - Take ownership</P
></LI
></UL
><P
>The following combined permissions can be specified:</P
><P
></P
><UL
><LI
><P
><I
CLASS="EMPHASIS"
>READ</I
> - Equivalent to 'RX'
permissions</P
></LI
><LI
><P
><I
CLASS="EMPHASIS"
>CHANGE</I
> - Equivalent to 'RXWD' permissions
</P
></LI
><LI
><P
><I
CLASS="EMPHASIS"
>FULL</I
> - Equivalent to 'RWXDPO'
permissions</P
></LI
></UL
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN123"
></A
><H2
>EXIT STATUS</H2
><P
>The <B
CLASS="COMMAND"
>smbcacls</B
> program sets the exit status
depending on the success or otherwise of the operations performed.
The exit status may be one of the following values. </P
><P
>If the operation succeded, smbcacls returns and exit
status of 0. If smbcacls couldn't connect to the specified server,
or there was an error getting or setting the ACLs, an exit status
of 1 is returned. If there was an error parsing any command line
arguments, an exit status of 2 is returned. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN128"
></A
><H2
>VERSION</H2
><P
>This man page is correct for version 2.2 of
the Samba suite.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN131"
></A
><H2
>AUTHOR</H2
><P
>The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.</P
><P
><B
CLASS="COMMAND"
>smbcacls</B
> was written by Andrew Tridgell
and Tim Potter.</P
><P
>The conversion to DocBook for Samba 2.2 was done
by Gerald Carter</P
></DIV
></BODY
></HTML
>
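Review bot: The new Synopsis names the wrong command: the CLASS="COMMAND" element reads "nmblookup" where the old page had "smbcacls", so the generated page tells the reader to run a different tool with smbcacls arguments. Fix it in the DocBook source and regenerate. The same conversion turned the SID form "S-1-x-y-z" into "CWS-1-x-y-z" in the two ACL FORMAT paragraphs on owner/group and on ACL entries, appended a stray "names" to the Name line ("Set or get ACLs on an NT file or directory names"), and flattened the four SEC_ACE_FLAG_* defines into a bullet list where the old page had a preformatted block. This page is the reference for what -S erases and for how type 0/1 maps to ALLOWED/DENIED, so the SID syntax and flag values need to read exactly as they are typed. Typos carried over or introduced ("specfied", "specified n the first argument", "succeded", "returns and exit status") could be cleaned up in the same pass.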


@ -1,195 +1,326 @@
<html><head><title>smbpasswd (5)</title>
<link rev="made" href="mailto:samba@samba.org">
</head>
<body>
<hr>
<h1>smbpasswd (5)</h1>
<h2>Samba</h2>
<h2>23 Oct 1998</h2>
<p><a name="NAME"></a>
<h2>NAME</h2>
smbpasswd - The Samba encrypted password file
<p><a name="SYNOPSIS"></a>
<h2>SYNOPSIS</h2>
<p>smbpasswd is the <strong>Samba</strong> encrypted password file.
<p><a name="DESCRIPTION"></a>
<h2>DESCRIPTION</h2>
<p>This file is part of the <strong>Samba</strong> suite.
<p>smbpasswd is the <strong>Samba</strong> encrypted password file. It contains
the username, Unix user id and the SMB hashed passwords of the
user, as well as account flag information and the time the password
was last changed. This file format has been evolving with Samba
and has had several different formats in the past.
<p><a name="FILEFORMAT"></a>
<h2>FILE FORMAT</h2>
<p>The format of the smbpasswd file used by Samba 2.0 is very similar to
the familiar Unix <strong>passwd (5)</strong> file. It is an ASCII file containing
one line for each user. Each field within each line is separated from
the next by a colon. Any entry beginning with # is ignored. The
smbpasswd file contains the following information for each user:
<p><dl>
<p><a name="name"></a>
<p></p><dt><strong><strong>name</strong></strong><dd> <br> <br>
<p>This is the user name. It must be a name that already exists
in the standard UNIX passwd file.
<p><a name="uid"></a>
<p></p><dt><strong><strong>uid</strong></strong><dd> <br> <br>
<p>This is the UNIX uid. It must match the uid field for the same
user entry in the standard UNIX passwd file. If this does not
match then Samba will refuse to recognize this <strong>smbpasswd</strong> file entry
as being valid for a user.
<p><a name="LanmanPasswordHash"></a>
<p></p><dt><strong><strong>Lanman Password Hash</strong></strong><dd> <br> <br>
<p>This is the <em>LANMAN</em> hash of the users password, encoded as 32 hex
digits. The <em>LANMAN</em> hash is created by DES encrypting a well known
string with the users password as the DES key. This is the same
password used by Windows 95/98 machines. Note that this password hash
is regarded as weak as it is vulnerable to dictionary attacks and if
two users choose the same password this entry will be identical (i.e.
the password is not <em>"salted"</em> as the UNIX password is). If the
user has a null password this field will contain the characters
<code>"NO PASSWORD"</code> as the start of the hex string. If the hex string
is equal to 32 <code>'X'</code> characters then the users account is marked as
<em>disabled</em> and the user will not be able to log onto the Samba
server.
<p><em>WARNING !!</em>. Note that, due to the challenge-response nature of the
SMB/CIFS authentication protocol, anyone with a knowledge of this
password hash will be able to impersonate the user on the network.
For this reason these hashes are known as <em>"plain text equivalent"</em>
and must <em>NOT</em> be made available to anyone but the root user. To
protect these passwords the <strong>smbpasswd</strong> file is placed in a
directory with read and traverse access only to the root user and the
<strong>smbpasswd</strong> file itself must be set to be read/write only by root,
with no other access.
<p><a name="NTPasswordHash"></a>
<p></p><dt><strong><strong>NT Password Hash</strong></strong><dd> <br> <br>
<p>This is the <em>Windows NT</em> hash of the users password, encoded as 32
hex digits. The <em>Windows NT</em> hash is created by taking the users
password as represented in 16-bit, little-endian UNICODE and then
applying the <em>MD4</em> (internet rfc1321) hashing algorithm to it.
<p>This password hash is considered more secure than the <a href="smbpasswd.5.html#LanmanPasswordHash"><strong>Lanman
Password Hash</strong></a> as it preserves the case of the
password and uses a much higher quality hashing algorithm. However, it
is still the case that if two users choose the same password this
entry will be identical (i.e. the password is not <em>"salted"</em> as the
UNIX password is).
<p><em>WARNING !!</em>. Note that, due to the challenge-response nature of the
SMB/CIFS authentication protocol, anyone with a knowledge of this
password hash will be able to impersonate the user on the network.
For this reason these hashes are known as <em>"plain text equivalent"</em>
and must <em>NOT</em> be made available to anyone but the root user. To
protect these passwords the <strong>smbpasswd</strong> file is placed in a
directory with read and traverse access only to the root user and the
<strong>smbpasswd</strong> file itself must be set to be read/write only by root,
with no other access.
<p><a name="AccountFlags"></a>
<p></p><dt><strong><strong>Account Flags</strong></strong><dd> <br> <br>
<p>This section contains flags that describe the attributes of the users
account. In the <strong>Samba2.0</strong> release this field is bracketed by <code>'['</code>
and <code>']'</code> characters and is always 13 characters in length (including
the <code>'['</code> and <code>']'</code> characters). The contents of this field may be
any of the characters.
<p><dl>
<p><a name="capU"></a>
<li > <strong>'U'</strong> This means this is a <em>"User"</em> account, i.e. an ordinary
user. Only <strong>User</strong> and <a href="smbpasswd.5.html#capW"><strong>Workstation Trust</strong></a> accounts are
currently supported in the <strong>smbpasswd</strong> file.
<p><a name="capN"></a>
<li > <strong>'N'</strong> This means the account has <em>no</em> password (the passwords
in the fields <a href="smbpasswd.5.html#LanmanPasswordHash"><strong>Lanman Password Hash</strong></a> and
<a href="smbpasswd.5.html#NTPasswordHash"><strong>NT Password Hash</strong></a> are ignored). Note that this
will only allow users to log on with no password if the
<a href="smb.conf.5.html#nullpasswords"><strong>null passwords</strong></a> parameter is set
in the <a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a> config file.
<p><a name="capD"></a>
<li > <strong>'D'</strong> This means the account is disabled and no SMB/CIFS logins
will be allowed for this user.
<p><a name="capW"></a>
<li > <strong>'W'</strong> This means this account is a <em>"Workstation Trust"</em> account.
This kind of account is used in the Samba PDC code stream to allow Windows
NT Workstations and Servers to join a Domain hosted by a Samba PDC.
<p></dl>
<p>Other flags may be added as the code is extended in future. The rest of
this field space is filled in with spaces.
<p><a name="LastChangeTime"></a>
<p></p><dt><strong><strong>Last Change Time</strong></strong><dd> <br> <br>
<p>This field consists of the time the account was last modified. It consists of
the characters <code>LCT-</code> (standing for <em>"Last Change Time"</em>) followed by a numeric
encoding of the UNIX time in seconds since the epoch (1970) that the last change
was made.
<p><p></p><dt><strong><strong>Following fields</strong></strong><dd> <br> <br>
<p>All other colon separated fields are ignored at this time.
<p></dl>
<p><a name="NOTES"></a>
<h2>NOTES</h2>
<p>In previous versions of Samba (notably the 1.9.18 series) this file
did not contain the <a href="smbpasswd.5.html#AccountFlags"><strong>Account Flags</strong></a> or
<a href="smbpasswd.5.html#LastChangeTime"><strong>Last Change Time</strong></a> fields. The Samba 2.0
code will read and write these older password files but will not be able to
modify the old entries to add the new fields. New entries added with
<a href="smbpasswd.8.html"><strong>smbpasswd (8)</strong></a> will contain the new fields
in the added accounts however. Thus an older <strong>smbpasswd</strong> file used
with Samba 2.0 may end up with some accounts containing the new fields
and some not.
<p>In order to convert from an old-style <strong>smbpasswd</strong> file to a new
style, run the script <strong>convert_smbpasswd</strong>, installed in the
Samba <code>bin/</code> directory (the same place that the <a href="smbd.8.html"><strong>smbd</strong></a>
and <a href="nmbd.8.html"><strong>nmbd</strong></a> binaries are installed) as follows:
<p><pre>
cat old_smbpasswd_file | convert_smbpasswd &gt; new_smbpasswd_file
</pre>
<p>The <strong>convert_smbpasswd</strong> script reads from stdin and writes to stdout
so as not to overwrite any files by accident.
<p>Once this script has been run, check the contents of the new smbpasswd
file to ensure that it has not been damaged by the conversion script
(which uses <strong>awk</strong>), and then replace the <code>&lt;old smbpasswd file&gt;</code>
with the <code>&lt;new smbpasswd file&gt;</code>.
<p><a name="VERSION"></a>
<h2>VERSION</h2>
<p>This man page is correct for version 2.0 of the Samba suite.
<p><a name="SEEALSO"></a>
<h2>SEE ALSO</h2>
<p><a href="smbpasswd.8.html"><strong>smbpasswd (8)</strong></a>, <a href="samba.7.html"><strong>samba
(7)</strong></a>, and the Internet RFC1321 for details on the MD4
algorithm.
<p><a name="AUTHOR"></a>
<h2>AUTHOR</h2>
<p>The original Samba software and related utilities were created by
Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed
by the Samba Team as an Open Source project similar to the way the
Linux kernel is developed.
<p>The original Samba man pages were written by Karl Auer. The man page
sources were converted to YODL format (another excellent piece of Open
Source software, available at
<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>)
and updated for the Samba2.0 release by Jeremy
Allison, <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>.
<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full
list of contributors and details on how to submit bug reports,
comments etc.
</body>
</html>
<HTML
><HEAD
><TITLE
>smbpasswd</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
><BODY
CLASS="REFENTRY"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><H1
><A
NAME="SMBPASSWD"
>smbpasswd</A
></H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5"
></A
><H2
>Name</H2
>smbpasswd&nbsp;--&nbsp;The Samba encrypted password file</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN8"
></A
><H2
>Synopsis</H2
><P
><TT
CLASS="FILENAME"
>smbpasswd</TT
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11"
></A
><H2
>DESCRIPTION</H2
><P
>This tool is part of the <A
HREF="samba.7.html"
TARGET="_top"
> Samba</A
> suite.</P
><P
>smbpasswd is the Samba encrypted password file. It contains
the username, Unix user id and the SMB hashed passwords of the
user, as well as account flag information and the time the
password was last changed. This file format has been evolving with
Samba and has had several different formats in the past. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN16"
></A
><H2
>FILE FORMAT</H2
><P
>The format of the smbpasswd file used by Samba 2.2
is very similar to the familiar Unix <TT
CLASS="FILENAME"
>passwd(5)</TT
>
file. It is an ASCII file containing one line for each user. Each field
ithin each line is separated from the next by a colon. Any entry
beginning with '#' is ignored. The smbpasswd file contains the
following information for each user: </P
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>name</DT
><DD
><P
> This is the user name. It must be a name that
already exists in the standard UNIX passwd file. </P
></DD
><DT
>uid</DT
><DD
><P
>This is the UNIX uid. It must match the uid
field for the same user entry in the standard UNIX passwd file.
If this does not match then Samba will refuse to recognize
this smbpasswd file entry as being valid for a user.
</P
></DD
><DT
>Lanman Password Hash</DT
><DD
><P
>This is the LANMAN hash of the users password,
encoded as 32 hex digits. The LANMAN hash is created by DES
encrypting a well known string with the users password as the
DES key. This is the same password used by Windows 95/98 machines.
Note that this password hash is regarded as weak as it is
vulnerable to dictionary attacks and if two users choose the
same password this entry will be identical (i.e. the password
is not "salted" as the UNIX password is). If the user has a
null password this field will contain the characters "NO PASSWORD"
as the start of the hex string. If the hex string is equal to
32 'X' characters then the users account is marked as
<TT
CLASS="CONSTANT"
>disabled</TT
> and the user will not be able to
log onto the Samba server. </P
><P
><I
CLASS="EMPHASIS"
>WARNING !!</I
> Note that, due to
the challenge-response nature of the SMB/CIFS authentication
protocol, anyone with a knowledge of this password hash will
be able to impersonate the user on the network. For this
reason these hashes are known as <I
CLASS="EMPHASIS"
>plain text
equivalents</I
> and must <I
CLASS="EMPHASIS"
>NOT</I
> be made
available to anyone but the root user. To protect these passwords
the smbpasswd file is placed in a directory with read and
traverse access only to the root user and the smbpasswd file
itself must be set to be read/write only by root, with no
other access. </P
></DD
><DT
>NT Password Hash</DT
><DD
><P
>This is the Windows NT hash of the users
password, encoded as 32 hex digits. The Windows NT hash is
created by taking the users password as represented in
16-bit, little-endian UNICODE and then applying the MD4
(internet rfc1321) hashing algorithm to it. </P
><P
>This password hash is considered more secure than
the Lanman Password Hash as it preserves the case of the
password and uses a much higher quality hashing algorithm.
However, it is still the case that if two users choose the same
password this entry will be identical (i.e. the password is
not "salted" as the UNIX password is). </P
><P
><I
CLASS="EMPHASIS"
>WARNING !!</I
>. Note that, due to
the challenge-response nature of the SMB/CIFS authentication
protocol, anyone with a knowledge of this password hash will
be able to impersonate the user on the network. For this
reason these hashes are known as <I
CLASS="EMPHASIS"
>plain text
equivalents</I
> and must <I
CLASS="EMPHASIS"
>NOT</I
> be made
available to anyone but the root user. To protect these passwords
the smbpasswd file is placed in a directory with read and
traverse access only to the root user and the smbpasswd file
itself must be set to be read/write only by root, with no
other access. </P
></DD
><DT
>Account Flags</DT
><DD
><P
>This section contains flags that describe
the attributes of the users account. In the Samba 2.2 release
this field is bracketed by '[' and ']' characters and is always
13 characters in length (including the '[' and ']' characters).
The contents of this field may be any of the characters.
</P
><P
></P
><UL
><LI
><P
><I
CLASS="EMPHASIS"
>U</I
> - This means
this is a "User" account, i.e. an ordinary user. Only User
and Workstation Trust accounts are currently supported
in the smbpasswd file. </P
></LI
><LI
><P
><I
CLASS="EMPHASIS"
>N</I
> - This means the
account has no password (the passwords in the fields Lanman
Password Hash and NT Password Hash are ignored). Note that this
will only allow users to log on with no password if the <TT
CLASS="PARAMETER"
><I
> null passwords</I
></TT
> parameter is set in the <A
HREF="smb.conf.5.html#NULLPASSWORDS"
TARGET="_top"
><TT
CLASS="FILENAME"
>smb.conf(5)
</TT
></A
> config file. </P
></LI
><LI
><P
><I
CLASS="EMPHASIS"
>D</I
> - This means the account
is disabled and no SMB/CIFS logins will be allowed for
this user. </P
></LI
><LI
><P
><I
CLASS="EMPHASIS"
>W</I
> - This means this account
is a "Workstation Trust" account. This kind of account is used
in the Samba PDC code stream to allow Windows NT Workstations
and Servers to join a Domain hosted by a Samba PDC. </P
></LI
></UL
><P
>Other flags may be added as the code is extended in future.
The rest of this field space is filled in with spaces. </P
></DD
><DT
>Last Change Time</DT
><DD
><P
>This field consists of the time the account was
last modified. It consists of the characters 'LCT-' (standing for
"Last Change Time") followed by a numeric encoding of the UNIX time
in seconds since the epoch (1970) that the last change was made.
</P
></DD
></DL
></DIV
><P
>All other colon separated fields are ignored at this time.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN73"
></A
><H2
>VERSION</H2
><P
>This man page is correct for version 2.2 of
the Samba suite.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN76"
></A
><H2
>SEE ALSO</H2
><P
><A
HREF="smbpasswd.8.html"
TARGET="_top"
><B
CLASS="COMMAND"
>smbpasswd(8)</B
></A
>,
<A
HREF="samba.7.html"
TARGET="_top"
>samba(7)</A
>, and
the Internet RFC1321 for details on the MD4 algorithm.
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN82"
></A
><H2
>AUTHOR</H2
><P
>The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.</P
><P
>The original Samba man pages were written by Karl Auer.
The man page sources were converted to YODL format (another
excellent piece of Open Source software, available at
<A
HREF="ftp://ftp.icce.rug.nl/pub/unix/"
TARGET="_top"
> ftp://ftp.icce.rug.nl/pub/unix/</A
>) and updated for the Samba 2.0
release by Jeremy Allison. The conversion to DocBook for
Samba 2.2 was done by Gerald Carter</P
></DIV
></BODY
></HTML
>
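Review bot: The converted page drops the whole NOTES section: the old text explaining that files from the 1.9.18 series lack the Account Flags and Last Change Time fields, together with the convert_smbpasswd procedure, has no counterpart in the new HTML, which goes straight from FILE FORMAT to VERSION. If that is intentional for 2.2, say so in the commit message; otherwise restore it, since a mixed-format smbpasswd file is no longer described anywhere on this page. Also in this hunk: DESCRIPTION now reads "This tool is part of the Samba suite" on a file-format page (the old text said "This file"), "ithin each line" has lost its "w", the first "WARNING !!" lost the period that the second one keeps, and the closing "Gerald Carter" sentence has no full stop. Both WARNING paragraphs about plain-text-equivalent hashes and root-only read/write permissions are retained, which is the part of this page that must survive the conversion unchanged.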


@ -1,281 +1,636 @@
<html><head><title>smbpasswd (8)</title>
<link rev="made" href="mailto:samba@samba.org">
</head>
<body>
<hr>
<h1>smbpasswd (8)</h1>
<h2>Samba</h2>
<h2>23 Oct 1998</h2>
<p><a name="NAME"></a>
<h2>NAME</h2>
smbpasswd - change a users SMB password
<p><a name="SYNOPSIS"></a>
<h2>SYNOPSIS</h2>
<p><strong>smbpasswd</strong> [<a href="smbpasswd.8.html#minusa">-a</a>] [<a href="smbpasswd.8.html#minusx">-x</a>] [<a href="smbpasswd.8.html#minusd">-d</a>] [<a href="smbpasswd.8.html#minuse">-e</a>] [<a href="smbpasswd.8.html#minusD">-D debug level</a>] [<a href="smbpasswd.8.html#minusn">-n</a>] [<a href="smbpasswd.8.html#minusr">-r remote_machine</a>] [<a href="smbpasswd.8.html#minusR">-R name resolve order</a>] [<a href="smbpasswd.8.html#minusm">-m</a>] [<a href="smbpasswd.8.html#minusj">-j DOMAIN</a>] [<a href="smbpasswd.8.html#minusU">-U username</a>] [<a href="smbpasswd.8.html#minush">-h</a>] [<a href="smbpasswd.8.html#minuss">-s</a>] <a href="smbpasswd.8.html#username">username</a>
<p><a name="DESCRIPTION"></a>
<h2>DESCRIPTION</h2>
<p>This program is part of the <strong>Samba</strong> suite.
<p>The <strong>smbpasswd</strong> program has several different functions, depending
on whether it is run by the <em>root</em> user or not. When run as a normal
user it allows the user to change the password used for their SMB
sessions on any machines that store SMB passwords.
<p>By default (when run with no arguments) it will attempt to change the
current users SMB password on the local machine. This is similar to
the way the <strong>passwd (1)</strong> program works. <strong>smbpasswd</strong> differs from how
the <strong>passwd</strong> program works however in that it is not <em>setuid root</em>
but works in a client-server mode and communicates with a locally
running <a href="smbd.8.html"><strong>smbd</strong></a>. As a consequence in order for this
to succeed the <a href="smbd.8.html"><strong>smbd</strong></a> daemon must be running on
the local machine. On a UNIX machine the encrypted SMB passwords are
usually stored in the <a href="smbpasswd.5.html"><strong>smbpasswd (5)</strong></a> file.
<p>When run by an ordinary user with no options. <strong>smbpasswd</strong> will
prompt them for their old smb password and then ask them for their new
password twice, to ensure that the new password was typed
correctly. No passwords will be echoed on the screen whilst being
typed. If you have a blank smb password (specified by the string "NO
PASSWORD" in the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file) then just
press the &lt;Enter&gt; key when asked for your old password.
<p><strong>smbpasswd</strong> can also be used by a normal user to change their SMB
password on remote machines, such as Windows NT Primary Domain
Controllers. See the <a href="smbpasswd.8.html#minusr">(<strong>-r</strong>)</a> and
<a href="smbpasswd.8.html#minusU"><strong>-U</strong></a> options below.
<p>When run by root, <strong>smbpasswd</strong> allows new users to be added and
deleted in the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file, as well as
allows changes to the attributes of the user in this file to be made. When
run by root, <strong>smbpasswd</strong> accesses the local
<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file directly, thus enabling
changes to be made even if <a href="smbd.8.html"><strong>smbd</strong></a> is not running.
<p><a name="OPTIONS"></a>
<h2>OPTIONS</h2>
<p><dl>
<p><a name="minusa"></a>
<p></p><dt><strong><strong>-a</strong></strong><dd> This option specifies that the username following should
be added to the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file, with
the new password typed (type &lt;Enter&gt; for the old password). This
option is ignored if the username following already exists in the
<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file and it is treated like a
regular change password command. Note that the user to be added
<strong>must</strong> already exist in the system password file (usually /etc/passwd)
else the request to add the user will fail.
<p>This option is only available when running <strong>smbpasswd</strong> as
root.
<p><a name="minusx"></a>
<p></p><dt><strong><strong>-x</strong></strong><dd> This option specifies that the username following should
be deleted from the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file.
<p>This option is only available when running <strong>smbpasswd</strong> as
root.
<p><a name="minusd"></a>
<p></p><dt><strong><strong>-d</strong></strong><dd> This option specifies that the username following should be
<em>disabled</em> in the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file.
This is done by writing a <em>'D'</em> flag into the account control space
in the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. Once this is done
all attempts to authenticate via SMB using this username will fail.
<p>If the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file is in the 'old'
format (pre-Samba 2.0 format) there is no space in the users password
entry to write this information and so the user is disabled by writing
'X' characters into the password space in the
<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. See <a href="smbpasswd.5.html"><strong>smbpasswd
(5)</strong></a> for details on the 'old' and new password file
formats.
<p>This option is only available when running <strong>smbpasswd</strong> as root.
<p><a name="minuse"></a>
<p></p><dt><strong><strong>-e</strong></strong><dd> This option specifies that the username following should be
<em>enabled</em> in the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file,
if the account was previously disabled. If the account was not
disabled this option has no effect. Once the account is enabled
then the user will be able to authenticate via SMB once again.
<p>If the smbpasswd file is in the 'old' format then <strong>smbpasswd</strong> will
prompt for a new password for this user, otherwise the account will be
enabled by removing the <em>'D'</em> flag from account control space in the
<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. See <a href="smbpasswd.5.html"><strong>smbpasswd
(5)</strong></a> for details on the 'old' and new password file
formats.
<p>This option is only available when running <strong>smbpasswd</strong> as root.
<p><a name="minusD"></a>
<p></p><dt><strong><strong>-D debuglevel</strong></strong><dd> debuglevel is an integer from 0
to 10. The default value if this parameter is not specified is zero.
<p>The higher this value, the more detail will be logged to the log files
about the activities of smbpasswd. At level 0, only critical errors
and serious warnings will be logged.
<p>Levels above 1 will generate considerable amounts of log data, and
should only be used when investigating a problem. Levels above 3 are
designed for use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic.
<p><a name="minusn"></a>
<p></p><dt><strong><strong>-n</strong></strong><dd> This option specifies that the username following should
have their password set to null (i.e. a blank password) in the local
<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. This is done by writing the
string "NO PASSWORD" as the first part of the first password stored in
the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file.
<p>Note that to allow users to logon to a Samba server once the password
has been set to "NO PASSWORD" in the
<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file the administrator must set
the following parameter in the [global] section of the
<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file :
<p><a href="smb.conf.5.html#nullpasswords">null passwords = true</a>
<p>This option is only available when running <strong>smbpasswd</strong> as root.
<p><a name="minusr"></a>
<p></p><dt><strong><strong>-r remote machine name</strong></strong><dd> This option allows a
user to specify what machine they wish to change their password
on. Without this parameter <strong>smbpasswd</strong> defaults to the local
host. The <em>"remote machine name"</em> is the NetBIOS name of the
SMB/CIFS server to contact to attempt the password change. This name
is resolved into an IP address using the standard name resolution
mechanism in all programs of the <a href="samba.7.html"><strong>Samba</strong></a>
suite. See the <a href="smbpasswd.8.html#minusR"><strong>-R name resolve order</strong></a> parameter for details on changing this resolving
mechanism.
<p>The username whose password is changed is that of the current UNIX
logged on user. See the <a href="smbpasswd.8.html#minusU"><strong>-U username</strong></a>
parameter for details on changing the password for a different
username.
<p>Note that if changing a Windows NT Domain password the remote machine
specified must be the Primary Domain Controller for the domain (Backup
Domain Controllers only have a read-only copy of the user account
database and will not allow the password change).
<p><em>Note</em> that Windows 95/98 do not have a real password database
so it is not possible to change passwords specifying a Win95/98
machine as remote machine target.
<p><a name="minusR"></a>
<p></p><dt><strong><strong>-R name resolve order</strong></strong><dd> This option allows the user of
smbclient to determine what name resolution services to use when
looking up the NetBIOS name of the host being connected to.
<p>The options are :<a href="smbpasswd.8.html#lmhosts">"lmhosts"</a>, <a href="smbpasswd.8.html#host">"host"</a>,
<a href="smbpasswd.8.html#wins">"wins"</a> and <a href="smbpasswd.8.html#bcast">"bcast"</a>. They cause names to be
resolved as follows :
<p><dl>
<p><a name="lmhosts"></a>
<li > <strong>lmhosts</strong> : Lookup an IP address in the Samba lmhosts file.
<p><a name="host"></a>
<li > <strong>host</strong> : Do a standard host name to IP address resolution,
using the system /etc/hosts, NIS, or DNS lookups. This method of name
resolution is operating system dependent. For instance on IRIX or
Solaris, this may be controlled by the <em>/etc/nsswitch.conf</em> file).
<p><a name="wins"></a>
<li > <strong>wins</strong> : Query a name with the IP address listed in the
<a href="smb.conf.5.html#winsserver"><strong>wins server</strong></a> parameter in the
<a href="smb.conf.5.html"><strong>smb.conf file</strong></a>. If
no WINS server has been specified this method will be ignored.
<p><a name="bcast"></a>
<li > <strong>bcast</strong> : Do a broadcast on each of the known local interfaces
listed in the <a href="smb.conf.5.html#interfaces"><strong>interfaces</strong></a> parameter
in the smb.conf file. This is the least reliable of the name resolution
methods as it depends on the target host being on a locally connected
subnet.
<p></dl>
<p>If this parameter is not set then the name resolve order defined
in the <a href="smb.conf.5.html"><strong>smb.conf</strong></a> file parameter
<a href="smb.conf.5.html#nameresolveorder"><strong>name resolve order</strong></a>
will be used.
<p>The default order is lmhosts, host, wins, bcast and without this
parameter or any entry in the <a href="smb.conf.5.html"><strong>smb.conf</strong></a>
file the name resolution methods will be attempted in this order.
<p><a name="minusm"></a>
<p></p><dt><strong><strong>-m</strong></strong><dd> This option tells <strong>smbpasswd</strong> that the account being
changed is a <em>MACHINE</em> account. Currently this is used when Samba is
being used as an NT Primary Domain Controller. PDC support is not a
supported feature in Samba2.0 but will become supported in a later
release. If you wish to know more about using Samba as an NT PDC then
please subscribe to the mailing list
<a href="mailto:samba-ntdom@samba.org"><em>samba-ntdom@samba.org</em></a>.
<p>This option is only available when running <strong>smbpasswd</strong> as root.
<p><a name="minusj"></a>
<p></p><dt><strong><strong>-j DOMAIN</strong></strong><dd> This option is used to add a Samba server into a
Windows NT Domain, as a Domain member capable of authenticating user
accounts to any Domain Controller in the same way as a Windows NT
Server. See the <a href="smb.conf.5.html#security"><strong>security=domain</strong></a>
option in the <a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a> man page.
<p>In order to be used in this way, the Administrator for the Windows
NT Domain must have used the program <em>"Server Manager for Domains"</em>
to add the <a href="smb.conf.5.html#netbiosname">primary NetBIOS name</a> of
the Samba server as a member of the Domain.
<p>After this has been done, to join the Domain invoke <strong>smbpasswd</strong> with
this parameter. <strong>smbpasswd</strong> will then look up the Primary Domain
Controller for the Domain (found in the
<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file in the parameter
<a href="smb.conf.5.html#passwordserver"><strong>password server</strong></a> and change
the machine account password used to create the secure Domain
communication. This password is then stored by <strong>smbpasswd</strong> in a
file, read only by root, called <code>&lt;Domain&gt;.&lt;Machine&gt;.mac</code> where
<code>&lt;Domain&gt;</code> is the name of the Domain we are joining and <code>&lt;Machine&gt;</code>
is the primary NetBIOS name of the machine we are running on.
<p>Once this operation has been performed the
<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file may be updated to set the
<a href="smb.conf.5.html#security"><strong>security=domain</strong></a> option and all
future logins to the Samba server will be authenticated to the Windows
NT PDC.
<p>Note that even though the authentication is being done to the PDC all
users accessing the Samba server must still have a valid UNIX account
on that machine.
<p>This option is only available when running <strong>smbpasswd</strong> as root.
<p><a name="minusU"></a>
<p></p><dt><strong><strong>-U username</strong></strong><dd> This option may only be used in
conjunction with the <a href="smbpasswd.8.html#minusr"><strong>-r</strong></a>
option. When changing a password on a remote machine it allows the
user to specify the user name on that machine whose password will be
changed. It is present to allow users who have different user names on
different systems to change these passwords.
<p><a name="minush"></a>
<p></p><dt><strong><strong>-h</strong></strong><dd> This option prints the help string for <strong>smbpasswd</strong>,
selecting the correct one for running as root or as an ordinary user.
<p><a name="minuss"></a>
<p></p><dt><strong><strong>-s</strong></strong><dd> This option causes <strong>smbpasswd</strong> to be silent (i.e. not
issue prompts) and to read it's old and new passwords from standard
input, rather than from <code>/dev/tty</code> (like the <strong>passwd (1)</strong> program
does). This option is to aid people writing scripts to drive <strong>smbpasswd</strong>
<p><a name="username"></a>
<p></p><dt><strong><strong>username</strong></strong><dd> This specifies the username for all of the <em>root
only</em> options to operate on. Only root can specify this parameter as
only root has the permission needed to modify attributes directly
in the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file.
<p><a name="NOTES"></a>
<h2>NOTES</h2>
<p>Since <strong>smbpasswd</strong> works in client-server mode communicating with a
local <a href="smbd.8.html"><strong>smbd</strong></a> for a non-root user then the <strong>smbd</strong>
daemon must be running for this to work. A common problem is to add a
restriction to the hosts that may access the <strong>smbd</strong> running on the
local machine by specifying a <a href="smb.conf.5.html#allowhosts"><strong>"allow
hosts"</strong></a> or <a href="smb.conf.5.html#denyhosts"><strong>"deny
hosts"</strong></a> entry in the
<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file and neglecting to allow
<em>"localhost"</em> access to the <strong>smbd</strong>.
<p>In addition, the <strong>smbpasswd</strong> command is only useful if <strong>Samba</strong> has
been set up to use encrypted passwords. See the file <strong>ENCRYPTION.txt</strong>
in the docs directory for details on how to do this.
<p><a name="VERSION"></a>
<h2>VERSION</h2>
<p>This man page is correct for version 2.0 of the Samba suite.
<p><a name="AUTHOR"></a>
<h2>AUTHOR</h2>
<p>The original Samba software and related utilities were created by
Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed
by the Samba Team as an Open Source project similar to the way the
Linux kernel is developed.
<p>The original Samba man pages were written by Karl Auer. The man page
sources were converted to YODL format (another excellent piece of Open
Source software, available at
<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>)
and updated for the Samba2.0 release by Jeremy Allison.
<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>.
<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full
list of contributors and details on how to submit bug reports,
comments etc.
</body>
</html>
<HTML
><HEAD
><TITLE
>smbpasswd</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
><BODY
CLASS="REFENTRY"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><H1
><A
NAME="SMBPASSWD"
>smbpasswd</A
></H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5"
></A
><H2
>Name</H2
>smbpasswd&nbsp;--&nbsp;change a users SMB password</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN8"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>smbpasswd</B
> [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r &lt;remote machine&gt;] [-R &lt;name resolve order&gt;] [-m] [-j DOMAIN] [-U username] [-h] [-s] [username]</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN25"
></A
><H2
>DESCRIPTION</H2
><P
>This tool is part of the <A
HREF="samba.7.html"
TARGET="_top"
> Samba</A
> suite.</P
><P
>The smbpasswd program has several different
functions, depending on whether it is run by the <I
CLASS="EMPHASIS"
>root</I
>
user or not. When run as a normal user it allows the user to change
the password used for their SMB sessions on any machines that store
SMB passwords. </P
><P
>By default (when run with no arguments) it will attempt to
change the current users SMB password on the local machine. This is
similar to the way the <B
CLASS="COMMAND"
>passwd(1)</B
> program works.
<B
CLASS="COMMAND"
>smbpasswd</B
> differs from how the passwd program works
however in that it is not <I
CLASS="EMPHASIS"
>setuid root</I
> but works in
a client-server mode and communicates with a locally running
<B
CLASS="COMMAND"
>smbd(8)</B
>. As a consequence in order for this to
succeed the smbd daemon must be running on the local machine. On a
UNIX machine the encrypted SMB passwords are usually stored in
the <TT
CLASS="FILENAME"
>smbpasswd(5)</TT
> file. </P
><P
>When run by an ordinary user with no options. smbpasswd
will prompt them for their old smb password and then ask them
for their new password twice, to ensure that the new password
was typed correctly. No passwords will be echoed on the screen
whilst being typed. If you have a blank smb password (specified by
the string "NO PASSWORD" in the smbpasswd file) then just press
the &lt;Enter&gt; key when asked for your old password. </P
><P
>smbpasswd can also be used by a normal user to change their
SMB password on remote machines, such as Windows NT Primary Domain
Controllers. See the (-r) and -U options below. </P
><P
>When run by root, smbpasswd allows new users to be added
and deleted in the smbpasswd file, as well as allows changes to
the attributes of the user in this file to be made. When run by root,
<B
CLASS="COMMAND"
>smbpasswd</B
> accesses the local smbpasswd file
directly, thus enabling changes to be made even if smbd is not
running. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN41"
></A
><H2
>OPTIONS</H2
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>-a</DT
><DD
><P
>This option specifies that the username
following should be added to the local smbpasswd file, with the
new password typed (type &lt;Enter&gt; for the old password). This
option is ignored if the username following already exists in
the smbpasswd file and it is treated like a regular change
password command. Note that the user to be added must already exist
in the system password file (usually <TT
CLASS="FILENAME"
>/etc/passwd</TT
>)
else the request to add the user will fail. </P
><P
>This option is only available when running smbpasswd
as root. </P
></DD
><DT
>-x</DT
><DD
><P
>This option specifies that the username
following should be deleted from the local smbpasswd file.
</P
><P
>This option is only available when running smbpasswd as
root.</P
></DD
><DT
>-d</DT
><DD
><P
>This option specifies that the username following
should be <TT
CLASS="CONSTANT"
>disabled</TT
> in the local smbpasswd
file. This is done by writing a <TT
CLASS="CONSTANT"
>'D'</TT
> flag
into the account control space in the smbpasswd file. Once this
is done all attempts to authenticate via SMB using this username
will fail. </P
><P
>If the smbpasswd file is in the 'old' format (pre-Samba 2.0
format) there is no space in the users password entry to write
this information and so the user is disabled by writing 'X' characters
into the password space in the smbpasswd file. See <B
CLASS="COMMAND"
>smbpasswd(5)
</B
> for details on the 'old' and new password file formats.
</P
><P
>This option is only available when running smbpasswd as
root.</P
></DD
><DT
>-e</DT
><DD
><P
>This option specifies that the username following
should be <TT
CLASS="CONSTANT"
>enabled</TT
> in the local smbpasswd file,
if the account was previously disabled. If the account was not
disabled this option has no effect. Once the account is enabled then
the user will be able to authenticate via SMB once again. </P
><P
>If the smbpasswd file is in the 'old' format, then <B
CLASS="COMMAND"
> smbpasswd</B
> will prompt for a new password for this user,
otherwise the account will be enabled by removing the <TT
CLASS="CONSTANT"
>'D'
</TT
> flag from account control space in the <TT
CLASS="FILENAME"
> smbpasswd</TT
> file. See <B
CLASS="COMMAND"
>smbpasswd (5)</B
> for
details on the 'old' and new password file formats. </P
><P
>This option is only available when running smbpasswd as root.
</P
></DD
><DT
>-D debuglevel</DT
><DD
><P
><TT
CLASS="PARAMETER"
><I
>debuglevel</I
></TT
> is an integer
from 0 to 10. The default value if this parameter is not specified
is zero. </P
><P
>The higher this value, the more detail will be logged to the
log files about the activities of smbpasswd. At level 0, only
critical errors and serious warnings will be logged. </P
><P
>Levels above 1 will generate considerable amounts of log
data, and should only be used when investigating a problem. Levels
above 3 are designed for use only by developers and generate
HUGE amounts of log data, most of which is extremely cryptic.
</P
></DD
><DT
>-n</DT
><DD
><P
>This option specifies that the username following
should have their password set to null (i.e. a blank password) in
the local smbpasswd file. This is done by writing the string "NO
PASSWORD" as the first part of the first password stored in the
smbpasswd file. </P
><P
>Note that to allow users to logon to a Samba server once
the password has been set to "NO PASSWORD" in the smbpasswd
file the administrator must set the following parameter in the [global]
section of the <TT
CLASS="FILENAME"
>smb.conf</TT
> file : </P
><P
><B
CLASS="COMMAND"
>null passwords = yes</B
></P
><P
>This option is only available when running smbpasswd as
root.</P
></DD
><DT
>-r remote machine name</DT
><DD
><P
>This option allows a user to specify what machine
they wish to change their password on. Without this parameter
smbpasswd defaults to the local host. The <TT
CLASS="REPLACEABLE"
><I
>remote
machine name</I
></TT
> is the NetBIOS name of the SMB/CIFS
server to contact to attempt the password change. This name is
resolved into an IP address using the standard name resolution
mechanism in all programs of the Samba suite. See the <TT
CLASS="PARAMETER"
><I
>-R
name resolve order</I
></TT
> parameter for details on changing
this resolving mechanism. </P
><P
>The username whose password is changed is that of the
current UNIX logged on user. See the <TT
CLASS="PARAMETER"
><I
>-U username</I
></TT
>
parameter for details on changing the password for a different
username. </P
><P
>Note that if changing a Windows NT Domain password the
remote machine specified must be the Primary Domain Controller for
the domain (Backup Domain Controllers only have a read-only
copy of the user account database and will not allow the password
change).</P
><P
><I
CLASS="EMPHASIS"
>Note</I
> that Windows 95/98 do not have
a real password database so it is not possible to change passwords
specifying a Win95/98 machine as remote machine target. </P
></DD
><DT
>-R name resolve order</DT
><DD
><P
>This option allows the user of smbclient to determine
what name resolution services to use when looking up the NetBIOS
name of the host being connected to. </P
><P
>The options are :"lmhosts", "host", "wins" and "bcast". They cause
names to be resolved as follows : </P
><P
></P
><UL
><LI
><P
><TT
CLASS="CONSTANT"
>lmhosts</TT
> : Lookup an IP
address in the Samba lmhosts file. If the line in lmhosts has
no name type attached to the NetBIOS name (see the <A
HREF="lmhosts.5.html"
TARGET="_top"
>lmhosts(5)</A
> for details) then
any name type matches for lookup.</P
></LI
><LI
><P
><TT
CLASS="CONSTANT"
>host</TT
> : Do a standard host
name to IP address resolution, using the system <TT
CLASS="FILENAME"
>/etc/hosts
</TT
>, NIS, or DNS lookups. This method of name resolution
is operating system depended for instance on IRIX or Solaris this
may be controlled by the <TT
CLASS="FILENAME"
>/etc/nsswitch.conf</TT
>
file). Note that this method is only used if the NetBIOS name
type being queried is the 0x20 (server) name type, otherwise
it is ignored.</P
></LI
><LI
><P
><TT
CLASS="CONSTANT"
>wins</TT
> : Query a name with
the IP address listed in the <TT
CLASS="PARAMETER"
><I
>wins server</I
></TT
>
parameter. If no WINS server has been specified this method
will be ignored.</P
></LI
><LI
><P
><TT
CLASS="CONSTANT"
>bcast</TT
> : Do a broadcast on
each of the known local interfaces listed in the
<TT
CLASS="PARAMETER"
><I
>interfaces</I
></TT
> parameter. This is the least
reliable of the name resolution methods as it depends on the
target host being on a locally connected subnet.</P
></LI
></UL
><P
>The default order is <B
CLASS="COMMAND"
>lmhosts, host, wins, bcast</B
>
and without this parameter or any entry in the
<TT
CLASS="FILENAME"
>smb.conf</TT
> file the name resolution methods will
be attempted in this order. </P
></DD
><DT
>-m</DT
><DD
><P
>This option tells smbpasswd that the account
being changed is a MACHINE account. Currently this is used
when Samba is being used as an NT Primary Domain Controller.</P
><P
>This option is only available when running smbpasswd as root.
</P
></DD
><DT
>-j DOMAIN</DT
><DD
><P
>This option is used to add a Samba server
into a Windows NT Domain, as a Domain member capable of authenticating
user accounts to any Domain Controller in the same way as a Windows
NT Server. See the <B
CLASS="COMMAND"
>security = domain</B
> option in
the <TT
CLASS="FILENAME"
>smb.conf(5)</TT
> man page. </P
><P
>In order to be used in this way, the Administrator for
the Windows NT Domain must have used the program "Server Manager
for Domains" to add the primary NetBIOS name of the Samba server
as a member of the Domain. </P
><P
>After this has been done, to join the Domain invoke <B
CLASS="COMMAND"
> smbpasswd</B
> with this parameter. smbpasswd will then
look up the Primary Domain Controller for the Domain (found in
the <TT
CLASS="FILENAME"
>smb.conf</TT
> file in the parameter
<TT
CLASS="PARAMETER"
><I
>password server</I
></TT
> and change the machine account
password used to create the secure Domain communication. This
password is then stored by smbpasswd in a TDB, writeable only by root,
called <TT
CLASS="FILENAME"
>secrets.tdb</TT
> </P
><P
>Once this operation has been performed the <TT
CLASS="FILENAME"
> smb.conf</TT
> file may be updated to set the <B
CLASS="COMMAND"
> security = domain</B
> option and all future logins
to the Samba server will be authenticated to the Windows NT
PDC. </P
><P
>Note that even though the authentication is being
done to the PDC all users accessing the Samba server must still
have a valid UNIX account on that machine. </P
><P
>This option is only available when running smbpasswd as root.
</P
></DD
><DT
>-U username</DT
><DD
><P
>This option may only be used in conjunction
with the <TT
CLASS="PARAMETER"
><I
>-r</I
></TT
> option. When changing
a password on a remote machine it allows the user to specify
the user name on that machine whose password will be changed. It
is present to allow users who have different user names on
different systems to change these passwords. </P
></DD
><DT
>-h</DT
><DD
><P
>This option prints the help string for <B
CLASS="COMMAND"
> smbpasswd</B
>, selecting the correct one for running as root
or as an ordinary user. </P
></DD
><DT
>-s</DT
><DD
><P
>This option causes smbpasswd to be silent (i.e.
not issue prompts) and to read it's old and new passwords from
standard input, rather than from <TT
CLASS="FILENAME"
>/dev/tty</TT
>
(like the <B
CLASS="COMMAND"
>passwd(1)</B
> program does). This option
is to aid people writing scripts to drive smbpasswd</P
></DD
><DT
>username</DT
><DD
><P
>This specifies the username for all of the
<I
CLASS="EMPHASIS"
>root only</I
> options to operate on. Only root
can specify this parameter as only root has the permission needed
to modify attributes directly in the local smbpasswd file.
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN171"
></A
><H2
>NOTES</H2
><P
>Since <B
CLASS="COMMAND"
>smbpasswd</B
> works in client-server
mode communicating with a local smbd for a non-root user then
the smbd daemon must be running for this to work. A common problem
is to add a restriction to the hosts that may access the <B
CLASS="COMMAND"
> smbd</B
> running on the local machine by specifying a
<TT
CLASS="PARAMETER"
><I
>allow hosts</I
></TT
> or <TT
CLASS="PARAMETER"
><I
>deny hosts</I
></TT
>
entry in the <TT
CLASS="FILENAME"
>smb.conf</TT
> file and neglecting to
allow "localhost" access to the smbd. </P
><P
>In addition, the smbpasswd command is only useful if Samba
has been set up to use encrypted passwords. See the file
<TT
CLASS="FILENAME"
>ENCRYPTION.txt</TT
> in the docs directory for details
on how to do this. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN181"
></A
><H2
>VERSION</H2
><P
>This man page is correct for version 2.2 of
the Samba suite.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN184"
></A
><H2
>SEE ALSO</H2
><P
><A
HREF="smbpasswd.5.html"
TARGET="_top"
><TT
CLASS="FILENAME"
>smbpasswd(5)</TT
></A
>,
<A
HREF="samba.7.html"
TARGET="_top"
>samba(7)</A
>
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN190"
></A
><H2
>AUTHOR</H2
><P
>The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.</P
><P
>The original Samba man pages were written by Karl Auer.
The man page sources were converted to YODL format (another
excellent piece of Open Source software, available at
<A
HREF="ftp://ftp.icce.rug.nl/pub/unix/"
TARGET="_top"
> ftp://ftp.icce.rug.nl/pub/unix/</A
>) and updated for the Samba 2.0
release by Jeremy Allison. The conversion to DocBook for
Samba 2.2 was done by Gerald Carter</P
></DIV
></BODY
></HTML
>
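Review bot: In the new -j DOMAIN text the machine account password is described as stored in secrets.tdb, "writeable only by root", where the replaced text said the .mac file was "read only by root"; because this file holds the domain machine account password, the sentence should state who may read it, not only who may write it. The same paragraph still opens a parenthesis at "(found in the smb.conf file in the parameter password server" that is never closed, and the sentence ending at secrets.tdb has no full stop. Under -R, the new host entry reads "is operating system depended for instance on IRIX or Solaris this may be controlled by" and ends with a ")" that has no opening partner; restore "dependent. For instance" and balance the parenthesis. The -R description also still says "the user of smbclient" on the smbpasswd page, and the new text drops the old paragraph explaining that the smb.conf "name resolve order" parameter is used when -R is not given, which the following "without this parameter or any entry in the smb.conf file" sentence depends on.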

View File

@ -1,192 +1,191 @@
.TH "smbcacls " "1" "22 Dec 2000" "Samba" "SAMBA"
.PP
.SH "NAME"
smbcacls \- Set or get ACLs on an NT file or directory
.PP
.SH "SYNOPSIS"
.PP
\fBsmbcacls\fP //server/share filename [-U username]
[-A acls] [-M acls]
[-D acls] [-S acls]
[-C name] [-G name]
[-n] [-h]
.PP
.SH "DESCRIPTION"
.PP
The \fBsmbcacls\fP program manipulates NT Access Control Lists (ACLs) on
SMB file shares\&.
.PP
.SH "OPTIONS"
.PP
The following options are available to the \fBsmbcacls\fP program\&. The
format of ACLs is described in the section ACL FORMAT
.PP
.IP
.IP "\fB-A acls\fP"
.IP
Add the ACLs specified to the ACL list\&. Existing access control entries
are unchanged\&.
.IP
.IP "\fB-M acls\fP"
.IP
Modify the mask value (permissions) for the ACLs specified on the command
line\&. An error will be printed for each ACL specified that was not already
present in the ACL list\&.
.IP
.IP "\fB-D acls\fP"
.IP
Delete any ACLs specfied on the command line\&. An error will be printed for
each ACL specified that was not already present in the ACL list\&.
.IP
.IP "\fB-S acls\fP"
.IP
This command sets the ACLs on the file with only the ones specified on the
command line\&. All other ACLs are erased\&. Note that the ACL specified must
contain at least a revision, type, owner and group for the call to succeed\&.
.IP
.IP "\fB-U username\fP"
.IP
Specifies a username used to connect to the specified service\&. The
username may be of the form \f(CWusername\fP in which case the user is
prompted to enter in a password and the workgroup specified in the
\fBsmb\&.conf\fP file is used, or \f(CWusername%password\fP
or \f(CWDOMAIN\eusername%password\fP and the password and workgroup names are
used as provided\&.
.IP
.IP "\fB-C name\fP"
.IP
The owner of a file or directory can be changed to the name given
using the -C option\&. The name can be a sid in the form \f(CWS-1-x-y-z\fP or a
name resolved against the server specified in the first argument\&.
.IP
This command is a shortcut for \f(CW-M OWNER:name\fP\&.
.IP
.IP "\fB-G name\fP"
.IP
The group owner of a file or directory can be changed to the name given
using the -G option\&. The name can be a sid in the form \f(CWS-1-x-y-z\fP or a
name resolved against the server specified in the first argument\&.
.IP
This command is a shortcut for \f(CW-M GROUP:name\fP\&.
.IP
.IP "\fB-n\fP"
.IP
This option displays all ACL information in numeric format\&. The default is
to convert SIDs to names and ACE types and masks to a readable string
format\&.
.IP
.IP "\fB-h\fP"
.IP
Print usage information on the \fBsmbcacls\fP program
.IP
.PP
.SH "ACL FORMAT"
.PP
The format of an ACL is one or more ACL entries separated by either
commas or newlines\&. An ACL entry is one of the following:
.PP
.\" This manpage has been automatically generated by docbook2man-spec
.\" from a DocBook document. docbook2man-spec can be found at:
.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
.TH "SMBCACLS" "1" "22 February 2001" "" ""
.SH NAME
smbcacls \- Set or get ACLs on an NT file or directory names
.SH SYNOPSIS
.sp
\fBnmblookup\fR \fB//server/share\fR \fBfilename\fR [ \fB-U username\fR ] [ \fB-A acls\fR ] [ \fB-M acls\fR ] [ \fB-D acls\fR ] [ \fB-S acls\fR ] [ \fB-C name\fR ] [ \fB-G name\fR ] [ \fB-n\fR ] [ \fB-h\fR ]
.SH "DESCRIPTION"
.PP
This tool is part of the Samba <URL:samba.7.html> suite.
.PP
The smbcacls program manipulates NT Access Control Lists
(ACLs) on SMB file shares.
.SH "OPTIONS"
.PP
The following options are available to the smbcacls program.
The format of ACLs is described in the section ACL FORMAT
.TP
\fB-A acls\fR
Add the ACLs specified to the ACL list. Existing
access control entries are unchanged.
.TP
\fB-M acls\fR
Modify the mask value (permissions) for the ACLs
specified on the command line. An error will be printed for each
ACL specified that was not already present in the ACL list
.TP
\fB-D acls\fR
Delete any ACLs specfied on the command line.
An error will be printed for each ACL specified that was not
already present in the ACL list.
.TP
\fB-S acls\fR
This command sets the ACLs on the file with
only the ones specified on the command line. All other ACLs are
erased. Note that the ACL specified must contain at least a revision,
type, owner and group for the call to succeed.
.TP
\fB-U username\fR
Specifies a username used to connect to the
specified service. The username may be of the form "username" in
which case the user is prompted to enter in a password and the
workgroup specified in the \fIsmb.conf\fR file is
used, or "username%password" or "DOMAIN\\username%password" and the
password and workgroup names are used as provided.
.TP
\fB-C name\fR
The owner of a file or directory can be changed
to the name given using the \fI-C\fR option.
The name can be a sid in the form S-1-x-y-z or a name resolved
against the server specified in the first argument.
.nf
This command is a shortcut for -M OWNER:name.
.TP
\fB-G name\fR
The group owner of a file or directory can
be changed to the name given using the \fI-G\fR
option. The name can be a sid in the form S-1-x-y-z or a name
resolved against the server specified n the first argument.
This command is a shortcut for -M GROUP:name.
.TP
\fB-n\fR
This option displays all ACL information in numeric
format. The default is to convert SIDs to names and ACE types
and masks to a readable string format.
.TP
\fB-h\fR
Print usage information on the \fBsmbcacls
\fRprogram.
.SH "ACL FORMAT"
.PP
The format of an ACL is one or more ACL entries separated by
either commas or newlines. An ACL entry is one of the following:
.PP
.sp
.nf
REVISION:<revision number>
OWNER:<sid or name>
GROUP:<sid or name>
ACL:<sid or name>:<type>/<flags>/<mask>
.fi
.PP
The revision of the ACL specifies the internal Windows NT ACL revision for
the security descriptor\&. If not specified it defaults to 1\&. Using values
other than 1 may cause strange behaviour\&.
.PP
The owner and group specify the owner and group sids for the object\&. If a
SID in the format \f(CWS-1-x-y-z\fP is specified this is used, otherwise
the name specified is resolved using the server on which the file or
directory resides\&.
.PP
ACLs specify permissions granted to the SID\&. This SID again can be
specified in \f(CWS-1-x-y-z\fP format or as a name in which case it is resolved
against the server on which the file or directory resides\&. The type, flags
and mask values determine the type of access granted to the SID\&.
.PP
The type can be either 0 or 1 corresponding to ALLOWED or DENIED access to
the SID\&. The flags values are generally zero for file ACLs and either 9 or
2 for directory ACLs\&. Some common flags are:
.PP
.nf
#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1
#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2
#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4
#define SEC_ACE_FLAG_INHERIT_ONLY 0x8
.fi
.PP
At present flags can only be specified as decimal or hexadecimal values\&.
.PP
The mask is a value which expresses the access right granted to the SID\&.
It can be given as a decimal or hexadecimal value, or by using one of the
following text strings which map to the NT file permissions of the same
name\&.
.PP
.IP
.IP ""
\f(CWR\fP Allow read access
.IP
.IP ""
\f(CWW\fP Allow write access
.IP
.IP ""
\f(CWX\fP Execute permission on the object
.IP
.IP ""
\f(CWD\fP Delete the object
.IP
.IP ""
\f(CWP\fP Change permissions
.IP
.IP ""
\f(CWO\fP Take ownership
.IP
.PP
.sp
.fi
.PP
The revision of the ACL specifies the internal Windows
NT ACL revision for the security descriptor.
If not specified it defaults to 1. Using values other than 1 may
cause strange behaviour.
.PP
The owner and group specify the owner and group sids for the
object. If a SID in the format CWS-1-x-y-z is specified this is used,
otherwise the name specified is resolved using the server on which
the file or directory resides.
.PP
ACLs specify permissions granted to the SID. This SID again
can be specified in CWS-1-x-y-z format or as a name in which case
it is resolved against the server on which the file or directory
resides. The type, flags and mask values determine the type of
access granted to the SID.
.PP
The type can be either 0 or 1 corresponding to ALLOWED or
DENIED access to the SID. The flags values are generally
zero for file ACLs and either 9 or 2 for directory ACLs. Some
common flags are:
.TP 0.2i
\(bu
#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1
.TP 0.2i
\(bu
#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2
.TP 0.2i
\(bu
#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4
.TP 0.2i
\(bu
#define SEC_ACE_FLAG_INHERIT_ONLY 0x8
.PP
At present flags can only be specified as decimal or
hexadecimal values.
.PP
.PP
The mask is a value which expresses the access right
granted to the SID. It can be given as a decimal or hexadecimal value,
or by using one of the following text strings which map to the NT
file permissions of the same name.
.PP
.TP 0.2i
\(bu
\fBR\fR - Allow read access
.TP 0.2i
\(bu
\fBW\fR - Allow write access
.TP 0.2i
\(bu
\fBX\fR - Execute permission on the object
.TP 0.2i
\(bu
\fBD\fR - Delete the object
.TP 0.2i
\(bu
\fBP\fR - Change permissions
.TP 0.2i
\(bu
\fBO\fR - Take ownership
.PP
The following combined permissions can be specified:
.PP
.IP
.IP ""
\f(CWREAD\fP
.IP
Equivalent to \f(CWRX\fP permissions
.IP
.IP ""
\f(CWCHANGE\fP
.IP
Equivalent to \f(CWRXWD\fP permissions
.IP
.IP ""
\f(CWFULL\fP
.IP
Equivalent to \f(CWRWXDPO\fP permissions
.IP
.PP
.SH "EXIT STATUS"
.PP
The \fBsmbcacls\fP program sets the exit status depending on the success or
otherwise of the operations performed\&. The exit status may be one of the
following values\&.
.PP
If the operation succeded, \fBsmbcacls\fP returns and exit status of 0\&. If
\fBsmbcacls\fP couldn\'t connect to the specified server, or there was an
error getting or setting the ACLs, an exit status of 1 is returned\&. If
there was an error parsing any command line arguments, an exit status of 2
is returned\&.
.PP
.SH "AUTHOR"
.PP
The original Samba software and related utilities were created by
Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open
Source project\&.
.PP
\fBsmbcacls\fP was written by Andrew Tridgell and Tim Potter\&.
.PP
.TP 0.2i
\(bu
\fBREAD\fR - Equivalent to 'RX'
permissions
.TP 0.2i
\(bu
\fBCHANGE\fR - Equivalent to 'RXWD' permissions
.TP 0.2i
\(bu
\fBFULL\fR - Equivalent to 'RWXDPO'
permissions
.SH "EXIT STATUS"
.PP
The \fBsmbcacls\fR program sets the exit status
depending on the success or otherwise of the operations performed.
The exit status may be one of the following values.
.PP
If the operation succeded, smbcacls returns and exit
status of 0. If smbcacls couldn't connect to the specified server,
or there was an error getting or setting the ACLs, an exit status
of 1 is returned. If there was an error parsing any command line
arguments, an exit status of 2 is returned.
.SH "VERSION"
.PP
This man page is correct for version 2.2 of
the Samba suite.
.SH "AUTHOR"
.PP
The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.
.PP
\fBsmbcacls\fR was written by Andrew Tridgell
and Tim Potter.
.PP
The conversion to DocBook for Samba 2.2 was done
by Gerald Carter
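Review bot: the new SYNOPSIS line for smbcacls(1) names the wrong program. It reads `\fBnmblookup\fR \fB//server/share\fR \fBfilename\fR ...`, which looks carried over from the nmblookup page, and should start with `\fBsmbcacls\fR`. In the converted ACL FORMAT paragraphs the SID form appears twice as `CWS-1-x-y-z`; the `CW` is residue of the old `\f(CW` font escape, and the text should read `S-1-x-y-z` as it does under -C and -G. The `.nf` added before "This command is a shortcut for -M OWNER:name." under -C has no `.fi` before the next `.TP`, so the option text that follows will render unfilled; -G has no such request, so dropping it looks like the fix. Smaller points in the new text: "specified n the first argument" under -G, "specfied" under -D, the missing full stop after "present in the ACL list" under -M, and the NAME line "on an NT file or directory names".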

View File

@ -1,214 +1,159 @@
.TH "smbpasswd " "5" "23 Oct 1998" "Samba" "SAMBA"
.PP
.SH "NAME"
.\" This manpage has been automatically generated by docbook2man-spec
.\" from a DocBook document. docbook2man-spec can be found at:
.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
.TH "SMBPASSWD" "5" "22 February 2001" "" ""
.SH NAME
smbpasswd \- The Samba encrypted password file
.PP
.SH "SYNOPSIS"
.PP
smbpasswd is the \fBSamba\fP encrypted password file\&.
.PP
.SH "DESCRIPTION"
.PP
This file is part of the \fBSamba\fP suite\&.
.PP
smbpasswd is the \fBSamba\fP encrypted password file\&. It contains
the username, Unix user id and the SMB hashed passwords of the
user, as well as account flag information and the time the password
was last changed\&. This file format has been evolving with Samba
and has had several different formats in the past\&.
.PP
.SH "FILE FORMAT"
.PP
The format of the smbpasswd file used by Samba 2\&.0 is very similar to
the familiar Unix \fBpasswd (5)\fP file\&. It is an ASCII file containing
one line for each user\&. Each field within each line is separated from
the next by a colon\&. Any entry beginning with # is ignored\&. The
smbpasswd file contains the following information for each user:
.PP
.IP
.IP "\fBname\fP"
.br
.br
.IP
This is the user name\&. It must be a name that already exists
in the standard UNIX passwd file\&.
.IP
.IP "\fBuid\fP"
.br
.br
.IP
This is the UNIX uid\&. It must match the uid field for the same
user entry in the standard UNIX passwd file\&. If this does not
match then Samba will refuse to recognize this \fBsmbpasswd\fP file entry
as being valid for a user\&.
.IP
.IP "\fBLanman Password Hash\fP"
.br
.br
.IP
This is the \fILANMAN\fP hash of the users password, encoded as 32 hex
digits\&. The \fILANMAN\fP hash is created by DES encrypting a well known
string with the users password as the DES key\&. This is the same
password used by Windows 95/98 machines\&. Note that this password hash
is regarded as weak as it is vulnerable to dictionary attacks and if
two users choose the same password this entry will be identical (i\&.e\&.
the password is not \fI"salted"\fP as the UNIX password is)\&. If the
user has a null password this field will contain the characters
\f(CW"NO PASSWORD"\fP as the start of the hex string\&. If the hex string
is equal to 32 \f(CW\'X\'\fP characters then the users account is marked as
\fIdisabled\fP and the user will not be able to log onto the Samba
server\&.
.IP
\fIWARNING !!\fP\&. Note that, due to the challenge-response nature of the
SMB/CIFS authentication protocol, anyone with a knowledge of this
password hash will be able to impersonate the user on the network\&.
For this reason these hashes are known as \fI"plain text equivalent"\fP
and must \fINOT\fP be made available to anyone but the root user\&. To
protect these passwords the \fBsmbpasswd\fP file is placed in a
directory with read and traverse access only to the root user and the
\fBsmbpasswd\fP file itself must be set to be read/write only by root,
with no other access\&.
.IP
.IP "\fBNT Password Hash\fP"
.br
.br
.IP
This is the \fIWindows NT\fP hash of the users password, encoded as 32
hex digits\&. The \fIWindows NT\fP hash is created by taking the users
password as represented in 16-bit, little-endian UNICODE and then
applying the \fIMD4\fP (internet rfc1321) hashing algorithm to it\&.
.IP
This password hash is considered more secure than the \fBLanman
Password Hash\fP as it preserves the case of the
password and uses a much higher quality hashing algorithm\&. However, it
is still the case that if two users choose the same password this
entry will be identical (i\&.e\&. the password is not \fI"salted"\fP as the
UNIX password is)\&.
.IP
\fIWARNING !!\fP\&. Note that, due to the challenge-response nature of the
SMB/CIFS authentication protocol, anyone with a knowledge of this
password hash will be able to impersonate the user on the network\&.
For this reason these hashes are known as \fI"plain text equivalent"\fP
and must \fINOT\fP be made available to anyone but the root user\&. To
protect these passwords the \fBsmbpasswd\fP file is placed in a
directory with read and traverse access only to the root user and the
\fBsmbpasswd\fP file itself must be set to be read/write only by root,
with no other access\&.
.IP
.IP "\fBAccount Flags\fP"
.br
.br
.IP
This section contains flags that describe the attributes of the users
account\&. In the \fBSamba2\&.0\fP release this field is bracketed by \f(CW\'[\'\fP
and \f(CW\']\'\fP characters and is always 13 characters in length (including
the \f(CW\'[\'\fP and \f(CW\']\'\fP characters)\&. The contents of this field may be
any of the characters\&.
.IP
.IP
.IP o
\fB\'U\'\fP This means this is a \fI"User"\fP account, i\&.e\&. an ordinary
user\&. Only \fBUser\fP and \fBWorkstation Trust\fP accounts are
currently supported in the \fBsmbpasswd\fP file\&.
.IP
.IP o
\fB\'N\'\fP This means the account has \fIno\fP password (the passwords
in the fields \fBLanman Password Hash\fP and
\fBNT Password Hash\fP are ignored)\&. Note that this
will only allow users to log on with no password if the
\fBnull passwords\fP parameter is set
in the \fBsmb\&.conf (5)\fP config file\&.
.IP
.IP o
\fB\'D\'\fP This means the account is disabled and no SMB/CIFS logins
will be allowed for this user\&.
.IP
.IP o
\fB\'W\'\fP This means this account is a \fI"Workstation Trust"\fP account\&.
This kind of account is used in the Samba PDC code stream to allow Windows
NT Workstations and Servers to join a Domain hosted by a Samba PDC\&.
.IP
.IP
Other flags may be added as the code is extended in future\&. The rest of
this field space is filled in with spaces\&.
.IP
.IP "\fBLast Change Time\fP"
.br
.br
.IP
This field consists of the time the account was last modified\&. It consists of
the characters \f(CWLCT-\fP (standing for \fI"Last Change Time"\fP) followed by a numeric
encoding of the UNIX time in seconds since the epoch (1970) that the last change
was made\&.
.IP
.IP "\fBFollowing fields\fP"
.br
.br
.IP
All other colon separated fields are ignored at this time\&.
.IP
.PP
.SH "NOTES"
.PP
In previous versions of Samba (notably the 1\&.9\&.18 series) this file
did not contain the \fBAccount Flags\fP or
\fBLast Change Time\fP fields\&. The Samba 2\&.0
code will read and write these older password files but will not be able to
modify the old entries to add the new fields\&. New entries added with
\fBsmbpasswd (8)\fP will contain the new fields
in the added accounts however\&. Thus an older \fBsmbpasswd\fP file used
with Samba 2\&.0 may end up with some accounts containing the new fields
and some not\&.
.PP
In order to convert from an old-style \fBsmbpasswd\fP file to a new
style, run the script \fBconvert_smbpasswd\fP, installed in the
Samba \f(CWbin/\fP directory (the same place that the \fBsmbd\fP
and \fBnmbd\fP binaries are installed) as follows:
.PP
.SH SYNOPSIS
.PP
\fIsmbpasswd\fR
.SH "DESCRIPTION"
.PP
This tool is part of the Samba <URL:samba.7.html> suite.
.PP
smbpasswd is the Samba encrypted password file. It contains
the username, Unix user id and the SMB hashed passwords of the
user, as well as account flag information and the time the
password was last changed. This file format has been evolving with
Samba and has had several different formats in the past.
.SH "FILE FORMAT"
.PP
The format of the smbpasswd file used by Samba 2.2
is very similar to the familiar Unix \fIpasswd(5)\fR
file. It is an ASCII file containing one line for each user. Each field
ithin each line is separated from the next by a colon. Any entry
beginning with '#' is ignored. The smbpasswd file contains the
following information for each user:
.TP
\fBname\fR
This is the user name. It must be a name that
already exists in the standard UNIX passwd file.
.TP
\fBuid\fR
This is the UNIX uid. It must match the uid
field for the same user entry in the standard UNIX passwd file.
If this does not match then Samba will refuse to recognize
this smbpasswd file entry as being valid for a user.
.TP
\fBLanman Password Hash\fR
This is the LANMAN hash of the users password,
encoded as 32 hex digits. The LANMAN hash is created by DES
encrypting a well known string with the users password as the
DES key. This is the same password used by Windows 95/98 machines.
Note that this password hash is regarded as weak as it is
vulnerable to dictionary attacks and if two users choose the
same password this entry will be identical (i.e. the password
is not "salted" as the UNIX password is). If the user has a
null password this field will contain the characters "NO PASSWORD"
as the start of the hex string. If the hex string is equal to
32 'X' characters then the users account is marked as
disabled and the user will not be able to
log onto the Samba server.
.nf
\fBWARNING !!\fR Note that, due to
the challenge-response nature of the SMB/CIFS authentication
protocol, anyone with a knowledge of this password hash will
be able to impersonate the user on the network. For this
reason these hashes are known as \fBplain text
equivalents\fR and must \fBNOT\fR be made
available to anyone but the root user. To protect these passwords
the smbpasswd file is placed in a directory with read and
traverse access only to the root user and the smbpasswd file
itself must be set to be read/write only by root, with no
other access.
.TP
\fBNT Password Hash\fR
This is the Windows NT hash of the users
password, encoded as 32 hex digits. The Windows NT hash is
created by taking the users password as represented in
16-bit, little-endian UNICODE and then applying the MD4
(internet rfc1321) hashing algorithm to it.
This password hash is considered more secure than
the Lanman Password Hash as it preserves the case of the
password and uses a much higher quality hashing algorithm.
However, it is still the case that if two users choose the same
password this entry will be identical (i.e. the password is
not "salted" as the UNIX password is).
cat old_smbpasswd_file | convert_smbpasswd > new_smbpasswd_file
.fi
.PP
The \fBconvert_smbpasswd\fP script reads from stdin and writes to stdout
so as not to overwrite any files by accident\&.
.PP
Once this script has been run, check the contents of the new smbpasswd
file to ensure that it has not been damaged by the conversion script
(which uses \fBawk\fP), and then replace the \f(CW<old smbpasswd file>\fP
with the \f(CW<new smbpasswd file>\fP\&.
.PP
.SH "VERSION"
.PP
This man page is correct for version 2\&.0 of the Samba suite\&.
.PP
.SH "SEE ALSO"
.PP
\fBsmbpasswd (8)\fP, \fBsamba
(7)\fP, and the Internet RFC1321 for details on the MD4
algorithm\&.
.PP
.SH "AUTHOR"
.PP
The original Samba software and related utilities were created by
Andrew Tridgell samba@samba\&.org\&. Samba is now developed
by the Samba Team as an Open Source project similar to the way the
Linux kernel is developed\&.
.PP
The original Samba man pages were written by Karl Auer\&. The man page
sources were converted to YODL format (another excellent piece of Open
Source software, available at
\fBftp://ftp\&.icce\&.rug\&.nl/pub/unix/\fP)
and updated for the Samba2\&.0 release by Jeremy
Allison, samba@samba\&.org\&.
.PP
See \fBsamba (7)\fP to find out how to get a full
list of contributors and details on how to submit bug reports,
comments etc\&.
\fBWARNING !!\fR. Note that, due to
the challenge-response nature of the SMB/CIFS authentication
protocol, anyone with a knowledge of this password hash will
be able to impersonate the user on the network. For this
reason these hashes are known as \fBplain text
equivalents\fR and must \fBNOT\fR be made
available to anyone but the root user. To protect these passwords
the smbpasswd file is placed in a directory with read and
traverse access only to the root user and the smbpasswd file
itself must be set to be read/write only by root, with no
other access.
.TP
\fBAccount Flags\fR
This section contains flags that describe
the attributes of the users account. In the Samba 2.2 release
this field is bracketed by '[' and ']' characters and is always
13 characters in length (including the '[' and ']' characters).
The contents of this field may be any of the characters.
.RS
.TP 0.2i
\(bu
\fBU\fR - This means
this is a "User" account, i.e. an ordinary user. Only User
and Workstation Trust accounts are currently supported
in the smbpasswd file.
.TP 0.2i
\(bu
\fBN\fR - This means the
account has no password (the passwords in the fields Lanman
Password Hash and NT Password Hash are ignored). Note that this
will only allow users to log on with no password if the \fI null passwords\fR parameter is set in the \fIsmb.conf(5)
\fR <URL:smb.conf.5.html#NULLPASSWORDS> config file.
.TP 0.2i
\(bu
\fBD\fR - This means the account
is disabled and no SMB/CIFS logins will be allowed for
this user.
.TP 0.2i
\(bu
\fBW\fR - This means this account
is a "Workstation Trust" account. This kind of account is used
in the Samba PDC code stream to allow Windows NT Workstations
and Servers to join a Domain hosted by a Samba PDC.
.RE
.PP
Other flags may be added as the code is extended in future.
The rest of this field space is filled in with spaces.
.PP
.TP
\fBLast Change Time\fR
This field consists of the time the account was
last modified. It consists of the characters 'LCT-' (standing for
"Last Change Time") followed by a numeric encoding of the UNIX time
in seconds since the epoch (1970) that the last change was made.
.PP
All other colon separated fields are ignored at this time.
.PP
.SH "VERSION"
.PP
This man page is correct for version 2.2 of
the Samba suite.
.SH "SEE ALSO"
.PP
\fBsmbpasswd(8)\fR <URL:smbpasswd.8.html>,
samba(7) <URL:samba.7.html>, and
the Internet RFC1321 for details on the MD4 algorithm.
.SH "AUTHOR"
.PP
The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.
.PP
The original Samba man pages were written by Karl Auer.
The man page sources were converted to YODL format (another
excellent piece of Open Source software, available at
ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the Samba 2.0
release by Jeremy Allison. The conversion to DocBook for
Samba 2.2 was done by Gerald Carter
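Review bot: the `.nf` added ahead of the first `\fBWARNING !!\fR` paragraph, under Lanman Password Hash, switches filling off for the plain-text-equivalent warning, and no `.fi` follows that paragraph before the next `.TP`. The text that tells administrators to keep the file readable only by root should render as a normal filled paragraph, so drop the `.nf`, or pair it with a `.fi` directly after the paragraph if only a break was intended. The new DESCRIPTION opens with "This tool is part of the Samba suite", but smbpasswd(5) documents a file, as the replaced line "This file is part of the Samba suite" said. In FILE FORMAT, "ithin each line" should be "within each line", and the second copy of the warning keeps a full stop after `\fBWARNING !!\fR` that the first copy does not have.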

View File

@ -1,308 +1,301 @@
.TH "smbpasswd " "8" "23 Oct 1998" "Samba" "SAMBA"
.PP
.SH "NAME"
.\" This manpage has been automatically generated by docbook2man-spec
.\" from a DocBook document. docbook2man-spec can be found at:
.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
.TH "SMBPASSWD" "8" "22 February 2001" "" ""
.SH NAME
smbpasswd \- change a users SMB password
.PP
.SH "SYNOPSIS"
.PP
\fBsmbpasswd\fP [-a] [-x] [-d] [-e] [-D debug level] [-n] [-r remote_machine] [-R name resolve order] [-m] [-j DOMAIN] [-U username] [-h] [-s] username
.PP
.SH "DESCRIPTION"
.PP
This program is part of the \fBSamba\fP suite\&.
.PP
The \fBsmbpasswd\fP program has several different functions, depending
on whether it is run by the \fIroot\fP user or not\&. When run as a normal
user it allows the user to change the password used for their SMB
sessions on any machines that store SMB passwords\&.
.PP
By default (when run with no arguments) it will attempt to change the
current users SMB password on the local machine\&. This is similar to
the way the \fBpasswd (1)\fP program works\&. \fBsmbpasswd\fP differs from how
the \fBpasswd\fP program works however in that it is not \fIsetuid root\fP
but works in a client-server mode and communicates with a locally
running \fBsmbd\fP\&. As a consequence in order for this
to succeed the \fBsmbd\fP daemon must be running on
the local machine\&. On a UNIX machine the encrypted SMB passwords are
usually stored in the \fBsmbpasswd (5)\fP file\&.
.PP
When run by an ordinary user with no options\&. \fBsmbpasswd\fP will
prompt them for their old smb password and then ask them for their new
password twice, to ensure that the new password was typed
correctly\&. No passwords will be echoed on the screen whilst being
typed\&. If you have a blank smb password (specified by the string "NO
PASSWORD" in the \fBsmbpasswd\fP file) then just
press the <Enter> key when asked for your old password\&.
.PP
\fBsmbpasswd\fP can also be used by a normal user to change their SMB
password on remote machines, such as Windows NT Primary Domain
Controllers\&. See the (\fB-r\fP) and
\fB-U\fP options below\&.
.PP
When run by root, \fBsmbpasswd\fP allows new users to be added and
deleted in the \fBsmbpasswd\fP file, as well as
allows changes to the attributes of the user in this file to be made\&. When
run by root, \fBsmbpasswd\fP accesses the local
\fBsmbpasswd\fP file directly, thus enabling
changes to be made even if \fBsmbd\fP is not running\&.
.PP
.SH "OPTIONS"
.PP
.IP
.IP "\fB-a\fP"
This option specifies that the username following should
be added to the local \fBsmbpasswd\fP file, with
the new password typed (type <Enter> for the old password)\&. This
option is ignored if the username following already exists in the
\fBsmbpasswd\fP file and it is treated like a
regular change password command\&. Note that the user to be added
\fBmust\fP already exist in the system password file (usually /etc/passwd)
else the request to add the user will fail\&.
.IP
This option is only available when running \fBsmbpasswd\fP as
root\&.
.IP
.IP "\fB-x\fP"
This option specifies that the username following should
be deleted from the local \fBsmbpasswd\fP file\&.
.IP
This option is only available when running \fBsmbpasswd\fP as
root\&.
.IP
.IP "\fB-d\fP"
This option specifies that the username following should be
\fIdisabled\fP in the local \fBsmbpasswd\fP file\&.
This is done by writing a \fI\'D\'\fP flag into the account control space
in the \fBsmbpasswd\fP file\&. Once this is done
all attempts to authenticate via SMB using this username will fail\&.
.IP
If the \fBsmbpasswd\fP file is in the \'old\'
format (pre-Samba 2\&.0 format) there is no space in the users password
entry to write this information and so the user is disabled by writing
\'X\' characters into the password space in the
\fBsmbpasswd\fP file\&. See \fBsmbpasswd
(5)\fP for details on the \'old\' and new password file
formats\&.
.IP
This option is only available when running \fBsmbpasswd\fP as root\&.
.IP
.IP "\fB-e\fP"
This option specifies that the username following should be
\fIenabled\fP in the local \fBsmbpasswd\fP file,
if the account was previously disabled\&. If the account was not
disabled this option has no effect\&. Once the account is enabled
then the user will be able to authenticate via SMB once again\&.
.IP
If the smbpasswd file is in the \'old\' format then \fBsmbpasswd\fP will
prompt for a new password for this user, otherwise the account will be
enabled by removing the \fI\'D\'\fP flag from account control space in the
\fBsmbpasswd\fP file\&. See \fBsmbpasswd
(5)\fP for details on the \'old\' and new password file
formats\&.
.IP
This option is only available when running \fBsmbpasswd\fP as root\&.
.IP
.IP "\fB-D debuglevel\fP"
debuglevel is an integer from 0
to 10\&. The default value if this parameter is not specified is zero\&.
.IP
The higher this value, the more detail will be logged to the log files
about the activities of smbpasswd\&. At level 0, only critical errors
and serious warnings will be logged\&.
.IP
Levels above 1 will generate considerable amounts of log data, and
should only be used when investigating a problem\&. Levels above 3 are
designed for use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic\&.
.IP
.IP "\fB-n\fP"
This option specifies that the username following should
have their password set to null (i\&.e\&. a blank password) in the local
\fBsmbpasswd\fP file\&. This is done by writing the
string "NO PASSWORD" as the first part of the first password stored in
the \fBsmbpasswd\fP file\&.
.IP
Note that to allow users to logon to a Samba server once the password
has been set to "NO PASSWORD" in the
\fBsmbpasswd\fP file the administrator must set
the following parameter in the [global] section of the
\fBsmb\&.conf\fP file :
.IP
null passwords = true
.IP
This option is only available when running \fBsmbpasswd\fP as root\&.
.IP
.IP "\fB-r remote machine name\fP"
This option allows a
user to specify what machine they wish to change their password
on\&. Without this parameter \fBsmbpasswd\fP defaults to the local
host\&. The \fI"remote machine name"\fP is the NetBIOS name of the
SMB/CIFS server to contact to attempt the password change\&. This name
is resolved into an IP address using the standard name resolution
mechanism in all programs of the \fBSamba\fP
suite\&. See the \fB-R name resolve order\fP parameter for details on changing this resolving
mechanism\&.
.IP
The username whose password is changed is that of the current UNIX
logged on user\&. See the \fB-U username\fP
parameter for details on changing the password for a different
username\&.
.IP
Note that if changing a Windows NT Domain password the remote machine
specified must be the Primary Domain Controller for the domain (Backup
Domain Controllers only have a read-only copy of the user account
database and will not allow the password change)\&.
.IP
\fINote\fP that Windows 95/98 do not have a real password database
so it is not possible to change passwords specifying a Win95/98
machine as remote machine target\&.
.IP
.IP "\fB-R name resolve order\fP"
This option allows the user of
smbclient to determine what name resolution services to use when
looking up the NetBIOS name of the host being connected to\&.
.IP
The options are :"lmhosts", "host",
"wins" and "bcast"\&. They cause names to be
resolved as follows :
.IP
.IP
.IP o
\fBlmhosts\fP : Lookup an IP address in the Samba lmhosts file\&.
.IP
.IP o
\fBhost\fP : Do a standard host name to IP address resolution,
using the system /etc/hosts, NIS, or DNS lookups\&. This method of name
resolution is operating system dependent\&. For instance on IRIX or
Solaris, this may be controlled by the \fI/etc/nsswitch\&.conf\fP file)\&.
.IP
.IP o
\fBwins\fP : Query a name with the IP address listed in the
\fBwins server\fP parameter in the
\fBsmb\&.conf file\fP\&. If
no WINS server has been specified this method will be ignored\&.
.IP
.IP o
\fBbcast\fP : Do a broadcast on each of the known local interfaces
listed in the \fBinterfaces\fP parameter
in the smb\&.conf file\&. This is the least reliable of the name resolution
methods as it depends on the target host being on a locally connected
subnet\&.
.IP
.IP
If this parameter is not set then the name resolve order defined
in the \fBsmb\&.conf\fP file parameter
\fBname resolve order\fP
will be used\&.
.IP
The default order is lmhosts, host, wins, bcast and without this
parameter or any entry in the \fBsmb\&.conf\fP
file the name resolution methods will be attempted in this order\&.
.IP
.IP "\fB-m\fP"
This option tells \fBsmbpasswd\fP that the account being
changed is a \fIMACHINE\fP account\&. Currently this is used when Samba is
being used as an NT Primary Domain Controller\&. PDC support is not a
supported feature in Samba2\&.0 but will become supported in a later
release\&. If you wish to know more about using Samba as an NT PDC then
please subscribe to the mailing list
samba-ntdom@samba\&.org\&.
.IP
This option is only available when running \fBsmbpasswd\fP as root\&.
.IP
.IP "\fB-j DOMAIN\fP"
This option is used to add a Samba server into a
Windows NT Domain, as a Domain member capable of authenticating user
accounts to any Domain Controller in the same way as a Windows NT
Server\&. See the \fBsecurity=domain\fP
option in the \fBsmb\&.conf (5)\fP man page\&.
.IP
In order to be used in this way, the Administrator for the Windows
NT Domain must have used the program \fI"Server Manager for Domains"\fP
to add the primary NetBIOS name of
the Samba server as a member of the Domain\&.
.IP
After this has been done, to join the Domain invoke \fBsmbpasswd\fP with
this parameter\&. \fBsmbpasswd\fP will then look up the Primary Domain
Controller for the Domain (found in the
\fBsmb\&.conf\fP file in the parameter
\fBpassword server\fP and change
the machine account password used to create the secure Domain
communication\&. This password is then stored by \fBsmbpasswd\fP in a
file, read only by root, called \f(CW<Domain>\&.<Machine>\&.mac\fP where
\f(CW<Domain>\fP is the name of the Domain we are joining and \f(CW<Machine>\fP
is the primary NetBIOS name of the machine we are running on\&.
.IP
Once this operation has been performed the
\fBsmb\&.conf\fP file may be updated to set the
\fBsecurity=domain\fP option and all
future logins to the Samba server will be authenticated to the Windows
NT PDC\&.
.IP
Note that even though the authentication is being done to the PDC all
users accessing the Samba server must still have a valid UNIX account
on that machine\&.
.IP
This option is only available when running \fBsmbpasswd\fP as root\&.
.IP
.IP "\fB-U username\fP"
This option may only be used in
conjunction with the \fB-r\fP
option\&. When changing a password on a remote machine it allows the
user to specify the user name on that machine whose password will be
changed\&. It is present to allow users who have different user names on
different systems to change these passwords\&.
.IP
.IP "\fB-h\fP"
This option prints the help string for \fBsmbpasswd\fP,
selecting the correct one for running as root or as an ordinary user\&.
.IP
.IP "\fB-s\fP"
This option causes \fBsmbpasswd\fP to be silent (i\&.e\&. not
issue prompts) and to read it\'s old and new passwords from standard
input, rather than from \f(CW/dev/tty\fP (like the \fBpasswd (1)\fP program
does)\&. This option is to aid people writing scripts to drive \fBsmbpasswd\fP
.IP
.IP "\fBusername\fP"
This specifies the username for all of the \fIroot
only\fP options to operate on\&. Only root can specify this parameter as
only root has the permission needed to modify attributes directly
in the local \fBsmbpasswd\fP file\&.
.IP
.SH "NOTES"
.IP
Since \fBsmbpasswd\fP works in client-server mode communicating with a
local \fBsmbd\fP for a non-root user then the \fBsmbd\fP
daemon must be running for this to work\&. A common problem is to add a
restriction to the hosts that may access the \fBsmbd\fP running on the
local machine by specifying a \fB"allow
hosts"\fP or \fB"deny
hosts"\fP entry in the
\fBsmb\&.conf\fP file and neglecting to allow
\fI"localhost"\fP access to the \fBsmbd\fP\&.
.IP
In addition, the \fBsmbpasswd\fP command is only useful if \fBSamba\fP has
been set up to use encrypted passwords\&. See the file \fBENCRYPTION\&.txt\fP
in the docs directory for details on how to do this\&.
.IP
.SH "VERSION"
.IP
This man page is correct for version 2\&.0 of the Samba suite\&.
.IP
.SH "AUTHOR"
.IP
The original Samba software and related utilities were created by
Andrew Tridgell samba@samba\&.org\&. Samba is now developed
by the Samba Team as an Open Source project similar to the way the
Linux kernel is developed\&.
.IP
The original Samba man pages were written by Karl Auer\&. The man page
sources were converted to YODL format (another excellent piece of Open
Source software, available at
\fBftp://ftp\&.icce\&.rug\&.nl/pub/unix/\fP)
and updated for the Samba2\&.0 release by Jeremy Allison\&.
samba@samba\&.org\&.
.IP
See \fBsamba (7)\fP to find out how to get a full
list of contributors and details on how to submit bug reports,
comments etc\&.
.SH SYNOPSIS
.sp
\fBsmbpasswd\fR [ \fB-a\fR ] [ \fB-x\fR ] [ \fB-d\fR ] [ \fB-e\fR ] [ \fB-D debuglevel\fR ] [ \fB-n\fR ] [ \fB-r <remote machine>\fR ] [ \fB-R <name resolve order>\fR ] [ \fB-m\fR ] [ \fB-j DOMAIN\fR ] [ \fB-U username\fR ] [ \fB-h\fR ] [ \fB-s\fR ] [ \fBusername\fR ]
.SH "DESCRIPTION"
.PP
This tool is part of the Samba <URL:samba.7.html> suite.
.PP
The smbpasswd program has several different
functions, depending on whether it is run by the \fBroot\fR
user or not. When run as a normal user it allows the user to change
the password used for their SMB sessions on any machines that store
SMB passwords.
.PP
By default (when run with no arguments) it will attempt to
change the current users SMB password on the local machine. This is
similar to the way the \fBpasswd(1)\fR program works.
\fBsmbpasswd\fR differs from how the passwd program works
however in that it is not \fBsetuid root\fR but works in
a client-server mode and communicates with a locally running
\fBsmbd(8)\fR. As a consequence in order for this to
succeed the smbd daemon must be running on the local machine. On a
UNIX machine the encrypted SMB passwords are usually stored in
the \fIsmbpasswd(5)\fR file.
.PP
When run by an ordinary user with no options. smbpasswd
will prompt them for their old smb password and then ask them
for their new password twice, to ensure that the new password
was typed correctly. No passwords will be echoed on the screen
whilst being typed. If you have a blank smb password (specified by
the string "NO PASSWORD" in the smbpasswd file) then just press
the <Enter> key when asked for your old password.
.PP
smbpasswd can also be used by a normal user to change their
SMB password on remote machines, such as Windows NT Primary Domain
Controllers. See the (-r) and -U options below.
.PP
When run by root, smbpasswd allows new users to be added
and deleted in the smbpasswd file, as well as allows changes to
the attributes of the user in this file to be made. When run by root,
\fBsmbpasswd\fR accesses the local smbpasswd file
directly, thus enabling changes to be made even if smbd is not
running.
.SH "OPTIONS"
.TP
\fB-a\fR
This option specifies that the username
following should be added to the local smbpasswd file, with the
new password typed (type <Enter> for the old password). This
option is ignored if the username following already exists in
the smbpasswd file and it is treated like a regular change
password command. Note that the user to be added must already exist
in the system password file (usually \fI/etc/passwd\fR)
else the request to add the user will fail.
This option is only available when running smbpasswd
as root.
.TP
\fB-x\fR
This option specifies that the username
following should be deleted from the local smbpasswd file.
This option is only available when running smbpasswd as
root.
.TP
\fB-d\fR
This option specifies that the username following
should be disabled in the local smbpasswd
file. This is done by writing a 'D' flag
into the account control space in the smbpasswd file. Once this
is done all attempts to authenticate via SMB using this username
will fail.
If the smbpasswd file is in the 'old' format (pre-Samba 2.0
format) there is no space in the users password entry to write
this information and so the user is disabled by writing 'X' characters
into the password space in the smbpasswd file. See \fBsmbpasswd(5)
\fRfor details on the 'old' and new password file formats.
This option is only available when running smbpasswd as
root.
.TP
\fB-e\fR
This option specifies that the username following
should be enabled in the local smbpasswd file,
if the account was previously disabled. If the account was not
disabled this option has no effect. Once the account is enabled then
the user will be able to authenticate via SMB once again.
If the smbpasswd file is in the 'old' format, then \fB smbpasswd\fR will prompt for a new password for this user,
otherwise the account will be enabled by removing the 'D'
flag from account control space in the \fI smbpasswd\fR file. See \fBsmbpasswd (5)\fR for
details on the 'old' and new password file formats.
This option is only available when running smbpasswd as root.
.TP
\fB-D debuglevel\fR
\fIdebuglevel\fR is an integer
from 0 to 10. The default value if this parameter is not specified
is zero.
The higher this value, the more detail will be logged to the
log files about the activities of smbpasswd. At level 0, only
critical errors and serious warnings will be logged.
Levels above 1 will generate considerable amounts of log
data, and should only be used when investigating a problem. Levels
above 3 are designed for use only by developers and generate
HUGE amounts of log data, most of which is extremely cryptic.
.TP
\fB-n\fR
This option specifies that the username following
should have their password set to null (i.e. a blank password) in
the local smbpasswd file. This is done by writing the string "NO
PASSWORD" as the first part of the first password stored in the
smbpasswd file.
Note that to allow users to logon to a Samba server once
the password has been set to "NO PASSWORD" in the smbpasswd
file the administrator must set the following parameter in the [global]
section of the \fIsmb.conf\fR file :
\fBnull passwords = yes\fR
This option is only available when running smbpasswd as
root.
.TP
\fB-r remote machine name\fR
This option allows a user to specify what machine
they wish to change their password on. Without this parameter
smbpasswd defaults to the local host. The \fIremote
machine name\fR is the NetBIOS name of the SMB/CIFS
server to contact to attempt the password change. This name is
resolved into an IP address using the standard name resolution
mechanism in all programs of the Samba suite. See the \fI-R
name resolve order\fR parameter for details on changing
this resolving mechanism.
The username whose password is changed is that of the
current UNIX logged on user. See the \fI-U username\fR
parameter for details on changing the password for a different
username.
Note that if changing a Windows NT Domain password the
remote machine specified must be the Primary Domain Controller for
the domain (Backup Domain Controllers only have a read-only
copy of the user account database and will not allow the password
change).
\fBNote\fR that Windows 95/98 do not have
a real password database so it is not possible to change passwords
specifying a Win95/98 machine as remote machine target.
.TP
\fB-R name resolve order\fR
This option allows the user of smbclient to determine
what name resolution services to use when looking up the NetBIOS
name of the host being connected to.
The options are :"lmhosts", "host", "wins" and "bcast". They cause
names to be resolved as follows :
.RS
.TP 0.2i
\(bu
lmhosts : Lookup an IP
address in the Samba lmhosts file. If the line in lmhosts has
no name type attached to the NetBIOS name (see the lmhosts(5) <URL:lmhosts.5.html> for details) then
any name type matches for lookup.
.TP 0.2i
\(bu
host : Do a standard host
name to IP address resolution, using the system \fI/etc/hosts
\fR, NIS, or DNS lookups. This method of name resolution
is operating system depended for instance on IRIX or Solaris this
may be controlled by the \fI/etc/nsswitch.conf\fR
file). Note that this method is only used if the NetBIOS name
type being queried is the 0x20 (server) name type, otherwise
it is ignored.
.TP 0.2i
\(bu
wins : Query a name with
the IP address listed in the \fIwins server\fR
parameter. If no WINS server has been specified this method
will be ignored.
.TP 0.2i
\(bu
bcast : Do a broadcast on
each of the known local interfaces listed in the
\fIinterfaces\fR parameter. This is the least
reliable of the name resolution methods as it depends on the
target host being on a locally connected subnet.
.RE
.PP
The default order is \fBlmhosts, host, wins, bcast\fR
and without this parameter or any entry in the
\fIsmb.conf\fR file the name resolution methods will
be attempted in this order.
.PP
.TP
\fB-m\fR
This option tells smbpasswd that the account
being changed is a MACHINE account. Currently this is used
when Samba is being used as an NT Primary Domain Controller.
This option is only available when running smbpasswd as root.
.TP
\fB-j DOMAIN\fR
This option is used to add a Samba server
into a Windows NT Domain, as a Domain member capable of authenticating
user accounts to any Domain Controller in the same way as a Windows
NT Server. See the \fBsecurity = domain\fR option in
the \fIsmb.conf(5)\fR man page.
In order to be used in this way, the Administrator for
the Windows NT Domain must have used the program "Server Manager
for Domains" to add the primary NetBIOS name of the Samba server
as a member of the Domain.
After this has been done, to join the Domain invoke \fB smbpasswd\fR with this parameter. smbpasswd will then
look up the Primary Domain Controller for the Domain (found in
the \fIsmb.conf\fR file in the parameter
\fIpassword server\fR and change the machine account
password used to create the secure Domain communication. This
password is then stored by smbpasswd in a TDB, writeable only by root,
called \fIsecrets.tdb\fR
Once this operation has been performed the \fI smb.conf\fR file may be updated to set the \fB security = domain\fR option and all future logins
to the Samba server will be authenticated to the Windows NT
PDC.
Note that even though the authentication is being
done to the PDC all users accessing the Samba server must still
have a valid UNIX account on that machine.
This option is only available when running smbpasswd as root.
.TP
\fB-U username\fR
This option may only be used in conjunction
with the \fI-r\fR option. When changing
a password on a remote machine it allows the user to specify
the user name on that machine whose password will be changed. It
is present to allow users who have different user names on
different systems to change these passwords.
.TP
\fB-h\fR
This option prints the help string for \fB smbpasswd\fR, selecting the correct one for running as root
or as an ordinary user.
.TP
\fB-s\fR
This option causes smbpasswd to be silent (i.e.
not issue prompts) and to read it's old and new passwords from
standard input, rather than from \fI/dev/tty\fR
(like the \fBpasswd(1)\fR program does). This option
is to aid people writing scripts to drive smbpasswd
.TP
\fBusername\fR
This specifies the username for all of the
\fBroot only\fR options to operate on. Only root
can specify this parameter as only root has the permission needed
to modify attributes directly in the local smbpasswd file.
.SH "NOTES"
.PP
Since \fBsmbpasswd\fR works in client-server
mode communicating with a local smbd for a non-root user then
the smbd daemon must be running for this to work. A common problem
is to add a restriction to the hosts that may access the \fB smbd\fR running on the local machine by specifying a
\fIallow hosts\fR or \fIdeny hosts\fR
entry in the \fIsmb.conf\fR file and neglecting to
allow "localhost" access to the smbd.
.PP
In addition, the smbpasswd command is only useful if Samba
has been set up to use encrypted passwords. See the file
\fIENCRYPTION.txt\fR in the docs directory for details
on how to do this.
.SH "VERSION"
.PP
This man page is correct for version 2.2 of
the Samba suite.
.SH "SEE ALSO"
.PP
\fIsmbpasswd(5)\fR <URL:smbpasswd.5.html>,
samba(7) <URL:samba.7.html>
.SH "AUTHOR"
.PP
The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.
.PP
The original Samba man pages were written by Karl Auer.
The man page sources were converted to YODL format (another
excellent piece of Open Source software, available at
ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the Samba 2.0
release by Jeremy Allison. The conversion to DocBook for
Samba 2.2 was done by Gerald Carter
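Review bot: In the new -j DOMAIN text the machine account password is described as stored in secrets.tdb "writeable only by root", whereas the text it replaces said the .mac file was "read only by root". The new wording no longer tells the reader that other users cannot read the file. Since it holds the machine account password used for the secure Domain communication, say explicitly that secrets.tdb is readable and writeable by root only. The same paragraph leaves "(found in the smb.conf file in the parameter password server" without a closing parenthesis, and "called secrets.tdb" has no full stop. In the -R host bullet, "operating system depended for instance on IRIX or Solaris" has lost the sentence break the old text had and keeps the unmatched ")" after "file". The -R description also still refers to "the user of smbclient" on the smbpasswd page. The conversion leaves literal "<URL:...>" markers in DESCRIPTION, the lmhosts bullet, SEE ALSO and AUTHOR, and a leading space inside "\fB smbpasswd\fR" and "\fI smb.conf\fR"; both will show in the rendered page. Smaller points: "with no options. smbpasswd will prompt" should use a comma, the -s text has "it's" for "its" and no final full stop, and the synopsis gives "-r <remote machine>" while the option heading reads "-r remote machine name".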