diff options
author | Gerald Carter <jerry@samba.org> | 2001-02-23 04:34:24 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2001-02-23 04:34:24 +0000 |
commit | b58b856db5c5c2583a4bbe24ab39726efefb18a6 (patch) | |
tree | 6bec93ee6bfb51723e3ad118621c7c8b6d1fdcab /docs | |
parent | ed77fca1990f96dba6fe9204e551056395c6ed29 (diff) | |
download | samba-b58b856db5c5c2583a4bbe24ab39726efefb18a6.tar.gz samba-b58b856db5c5c2583a4bbe24ab39726efefb18a6.tar.bz2 samba-b58b856db5c5c2583a4bbe24ab39726efefb18a6.zip |
more updates. Conversion almost done. 2 more man pages
(then all the ASCII stuff)
(This used to be commit 7247027e833616bfe9350253cc1e6cdb236b2cdf)
Diffstat (limited to 'docs')
-rw-r--r-- | docs/docbook/manpages/rpcclient.1.sgml | 303 | ||||
-rw-r--r-- | docs/docbook/manpages/smbcacls.1.sgml | 352 | ||||
-rw-r--r-- | docs/docbook/manpages/smbclient.1.sgml | 742 | ||||
-rw-r--r-- | docs/docbook/manpages/smbpasswd.5.sgml | 338 | ||||
-rw-r--r-- | docs/docbook/manpages/smbpasswd.8.sgml | 572 | ||||
-rw-r--r-- | docs/htmldocs/smbcacls.1.html | 531 | ||||
-rw-r--r-- | docs/htmldocs/smbpasswd.5.html | 521 | ||||
-rw-r--r-- | docs/htmldocs/smbpasswd.8.html | 917 | ||||
-rw-r--r-- | docs/manpages/smbcacls.1 | 369 | ||||
-rw-r--r-- | docs/manpages/smbpasswd.5 | 365 | ||||
-rw-r--r-- | docs/manpages/smbpasswd.8 | 607 |
11 files changed, 3539 insertions, 2078 deletions
diff --git a/docs/docbook/manpages/rpcclient.1.sgml b/docs/docbook/manpages/rpcclient.1.sgml index ce395305ea..ef3fb1454e 100644 --- a/docs/docbook/manpages/rpcclient.1.sgml +++ b/docs/docbook/manpages/rpcclient.1.sgml @@ -1,137 +1,270 @@ -Namerpcclient - developer's tool to testing client side MS-RPC functions Synopsisrpcclient[-d +<!-- + + I am looking for help to finish SGML. + +--> +<!-- manual page source format generated by PolyglotMan v3.0.9 + available via anonymous ftp from ftp.cs.berkeley.edu:/ucb/people/phelps/tcltk/rman.tar.Z --> + +<RefEntry ID="RPCCLIENT"."8"> +<RefMeta><RefEntryTitle>"RPCCLIENT"</RefEntryTitle><ManVolNum>"8"</ManVolNum></RefMeta> + +<RefNameDiv><Title>Name</Title>rpcclient </RefEntry><RefPurpose> developer's tool to testing client side MS-RPC functions </RefSect1> + +<RefSynopsisDiv><Title>Synopsis</Title><ItemizedList MARK=Bullet> +<Term><B>rpcclient</B></Term><ListItem><Para>[-d debuglevel] [-S server] [-l logbasename] [-n netbios name] [-N] [-m maxprotocol] [-I destIP] [-E] [-U username] [-W workgroup] [-c `command string`] [-t terminalcode] -[-i scope] [-O socket options] [-s smb.conf] Descriptionrpcclientis a utility +[-i scope] [-O socket options] [-s smb.conf] </Para></ListItem> +</ItemizedList> +</RefSect1> + +<RefSect1><Title>Description</Title><ItemizedList MARK=Bullet> +<Term><B>rpcclient</B></Term><ListItem><Para>is a utility for developers for executing various MS-RPC functions. It's primary use is for testing Samba's own MS-RPC server implementation, however many administrators have written scripts around it to manage Windows NT clients from their -UNIX workstation. Options --d debuglevelset the debuglevel. Debug level 0 is +UNIX workstation. </Para></ListItem> +</ItemizedList> +</RefSect1> + +<RefSect1><Title>Options</Title> + +<Para><ItemizedList MARK=Bullet> +<Term><B>-d debuglevel</B></Term><ListItem><Para>set the debuglevel. Debug level 0 is the lowest and 100 being the highest. This should be set to 100 if you are -planning on submitting a bug report to the Samba team (see BUGS.txt). -S -serverNetBIOS name of Server to which you wish to connect. The server can +planning on submitting a bug report to the Samba team (see BUGS.txt). </Para></ListItem> +<Term><B>-S +server</B></Term><ListItem><Para>NetBIOS name of Server to which you wish to connect. The server can be any SMB/CIFS server. The name is resolved using either the "name resolve - order = " line or by using the -R option. -l logbasenameFile name for log/debug + order = " line or by using the <B>-R</B> option. </Para></ListItem> +<Term><B>-l logbasename</B></Term><ListItem><Para>File name for log/debug files. .client will be appended. The log file is never removed by the client. --n netbios nameNetBIOS name of the local machine. This option is only needed +</Para></ListItem> +<Term><B>-n netbios name</B></Term><ListItem><Para>NetBIOS name of the local machine. This option is only needed if your Samba client cannot find it automatically. Samba should use the -uppercase of the machine's hostname. -Ntells rpcclient not to ask for a password. -rpcclient will prompt the user by default. -I destIPThe IP address of the -server specified with the -S option. Only needed when the server's NetBIOS +uppercase of the machine's hostname. </Para></ListItem> +<Term><B>-N</B></Term><ListItem><Para>tells rpcclient not to ask for a password. +rpcclient will prompt the user by default. </Para></ListItem> +<Term><B>-I destIP</B></Term><ListItem><Para>The IP address of the +server specified with the <B>-S</B> option. Only needed when the server's NetBIOS name cannot be resolved using WINS or broadcast and isn't found in the LMHOSTS -file. -Ecauses regedit to write messages to stderr instead of stdout. -U username[%pass]Sets +file. </Para></ListItem> +<Term><B>-E</B></Term><ListItem><Para>causes regedit to write messages to stderr instead of stdout. </Para></ListItem> +<Term><B>-U username[%pass]</B></Term><ListItem><Para>Sets the SMB username or username and password. If %pass is not specified, The user will be prompted. The client will first check the USER environment variable, then the LOGNAME variable and if either exist, the string is uppercased. Anything in these variables following a % sign will be treated as the password. If these environmental variables are not found, the username -GUEST is used. If the password is not included in these environment variables -(using the %pass syntax), rpcclient will look for a PASSWD environment -variable from which to read the password. A third option is to use a credentials -file which contains the plaintext of the username and password. This option +GUEST is used. </Para></ListItem> +<Term>If the password is not included in these environment variables +</Term><ListItem><Para>(using the %pass syntax), rpcclient will look for a PASSWD environment +variable from which to read the password. </Para></ListItem> +<Term>A third option is to use a credentials +file which contains </Term><ListItem><Para>the plaintext of the username and password. This option is mainly provided for scripts where the admin doesn't desire to pass the credentials on the command line or via environment variables. If this method is used, make certain that the permissions on the file restrict access -from unwanted users. See the -A for more details. Be cautious about including -passwords in scripts or in the CWPASSWD environment variable. Also, on many +from unwanted users. See the <B>-A</B> for more details. </Para></ListItem> +<Term>Be cautious about including +passwords in scripts or in the </Term><ListItem><Para>CWPASSWD environment variable. Also, on many systems the command line of a running process may be seen via the CWps command to be safe always allow smbclient to prompt for a password and -type it in directly. -A <filename>This option allows you to specify a file +type it in directly. </Para></ListItem> +<Term><B>-A <filename></B></Term><ListItem><Para>This option allows you to specify a file from which to read the username and password used in the connection. The -format of the file is CWusername = <value> -CWpassword = <value> -Make certain that the permissions on the file restrict access from unwanted -users. -W domainSet the SMB domain of the username. This overrides the default +format of the file is </Para></ListItem> +<Term>CWusername = <value> </Term><ListItem><Para><BR> +CWpassword = <value> <BR> +</Para></ListItem> +<Term>Make certain that the permissions on the file restrict access from </Term><ListItem><Para>unwanted +users. </Para></ListItem> +<Term><B>-W domain</B></Term><ListItem><Para>Set the SMB domain of the username. This overrides the default domain which is the domain of the server specified with the bt(-S) option. If the domain specified is the same as the server's NetBIOS name, it causes the client to log on using the server's local SAM (as opposed to the Domain -SAM). -Poperate in promptless mode. Without this mode (the default) rpcclient -displays a prompt of the form '[domain\username@host]$' -c 'command string'execute -semicolon separated commands (listed below)) -t terminalcodeThis tells the +SAM). </Para></ListItem> +<Term><B>-P</B></Term><ListItem><Para>operate in promptless mode. Without this mode (the default) rpcclient +displays a prompt of the form '[domain\username@host]$' </Para></ListItem> +<Term><B>-c 'command string'</B></Term><ListItem><Para>execute +semicolon separated commands (listed below)) </Para></ListItem> +<Term><B>-t terminalcode</B></Term><ListItem><Para>This tells the Samba client how to interpret the incoming filenames, in regards to character sets. The list here is not complete. For a complete list see your local Samba -source. Some valid options are sjis, euc, jis7, jis8, junet and hex. -O socket -optionsThese socket options are the same as in smb.conf (under the bt(socket -options = ) section). -s smb.confSpecifies the location of the all important -smb.conf file. -i scopeDefines the NetBIOS scope. For more information on NetBIOS -scopes, see rfc1001 and rfc1002. NetBIOS scopes are rarely used. -Commands -SPOOLSS -CommandsspoolenumExecute an EnumPrinters call. This lists the various installed +source. Some valid options are sjis, euc, jis7, jis8, junet and hex. </Para></ListItem> +<Term><B>-O socket +options</B></Term><ListItem><Para>These socket options are the same as in smb.conf (under the bt(socket +options = ) section). </Para></ListItem> +<Term><B>-s smb.conf</B></Term><ListItem><Para>Specifies the location of the all important +smb.conf file. </Para></ListItem> +<Term><B>-i scope</B></Term><ListItem><Para>Defines the NetBIOS scope. For more information on NetBIOS +scopes, see rfc1001 and rfc1002. NetBIOS scopes are rarely used. </Para></ListItem> +</ItemizedList> + + +<Para></RefSect1> + +<RefSect1><Title>Commands</Title> + +<Para><ItemizedList MARK=Bullet> +<Term><B>SPOOLSS +Commands</B></Term><ListItem><Para></Para></ListItem> +<Term>spoolenum</Term><ListItem><Para>Execute an EnumPrinters call. This lists the various installed and share printers. Refer to the MS Platform SDK documentation for more -details of the various flags and calling options. -spoolenumports <level>Executes +details of the various flags and calling options. </Para></ListItem> +</ItemizedList> + + +<Para><ItemizedList MARK=Bullet> +<Term>spoolenumports <level></Term><ListItem><Para>Executes an EnumPorts call using the specified info level. Currently only info level -1 and 2 are supported. -spoolenumdataEnumerate all printer setting data stored +1 and 2 are supported. </Para></ListItem> +</ItemizedList> + + +<Para><ItemizedList MARK=Bullet> +<Term>spoolenumdata</Term><ListItem><Para>Enumerate all printer setting data stored on the server. On Windows NT clients, these values are stored in the registry, while Samba servers store them in the printers TDB. This command corresponds -to the MS Platform SDK EnumPorts function. -spooljobs <printer>List the jobs +to the MS Platform SDK EnumPorts function. </Para></ListItem> +</ItemizedList> + + +<Para><ItemizedList MARK=Bullet> +<Term>spooljobs <printer></Term><ListItem><Para>List the jobs and status of a given printer. This command corresponds to the MS Platform -SDK EnumJobs function. -spoolopen <printer>Execute an OpenPrinterEx() and ClosePrinter() -RPC against a given printer. -spoolgetdataRetrive the data for a given printer -setting. See the spoolenumdata command for more information. This command -corresponds to the GetPrinterData() MS Platform SDK function. -spoolgetprinter -<printer>Retrieve the current printer information. This command sorresponds -to the GetPrinter() MS Platform SDK function. -spoolgetprinterdriver <printer>Retrive +SDK EnumJobs function. </Para></ListItem> +</ItemizedList> + + +<Para><ItemizedList MARK=Bullet> +<Term>spoolopen <printer></Term><ListItem><Para>Execute an OpenPrinterEx() and ClosePrinter() +RPC against a given printer. </Para></ListItem> +</ItemizedList> + + +<Para><ItemizedList MARK=Bullet> +<Term>spoolgetdata</Term><ListItem><Para>Retrive the data for a given printer +setting. See the <B>spoolenumdata</B> command for more information. This command +corresponds to the GetPrinterData() MS Platform SDK function. </Para></ListItem> +</ItemizedList> + + +<Para><ItemizedList MARK=Bullet> +<Term>spoolgetprinter +<printer></Term><ListItem><Para>Retrieve the current printer information. This command sorresponds +to the GetPrinter() MS Platform SDK function. </Para></ListItem> +</ItemizedList> + + +<Para><ItemizedList MARK=Bullet> +<Term>spoolgetprinterdriver <printer></Term><ListItem><Para>Retrive the printer driver information (such as driver file, config file, dependent files, etc...) for the given printer. This command corresponds to the GetPrinterDriver() -MS Platform SDK function. -spoolgetprinterdriverdir <arch>Execute a GetPrinterDriverDirectory() +MS Platform SDK function. </Para></ListItem> +</ItemizedList> + + +<Para><ItemizedList MARK=Bullet> +<Term>spoolgetprinterdriverdir <arch></Term><ListItem><Para>Execute a GetPrinterDriverDirectory() RPC to retreive the SMB share name and subdirectory for storing printer -driver files for a given architecture. Possible values for <arch> are "Windows +driver files for a given architecture. Possible values for <arch> are "Windows 4.0" (for Windows 95/98), "Windows NT x86", "Windows NT PowerPC", "Windows -Alpha_AXP", and "Windows NT R4000". - <drivername> <port>" .YODLTAGEND. Add a +Alpha_AXP", and "Windows NT R4000". </Para></ListItem> +</ItemizedList> + + +<Para> <drivername> <port>" .YODLTAGEND. Add a printer on the remote server. This printer will be automatically shared. Be aware that the printer driver must already be installed on the server -(see addprinterdriver) and the <port> must be a valid port name. -spooladdprinterdriver -<arch> <config>Execute an AddPrinterDriver() RPC to install the printer driver +(see <B>addprinterdriver</B>) and the <port> must be a valid port name. + +<Para><ItemizedList MARK=Bullet> +<Term>spooladdprinterdriver +<arch> <config></Term><ListItem><Para>Execute an AddPrinterDriver() RPC to install the printer driver information on the server. Note that the driver files should already exist -in the directort returned by spoolgetprinterdriverdir. Possible values -for <arch> are the same as those for the spooolgetprintedriverdir command. -The <config> parameter is defined as follows: -<Long Printer Name>:<Driver File -Name>:<Data File Name>:<Config File Name>:<Help File Name>:<Language Monitor Name>:<Default -Data Type>:<Comma Separated list of Files> -Any empty fields should be enter -as the string "NULL". -Samba does not need to support the concept of Print -Monitors since these only apply to local printers whose driver can make +in the directort returned by <B>spoolgetprinterdriverdir</B>. Possible values +for <arch> are the same as those for the <B>spooolgetprintedriverdir</B> command. +The <config> parameter is defined as follows: </Para></ListItem> +</ItemizedList> + + +<Para><ItemizedList MARK=Bullet> +<Term><Long Printer Name>:<Driver File +Name>:<Data File Name>:<Config File Name>:<Help File Name>:<Language Monitor Name>:<Default +Data Type>:<Comma Separated list of Files> </Term><ListItem><Para></Para></ListItem> +</ItemizedList> + + +<Para><ItemizedList MARK=Bullet> +<Term>Any empty fields should be enter +as the string "NULL". </Term><ListItem><Para></Para></ListItem> +</ItemizedList> + + +<Para><ItemizedList MARK=Bullet> +<Term>Samba does not need to support the concept of Print +Monitors </Term><ListItem><Para>since these only apply to local printers whose driver can make use of a bi-directional link for communication. This field should be "NULL". On a remote NT print server, the Print Monitor for a driver must already -be installed prior to adding the driver or else the RPC will fail. -General -CommandssetSet miscellaneous rpcclient command line options during a running - session. -useConnect to a rmeote SMB server. rpcclient has the ability to -maintain connections to multiple server simulaneously. -helpPrint a listing -of all known commands or extended help on a particular command. -quitExit -rpcclient. -Bugsrpcclient is designed as a developer testing tool and may +be installed prior to adding the driver or else the RPC will fail. </Para></ListItem> +</ItemizedList> + + +<Para><ItemizedList MARK=Bullet> +<Term><B>General +Commands</B></Term><ListItem><Para></Para></ListItem> +<Term>set</Term><ListItem><Para>Set miscellaneous rpcclient command line options during a running + session. </Para></ListItem> +</ItemizedList> + + +<Para><ItemizedList MARK=Bullet> +<Term>use</Term><ListItem><Para>Connect to a rmeote SMB server. <B>rpcclient</B> has the ability to +maintain connections to multiple server simulaneously. </Para></ListItem> +</ItemizedList> + + +<Para><ItemizedList MARK=Bullet> +<Term>help</Term><ListItem><Para>Print a listing +of all known commands or extended help on a particular command. </Para></ListItem> +</ItemizedList> + + +<Para><ItemizedList MARK=Bullet> +<Term>quit</Term><ListItem><Para>Exit +rpcclient. </Para></ListItem> +</ItemizedList> + + +<Para></RefSect1> + +<RefSect1><Title>Bugs</Title>rpcclient is designed as a developer testing tool and may not be robust in certain areas (such as command line parsing). It has been known to generate a core dump upon failures when invalid parameters where passed to the interpreter. -From Luke Leighton's original rpcclient man page: + +<Para>From Luke Leighton's original rpcclient man page: "WARNING! The MSRPC over SMB code has been developed from examining Network traces. No documentation is available from the original creators (Microsoft) on how MSRPC over SMB works, or how the individual MSRPC services work. Microsoft's implementation of these services has been demonstrated (and reported) to be... a bit flakey in places. -The development of Samba's implementation + +<Para>The development of Samba's implementation is also a bit rough, and as more of the services are understood, it can -even result in versions of smbd(8) and rpcclient that are incompatible +even result in versions of <B><Command>smbd(8)</B></Command> and rpcclient that are incompatible for some commands or services. Additionally, the developers are sending reports to Microsoft, and problems found or reported to Microsoft are fixed in Service Packs, which may result in incompatibilities." -See Alsosamba -(7) AuthorSamba is written by The Samba Team as Open Source. This man page -was written by Matthew Geddes, Luke Kenneth Casson, and Gerald Carter.
\ No newline at end of file + +<Para></RefSect1> + +<RefSect1><Title>See Also</Title><B><Command>samba +(7)</B></Command> </RefSect1> + +<RefSect1><Title>Author</Title>Samba is written by The Samba Team as Open Source. This man page +was written by Matthew Geddes, Luke Kenneth Casson, and Gerald Carter. </RefSect1> + +</RefEntry> diff --git a/docs/docbook/manpages/smbcacls.1.sgml b/docs/docbook/manpages/smbcacls.1.sgml index aaddf5c09c..9561099851 100644 --- a/docs/docbook/manpages/smbcacls.1.sgml +++ b/docs/docbook/manpages/smbcacls.1.sgml @@ -1,105 +1,255 @@ +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<refentry id="smbcacls"> -Namesmbcacls - Set or get ACLs on an NT file or directory -Synopsis -smbcacls -//server/share filename [-U username] [-A acls] [-M acls] [-D acls] [-S acls] - [-C name] [-G name] [-n] [-h] -Description -The smbcacls program manipulates -NT Access Control Lists (ACLs) on SMB file shares. -Options -The following -options are available to the smbcacls program. The format of ACLs is described -in the section ACL FORMAT --A aclsAdd the ACLs specified to the ACL list. - Existing access control entries are unchanged. -M aclsModify the mask value -(permissions) for the ACLs specified on the command line. An error will -be printed for each ACL specified that was not already present in the ACL -list. -D aclsDelete any ACLs specfied on the command line. An error will -be printed for each ACL specified that was not already present in the ACL -list. -S aclsThis command sets the ACLs on the file with only the ones specified -on the command line. All other ACLs are erased. Note that the ACL specified -must contain at least a revision, type, owner and group for the call to -succeed. -U usernameSpecifies a username used to connect to the specified -service. The username may be of the form CWusername in which case the user -is prompted to enter in a password and the workgroup specified in the smb.conf -file is used, or CWusername%password or CWDOMAIN\username%password and the -password and workgroup names are used as provided. -C nameThe owner of a -file or directory can be changed to the name given using the -C option. -The name can be a sid in the form CWS-1-x-y-z or a name resolved against the -server specified in the first argument. This command is a shortcut for CW-M -OWNER:name. -G nameThe group owner of a file or directory can be changed -to the name given using the -G option. The name can be a sid in the form -CWS-1-x-y-z or a name resolved against the server specified in the first argument. -This command is a shortcut for CW-M GROUP:name. -nThis option displays all -ACL information in numeric format. The default is to convert SIDs to names -and ACE types and masks to a readable string format. -hPrint usage information -on the smbcacls program -Acl Format -The format of an ACL is one or more ACL -entries separated by either commas or newlines. An ACL entry is one of -the following: +<refmeta> + <refentrytitle>smbcacls</refentrytitle> + <manvolnum>1</manvolnum> +</refmeta> - - -REVISION:<revision number> -OWNER:<sid or name> -GROUP:<sid or name> -ACL:<sid or name>:<type>/<flags>/<mask> - - - -The revision of the ACL specifies the internal Windows NT ACL revision -for the security descriptor. If not specified it defaults to 1. Using values -other than 1 may cause strange behaviour. -The owner and group specify the -owner and group sids for the object. If a SID in the format CWS-1-x-y-z is -specified this is used, otherwise the name specified is resolved using -the server on which the file or directory resides. -ACLs specify permissions -granted to the SID. This SID again can be specified in CWS-1-x-y-z format or -as a name in which case it is resolved against the server on which the -file or directory resides. The type, flags and mask values determine the -type of access granted to the SID. -The type can be either 0 or 1 corresponding -to ALLOWED or DENIED access to the SID. The flags values are generally -zero for file ACLs and either 9 or 2 for directory ACLs. Some common flags -are: +<refnamediv> + <refname>smbcacls</refname> + <refpurpose>Set or get ACLs on an NT file or directory names</refpurpose> +</refnamediv> + +<refsynopsisdiv> + <cmdsynopsis> + <command>nmblookup</command> + <arg choice="req">//server/share</arg> + <arg choice="req">filename</arg> + <arg choice="opt">-U username</arg> + <arg choice="opt">-A acls</arg> + <arg choice="opt">-M acls</arg> + <arg choice="opt">-D acls</arg> + <arg choice="opt">-S acls</arg> + <arg choice="opt">-C name</arg> + <arg choice="opt">-G name</arg> + <arg choice="opt">-n</arg> + <arg choice="opt">-h</arg> + </cmdsynopsis> +</refsynopsisdiv> + +<refsect1> + <title>DESCRIPTION</title> + + <para>This tool is part of the <ulink url="samba.7.html"> + Samba</ulink> suite.</para> + + <para>The smbcacls program manipulates NT Access Control Lists + (ACLs) on SMB file shares. </para> +</refsect1> + + +<refsect1> + <title>OPTIONS</title> + + <para>The following options are available to the smbcacls program. + The format of ACLs is described in the section ACL FORMAT </para> + + + <variablelist> + <varlistentry> + <term>-A acls</term> + <listitem><para>Add the ACLs specified to the ACL list. Existing + access control entries are unchanged. </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-M acls</term> + <listitem><para>Modify the mask value (permissions) for the ACLs + specified on the command line. An error will be printed for each + ACL specified that was not already present in the ACL list + </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-D acls</term> + <listitem><para>Delete any ACLs specfied on the command line. + An error will be printed for each ACL specified that was not + already present in the ACL list. </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-S acls</term> + <listitem><para>This command sets the ACLs on the file with + only the ones specified on the command line. All other ACLs are + erased. Note that the ACL specified must contain at least a revision, + type, owner and group for the call to succeed. </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-U username</term> + <listitem><para>Specifies a username used to connect to the + specified service. The username may be of the form "username" in + which case the user is prompted to enter in a password and the + workgroup specified in the <filename>smb.conf</filename> file is + used, or "username%password" or "DOMAIN\username%password" and the + password and workgroup names are used as provided. </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-C name</term> + <listitem><para>The owner of a file or directory can be changed + to the name given using the <parameter>-C</parameter> option. + The name can be a sid in the form S-1-x-y-z or a name resolved + against the server specified in the first argument. </para> + + <para>This command is a shortcut for -M OWNER:name. + </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-G name</term> + <listitem><para>The group owner of a file or directory can + be changed to the name given using the <parameter>-G</parameter> + option. The name can be a sid in the form S-1-x-y-z or a name + resolved against the server specified n the first argument. + </para> + + <para>This command is a shortcut for -M GROUP:name.</para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-n</term> + <listitem><para>This option displays all ACL information in numeric + format. The default is to convert SIDs to names and ACE types + and masks to a readable string format. </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-h</term> + <listitem><para>Print usage information on the <command>smbcacls + </command> program.</para></listitem> + </varlistentry> + </variablelist> +</refsect1> + + +<refsect1> + <title>ACL FORMAT</title> + + <para>The format of an ACL is one or more ACL entries separated by + either commas or newlines. An ACL entry is one of the following: </para> + + <para><programlisting> +REVISION:<revision number> +OWNER:<sid or name> +GROUP:<sid or name> +ACL:<sid or name>:<type>/<flags>/<mask> + </programlisting></para> + + + <para>The revision of the ACL specifies the internal Windows + NT ACL revision for the security descriptor. + If not specified it defaults to 1. Using values other than 1 may + cause strange behaviour. </para> + + <para>The owner and group specify the owner and group sids for the + object. If a SID in the format CWS-1-x-y-z is specified this is used, + otherwise the name specified is resolved using the server on which + the file or directory resides. </para> + + <para>ACLs specify permissions granted to the SID. This SID again + can be specified in CWS-1-x-y-z format or as a name in which case + it is resolved against the server on which the file or directory + resides. The type, flags and mask values determine the type of + access granted to the SID. </para> + + <para>The type can be either 0 or 1 corresponding to ALLOWED or + DENIED access to the SID. The flags values are generally + zero for file ACLs and either 9 or 2 for directory ACLs. Some + common flags are: </para> + + <itemizedlist> + <listitem><para>#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1</para></listitem> + <listitem><para>#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2</para></listitem> + <listitem><para>#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4 + </para></listitem> + <listitem><para>#define SEC_ACE_FLAG_INHERIT_ONLY 0x8</para> + </listitem> + </itemizedlist> + + <para>At present flags can only be specified as decimal or + hexadecimal values.</para> - -#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1 -#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2 -#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4 -#define SEC_ACE_FLAG_INHERIT_ONLY 0x8 - - - -At present flags can only be specified as decimal or hexadecimal values. - -The mask is a value which expresses the access right granted to the SID. -It can be given as a decimal or hexadecimal value, or by using one of the -following text strings which map to the NT file permissions of the same -name. -CWR Allow read access CWW Allow write access CWX Execute permission -on the object CWD Delete the object CWP Change permissions CWO Take ownership - -The following combined permissions can be specified: -CWREAD Equivalent -to CWRX permissions CWCHANGE Equivalent to CWRXWD permissions CWFULL - Equivalent to CWRWXDPO permissions -Exit Status -The smbcacls program sets -the exit status depending on the success or otherwise of the operations -performed. The exit status may be one of the following values. -If the operation -succeded, smbcacls returns and exit status of 0. If smbcacls couldn't connect -to the specified server, or there was an error getting or setting the ACLs, -an exit status of 1 is returned. If there was an error parsing any command -line arguments, an exit status of 2 is returned. -Author -The original Samba -software and related utilities were created by Andrew Tridgell. Samba is -now developed by the Samba Team as an Open Source project. -smbcacls was -written by Andrew Tridgell and Tim Potter.
\ No newline at end of file + <para>The mask is a value which expresses the access right + granted to the SID. It can be given as a decimal or hexadecimal value, + or by using one of the following text strings which map to the NT + file permissions of the same name. </para> + + <itemizedlist> + <listitem><para><emphasis>R</emphasis> - Allow read access </para></listitem> + <listitem><para><emphasis>W</emphasis> - Allow write access</para></listitem> + <listitem><para><emphasis>X</emphasis> - Execute permission on the object</para></listitem> + <listitem><para><emphasis>D</emphasis> - Delete the object</para></listitem> + <listitem><para><emphasis>P</emphasis> - Change permissions</para></listitem> + <listitem><para><emphasis>O</emphasis> - Take ownership</para></listitem> + </itemizedlist> + + + <para>The following combined permissions can be specified:</para> + + + <itemizedlist> + <listitem><para><emphasis>READ</emphasis> - Equivalent to 'RX' + permissions</para></listitem> + <listitem><para><emphasis>CHANGE</emphasis> - Equivalent to 'RXWD' permissions + </para></listitem> + <listitem><para><emphasis>FULL</emphasis> - Equivalent to 'RWXDPO' + permissions</para></listitem> + </itemizedlist> + </refsect1> + +<refsect1> + <title>EXIT STATUS</title> + + <para>The <command>smbcacls</command> program sets the exit status + depending on the success or otherwise of the operations performed. + The exit status may be one of the following values. </para> + + <para>If the operation succeded, smbcacls returns and exit + status of 0. If smbcacls couldn't connect to the specified server, + or there was an error getting or setting the ACLs, an exit status + of 1 is returned. If there was an error parsing any command line + arguments, an exit status of 2 is returned. </para> +</refsect1> + +<refsect1> + <title>VERSION</title> + + <para>This man page is correct for version 2.2 of + the Samba suite.</para> +</refsect1> + +<refsect1> + <title>AUTHOR</title> + + <para>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</para> + + <para><command>smbcacls</command> was written by Andrew Tridgell + and Tim Potter.</para> + + <para>The conversion to DocBook for Samba 2.2 was done + by Gerald Carter</para> +</refsect1> + +</refentry> diff --git a/docs/docbook/manpages/smbclient.1.sgml b/docs/docbook/manpages/smbclient.1.sgml index 314c815970..008a63bf08 100644 --- a/docs/docbook/manpages/smbclient.1.sgml +++ b/docs/docbook/manpages/smbclient.1.sgml @@ -1,408 +1,634 @@ +<!-- -Namesmbclient - ftp-like client to access SMB/CIFS resources on servers -Synopsis -smbclient + I am looking for help to finish SGML. + +--> +<!-- manual page source format generated by PolyglotMan v3.0.9 + available via anonymous ftp from ftp.cs.berkeley.edu:/ucb/people/phelps/tcltk/rman.tar.Z --> + +<RefEntry ID="smbclient."> +<RefMeta><RefEntryTitle>"smbclient</RefEntryTitle><ManVolNum>"</ManVolNum></RefMeta> + + + +<Para><RefNameDiv><Title>Name</Title>smbclient </RefEntry><RefPurpose> ftp-like client to access SMB/CIFS resources on servers + +<Para></RefSect1> + +<RefSynopsisDiv><Title>Synopsis</Title> + +<Para><B>smbclient</B> servicename [-s smb.conf] [-O socket options][-R name resolve order] [-M NetBIOS name] [-i scope] [-N] [-n NetBIOS name] [-d debuglevel] [-P] [-p port] [-l log basename] [-h] [-I dest IP] [-E] [-U username] [-L NetBIOS name] [-t terminal -code] [-m max protocol] [-b buffersize] [-W workgroup] [-T<c|x>IXFqgbNan] [-D directory] +code] [-m max protocol] [-b buffersize] [-W workgroup] [-T<c|x>IXFqgbNan] [-D directory] [-c command string] -Description -This program is part of the Samba suite. -smbclient + +<Para></RefSect1> + +<RefSect1><Title>Description</Title> + +<Para>This program is part of the <B>Samba</B> suite. + +<Para><B>smbclient</B> is a client that can 'talk' to an SMB/CIFS server. It offers an interface -similar to that of the ftp program (see ftp (1)). Operations include things +similar to that of the ftp program (see <B><Command>ftp (1)</B></Command>). Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on. -Options -servicenameservicename is the name of + +<Para></RefSect1> + +<RefSect1><Title>Options</Title> + +<Para><ItemizedList MARK=Bullet> +<Term><B>servicename</B></Term><ListItem><Para>servicename is the name of the service you want to use on the server. A service name takes the form -CW//server/service where server is the NetBIOS name of the SMB/CIFS server -offering the desired service and service is the name of the service offered. -Thus to connect to the service printer on the SMB/CIFS server smbserver, -you would use the servicename CW//smbserver/printer Note that the server -name required is NOT necessarily the IP (DNS) host name of the server ! +CW//server/service where <I>server</I> is the NetBIOS name of the SMB/CIFS server +offering the desired service and <I>service</I> is the name of the service offered. +Thus to connect to the service <I>printer</I> on the SMB/CIFS server <I>smbserver</I>, +you would use the servicename </Para></ListItem> +<Term>CW//smbserver/printer </Term><ListItem><Para></Para></ListItem> +<Term>Note that the server +name required is NOT necessarily the IP (DNS) </Term><ListItem><Para>host name of the server ! The name required is a NetBIOS server name, which may or may not be the -same as the IP hostname of the machine running the server. The server name -is looked up according to either the -R parameter to smbclient or using -the name resolve order parameter in the smb.conf file, allowing an administrator -to change the order and methods by which server names are looked up. passwordpassword +same as the IP hostname of the machine running the server. </Para></ListItem> +<Term>The server name +is looked up according to either the </Term><ListItem><Para><B>-R</B> parameter to <B>smbclient</B> or using +the <B>name resolve order</B> parameter in the smb.conf file, allowing an administrator +to change the order and methods by which server names are looked up. </Para></ListItem> +<Term><B>password</B></Term><ListItem><Para>password is the password required to access the specified service on the specified -server. If this parameter is supplied, the -N option (suppress password prompt) -is assumed. There is no default password. If no password is supplied on the -command line (either by using this parameter or adding a password to the --U option (see below)) and the -N option is not specified, the client will +server. If this parameter is supplied, the <B>-N</B> option (suppress password prompt) +is assumed. </Para></ListItem> +<Term>There is no default password. If no password is supplied on the +</Term><ListItem><Para>command line (either by using this parameter or adding a password to the +<B>-U</B> option (see below)) and the <B>-N</B> option is not specified, the client will prompt for a password, even if the desired service does not require one. (If no password is required, simply press ENTER to provide a null password.) -Note: Some servers (including OS/2 and Windows for Workgroups) insist on +</Para></ListItem> +<Term>Note: Some servers (including OS/2 and Windows for Workgroups) insist </Term><ListItem><Para>on an uppercase password. Lowercase or mixed case passwords may be rejected -by these servers. Be cautious about including passwords in scripts. -s smb.confThis +by these servers. </Para></ListItem> +<Term>Be cautious about including passwords in scripts. </Term><ListItem><Para></Para></ListItem> +<Term><B>-s smb.conf</B></Term><ListItem><Para>This parameter specifies the pathname to the Samba configuration file, smb.conf. This file controls all aspects of the Samba setup on the machine and smbclient -also needs to read this file. -O socket optionsTCP socket options to set -on the client socket. See the socket options parameter in the smb.conf (5) -manpage for the list of valid options. -R name resolve orderThis option allows +also needs to read this file. </Para></ListItem> +<Term><B>-O socket options</B></Term><ListItem><Para>TCP socket options to set +on the client socket. See the socket options parameter in the <B><Command>smb.conf (5)</B></Command> +manpage for the list of valid options. </Para></ListItem> +<Term><B>-R name resolve order</B></Term><ListItem><Para>This option allows the user of smbclient to determine what name resolution services to use -when looking up the NetBIOS name of the host being connected to. The options -are :"lmhosts", "host", "wins" and "bcast". They cause names to be resolved -as follows : olmhosts : Lookup an IP address in the Samba lmhosts file. -The lmhosts file is stored in the same directory as the smb.conf file. ohost +when looking up the NetBIOS name of the host being connected to. </Para></ListItem> +<Term>The options +are :"lmhosts", "host", "wins" and "bcast". They cause </Term><ListItem><Para>names to be resolved +as follows : </Para></ListItem> +<Term>o</Term><ListItem><Para><B>lmhosts</B> : Lookup an IP address in the Samba lmhosts file. +The lmhosts file is stored in the same directory as the <B>smb.conf</B> file. </Para></ListItem> +<Term>o</Term><ListItem><Para><B>host</B> : Do a standard host name to IP address resolution, using the system /etc/hosts, NIS, or DNS lookups. This method of name resolution is operating system depended for instance on IRIX or Solaris this may be controlled by the -/etc/nsswitch.conf file). owins : Query a name with the IP address listed -in the wins server parameter in the smb.conf file. If no WINS server has -been specified this method will be ignored. obcast : Do a broadcast on each -of the known local interfaces listed in the interfaces parameter in the +<I>/etc/nsswitch.conf</I> file). </Para></ListItem> +<Term>o</Term><ListItem><Para><B>wins</B> : Query a name with the IP address listed +in the <B>wins server</B> parameter in the smb.conf file. If no WINS server has +been specified this method will be ignored. </Para></ListItem> +<Term>o</Term><ListItem><Para><B>bcast</B> : Do a broadcast on each +of the known local interfaces listed in the <B>interfaces</B> parameter in the smb.conf file. This is the least reliable of the name resolution methods -as it depends on the target host being on a locally connected subnet. If -this parameter is not set then the name resolve order defined in the smb.conf -file parameter (name resolve order) will be used. The default order is -lmhosts, host, wins, bcast and without this parameter or any entry in the -"name resolve order" parameter of the smb.conf file the name resolution -methods will be attempted in this order. -M NetBIOS nameThis options allows +as it depends on the target host being on a locally connected subnet. </Para></ListItem> +<Term>If +this parameter is not set then the name resolve order defined </Term><ListItem><Para>in the <B>smb.conf</B> +file parameter (<B>name resolve order</B>) will be used. </Para></ListItem> +<Term>The default order is +lmhosts, host, wins, bcast and without this </Term><ListItem><Para>parameter or any entry in the +<B>"name resolve order"</B> parameter of the <B>smb.conf</B> file the name resolution +methods will be attempted in this order. </Para></ListItem> +<Term><B>-M NetBIOS name</B></Term><ListItem><Para>This options allows you to send messages, using the "WinPopup" protocol, to another computer. Once a connection is established you then type your message, pressing ^D -(control-D) to end. If the receiving computer is running WinPopup the user -will receive the message and probably a beep. If they are not running WinPopup -the message will be lost, and no error message will occur. The message is -also automatically truncated if the message is over 1600 bytes, as this -is the limit of the protocol. One useful trick is to cat the message through -smbclient. For example: CWcat mymessage.txt | smbclient -M FRED will send the -message in the file mymessage.txt to the machine FRED. You may also find -the -U and -I options useful, as they allow you to control the FROM and TO -parts of the message. See the message command parameter in the smb.conf (5) +(control-D) to end. </Para></ListItem> +<Term>If the receiving computer is running WinPopup the user +will receive </Term><ListItem><Para>the message and probably a beep. If they are not running WinPopup +the message will be lost, and no error message will occur. </Para></ListItem> +<Term>The message is +also automatically truncated if the message is over </Term><ListItem><Para>1600 bytes, as this +is the limit of the protocol. </Para></ListItem> +<Term>One useful trick is to cat the message through +<B>smbclient</B>. </Term><ListItem><Para>For example: </Para></ListItem> +<Term>CWcat mymessage.txt | smbclient -M FRED </Term><ListItem><Para></Para></ListItem> +<Term>will send the +message in the file <I>mymessage.txt</I> to the machine FRED. </Term><ListItem><Para></Para></ListItem> +<Term>You may also find +the <B>-U</B> and <B>-I</B> options useful, as they allow </Term><ListItem><Para>you to control the FROM and TO +parts of the message. </Para></ListItem> +<Term>See the <B>message command</B> </Term><ListItem><Para>parameter in the <B><Command>smb.conf (5)</B></Command> for a description of how to handle incoming WinPopup messages in Samba. -Note: Copy WinPopup into the startup group on your WfWg PCs if you want -them to always be able to receive messages. -i scopeThis specifies a NetBIOS +</Para></ListItem> +<Term>Note: Copy WinPopup into the startup group on your WfWg PCs if you </Term><ListItem><Para>want +them to always be able to receive messages. </Para></ListItem> +<Term><B>-i scope</B></Term><ListItem><Para>This specifies a NetBIOS scope that smbclient will use to communicate with when generating NetBIOS names. For details on the use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt. -NetBIOS scopes are very rarely used, only set this parameter if you are +NetBIOS scopes are <I>very</I> rarely used, only set this parameter if you are the system administrator in charge of all the NetBIOS systems you communicate -with. -NIf specified, this parameter suppresses the normal password prompt +with. </Para></ListItem> +<Term><B>-N</B></Term><ListItem><Para>If specified, this parameter suppresses the normal password prompt from the client to the user. This is useful when accessing a service that -does not require a password. Unless a password is specified on the command -line or this parameter is specified, the client will request a password. --n NetBIOS nameBy default, the client will use the local machine's hostname +does not require a password. </Para></ListItem> +<Term>Unless a password is specified on the command +line or this parameter </Term><ListItem><Para>is specified, the client will request a password. +</Para></ListItem> +<Term><B>-n NetBIOS name</B></Term><ListItem><Para>By default, the client will use the local machine's hostname (in uppercase) as its NetBIOS name. This parameter allows you to override -the host name and use whatever NetBIOS name you wish. -d debugleveldebuglevel -is an integer from 0 to 10, or the letter 'A'. The default value if this parameter -is not specified is zero. The higher this value, the more detail will be -logged to the log files about the activities of the client. At level 0, +the host name and use whatever NetBIOS name you wish. </Para></ListItem> +<Term><B>-d debuglevel</B></Term><ListItem><Para>debuglevel +is an integer from 0 to 10, or the letter 'A'. </Para></ListItem> +<Term>The default value if this parameter +is not specified is zero. </Term><ListItem><Para></Para></ListItem> +<Term>The higher this value, the more detail will be +logged to the log files </Term><ListItem><Para>about the activities of the client. At level 0, only critical errors and serious warnings will be logged. Level 1 is a reasonable level for day to day running - it generates a small amount of information -about operations carried out. Levels above 1 will generate considerable -amounts of log data, and should only be used when investigating a problem. +about operations carried out. </Para></ListItem> +<Term>Levels above 1 will generate considerable +amounts of log data, and </Term><ListItem><Para>should only be used when investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic. If debuglevel is -set to the letter 'A', then all debug messages will be printed. This setting -is for developers only (and people who really want to know how the code -works internally). Note that specifying this parameter here will override -the log level parameter in the smb.conf (5) file. -PThis option is no longer +set to the letter 'A', then <I>all</I> debug messages will be printed. This setting +is for developers only (and people who <I>really</I> want to know how the code +works internally). </Para></ListItem> +<Term>Note that specifying this parameter here will override +the <B>log </B></Term><ListItem><Para>level parameter in the <B><Command>smb.conf (5)</B></Command> file. </Para></ListItem> +<Term><B>-P</B></Term><ListItem><Para>This option is no longer used. The code in Samba2.0 now lets the server decide the device type, so -no printer specific flag is needed. -p portThis number is the TCP port number +no printer specific flag is needed. </Para></ListItem> +<Term><B>-p port</B></Term><ListItem><Para>This number is the TCP port number that will be used when making connections to the server. The standard (well-known) -TCP port number for an SMB/CIFS server is 139, which is the default. -l logfilenameIf +TCP port number for an SMB/CIFS server is 139, which is the default. </Para></ListItem> +<Term><B>-l logfilename</B></Term><ListItem><Para>If specified, logfilename specifies a base filename into which operational -data from the running client will be logged. The default base name is specified -at compile time. The base name is used to generate actual log file names. -For example, if the name specified was "log", the debug file would be CWlog.client. -The log file generated is never removed by the client. -hPrint the usage -message for the client. -I IP addressIP address is the address of the server -to connect to. It should be specified in standard "a.b.c.d" notation. Normally -the client would attempt to locate a named SMB/CIFS server by looking it -up via the NetBIOS name resolution mechanism described above in the name -resolve order parameter above. Using this parameter will force the client +data from the running client will be logged. </Para></ListItem> +<Term>The default base name is specified +at compile time. </Term><ListItem><Para></Para></ListItem> +<Term>The base name is used to generate actual log file names. +For example, </Term><ListItem><Para>if the name specified was "log", the debug file would be CWlog.client. +</Para></ListItem> +<Term>The log file generated is never removed by the client. </Term><ListItem><Para></Para></ListItem> +<Term><B>-h</B></Term><ListItem><Para>Print the usage +message for the client. </Para></ListItem> +<Term><B>-I IP address</B></Term><ListItem><Para>IP address is the address of the server +to connect to. It should be specified in standard "a.b.c.d" notation. </Para></ListItem> +<Term>Normally +the client would attempt to locate a named SMB/CIFS server by </Term><ListItem><Para>looking it +up via the NetBIOS name resolution mechanism described above in the <B>name +resolve order</B> parameter above. Using this parameter will force the client to assume that the server is on the machine with the specified IP address and the NetBIOS name component of the resource being connected to will -be ignored. There is no default for this parameter. If not supplied, it will -be determined automatically by the client as described above. -EThis parameter +be ignored. </Para></ListItem> +<Term>There is no default for this parameter. If not supplied, it will +be </Term><ListItem><Para>determined automatically by the client as described above. </Para></ListItem> +<Term><B>-E</B></Term><ListItem><Para>This parameter causes the client to write messages to the standard error stream (stderr) -rather than to the standard output stream. By default, the client writes -messages to standard output - typically the user's tty. -U usernameThis specifies +rather than to the standard output stream. </Para></ListItem> +<Term>By default, the client writes +messages to standard output - typically </Term><ListItem><Para>the user's tty. </Para></ListItem> +<Term><B>-U username</B></Term><ListItem><Para>This specifies the user name that will be used by the client to make a connection, assuming your server is not a downlevel server that is running a protocol level -that uses passwords on shares, not on usernames. Some servers are fussy -about the case of this name, and some insist that it must be a valid NetBIOS -name. If no username is supplied, it will default to an uppercase version -of the environment variable CWUSER or CWLOGNAME in that order. If no username +that uses passwords on shares, not on usernames. </Para></ListItem> +<Term>Some servers are fussy +about the case of this name, and some insist </Term><ListItem><Para>that it must be a valid NetBIOS +name. </Para></ListItem> +<Term>If no username is supplied, it will default to an uppercase version +of </Term><ListItem><Para>the environment variable CWUSER or CWLOGNAME in that order. If no username is supplied and neither environment variable exists the username "GUEST" -will be used. If the CWUSER environment variable contains a '%' character, -everything after that will be treated as a password. This allows you to +will be used. </Para></ListItem> +<Term>If the CWUSER environment variable contains a '%' character, +</Term><ListItem><Para>everything after that will be treated as a password. This allows you to set the environment variable to be CWUSER=username%password so that a password is not passed on the command line (where it may be seen by the ps command). -You can specify a domain name as part of the username by using a username -of the form "DOMAIN/user" or "DOMAIN\user". If the service you are connecting -to requires a password, it can be supplied using the -U option, by appending +</Para></ListItem> +<Term>You can specify a domain name as part of the username by using a </Term><ListItem><Para>username +of the form "DOMAIN/user" or "DOMAIN\user". </Para></ListItem> +<Term>If the service you are connecting +to requires a password, it can be </Term><ListItem><Para>supplied using the <B>-U</B> option, by appending a percent symbol ("%") then the password to username. For example, to attach to a service as user CW"fred" with password CW"secret", you would specify. - -CW-U fred%secret -on the command line. Note that there are no spaces around the percent symbol. -If you specify the password as part of username then the -N option (suppress -password prompt) is assumed. If you specify the password as a parameter -AND as part of username then the password as part of username will take + <BR> +</Para></ListItem> +<Term>CW-U fred%secret </Term><ListItem><Para><BR> +</Para></ListItem> +<Term>on the command line. Note that there are no spaces around the percent </Term><ListItem><Para>symbol. +</Para></ListItem> +<Term>If you specify the password as part of username then the <B>-N</B> option </Term><ListItem><Para>(suppress +password prompt) is assumed. </Para></ListItem> +<Term>If you specify the password as a parameter +<I>AND</I> as part of username </Term><ListItem><Para>then the password as part of username will take precedence. Putting nothing before or nothing after the percent symbol will -cause an empty username or an empty password to be used, respectively. The -password may also be specified by setting up an environment variable called +cause an empty username or an empty password to be used, respectively. </Para></ListItem> +<Term>The +password may also be specified by setting up an environment </Term><ListItem><Para>variable called CWPASSWD that contains the users password. Note that this may be very insecure on some systems but on others allows users to script smbclient commands without having a password appear in the command line of a process listing. -A third option is to use a credentials file which contains the plaintext +</Para></ListItem> +<Term>A third option is to use a credentials file which contains </Term><ListItem><Para>the plaintext of the username and password. This option is mainly provided for scripts where the admin doesn't desire to pass the credentials on the command line or via environment variables. If this method is used, make certain that the permissions on the file restrict access from unwanted users. See the --A for more details. Note: Some servers (including OS/2 and Windows for Workgroups) -insist on an uppercase password. Lowercase or mixed case passwords may be -rejected by these servers. Be cautious about including passwords in scripts -or in the CWPASSWD environment variable. Also, on many systems the command +<B>-A</B> for more details. </Para></ListItem> +<Term>Note: Some servers (including OS/2 and Windows for Workgroups) +insist </Term><ListItem><Para>on an uppercase password. Lowercase or mixed case passwords may be +rejected by these servers. </Para></ListItem> +<Term>Be cautious about including passwords in scripts +or in the </Term><ListItem><Para>CWPASSWD environment variable. Also, on many systems the command line of a running process may be seen via the CWps command to be safe always -allow smbclient to prompt for a password and type it in directly. -A <filename>This +allow smbclient to prompt for a password and type it in directly. </Para></ListItem> +<Term><B>-A <filename></B></Term><ListItem><Para>This option allows you to specify a file from which to read the username and -password used in the connection. The format of the file is CWusername = -<value> -CWpassword = <value -Make certain that the permissions on the file restrict access from unwanted -users. -LThis option allows you to look at what services are available on +password used in the connection. The format of the file is </Para></ListItem> +<Term>CWusername = +<value> </Term><ListItem><Para><BR> +CWpassword = <value <BR> +</Para></ListItem> +<Term>Make certain that the permissions on the file restrict access from </Term><ListItem><Para>unwanted +users. </Para></ListItem> +<Term><B>-L</B></Term><ListItem><Para>This option allows you to look at what services are available on a server. You use it as CW"smbclient -L host" and a list should appear. The --I option may be useful if your NetBIOS names don't match your tcp/ip dns -host names or if you are trying to reach a host on another network. -t terminal -codeThis option tells smbclient how to interpret filenames coming from +<B>-I</B> option may be useful if your NetBIOS names don't match your tcp/ip dns +host names or if you are trying to reach a host on another network. </Para></ListItem> +<Term><B>-t terminal +code</B></Term><ListItem><Para>This option tells smbclient how to interpret filenames coming from the remote server. Usually Asian language multibyte UNIX implementations -use different character sets than SMB/CIFS servers (EUC instead of SJIS +use different character sets than SMB/CIFS servers (<I>EUC</I> instead of <I>SJIS</I> for example). Setting this parameter will let smbclient convert between the UNIX filenames and the SMB filenames correctly. This option has not -been seriously tested and may have some problems. The terminal codes include -CWsjis, CWeuc, CWjis7, CWjis8, CWjunet, CWhex, CWcap. This is not a complete -list, check the Samba source code for the complete list. -m max protocol -levelWith the new code in Samba2.0, smbclient always attempts to connect +been seriously tested and may have some problems. </Para></ListItem> +<Term>The terminal codes include +CWsjis, CWeuc, CWjis7, CWjis8, </Term><ListItem><Para>CWjunet, CWhex, CWcap. This is not a complete +list, check the Samba source code for the complete list. </Para></ListItem> +<Term><B>-m max protocol +level</B></Term><ListItem><Para>With the new code in Samba2.0, <B>smbclient</B> always attempts to connect at the maximum protocols level the server supports. This parameter is preserved -for backwards compatibility, but any string following the -m will be ignored. --b buffersizeThis option changes the transmit/send buffer size when getting +for backwards compatibility, but any string following the <B>-m</B> will be ignored. +</Para></ListItem> +<Term><B>-b buffersize</B></Term><ListItem><Para>This option changes the transmit/send buffer size when getting or putting a file from/to the server. The default is 65520 bytes. Setting this value smaller (to 1200 bytes) has been observed to speed up file transfers -to and from a Win9x server. -W WORKGROUPOverride the default workgroup specified -in the workgroup parameter of the smb.conf file for this connection. This -may be needed to connect to some servers. -T tar optionssmbclient may be -used to create tar (1) compatible backups of all the files on an SMB/CIFS -share. The secondary tar flags that can be given to this option are : cCreate +to and from a Win9x server. </Para></ListItem> +<Term><B>-W WORKGROUP</B></Term><ListItem><Para>Override the default workgroup specified +in the <B>workgroup</B> parameter of the <B>smb.conf</B> file for this connection. This +may be needed to connect to some servers. </Para></ListItem> +<Term><B>-T tar options</B></Term><ListItem><Para>smbclient may be +used to create <B><Command>tar (1)</B></Command> compatible backups of all the files on an SMB/CIFS +share. The secondary tar flags that can be given to this option are : </Para></ListItem> +<Term><B>c</B></Term><ListItem><Para>Create a tar file on UNIX. Must be followed by the name of a tar file, tape device or CW"-" for standard output. If using standard output you must turn the log level to its lowest value CW-d0 to avoid corrupting your tar file. This -flag is mutually exclusive with the x flag. xExtract (restore) a local tar -file back to a share. Unless the -D option is given, the tar files will be +flag is mutually exclusive with the <B>x</B> flag. </Para></ListItem> +<Term><B>x</B></Term><ListItem><Para>Extract (restore) a local tar +file back to a share. Unless the <B>-D</B> option is given, the tar files will be restored from the top level of the share. Must be followed by the name of the tar file, device or CW"-" for standard input. Mutually exclusive with -the c flag. Restored files have their creation times (mtime) set to the +the <B>c</B> flag. Restored files have their creation times (mtime) set to the date saved in the tar file. Directories currently do not get their creation -dates restored properly. IInclude files and directories. Is the default behavior +dates restored properly. </Para></ListItem> +<Term><B>I</B></Term><ListItem><Para>Include files and directories. Is the default behavior when filenames are specified above. Causes tar files to be included in an extract or create (and therefore everything else to be excluded). See example -below. Filename globbing works in one of two ways. See r below. XExclude +below. Filename globbing works in one of two ways. See <B>r</B> below. </Para></ListItem> +<Term><B>X</B></Term><ListItem><Para>Exclude files and directories. Causes tar files to be excluded from an extract or create. See example below. Filename globbing works in one of two ways now. -See r below. bBlocksize. Must be followed by a valid (greater than zero) +See <B>r</B> below. </Para></ListItem> +<Term><B>b</B></Term><ListItem><Para>Blocksize. Must be followed by a valid (greater than zero) blocksize. Causes tar file to be written out in blocksize*TBLOCK (usually -512 byte) blocks. gIncremental. Only back up files that have the archive -bit set. Useful only with the c flag. qQuiet. Keeps tar from printing diagnostics -as it works. This is the same as tarmode quiet. rRegular expression include +512 byte) blocks. </Para></ListItem> +<Term><B>g</B></Term><ListItem><Para>Incremental. Only back up files that have the archive +bit set. Useful only with the <B>c</B> flag. </Para></ListItem> +<Term><B>q</B></Term><ListItem><Para>Quiet. Keeps tar from printing diagnostics +as it works. This is the same as tarmode quiet. </Para></ListItem> +<Term><B>r</B></Term><ListItem><Para>Regular expression include or exclude. Uses regular regular expression matching for excluding or excluding files if compiled with HAVE_REGEX_H. However this mode can be very slow. If not compiled with HAVE_REGEX_H, does a limited wildcard match -on * and ?. NNewer than. Must be followed by the name of a file whose date +on * and ?. </Para></ListItem> +<Term><B>N</B></Term><ListItem><Para>Newer than. Must be followed by the name of a file whose date is compared against files found on the share during a create. Only files newer than the file specified are backed up to the tar file. Useful only -with the c flag. aSet archive bit. Causes the archive bit to be reset when -a file is backed up. Useful with the g and c flags. Tar Long File Names smbclient's -tar option now supports long file names both on backup and restore. However, +with the <B>c</B> flag. </Para></ListItem> +<Term><B>a</B></Term><ListItem><Para>Set archive bit. Causes the archive bit to be reset when +a file is backed up. Useful with the <B>g</B> and <B>c</B> flags. </Para></ListItem> +<Term><I>Tar Long File Names</I> </Term><ListItem><Para></Para></ListItem> +<Term>smbclient's +tar option now supports long file names both on backup and </Term><ListItem><Para>restore. However, the full path name of the file must be less than 1024 bytes. Also, when a tar archive is created, smbclient's tar option places all files in the -archive with relative names, not absolute names. Tar Filenames All file -names can be given as DOS path names (with CW\ as the component separator) -or as UNIX path names (with CW/ as the component separator). Examples oRestore -from tar file backup.tar into myshare on mypc (no password on share). CWsmbclient -//mypc/myshare "" -N -Tx backup.tar oRestore everything except users/docs -CWsmbclient //mypc/myshare "" -N -TXx backup.tar users/docs oCreate a tar -file of the files beneath users/docs. CWsmbclient //mypc/myshare "" -N -Tc -backup.tar users/docs oCreate the same tar file as above, but now use a -DOS path name. CWsmbclient //mypc/myshare "" -N -tc backup.tar users\edocs oCreate -a tar file of all the files and directories in the share. CWsmbclient //mypc/myshare -"" -N -Tc backup.tar * -D initial directoryChange to initial directory before -starting. Probably only of any use with the tar -T option. -c command stringcommand +archive with relative names, not absolute names. </Para></ListItem> +<Term><I>Tar Filenames</I> </Term><ListItem><Para></Para></ListItem> +<Term>All file +names can be given as DOS path names (with CW\ as the </Term><ListItem><Para>component separator) +or as UNIX path names (with CW/ as the component separator). </Para></ListItem> +<Term><I>Examples</I> </Term><ListItem><Para></Para></ListItem> +<Term>o</Term><ListItem><Para>Restore +from tar file backup.tar into myshare on mypc (no password on share). </Para></ListItem> +<Term>CWsmbclient +//mypc/myshare "" -N -Tx backup.tar </Term><ListItem><Para></Para></ListItem> +<Term>o</Term><ListItem><Para>Restore everything except users/docs +</Para></ListItem> +<Term>CWsmbclient //mypc/myshare "" -N -TXx backup.tar users/docs </Term><ListItem><Para></Para></ListItem> +<Term>o</Term><ListItem><Para>Create a tar +file of the files beneath users/docs. </Para></ListItem> +<Term>CWsmbclient //mypc/myshare "" -N -Tc +backup.tar users/docs </Term><ListItem><Para></Para></ListItem> +<Term>o</Term><ListItem><Para>Create the same tar file as above, but now use a +DOS path name. </Para></ListItem> +<Term>CWsmbclient //mypc/myshare "" -N -tc backup.tar users\edocs </Term><ListItem><Para></Para></ListItem> +<Term>o</Term><ListItem><Para>Create +a tar file of all the files and directories in the share. </Para></ListItem> +<Term>CWsmbclient //mypc/myshare +"" -N -Tc backup.tar * </Term><ListItem><Para></Para></ListItem> +<Term><B>-D initial directory</B></Term><ListItem><Para>Change to initial directory before +starting. Probably only of any use with the tar <B>-T</B> option. </Para></ListItem> +<Term><B>-c command string</B></Term><ListItem><Para>command string is a semicolon separated list of commands to be executed instead -of prompting from stdin. -N is implied by -c. This is particularly useful in -scripts and for printing stdin to the server, e.g. CW-c 'print -'. -Operations -Once +of prompting from stdin. <B>-N</B> is implied by <B>-c</B>. </Para></ListItem> +<Term>This is particularly useful in +scripts and for printing stdin to the </Term><ListItem><Para>server, e.g. CW-c 'print -'. </Para></ListItem> +</ItemizedList> + + +<Para></RefSect1> + +<RefSect1><Title>Operations</Title> + +<Para>Once the client is running, the user is presented with a prompt : -CWsmb:\> -The -backslash ("\") indicates the current working directory on the server, and -will change if the current working directory is changed. -The prompt indicates + +<Para>CWsmb:\> + +<Para>The +backslash ("\") <ItemizedList MARK=Bullet> +<Term>indicates the current working directory on the </Term><ListItem><Para>server, and +will change if the current working directory is changed. </Para></ListItem> +</ItemizedList> + + +<Para>The prompt indicates that the client is ready and waiting to carry out a user command. Each command is a single word, optionally followed by parameters specific to that command. Command and parameters are space-delimited unless these notes specifically state otherwise. All commands are case-insensitive. Parameters to commands may or may not be case sensitive, depending on the command. -You can specify + +<Para>You can specify file names which have spaces in them by quoting the name with double quotes, for example "a long file name". -Parameters shown in square brackets (e.g., + +<Para>Parameters shown in square brackets (e.g., "[parameter]") are optional. If not given, the command will use suitable -defaults. Parameters shown in angle brackets (e.g., "<parameter>") are required. +defaults. Parameters shown in angle brackets (e.g., "<parameter>") are required. + -Note that all commands operating on the server are actually performed by +<Para>Note that all commands operating on the server are actually performed by issuing a request to the server. Thus the behavior may vary from server to server, depending on how the server was implemented. -The commands available + +<Para>The commands available are given here in alphabetical order. -? [command]If "command" is specified, -the ? command will display a brief informative message about the specified + +<Para><ItemizedList MARK=Bullet> +<Term><B>? [command]</B></Term><ListItem><Para>If "command" is specified, +the <B>?</B> command will display a brief informative message about the specified command. If no command is specified, a list of available commands will -be displayed. ! [shell command]If "shell command" is specified, the ! command +be displayed. </Para></ListItem> +<Term><B>! [shell command]</B></Term><ListItem><Para>If "shell command" is specified, the <B>!</B> command will execute a shell locally and run the specified shell command. If no -command is specified, a local shell will be run. cd [directory name]If "directory +command is specified, a local shell will be run. </Para></ListItem> +<Term><B>cd [directory name]</B></Term><ListItem><Para>If "directory name" is specified, the current working directory on the server will be changed to the directory specified. This operation will fail if for any -reason the specified directory is inaccessible. If no directory name is -specified, the current working directory on the server will be reported. -del <mask>The client will request that the server attempt to delete all files -matching "mask" from the current working directory on the server. dir <mask>A +reason the specified directory is inaccessible. </Para></ListItem> +<Term>If no directory name is +specified, the current working directory on </Term><ListItem><Para>the server will be reported. +</Para></ListItem> +<Term><B>del <mask></B></Term><ListItem><Para>The client will request that the server attempt to delete all files +matching "mask" from the current working directory on the server. </Para></ListItem> +<Term><B>dir <mask></B></Term><ListItem><Para>A list of the files matching "mask" in the current working directory on the -server will be retrieved from the server and displayed. exitTerminate the -connection with the server and exit from the program. get <remote file name> -[local file name]Copy the file called "remote file name" from the server +server will be retrieved from the server and displayed. </Para></ListItem> +<Term><B>exit</B></Term><ListItem><Para>Terminate the +connection with the server and exit from the program. </Para></ListItem> +<Term><B>get <remote file name> +[local file name]</B></Term><ListItem><Para>Copy the file called "remote file name" from the server to the machine running the client. If specified, name the local copy "local file name". Note that all transfers in smbclient are binary. See also the -lowercase command. help [command]See the ? command above. lcd [directory -name]If "directory name" is specified, the current working directory on +<B>lowercase</B> command. </Para></ListItem> +<Term><B>help [command]</B></Term><ListItem><Para>See the <B>?</B> command above. </Para></ListItem> +<Term><B>lcd [directory +name]</B></Term><ListItem><Para>If "directory name" is specified, the current working directory on the local machine will be changed to the directory specified. This operation -will fail if for any reason the specified directory is inaccessible. If -no directory name is specified, the name of the current working directory -on the local machine will be reported. lowercaseToggle lowercasing of filenames -for the get and mget commands. When lowercasing is toggled ON, local filenames -are converted to lowercase when using the get and mget commands. This is +will fail if for any reason the specified directory is inaccessible. </Para></ListItem> +<Term>If +no directory name is specified, the name of the current working </Term><ListItem><Para>directory +on the local machine will be reported. </Para></ListItem> +<Term><B>lowercase</B></Term><ListItem><Para>Toggle lowercasing of filenames +for the <B>get</B> and <B>mget</B> commands. </Para></ListItem> +<Term>When lowercasing is toggled ON, local filenames +are converted to </Term><ListItem><Para>lowercase when using the <B>get</B> and <B>mget</B> commands. This is often useful when copying (say) MSDOS files from a server, because lowercase -filenames are the norm on UNIX systems. ls <mask>See the dir command above. -mask <mask>This command allows the user to set up a mask which will be used -during recursive operation of the mget and mput commands. The masks specified -to the mget and mput commands act as filters for directories rather than -files when recursion is toggled ON. The mask specified with the .B mask command -is necessary to filter files within those directories. For example, if the -mask specified in an mget command is "source*" and the mask specified with -the mask command is "*.c" and recursion is toggled ON, the mget command +filenames are the norm on UNIX systems. </Para></ListItem> +<Term><B>ls <mask></B></Term><ListItem><Para>See the <B>dir</B> command above. +</Para></ListItem> +<Term><B>mask <mask></B></Term><ListItem><Para>This command allows the user to set up a mask which will be used +during recursive operation of the <B>mget</B> and <B>mput</B> commands. </Para></ListItem> +<Term>The masks specified +to the <B>mget</B> and </Term><ListItem><Para><B>mput</B> commands act as filters for directories rather than +files when recursion is toggled ON. </Para></ListItem> +<Term>The mask specified with the .B mask command +is necessary to filter </Term><ListItem><Para>files within those directories. For example, if the +mask specified in an <B>mget</B> command is "source*" and the mask specified with +the mask command is "*.c" and recursion is toggled ON, the <B>mget</B> command will retrieve all files matching "*.c" in all directories below and including -all directories matching "source*" in the current working directory. Note -that the value for mask defaults to blank (equivalent to "*") and remains +all directories matching "source*" in the current working directory. </Para></ListItem> +<Term>Note +that the value for mask defaults to blank (equivalent to "*") and </Term><ListItem><Para>remains so until the mask command is used to change it. It retains the most recently specified value indefinitely. To avoid unexpected results it would be wise -to change the value of .I mask back to "*" after using the mget or mput -commands. md <directory name>See the mkdir command. mget <mask>Copy all files -matching mask from the server to the machine running the client. Note that -mask is interpreted differently during recursive operation and non-recursive -operation - refer to the recurse and mask commands for more information. -Note that all transfers in .B smbclient are binary. See also the lowercase -command. mkdir <directory name>Create a new directory on the server (user -access privileges permitting) with the specified name. mput <mask>Copy all +to change the value of .I mask back to "*" after using the <B>mget</B> or <B>mput</B> +commands. </Para></ListItem> +<Term><B>md <directory name></B></Term><ListItem><Para>See the <B>mkdir</B> command. </Para></ListItem> +<Term><B>mget <mask></B></Term><ListItem><Para>Copy all files +matching mask from the server to the machine running the client. </Para></ListItem> +<Term>Note that +mask is interpreted differently during recursive operation </Term><ListItem><Para>and non-recursive +operation - refer to the <B>recurse</B> and <B>mask</B> commands for more information. +Note that all transfers in .B smbclient are binary. See also the <B>lowercase</B> +command. </Para></ListItem> +<Term><B>mkdir <directory name></B></Term><ListItem><Para>Create a new directory on the server (user +access privileges permitting) with the specified name. </Para></ListItem> +<Term><B>mput <mask></B></Term><ListItem><Para>Copy all files matching mask in the current working directory on the local machine -to the current working directory on the server. Note that mask is interpreted -differently during recursive operation and non-recursive operation - refer -to the recurse and mask commands for more information. Note that all transfers -in .B smbclient are binary. print <file name>Print the specified file from -the local machine through a printable service on the server. See also the -printmode command. printmode <graphics or text>Set the print mode to suit +to the current working directory on the server. </Para></ListItem> +<Term>Note that mask is interpreted +differently during recursive operation </Term><ListItem><Para>and non-recursive operation - refer +to the <B>recurse</B> and <B>mask</B> commands for more information. Note that all transfers +in .B smbclient are binary. </Para></ListItem> +<Term><B>print <file name></B></Term><ListItem><Para>Print the specified file from +the local machine through a printable service on the server. </Para></ListItem> +<Term>See also the +<B>printmode</B> command. </Term><ListItem><Para></Para></ListItem> +<Term><B>printmode <graphics or text></B></Term><ListItem><Para>Set the print mode to suit either binary data (such as graphical information) or text. Subsequent print -commands will use the currently set print mode. promptToggle prompting for -filenames during operation of the mget and mput commands. When toggled ON, -the user will be prompted to confirm the transfer of each file during these +commands will use the currently set print mode. </Para></ListItem> +<Term><B>prompt</B></Term><ListItem><Para>Toggle prompting for +filenames during operation of the <B>mget</B> and <B>mput</B> commands. </Para></ListItem> +<Term>When toggled ON, +the user will be prompted to confirm the transfer of </Term><ListItem><Para>each file during these commands. When toggled OFF, all specified files will be transferred without -prompting. put <local file name> [remote file name]Copy the file called "local +prompting. </Para></ListItem> +<Term><B>put <local file name> [remote file name]</B></Term><ListItem><Para>Copy the file called "local file name" from the machine running the client to the server. If specified, name the remote copy "remote file name". Note that all transfers in smbclient -are binary. See also the lowercase command. queueDisplays the print queue, -showing the job id, name, size and current status. quitSee the exit command. -rd <directory name>See the rmdir command. recurseToggle directory recursion -for the commands mget and mput. When toggled ON, these commands will process -all directories in the source directory (i.e., the directory they are copying +are binary. See also the <B>lowercase</B> command. </Para></ListItem> +<Term><B>queue</B></Term><ListItem><Para>Displays the print queue, +showing the job id, name, size and current status. </Para></ListItem> +<Term><B>quit</B></Term><ListItem><Para>See the <B>exit</B> command. +</Para></ListItem> +<Term><B>rd <directory name></B></Term><ListItem><Para>See the <B>rmdir</B> command. </Para></ListItem> +<Term><B>recurse</B></Term><ListItem><Para>Toggle directory recursion +for the commands <B>mget</B> and <B>mput</B>. </Para></ListItem> +<Term>When toggled ON, these commands will process +all directories in the </Term><ListItem><Para>source directory (i.e., the directory they are copying .IR from ) and will recurse into any that match the mask specified to the -command. Only files that match the mask specified using the mask command -will be retrieved. See also the mask command. When recursion is toggled OFF, -only files from the current working directory on the source machine that -match the mask specified to the mget or mput commands will be copied, and -any mask specified using the mask command will be ignored. rm <mask>Remove +command. Only files that match the mask specified using the <B>mask</B> command +will be retrieved. See also the <B>mask</B> command. </Para></ListItem> +<Term>When recursion is toggled OFF, +only files from the current working </Term><ListItem><Para>directory on the source machine that +match the mask specified to the <B>mget</B> or <B>mput</B> commands will be copied, and +any mask specified using the <B>mask</B> command will be ignored. </Para></ListItem> +<Term><B>rm <mask></B></Term><ListItem><Para>Remove all files matching mask from the current working directory on the server. -rmdir <directory name>Remove the specified directory (user access privileges -permitting) from the server. tar <c|x>[IXbgNa]Performs a tar operation - see -the -T command line option above. Behavior may be affected by the tarmode +</Para></ListItem> +<Term><B>rmdir <directory name></B></Term><ListItem><Para>Remove the specified directory (user access privileges +permitting) from the server. </Para></ListItem> +<Term><B>tar <c|x>[IXbgNa]</B></Term><ListItem><Para>Performs a tar operation - see +the <B>-T</B> command line option above. Behavior may be affected by the <B>tarmode</B> command (see below). Using g (incremental) and N (newer) will affect tarmode settings. Note that using the "-" option with tar x may not work - use the -command line option instead. blocksize <blocksize>Blocksize. Must be followed +command line option instead. </Para></ListItem> +<Term><B>blocksize <blocksize></B></Term><ListItem><Para>Blocksize. Must be followed by a valid (greater than zero) blocksize. Causes tar file to be written -out in blocksize*TBLOCK (usually 512 byte) blocks. tarmode <full|inc|reset|noreset>Changes +out in blocksize*TBLOCK (usually 512 byte) blocks. </Para></ListItem> +<Term><B>tarmode <full|inc|reset|noreset></B></Term><ListItem><Para>Changes tar's behavior with regard to archive bits. In full mode, tar will back up everything regardless of the archive bit setting (this is the default mode). In incremental mode, tar will only back up files with the archive bit set. In reset mode, tar will reset the archive bit on all files it backs up -(implies read/write share). setmode <filename> <perm=[+|\-]rsha>A version of the -DOS attrib command to set file permissions. For example: CWsetmode myfile -+r would make myfile read only. -Notes -Some servers are fussy about the case +(implies read/write share). </Para></ListItem> +<Term><B>setmode <filename> <perm=[+|\-]rsha></B></Term><ListItem><Para>A version of the +DOS attrib command to set file permissions. For example: </Para></ListItem> +<Term>CWsetmode myfile ++r </Term><ListItem><Para></Para></ListItem> +<Term>would make myfile read only. </Term><ListItem><Para></Para></ListItem> +</ItemizedList> + + +<Para></RefSect1> + +<RefSect1><Title>Notes</Title> + +<Para>Some servers are fussy about the case of supplied usernames, passwords, share names (AKA service names) and machine -names. If you fail to connect try giving all parameters in uppercase. -It -is often necessary to use the -n option when connecting to some types of +names. <ItemizedList MARK=Bullet> +<Term>If you </Term><ListItem><Para>fail to connect try giving all parameters in uppercase. </Para></ListItem> +</ItemizedList> + + +<Para>It +is often necessary to use the <B>-n</B> option when connecting to some types of servers. For example OS/2 LanManager insists on a valid NetBIOS name being used, so you need to supply a valid name that would be known to the server. -smbclient supports long file names where the server supports the LANMAN2 + +<Para>smbclient supports long file names where the server supports the LANMAN2 protocol or above. -Environment Variables -The variable USER may contain the + +<Para></RefSect1> + +<RefSect1><Title>Environment Variables</Title> + +<Para>The variable <B>USER</B> may contain the username of the person using the client. This information is used only if the protocol level is high enough to support session-level passwords. -The variable PASSWD may contain the password of the person using the client. + +<Para>The variable <B>PASSWD</B> may contain the password of the person using the client. This information is used only if the protocol level is high enough to support session-level passwords. -Installation -The location of the client program + +<Para></RefSect1> + +<RefSect1><Title>Installation</Title> + +<Para>The location of the client program is a matter for individual system administrators. The following are thus suggestions only. -It is recommended that the smbclient software be installed + +<Para>It is recommended that the smbclient software be installed in the /usr/local/samba/bin or /usr/samba/bin directory, this directory readable by all, writeable only by root. The client program itself should -be executable by all. The client should NOT be setuid or setgid! -The client +be executable by all. The client should <I>NOT</I> be setuid or setgid! + +<Para>The client log files should be put in a directory readable and writeable only by the user. -To test the client, you will need to know the name of a running SMB/CIFS -server. It is possible to run smbd (8) an ordinary user - running that server + +<Para>To test the client, you will need to know the name of a running SMB/CIFS +server. It is possible to run <B><Command>smbd (8)</B></Command> an ordinary user - running that server as a daemon on a user-accessible port (typically any port number over 1024) would provide a suitable test server. -Diagnostics -Most diagnostics issued + +<Para></RefSect1> + +<RefSect1><Title>Diagnostics</Title> + +<Para>Most diagnostics issued by the client are logged in a specified log file. The log file name is specified at compile time, but may be overridden on the command line. -The number and + +<Para>The number and nature of diagnostics available depends on the debug level used by the client. If you have problems, set the debug level to 3 and peruse the log files. -Version -This man page is correct for version 2.0 of the Samba suite. -Author -The original Samba software and related utilities were created by -Andrew Tridgell samba@samba.org. Samba is now developed by the Samba Team +<Para></RefSect1> + +<RefSect1><Title>Version</Title> + +<Para>This man page is correct for version 2.0 of the Samba suite. + + +<Para></RefSect1> + +<RefSect1><Title>Author</Title> + +<Para>The original Samba software and related utilities were created by +Andrew Tridgell <I>samba@samba.org</I>. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed. -The original Samba man pages were written by Karl Auer. The man page sources + +<Para>The original Samba man pages were written by Karl Auer. The man page sources were converted to YODL format (another excellent piece of Open Source software, -available at ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba2.0 -release by Jeremy Allison. samba@samba.org. -See samba (7) to find out how +available at <B>ftp://ftp.icce.rug.nl/pub/unix/</B>) and updated for the Samba2.0 +release by Jeremy Allison. <I>samba@samba.org</I>. + +<Para>See <B><Command>samba (7)</B></Command> to find out how to get a full list of contributors and details on how to submit bug reports, -comments etc.
\ No newline at end of file +comments etc. </RefSect1> + +</RefEntry> diff --git a/docs/docbook/manpages/smbpasswd.5.sgml b/docs/docbook/manpages/smbpasswd.5.sgml index 95495000f3..0e8a704c50 100644 --- a/docs/docbook/manpages/smbpasswd.5.sgml +++ b/docs/docbook/manpages/smbpasswd.5.sgml @@ -1,136 +1,204 @@ +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<refentry id="smbpasswd"> -Namesmbpasswd - The Samba encrypted password file -Synopsis -smbpasswd is the -Samba encrypted password file. -Description -This file is part of the Samba -suite. -smbpasswd is the Samba encrypted password file. It contains the username, -Unix user id and the SMB hashed passwords of the user, as well as account -flag information and the time the password was last changed. This file format -has been evolving with Samba and has had several different formats in the -past. -File Format -The format of the smbpasswd file used by Samba 2.0 is very -similar to the familiar Unix passwd (5) file. It is an ASCII file containing -one line for each user. Each field within each line is separated from the -next by a colon. Any entry beginning with # is ignored. The smbpasswd file -contains the following information for each user: -name - -This is the user name. It must be a name that already exists in the standard -UNIX passwd file. uid - -This is the UNIX uid. It must match the uid field for the same user entry -in the standard UNIX passwd file. If this does not match then Samba will -refuse to recognize this smbpasswd file entry as being valid for a user. -Lanman Password Hash - -This is the LANMAN hash of the users password, encoded as 32 hex digits. -The LANMAN hash is created by DES encrypting a well known string with the -users password as the DES key. This is the same password used by Windows -95/98 machines. Note that this password hash is regarded as weak as it is -vulnerable to dictionary attacks and if two users choose the same password -this entry will be identical (i.e. the password is not "salted" as the UNIX -password is). If the user has a null password this field will contain the -characters CW"NO PASSWORD" as the start of the hex string. If the hex string -is equal to 32 CW'X' characters then the users account is marked as disabled -and the user will not be able to log onto the Samba server. WARNING !!. Note -that, due to the challenge-response nature of the SMB/CIFS authentication -protocol, anyone with a knowledge of this password hash will be able to -impersonate the user on the network. For this reason these hashes are known -as "plain text equivalent" and must NOT be made available to anyone but -the root user. To protect these passwords the smbpasswd file is placed in -a directory with read and traverse access only to the root user and the -smbpasswd file itself must be set to be read/write only by root, with no -other access. NT Password Hash - -This is the Windows NT hash of the users password, encoded as 32 hex digits. -The Windows NT hash is created by taking the users password as represented -in 16-bit, little-endian UNICODE and then applying the MD4 (internet rfc1321) -hashing algorithm to it. This password hash is considered more secure than -the Lanman Password Hash as it preserves the case of the password and uses -a much higher quality hashing algorithm. However, it is still the case that -if two users choose the same password this entry will be identical (i.e. -the password is not "salted" as the UNIX password is). WARNING !!. Note that, -due to the challenge-response nature of the SMB/CIFS authentication protocol, -anyone with a knowledge of this password hash will be able to impersonate -the user on the network. For this reason these hashes are known as "plain -text equivalent" and must NOT be made available to anyone but the root -user. To protect these passwords the smbpasswd file is placed in a directory -with read and traverse access only to the root user and the smbpasswd file -itself must be set to be read/write only by root, with no other access. -Account Flags - -This section contains flags that describe the attributes of the users account. -In the Samba2.0 release this field is bracketed by CW'[' and CW']' characters -and is always 13 characters in length (including the CW'[' and CW']' characters). -The contents of this field may be any of the characters. o'U' This means this -is a "User" account, i.e. an ordinary user. Only User and Workstation Trust -accounts are currently supported in the smbpasswd file. o'N' This means the -account has no password (the passwords in the fields Lanman Password Hash -and NT Password Hash are ignored). Note that this will only allow users -to log on with no password if the null passwords parameter is set in the -smb.conf (5) config file. o'D' This means the account is disabled and no SMB/CIFS -logins will be allowed for this user. o'W' This means this account is a "Workstation -Trust" account. This kind of account is used in the Samba PDC code stream -to allow Windows NT Workstations and Servers to join a Domain hosted by -a Samba PDC. Other flags may be added as the code is extended in future. -The rest of this field space is filled in with spaces. Last Change Time - -This field consists of the time the account was last modified. It consists -of the characters CWLCT- (standing for "Last Change Time") followed by a -numeric encoding of the UNIX time in seconds since the epoch (1970) that -the last change was made. Following fields - -All other colon separated fields are ignored at this time. -Notes -In previous -versions of Samba (notably the 1.9.18 series) this file did not contain the -Account Flags or Last Change Time fields. The Samba 2.0 code will read and -write these older password files but will not be able to modify the old -entries to add the new fields. New entries added with smbpasswd (8) will -contain the new fields in the added accounts however. Thus an older smbpasswd -file used with Samba 2.0 may end up with some accounts containing the new -fields and some not. -In order to convert from an old-style smbpasswd file -to a new style, run the script convert_smbpasswd, installed in the Samba -CWbin/ directory (the same place that the smbd and nmbd binaries are installed) -as follows: - - - - - - cat old_smbpasswd_file | convert_smbpasswd > new_smbpasswd_file - - - - - -The convert_smbpasswd script reads from stdin and writes to stdout so -as not to overwrite any files by accident. -Once this script has been run, -check the contents of the new smbpasswd file to ensure that it has not -been damaged by the conversion script (which uses awk), and then replace -the CW<old smbpasswd file> with the CW<new smbpasswd file>. -Version -This man -page is correct for version 2.0 of the Samba suite. -See Also -smbpasswd (8), -samba (7), and the Internet RFC1321 for details on the MD4 algorithm. -Author -The -original Samba software and related utilities were created by Andrew Tridgell -samba@samba.org. Samba is now developed by the Samba Team as an Open Source -project similar to the way the Linux kernel is developed. -The original Samba -man pages were written by Karl Auer. The man page sources were converted -to YODL format (another excellent piece of Open Source software, available -at ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba2.0 release by -Jeremy Allison, samba@samba.org. -See samba (7) to find out how to get a full -list of contributors and details on how to submit bug reports, comments -etc.
\ No newline at end of file +<refmeta> + <refentrytitle>smbpasswd</refentrytitle> + <manvolnum>5</manvolnum> +</refmeta> + + +<refnamediv> + <refname>smbpasswd</refname> + <refpurpose>The Samba encrypted password file</refpurpose> +</refnamediv> + +<refsynopsisdiv> + <para><filename>smbpasswd</filename></para> +</refsynopsisdiv> + +<refsect1> + <title>DESCRIPTION</title> + + <para>This tool is part of the <ulink url="samba.7.html"> + Samba</ulink> suite.</para> + + <para>smbpasswd is the Samba encrypted password file. It contains + the username, Unix user id and the SMB hashed passwords of the + user, as well as account flag information and the time the + password was last changed. This file format has been evolving with + Samba and has had several different formats in the past. </para> +</refsect1> + +<refsect1> + <title>FILE FORMAT</title> + + <para>The format of the smbpasswd file used by Samba 2.2 + is very similar to the familiar Unix <filename>passwd(5)</filename> + file. It is an ASCII file containing one line for each user. Each field + ithin each line is separated from the next by a colon. Any entry + beginning with '#' is ignored. The smbpasswd file contains the + following information for each user: </para> + + <variablelist> + <varlistentry> + <term>name</term> + <listitem><para> This is the user name. It must be a name that + already exists in the standard UNIX passwd file. </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>uid</term> + <listitem><para>This is the UNIX uid. It must match the uid + field for the same user entry in the standard UNIX passwd file. + If this does not match then Samba will refuse to recognize + this smbpasswd file entry as being valid for a user. + </para></listitem> + </varlistentry> + + + <varlistentry> + <term>Lanman Password Hash</term> + <listitem><para>This is the LANMAN hash of the users password, + encoded as 32 hex digits. The LANMAN hash is created by DES + encrypting a well known string with the users password as the + DES key. This is the same password used by Windows 95/98 machines. + Note that this password hash is regarded as weak as it is + vulnerable to dictionary attacks and if two users choose the + same password this entry will be identical (i.e. the password + is not "salted" as the UNIX password is). If the user has a + null password this field will contain the characters "NO PASSWORD" + as the start of the hex string. If the hex string is equal to + 32 'X' characters then the users account is marked as + <constant>disabled</constant> and the user will not be able to + log onto the Samba server. </para> + + <para><emphasis>WARNING !!</emphasis> Note that, due to + the challenge-response nature of the SMB/CIFS authentication + protocol, anyone with a knowledge of this password hash will + be able to impersonate the user on the network. For this + reason these hashes are known as <emphasis>plain text + equivalents</emphasis> and must <emphasis>NOT</emphasis> be made + available to anyone but the root user. To protect these passwords + the smbpasswd file is placed in a directory with read and + traverse access only to the root user and the smbpasswd file + itself must be set to be read/write only by root, with no + other access. </para></listitem> + </varlistentry> + + + <varlistentry> + <term>NT Password Hash</term> + <listitem><para>This is the Windows NT hash of the users + password, encoded as 32 hex digits. The Windows NT hash is + created by taking the users password as represented in + 16-bit, little-endian UNICODE and then applying the MD4 + (internet rfc1321) hashing algorithm to it. </para> + + <para>This password hash is considered more secure than + the Lanman Password Hash as it preserves the case of the + password and uses a much higher quality hashing algorithm. + However, it is still the case that if two users choose the same + password this entry will be identical (i.e. the password is + not "salted" as the UNIX password is). </para> + + <para><emphasis>WARNING !!</emphasis>. Note that, due to + the challenge-response nature of the SMB/CIFS authentication + protocol, anyone with a knowledge of this password hash will + be able to impersonate the user on the network. For this + reason these hashes are known as <emphasis>plain text + equivalents</emphasis> and must <emphasis>NOT</emphasis> be made + available to anyone but the root user. To protect these passwords + the smbpasswd file is placed in a directory with read and + traverse access only to the root user and the smbpasswd file + itself must be set to be read/write only by root, with no + other access. </para></listitem> + </varlistentry> + + + <varlistentry> + <term>Account Flags</term> + <listitem><para>This section contains flags that describe + the attributes of the users account. In the Samba 2.2 release + this field is bracketed by '[' and ']' characters and is always + 13 characters in length (including the '[' and ']' characters). + The contents of this field may be any of the characters. + </para> + + <itemizedlist> + <listitem><para><emphasis>U</emphasis> - This means + this is a "User" account, i.e. an ordinary user. Only User + and Workstation Trust accounts are currently supported + in the smbpasswd file. </para></listitem> + + <listitem><para><emphasis>N</emphasis> - This means the + account has no password (the passwords in the fields Lanman + Password Hash and NT Password Hash are ignored). Note that this + will only allow users to log on with no password if the <parameter> + null passwords</parameter> parameter is set in the <ulink + url="smb.conf.5.html#NULLPASSWORDS"><filename>smb.conf(5) + </filename></ulink> config file. </para></listitem> + + <listitem><para><emphasis>D</emphasis> - This means the account + is disabled and no SMB/CIFS logins will be allowed for + this user. </para></listitem> + + <listitem><para><emphasis>W</emphasis> - This means this account + is a "Workstation Trust" account. This kind of account is used + in the Samba PDC code stream to allow Windows NT Workstations + and Servers to join a Domain hosted by a Samba PDC. </para> + </listitem> + </itemizedlist> + + <para>Other flags may be added as the code is extended in future. + The rest of this field space is filled in with spaces. </para> + </listitem> + </varlistentry> + + + <varlistentry> + <term>Last Change Time</term> + <listitem><para>This field consists of the time the account was + last modified. It consists of the characters 'LCT-' (standing for + "Last Change Time") followed by a numeric encoding of the UNIX time + in seconds since the epoch (1970) that the last change was made. + </para></listitem> + </varlistentry> + </variablelist> + + <para>All other colon separated fields are ignored at this time.</para> +</refsect1> + +<refsect1> + <title>VERSION</title> + + <para>This man page is correct for version 2.2 of + the Samba suite.</para> +</refsect1> + +<refsect1> + <title>SEE ALSO</title> + <para><ulink url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink>, + <ulink url="samba.7.html">samba(7)</ulink>, and + the Internet RFC1321 for details on the MD4 algorithm. + </para> +</refsect1> + +<refsect1> + <title>AUTHOR</title> + + <para>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</para> + + <para>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <ulink url="ftp://ftp.icce.rug.nl/pub/unix/"> + ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</para> +</refsect1> + +</refentry> diff --git a/docs/docbook/manpages/smbpasswd.8.sgml b/docs/docbook/manpages/smbpasswd.8.sgml index 15cb6ffff1..7f7783425a 100644 --- a/docs/docbook/manpages/smbpasswd.8.sgml +++ b/docs/docbook/manpages/smbpasswd.8.sgml @@ -1,165 +1,409 @@ +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<refentry id="smbpasswd"> -Namesmbpasswd - change a users SMB password -Synopsis -smbpasswd [-a] [-x] [-d] -[-e] [-D debug level] [-n] [-r remote_machine] [-R name resolve order] [-m] [-j -DOMAIN] [-U username] [-h] [-s] username -Description -This program is part of -the Samba suite. -The smbpasswd program has several different functions, -depending on whether it is run by the root user or not. When run as a normal -user it allows the user to change the password used for their SMB sessions -on any machines that store SMB passwords. -By default (when run with no arguments) -it will attempt to change the current users SMB password on the local machine. -This is similar to the way the passwd (1) program works. smbpasswd differs -from how the passwd program works however in that it is not setuid root -but works in a client-server mode and communicates with a locally running -smbd. As a consequence in order for this to succeed the smbd daemon must -be running on the local machine. On a UNIX machine the encrypted SMB passwords -are usually stored in the smbpasswd (5) file. -When run by an ordinary user -with no options. smbpasswd will prompt them for their old smb password and -then ask them for their new password twice, to ensure that the new password -was typed correctly. No passwords will be echoed on the screen whilst being -typed. If you have a blank smb password (specified by the string "NO PASSWORD" -in the smbpasswd file) then just press the <Enter> key when asked for your -old password. -smbpasswd can also be used by a normal user to change their -SMB password on remote machines, such as Windows NT Primary Domain Controllers. -See the (-r) and -U options below. -When run by root, smbpasswd allows new -users to be added and deleted in the smbpasswd file, as well as allows -changes to the attributes of the user in this file to be made. When run -by root, smbpasswd accesses the local smbpasswd file directly, thus enabling -changes to be made even if smbd is not running. -Options --aThis option specifies -that the username following should be added to the local smbpasswd file, -with the new password typed (type <Enter> for the old password). This option -is ignored if the username following already exists in the smbpasswd file -and it is treated like a regular change password command. Note that the -user to be added must already exist in the system password file (usually -/etc/passwd) else the request to add the user will fail. This option is -only available when running smbpasswd as root. -xThis option specifies that -the username following should be deleted from the local smbpasswd file. -This option is only available when running smbpasswd as root. -dThis option -specifies that the username following should be disabled in the local smbpasswd -file. This is done by writing a 'D' flag into the account control space in -the smbpasswd file. Once this is done all attempts to authenticate via SMB -using this username will fail. If the smbpasswd file is in the 'old' format -(pre-Samba 2.0 format) there is no space in the users password entry to write -this information and so the user is disabled by writing 'X' characters into -the password space in the smbpasswd file. See smbpasswd (5) for details -on the 'old' and new password file formats. This option is only available -when running smbpasswd as root. -eThis option specifies that the username -following should be enabled in the local smbpasswd file, if the account -was previously disabled. If the account was not disabled this option has -no effect. Once the account is enabled then the user will be able to authenticate -via SMB once again. If the smbpasswd file is in the 'old' format then smbpasswd -will prompt for a new password for this user, otherwise the account will -be enabled by removing the 'D' flag from account control space in the smbpasswd -file. See smbpasswd (5) for details on the 'old' and new password file formats. -This option is only available when running smbpasswd as root. -D debugleveldebuglevel -is an integer from 0 to 10. The default value if this parameter is not -specified is zero. The higher this value, the more detail will be logged -to the log files about the activities of smbpasswd. At level 0, only critical -errors and serious warnings will be logged. Levels above 1 will generate -considerable amounts of log data, and should only be used when investigating -a problem. Levels above 3 are designed for use only by developers and generate -HUGE amounts of log data, most of which is extremely cryptic. -nThis option -specifies that the username following should have their password set to -null (i.e. a blank password) in the local smbpasswd file. This is done by -writing the string "NO PASSWORD" as the first part of the first password -stored in the smbpasswd file. Note that to allow users to logon to a Samba -server once the password has been set to "NO PASSWORD" in the smbpasswd -file the administrator must set the following parameter in the [global] -section of the smb.conf file : null passwords = true This option is only -available when running smbpasswd as root. -r remote machine nameThis option -allows a user to specify what machine they wish to change their password -on. Without this parameter smbpasswd defaults to the local host. The "remote -machine name" is the NetBIOS name of the SMB/CIFS server to contact to -attempt the password change. This name is resolved into an IP address using -the standard name resolution mechanism in all programs of the Samba suite. -See the -R name resolve order parameter for details on changing this resolving -mechanism. The username whose password is changed is that of the current -UNIX logged on user. See the -U username parameter for details on changing -the password for a different username. Note that if changing a Windows NT -Domain password the remote machine specified must be the Primary Domain -Controller for the domain (Backup Domain Controllers only have a read-only -copy of the user account database and will not allow the password change). -Note that Windows 95/98 do not have a real password database so it is not -possible to change passwords specifying a Win95/98 machine as remote machine -target. -R name resolve orderThis option allows the user of smbclient to -determine what name resolution services to use when looking up the NetBIOS -name of the host being connected to. The options are :"lmhosts", "host", -"wins" and "bcast". They cause names to be resolved as follows : olmhosts -: Lookup an IP address in the Samba lmhosts file. ohost : Do a standard -host name to IP address resolution, using the system /etc/hosts, NIS, or -DNS lookups. This method of name resolution is operating system dependent. -For instance on IRIX or Solaris, this may be controlled by the /etc/nsswitch.conf -file). owins : Query a name with the IP address listed in the wins server -parameter in the smb.conf file. If no WINS server has been specified this -method will be ignored. obcast : Do a broadcast on each of the known local -interfaces listed in the interfaces parameter in the smb.conf file. This -is the least reliable of the name resolution methods as it depends on the -target host being on a locally connected subnet. If this parameter is not -set then the name resolve order defined in the smb.conf file parameter -name resolve order will be used. The default order is lmhosts, host, wins, -bcast and without this parameter or any entry in the smb.conf file the -name resolution methods will be attempted in this order. -mThis option tells -smbpasswd that the account being changed is a MACHINE account. Currently -this is used when Samba is being used as an NT Primary Domain Controller. -PDC support is not a supported feature in Samba2.0 but will become supported -in a later release. If you wish to know more about using Samba as an NT -PDC then please subscribe to the mailing list samba-ntdom@samba.org. This -option is only available when running smbpasswd as root. -j DOMAINThis option -is used to add a Samba server into a Windows NT Domain, as a Domain member -capable of authenticating user accounts to any Domain Controller in the -same way as a Windows NT Server. See the security=domain option in the smb.conf -(5) man page. In order to be used in this way, the Administrator for the -Windows NT Domain must have used the program "Server Manager for Domains" -to add the primary NetBIOS name of the Samba server as a member of the -Domain. After this has been done, to join the Domain invoke smbpasswd with -this parameter. smbpasswd will then look up the Primary Domain Controller -for the Domain (found in the smb.conf file in the parameter password server -and change the machine account password used to create the secure Domain -communication. This password is then stored by smbpasswd in a file, read -only by root, called CW<Domain>.<Machine>.mac where CW<Domain> is the name of the -Domain we are joining and CW<Machine> is the primary NetBIOS name of the -machine we are running on. Once this operation has been performed the smb.conf -file may be updated to set the security=domain option and all future logins -to the Samba server will be authenticated to the Windows NT PDC. Note that -even though the authentication is being done to the PDC all users accessing -the Samba server must still have a valid UNIX account on that machine. This -option is only available when running smbpasswd as root. -U usernameThis -option may only be used in conjunction with the -r option. When changing -a password on a remote machine it allows the user to specify the user name -on that machine whose password will be changed. It is present to allow users -who have different user names on different systems to change these passwords. --hThis option prints the help string for smbpasswd, selecting the correct -one for running as root or as an ordinary user. -sThis option causes smbpasswd -to be silent (i.e. not issue prompts) and to read it's old and new passwords -from standard input, rather than from CW/dev/tty (like the passwd (1) -program does). This option is to aid people writing scripts to drive smbpasswd -usernameThis specifies the username for all of the root only options to -operate on. Only root can specify this parameter as only root has the permission -needed to modify attributes directly in the local smbpasswd file. NotesSince -smbpasswd works in client-server mode communicating with a local smbd for -a non-root user then the smbd daemon must be running for this to work. A -common problem is to add a restriction to the hosts that may access the -smbd running on the local machine by specifying a "allow hosts" or "deny -hosts" entry in the smb.conf file and neglecting to allow "localhost" access -to the smbd. In addition, the smbpasswd command is only useful if Samba -has been set up to use encrypted passwords. See the file ENCRYPTION.txt in -the docs directory for details on how to do this. VersionThis man page is -correct for version 2.0 of the Samba suite. AuthorThe original Samba software -and related utilities were created by Andrew Tridgell samba@samba.org. Samba -is now developed by the Samba Team as an Open Source project similar to -the way the Linux kernel is developed. The original Samba man pages were -written by Karl Auer. The man page sources were converted to YODL format -(another excellent piece of Open Source software, available at ftp://ftp.icce.rug.nl/pub/unix/) -and updated for the Samba2.0 release by Jeremy Allison. samba@samba.org. See -samba (7) to find out how to get a full list of contributors and details -on how to submit bug reports, comments etc.
\ No newline at end of file +<refmeta> + <refentrytitle>smbpasswd</refentrytitle> + <manvolnum>8</manvolnum> +</refmeta> + + +<refnamediv> + <refname>smbpasswd</refname> + <refpurpose>change a users SMB password</refpurpose> +</refnamediv> + +<refsynopsisdiv> + <cmdsynopsis> + <command>smbpasswd</command> + <arg choice="opt">-a</arg> + <arg choice="opt">-x</arg> + <arg choice="opt">-d</arg> + <arg choice="opt">-e</arg> + <arg choice="opt">-D debuglevel</arg> + <arg choice="opt">-n</arg> + <arg choice="opt">-r <remote machine></arg> + <arg choice="opt">-R <name resolve order></arg> + <arg choice="opt">-m</arg> + <arg choice="opt">-j DOMAIN</arg> + <arg choice="opt">-U username</arg> + <arg choice="opt">-h</arg> + <arg choice="opt">-s</arg> + <arg choice="opt">username</arg> + </cmdsynopsis> +</refsynopsisdiv> + +<refsect1> + <title>DESCRIPTION</title> + + <para>This tool is part of the <ulink url="samba.7.html"> + Samba</ulink> suite.</para> + + <para>The smbpasswd program has several different + functions, depending on whether it is run by the <emphasis>root</emphasis> + user or not. When run as a normal user it allows the user to change + the password used for their SMB sessions on any machines that store + SMB passwords. </para> + + <para>By default (when run with no arguments) it will attempt to + change the current users SMB password on the local machine. This is + similar to the way the <command>passwd(1)</command> program works. + <command>smbpasswd</command> differs from how the passwd program works + however in that it is not <emphasis>setuid root</emphasis> but works in + a client-server mode and communicates with a locally running + <command>smbd(8)</command>. As a consequence in order for this to + succeed the smbd daemon must be running on the local machine. On a + UNIX machine the encrypted SMB passwords are usually stored in + the <filename>smbpasswd(5)</filename> file. </para> + + <para>When run by an ordinary user with no options. smbpasswd + will prompt them for their old smb password and then ask them + for their new password twice, to ensure that the new password + was typed correctly. No passwords will be echoed on the screen + whilst being typed. If you have a blank smb password (specified by + the string "NO PASSWORD" in the smbpasswd file) then just press + the <Enter> key when asked for your old password. </para> + + <para>smbpasswd can also be used by a normal user to change their + SMB password on remote machines, such as Windows NT Primary Domain + Controllers. See the (-r) and -U options below. </para> + + <para>When run by root, smbpasswd allows new users to be added + and deleted in the smbpasswd file, as well as allows changes to + the attributes of the user in this file to be made. When run by root, + <command>smbpasswd</command> accesses the local smbpasswd file + directly, thus enabling changes to be made even if smbd is not + running. </para> +</refsect1> + +<refsect1> + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term>-a</term> + <listitem><para>This option specifies that the username + following should be added to the local smbpasswd file, with the + new password typed (type <Enter> for the old password). This + option is ignored if the username following already exists in + the smbpasswd file and it is treated like a regular change + password command. Note that the user to be added must already exist + in the system password file (usually <filename>/etc/passwd</filename>) + else the request to add the user will fail. </para> + + <para>This option is only available when running smbpasswd + as root. </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-x</term> + <listitem><para>This option specifies that the username + following should be deleted from the local smbpasswd file. + </para> + + <para>This option is only available when running smbpasswd as + root.</para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-d</term> + <listitem><para>This option specifies that the username following + should be <constant>disabled</constant> in the local smbpasswd + file. This is done by writing a <constant>'D'</constant> flag + into the account control space in the smbpasswd file. Once this + is done all attempts to authenticate via SMB using this username + will fail. </para> + + <para>If the smbpasswd file is in the 'old' format (pre-Samba 2.0 + format) there is no space in the users password entry to write + this information and so the user is disabled by writing 'X' characters + into the password space in the smbpasswd file. See <command>smbpasswd(5) + </command> for details on the 'old' and new password file formats. + </para> + + <para>This option is only available when running smbpasswd as + root.</para></listitem> + </varlistentry> + + + <varlistentry> + <term>-e</term> + <listitem><para>This option specifies that the username following + should be <constant>enabled</constant> in the local smbpasswd file, + if the account was previously disabled. If the account was not + disabled this option has no effect. Once the account is enabled then + the user will be able to authenticate via SMB once again. </para> + + <para>If the smbpasswd file is in the 'old' format, then <command> + smbpasswd</command> will prompt for a new password for this user, + otherwise the account will be enabled by removing the <constant>'D' + </constant> flag from account control space in the <filename> + smbpasswd</filename> file. See <command>smbpasswd (5)</command> for + details on the 'old' and new password file formats. </para> + + <para>This option is only available when running smbpasswd as root. + </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-D debuglevel</term> + <listitem><para><parameter>debuglevel</parameter> is an integer + from 0 to 10. The default value if this parameter is not specified + is zero. </para> + + <para>The higher this value, the more detail will be logged to the + log files about the activities of smbpasswd. At level 0, only + critical errors and serious warnings will be logged. </para> + + <para>Levels above 1 will generate considerable amounts of log + data, and should only be used when investigating a problem. Levels + above 3 are designed for use only by developers and generate + HUGE amounts of log data, most of which is extremely cryptic. + </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-n</term> + <listitem><para>This option specifies that the username following + should have their password set to null (i.e. a blank password) in + the local smbpasswd file. This is done by writing the string "NO + PASSWORD" as the first part of the first password stored in the + smbpasswd file. </para> + + <para>Note that to allow users to logon to a Samba server once + the password has been set to "NO PASSWORD" in the smbpasswd + file the administrator must set the following parameter in the [global] + section of the <filename>smb.conf</filename> file : </para> + + <para><command>null passwords = yes</command></para> + + <para>This option is only available when running smbpasswd as + root.</para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-r remote machine name</term> + <listitem><para>This option allows a user to specify what machine + they wish to change their password on. Without this parameter + smbpasswd defaults to the local host. The <replaceable>remote + machine name</replaceable> is the NetBIOS name of the SMB/CIFS + server to contact to attempt the password change. This name is + resolved into an IP address using the standard name resolution + mechanism in all programs of the Samba suite. See the <parameter>-R + name resolve order</parameter> parameter for details on changing + this resolving mechanism. </para> + + <para>The username whose password is changed is that of the + current UNIX logged on user. See the <parameter>-U username</parameter> + parameter for details on changing the password for a different + username. </para> + + <para>Note that if changing a Windows NT Domain password the + remote machine specified must be the Primary Domain Controller for + the domain (Backup Domain Controllers only have a read-only + copy of the user account database and will not allow the password + change).</para> + + <para><emphasis>Note</emphasis> that Windows 95/98 do not have + a real password database so it is not possible to change passwords + specifying a Win95/98 machine as remote machine target. </para> + </listitem> + </varlistentry> + + + <varlistentry> + <term>-R name resolve order</term> + <listitem><para>This option allows the user of smbclient to determine + what name resolution services to use when looking up the NetBIOS + name of the host being connected to. </para> + + <para>The options are :"lmhosts", "host", "wins" and "bcast". They cause + names to be resolved as follows : </para> + <itemizedlist> + <listitem><para><constant>lmhosts</constant> : Lookup an IP + address in the Samba lmhosts file. If the line in lmhosts has + no name type attached to the NetBIOS name (see the <ulink + url="lmhosts.5.html">lmhosts(5)</ulink> for details) then + any name type matches for lookup.</para></listitem> + + <listitem><para><constant>host</constant> : Do a standard host + name to IP address resolution, using the system <filename>/etc/hosts + </filename>, NIS, or DNS lookups. This method of name resolution + is operating system depended for instance on IRIX or Solaris this + may be controlled by the <filename>/etc/nsswitch.conf</filename> + file). Note that this method is only used if the NetBIOS name + type being queried is the 0x20 (server) name type, otherwise + it is ignored.</para></listitem> + + <listitem><para><constant>wins</constant> : Query a name with + the IP address listed in the <parameter>wins server</parameter> + parameter. If no WINS server has been specified this method + will be ignored.</para></listitem> + + <listitem><para><constant>bcast</constant> : Do a broadcast on + each of the known local interfaces listed in the + <parameter>interfaces</parameter> parameter. This is the least + reliable of the name resolution methods as it depends on the + target host being on a locally connected subnet.</para></listitem> + </itemizedlist> + + <para>The default order is <command>lmhosts, host, wins, bcast</command> + and without this parameter or any entry in the + <filename>smb.conf</filename> file the name resolution methods will + be attempted in this order. </para></listitem> + </varlistentry> + + + <varlistentry> + <term>-m</term> + <listitem><para>This option tells smbpasswd that the account + being changed is a MACHINE account. Currently this is used + when Samba is being used as an NT Primary Domain Controller.</para> + + <para>This option is only available when running smbpasswd as root. + </para></listitem> + </varlistentry> + + + <varlistentry> + <term>-j DOMAIN</term> + <listitem><para>This option is used to add a Samba server + into a Windows NT Domain, as a Domain member capable of authenticating + user accounts to any Domain Controller in the same way as a Windows + NT Server. See the <command>security = domain</command> option in + the <filename>smb.conf(5)</filename> man page. </para> + + <para>In order to be used in this way, the Administrator for + the Windows NT Domain must have used the program "Server Manager + for Domains" to add the primary NetBIOS name of the Samba server + as a member of the Domain. </para> + + <para>After this has been done, to join the Domain invoke <command> + smbpasswd</command> with this parameter. smbpasswd will then + look up the Primary Domain Controller for the Domain (found in + the <filename>smb.conf</filename> file in the parameter + <parameter>password server</parameter> and change the machine account + password used to create the secure Domain communication. This + password is then stored by smbpasswd in a TDB, writeable only by root, + called <filename>secrets.tdb</filename> </para> + + <para>Once this operation has been performed the <filename> + smb.conf</filename> file may be updated to set the <command> + security = domain</command> option and all future logins + to the Samba server will be authenticated to the Windows NT + PDC. </para> + + <para>Note that even though the authentication is being + done to the PDC all users accessing the Samba server must still + have a valid UNIX account on that machine. </para> + + + <para>This option is only available when running smbpasswd as root. + </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-U username</term> + <listitem><para>This option may only be used in conjunction + with the <parameter>-r</parameter> option. When changing + a password on a remote machine it allows the user to specify + the user name on that machine whose password will be changed. It + is present to allow users who have different user names on + different systems to change these passwords. </para></listitem> + </varlistentry> + + + <varlistentry> + <term>-h</term> + <listitem><para>This option prints the help string for <command> + smbpasswd</command>, selecting the correct one for running as root + or as an ordinary user. </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-s</term> + <listitem><para>This option causes smbpasswd to be silent (i.e. + not issue prompts) and to read it's old and new passwords from + standard input, rather than from <filename>/dev/tty</filename> + (like the <command>passwd(1)</command> program does). This option + is to aid people writing scripts to drive smbpasswd</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term>username</term> + <listitem><para>This specifies the username for all of the + <emphasis>root only</emphasis> options to operate on. Only root + can specify this parameter as only root has the permission needed + to modify attributes directly in the local smbpasswd file. + </para></listitem> + </varlistentry> + </variablelist> +</refsect1> + + +<refsect1> + <title>NOTES</title> + + <para>Since <command>smbpasswd</command> works in client-server + mode communicating with a local smbd for a non-root user then + the smbd daemon must be running for this to work. A common problem + is to add a restriction to the hosts that may access the <command> + smbd</command> running on the local machine by specifying a + <parameter>allow hosts</parameter> or <parameter>deny hosts</parameter> + entry in the <filename>smb.conf</filename> file and neglecting to + allow "localhost" access to the smbd. </para> + + <para>In addition, the smbpasswd command is only useful if Samba + has been set up to use encrypted passwords. See the file + <filename>ENCRYPTION.txt</filename> in the docs directory for details + on how to do this. </para> +</refsect1> + + +<refsect1> + <title>VERSION</title> + + <para>This man page is correct for version 2.2 of + the Samba suite.</para> +</refsect1> + +<refsect1> + <title>SEE ALSO</title> + <para><ulink url="smbpasswd.5.html"><filename>smbpasswd(5)</filename></ulink>, + <ulink url="samba.7.html">samba(7)</ulink> + </para> +</refsect1> + +<refsect1> + <title>AUTHOR</title> + + <para>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</para> + + <para>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <ulink url="ftp://ftp.icce.rug.nl/pub/unix/"> + ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</para> +</refsect1> + +</refentry> diff --git a/docs/htmldocs/smbcacls.1.html b/docs/htmldocs/smbcacls.1.html index e75a5741e5..36f570f2a0 100644 --- a/docs/htmldocs/smbcacls.1.html +++ b/docs/htmldocs/smbcacls.1.html @@ -1,161 +1,378 @@ - - - - -<html><head><title>smbcacls (1)</title> - -</head> -<body> - -<hr> - -<h1>smbcacls (1)</h1> -<h2>Samba</h2> -<h2>22 Dec 2000</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - smbcacls - Set or get ACLs on an NT file or directory -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><strong>smbcacls</strong> //server/share filename [<a href="smbcacls.1.html#minusU">-U username</a>] -[<a href="smbcacls.1.html#minusA">-A acls</a>] [<a href="smbcacls.1.html#minusM">-M acls</a>] -[<a href="smbcacls.1.html#minusD">-D acls</a>] [<a href="smbcacls.1.html#minusS">-S acls</a>] -[<a href="smbcacls.1.html#minusC">-C name</a>] [<a href="smbcacls.1.html#minusG">-G name</a>] -[<a href="smbcacls.1.html#minusn">-n</a>] [<a href="smbcacls.1.html#minush">-h</a>] -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>The <strong>smbcacls</strong> program manipulates NT Access Control Lists (ACLs) on -SMB file shares. -<p><a name="OPTIONS"></a> -<h2>OPTIONS</h2> - -<p>The following options are available to the <strong>smbcacls</strong> program. The -format of ACLs is described in the section <a href="smbcacls.1.html#ACLFORMAT">ACL FORMAT</a> -<p><dl> -<p><a name="minusA"></a> -<p></p><dt><strong><strong>-A acls</strong></strong><dd> -<p>Add the ACLs specified to the ACL list. Existing access control entries -are unchanged. -<p><a name="minusM"></a> -<p></p><dt><strong><strong>-M acls</strong></strong><dd> -<p>Modify the mask value (permissions) for the ACLs specified on the command -line. An error will be printed for each ACL specified that was not already -present in the ACL list. -<p><a name="minusD"></a> -<p></p><dt><strong><strong>-D acls</strong></strong><dd> -<p>Delete any ACLs specfied on the command line. An error will be printed for -each ACL specified that was not already present in the ACL list. -<p><a name="minusS"></a> -<p></p><dt><strong><strong>-S acls</strong></strong><dd> -<p>This command sets the ACLs on the file with only the ones specified on the -command line. All other ACLs are erased. Note that the ACL specified must -contain at least a revision, type, owner and group for the call to succeed. -<p><a name="minusU"></a> -<p></p><dt><strong><strong>-U username</strong></strong><dd> -<p>Specifies a username used to connect to the specified service. The -username may be of the form <code>username</code> in which case the user is -prompted to enter in a password and the workgroup specified in the -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file is used, or <code>username%password</code> -or <code>DOMAIN\username%password</code> and the password and workgroup names are -used as provided. -<p><a name="minusC"></a> -<p></p><dt><strong><strong>-C name</strong></strong><dd> -<p>The owner of a file or directory can be changed to the name given -using the -C option. The name can be a sid in the form <code>S-1-x-y-z</code> or a -name resolved against the server specified in the first argument. -<p>This command is a shortcut for <code>-M OWNER:name</code>. -<p><a name="minusG"></a> -<p></p><dt><strong><strong>-G name</strong></strong><dd> -<p>The group owner of a file or directory can be changed to the name given -using the -G option. The name can be a sid in the form <code>S-1-x-y-z</code> or a -name resolved against the server specified in the first argument. -<p>This command is a shortcut for <code>-M GROUP:name</code>. -<p><a name="minusn"></a> -<p></p><dt><strong><strong>-n</strong></strong><dd> -<p>This option displays all ACL information in numeric format. The default is -to convert SIDs to names and ACE types and masks to a readable string -format. -<p><a name="minush"></a> -<p></p><dt><strong><strong>-h</strong></strong><dd> -<p>Print usage information on the <strong>smbcacls</strong> program -<p></dl> -<p><a name="ACLFORMAT"></a> -<h2>ACL FORMAT</h2> - -<p>The format of an ACL is one or more ACL entries separated by either -commas or newlines. An ACL entry is one of the following: -<p><pre> +<HTML +><HEAD +><TITLE +>smbcacls</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="SMBCACLS" +>smbcacls</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>smbcacls -- Set or get ACLs on an NT file or directory names</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>nmblookup</B +> {//server/share} {filename} [-U username] [-A acls] [-M acls] [-D acls] [-S acls] [-C name] [-G name] [-n] [-h]</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN22" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +>The smbcacls program manipulates NT Access Control Lists + (ACLs) on SMB file shares. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN27" +></A +><H2 +>OPTIONS</H2 +><P +>The following options are available to the smbcacls program. + The format of ACLs is described in the section ACL FORMAT </P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-A acls</DT +><DD +><P +>Add the ACLs specified to the ACL list. Existing + access control entries are unchanged. </P +></DD +><DT +>-M acls</DT +><DD +><P +>Modify the mask value (permissions) for the ACLs + specified on the command line. An error will be printed for each + ACL specified that was not already present in the ACL list + </P +></DD +><DT +>-D acls</DT +><DD +><P +>Delete any ACLs specfied on the command line. + An error will be printed for each ACL specified that was not + already present in the ACL list. </P +></DD +><DT +>-S acls</DT +><DD +><P +>This command sets the ACLs on the file with + only the ones specified on the command line. All other ACLs are + erased. Note that the ACL specified must contain at least a revision, + type, owner and group for the call to succeed. </P +></DD +><DT +>-U username</DT +><DD +><P +>Specifies a username used to connect to the + specified service. The username may be of the form "username" in + which case the user is prompted to enter in a password and the + workgroup specified in the <TT +CLASS="FILENAME" +>smb.conf</TT +> file is + used, or "username%password" or "DOMAIN\username%password" and the + password and workgroup names are used as provided. </P +></DD +><DT +>-C name</DT +><DD +><P +>The owner of a file or directory can be changed + to the name given using the <TT +CLASS="PARAMETER" +><I +>-C</I +></TT +> option. + The name can be a sid in the form S-1-x-y-z or a name resolved + against the server specified in the first argument. </P +><P +>This command is a shortcut for -M OWNER:name. + </P +></DD +><DT +>-G name</DT +><DD +><P +>The group owner of a file or directory can + be changed to the name given using the <TT +CLASS="PARAMETER" +><I +>-G</I +></TT +> + option. The name can be a sid in the form S-1-x-y-z or a name + resolved against the server specified n the first argument. + </P +><P +>This command is a shortcut for -M GROUP:name.</P +></DD +><DT +>-n</DT +><DD +><P +>This option displays all ACL information in numeric + format. The default is to convert SIDs to names and ACE types + and masks to a readable string format. </P +></DD +><DT +>-h</DT +><DD +><P +>Print usage information on the <B +CLASS="COMMAND" +>smbcacls + </B +> program.</P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN73" +></A +><H2 +>ACL FORMAT</H2 +><P +>The format of an ACL is one or more ACL entries separated by + either commas or newlines. An ACL entry is one of the following: </P +><P +><PRE +CLASS="PROGRAMLISTING" +> REVISION:<revision number> OWNER:<sid or name> GROUP:<sid or name> ACL:<sid or name>:<type>/<flags>/<mask> -</pre> - -<p>The revision of the ACL specifies the internal Windows NT ACL revision for -the security descriptor. If not specified it defaults to 1. Using values -other than 1 may cause strange behaviour. -<p>The owner and group specify the owner and group sids for the object. If a -SID in the format <code>S-1-x-y-z</code> is specified this is used, otherwise -the name specified is resolved using the server on which the file or -directory resides. -<p>ACLs specify permissions granted to the SID. This SID again can be -specified in <code>S-1-x-y-z</code> format or as a name in which case it is resolved -against the server on which the file or directory resides. The type, flags -and mask values determine the type of access granted to the SID. -<p>The type can be either 0 or 1 corresponding to ALLOWED or DENIED access to -the SID. The flags values are generally zero for file ACLs and either 9 or -2 for directory ACLs. Some common flags are: -<p><pre> -#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1 -#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2 -#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4 -#define SEC_ACE_FLAG_INHERIT_ONLY 0x8 -</pre> - -<p>At present flags can only be specified as decimal or hexadecimal values. -<p>The mask is a value which expresses the access right granted to the SID. -It can be given as a decimal or hexadecimal value, or by using one of the -following text strings which map to the NT file permissions of the same -name. -<p><dl> -<p><p></p><dt><strong></strong><dd> <code>R</code> Allow read access -<p><p></p><dt><strong></strong><dd> <code>W</code> Allow write access -<p><p></p><dt><strong></strong><dd> <code>X</code> Execute permission on the object -<p><p></p><dt><strong></strong><dd> <code>D</code> Delete the object -<p><p></p><dt><strong></strong><dd> <code>P</code> Change permissions -<p><p></p><dt><strong></strong><dd> <code>O</code> Take ownership -<p></dl> -<p>The following combined permissions can be specified: -<p><dl> -<p><p></p><dt><strong></strong><dd> <code>READ</code> -<p>Equivalent to <code>RX</code> permissions -<p><p></p><dt><strong></strong><dd> <code>CHANGE</code> -<p>Equivalent to <code>RXWD</code> permissions -<p><p></p><dt><strong></strong><dd> <code>FULL</code> -<p>Equivalent to <code>RWXDPO</code> permissions -<p></dl> -<p><a name="EXITSTATUS"></a> -<h2>EXIT STATUS</h2> - -<p>The <strong>smbcacls</strong> program sets the exit status depending on the success or -otherwise of the operations performed. The exit status may be one of the -following values. -<p>If the operation succeded, <strong>smbcacls</strong> returns and exit status of 0. If -<strong>smbcacls</strong> couldn't connect to the specified server, or there was an -error getting or setting the ACLs, an exit status of 1 is returned. If -there was an error parsing any command line arguments, an exit status of 2 -is returned. -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell. Samba is now developed by the Samba Team as an Open -Source project. -<p><strong>smbcacls</strong> was written by Andrew Tridgell and Tim Potter. -</body> -</html> + </PRE +></P +><P +>The revision of the ACL specifies the internal Windows + NT ACL revision for the security descriptor. + If not specified it defaults to 1. Using values other than 1 may + cause strange behaviour. </P +><P +>The owner and group specify the owner and group sids for the + object. If a SID in the format CWS-1-x-y-z is specified this is used, + otherwise the name specified is resolved using the server on which + the file or directory resides. </P +><P +>ACLs specify permissions granted to the SID. This SID again + can be specified in CWS-1-x-y-z format or as a name in which case + it is resolved against the server on which the file or directory + resides. The type, flags and mask values determine the type of + access granted to the SID. </P +><P +>The type can be either 0 or 1 corresponding to ALLOWED or + DENIED access to the SID. The flags values are generally + zero for file ACLs and either 9 or 2 for directory ACLs. Some + common flags are: </P +><P +></P +><UL +><LI +><P +>#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1</P +></LI +><LI +><P +>#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2</P +></LI +><LI +><P +>#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4 + </P +></LI +><LI +><P +>#define SEC_ACE_FLAG_INHERIT_ONLY 0x8</P +></LI +></UL +><P +>At present flags can only be specified as decimal or + hexadecimal values.</P +><P +>The mask is a value which expresses the access right + granted to the SID. It can be given as a decimal or hexadecimal value, + or by using one of the following text strings which map to the NT + file permissions of the same name. </P +><P +></P +><UL +><LI +><P +><I +CLASS="EMPHASIS" +>R</I +> - Allow read access </P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>W</I +> - Allow write access</P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>X</I +> - Execute permission on the object</P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>D</I +> - Delete the object</P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>P</I +> - Change permissions</P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>O</I +> - Take ownership</P +></LI +></UL +><P +>The following combined permissions can be specified:</P +><P +></P +><UL +><LI +><P +><I +CLASS="EMPHASIS" +>READ</I +> - Equivalent to 'RX' + permissions</P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>CHANGE</I +> - Equivalent to 'RXWD' permissions + </P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>FULL</I +> - Equivalent to 'RWXDPO' + permissions</P +></LI +></UL +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN123" +></A +><H2 +>EXIT STATUS</H2 +><P +>The <B +CLASS="COMMAND" +>smbcacls</B +> program sets the exit status + depending on the success or otherwise of the operations performed. + The exit status may be one of the following values. </P +><P +>If the operation succeded, smbcacls returns and exit + status of 0. If smbcacls couldn't connect to the specified server, + or there was an error getting or setting the ACLs, an exit status + of 1 is returned. If there was an error parsing any command line + arguments, an exit status of 2 is returned. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN128" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN131" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +><B +CLASS="COMMAND" +>smbcacls</B +> was written by Andrew Tridgell + and Tim Potter.</P +><P +>The conversion to DocBook for Samba 2.2 was done + by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/smbpasswd.5.html b/docs/htmldocs/smbpasswd.5.html index 2969022790..4ec7b7c86a 100644 --- a/docs/htmldocs/smbpasswd.5.html +++ b/docs/htmldocs/smbpasswd.5.html @@ -1,195 +1,326 @@ - - - - - - -<html><head><title>smbpasswd (5)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>smbpasswd (5)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - smbpasswd - The Samba encrypted password file -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p>smbpasswd is the <strong>Samba</strong> encrypted password file. -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This file is part of the <strong>Samba</strong> suite. -<p>smbpasswd is the <strong>Samba</strong> encrypted password file. It contains -the username, Unix user id and the SMB hashed passwords of the -user, as well as account flag information and the time the password -was last changed. This file format has been evolving with Samba -and has had several different formats in the past. -<p><a name="FILEFORMAT"></a> -<h2>FILE FORMAT</h2> - -<p>The format of the smbpasswd file used by Samba 2.0 is very similar to -the familiar Unix <strong>passwd (5)</strong> file. It is an ASCII file containing -one line for each user. Each field within each line is separated from -the next by a colon. Any entry beginning with # is ignored. The -smbpasswd file contains the following information for each user: -<p><dl> -<p><a name="name"></a> -<p></p><dt><strong><strong>name</strong></strong><dd> <br> <br> -<p>This is the user name. It must be a name that already exists - in the standard UNIX passwd file. -<p><a name="uid"></a> -<p></p><dt><strong><strong>uid</strong></strong><dd> <br> <br> -<p>This is the UNIX uid. It must match the uid field for the same - user entry in the standard UNIX passwd file. If this does not - match then Samba will refuse to recognize this <strong>smbpasswd</strong> file entry - as being valid for a user. -<p><a name="LanmanPasswordHash"></a> -<p></p><dt><strong><strong>Lanman Password Hash</strong></strong><dd> <br> <br> -<p>This is the <em>LANMAN</em> hash of the users password, encoded as 32 hex - digits. The <em>LANMAN</em> hash is created by DES encrypting a well known - string with the users password as the DES key. This is the same - password used by Windows 95/98 machines. Note that this password hash - is regarded as weak as it is vulnerable to dictionary attacks and if - two users choose the same password this entry will be identical (i.e. - the password is not <em>"salted"</em> as the UNIX password is). If the - user has a null password this field will contain the characters - <code>"NO PASSWORD"</code> as the start of the hex string. If the hex string - is equal to 32 <code>'X'</code> characters then the users account is marked as - <em>disabled</em> and the user will not be able to log onto the Samba - server. -<p><em>WARNING !!</em>. Note that, due to the challenge-response nature of the - SMB/CIFS authentication protocol, anyone with a knowledge of this - password hash will be able to impersonate the user on the network. - For this reason these hashes are known as <em>"plain text equivalent"</em> - and must <em>NOT</em> be made available to anyone but the root user. To - protect these passwords the <strong>smbpasswd</strong> file is placed in a - directory with read and traverse access only to the root user and the - <strong>smbpasswd</strong> file itself must be set to be read/write only by root, - with no other access. -<p><a name="NTPasswordHash"></a> -<p></p><dt><strong><strong>NT Password Hash</strong></strong><dd> <br> <br> -<p>This is the <em>Windows NT</em> hash of the users password, encoded as 32 - hex digits. The <em>Windows NT</em> hash is created by taking the users - password as represented in 16-bit, little-endian UNICODE and then - applying the <em>MD4</em> (internet rfc1321) hashing algorithm to it. -<p>This password hash is considered more secure than the <a href="smbpasswd.5.html#LanmanPasswordHash"><strong>Lanman - Password Hash</strong></a> as it preserves the case of the - password and uses a much higher quality hashing algorithm. However, it - is still the case that if two users choose the same password this - entry will be identical (i.e. the password is not <em>"salted"</em> as the - UNIX password is). -<p><em>WARNING !!</em>. Note that, due to the challenge-response nature of the - SMB/CIFS authentication protocol, anyone with a knowledge of this - password hash will be able to impersonate the user on the network. - For this reason these hashes are known as <em>"plain text equivalent"</em> - and must <em>NOT</em> be made available to anyone but the root user. To - protect these passwords the <strong>smbpasswd</strong> file is placed in a - directory with read and traverse access only to the root user and the - <strong>smbpasswd</strong> file itself must be set to be read/write only by root, - with no other access. -<p><a name="AccountFlags"></a> -<p></p><dt><strong><strong>Account Flags</strong></strong><dd> <br> <br> -<p>This section contains flags that describe the attributes of the users - account. In the <strong>Samba2.0</strong> release this field is bracketed by <code>'['</code> - and <code>']'</code> characters and is always 13 characters in length (including - the <code>'['</code> and <code>']'</code> characters). The contents of this field may be - any of the characters. -<p><dl> -<p><a name="capU"></a> - <li > <strong>'U'</strong> This means this is a <em>"User"</em> account, i.e. an ordinary - user. Only <strong>User</strong> and <a href="smbpasswd.5.html#capW"><strong>Workstation Trust</strong></a> accounts are - currently supported in the <strong>smbpasswd</strong> file. -<p><a name="capN"></a> - <li > <strong>'N'</strong> This means the account has <em>no</em> password (the passwords - in the fields <a href="smbpasswd.5.html#LanmanPasswordHash"><strong>Lanman Password Hash</strong></a> and - <a href="smbpasswd.5.html#NTPasswordHash"><strong>NT Password Hash</strong></a> are ignored). Note that this - will only allow users to log on with no password if the - <a href="smb.conf.5.html#nullpasswords"><strong>null passwords</strong></a> parameter is set - in the <a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a> config file. -<p><a name="capD"></a> - <li > <strong>'D'</strong> This means the account is disabled and no SMB/CIFS logins - will be allowed for this user. -<p><a name="capW"></a> - <li > <strong>'W'</strong> This means this account is a <em>"Workstation Trust"</em> account. - This kind of account is used in the Samba PDC code stream to allow Windows - NT Workstations and Servers to join a Domain hosted by a Samba PDC. -<p></dl> -<p>Other flags may be added as the code is extended in future. The rest of - this field space is filled in with spaces. -<p><a name="LastChangeTime"></a> -<p></p><dt><strong><strong>Last Change Time</strong></strong><dd> <br> <br> -<p>This field consists of the time the account was last modified. It consists of - the characters <code>LCT-</code> (standing for <em>"Last Change Time"</em>) followed by a numeric - encoding of the UNIX time in seconds since the epoch (1970) that the last change - was made. -<p><p></p><dt><strong><strong>Following fields</strong></strong><dd> <br> <br> -<p>All other colon separated fields are ignored at this time. -<p></dl> -<p><a name="NOTES"></a> -<h2>NOTES</h2> - -<p>In previous versions of Samba (notably the 1.9.18 series) this file -did not contain the <a href="smbpasswd.5.html#AccountFlags"><strong>Account Flags</strong></a> or -<a href="smbpasswd.5.html#LastChangeTime"><strong>Last Change Time</strong></a> fields. The Samba 2.0 -code will read and write these older password files but will not be able to -modify the old entries to add the new fields. New entries added with -<a href="smbpasswd.8.html"><strong>smbpasswd (8)</strong></a> will contain the new fields -in the added accounts however. Thus an older <strong>smbpasswd</strong> file used -with Samba 2.0 may end up with some accounts containing the new fields -and some not. -<p>In order to convert from an old-style <strong>smbpasswd</strong> file to a new -style, run the script <strong>convert_smbpasswd</strong>, installed in the -Samba <code>bin/</code> directory (the same place that the <a href="smbd.8.html"><strong>smbd</strong></a> -and <a href="nmbd.8.html"><strong>nmbd</strong></a> binaries are installed) as follows: -<p><pre> - - - cat old_smbpasswd_file | convert_smbpasswd > new_smbpasswd_file - - -</pre> - -<p>The <strong>convert_smbpasswd</strong> script reads from stdin and writes to stdout -so as not to overwrite any files by accident. -<p>Once this script has been run, check the contents of the new smbpasswd -file to ensure that it has not been damaged by the conversion script -(which uses <strong>awk</strong>), and then replace the <code><old smbpasswd file></code> -with the <code><new smbpasswd file></code>. -<p><a name="VERSION"></a> -<h2>VERSION</h2> - -<p>This man page is correct for version 2.0 of the Samba suite. -<p><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><a href="smbpasswd.8.html"><strong>smbpasswd (8)</strong></a>, <a href="samba.7.html"><strong>samba -(7)</strong></a>, and the Internet RFC1321 for details on the MD4 -algorithm. -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy -Allison, <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -</body> -</html> +<HTML +><HEAD +><TITLE +>smbpasswd</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="SMBPASSWD" +>smbpasswd</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>smbpasswd -- The Samba encrypted password file</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><TT +CLASS="FILENAME" +>smbpasswd</TT +></P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN11" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +>smbpasswd is the Samba encrypted password file. It contains + the username, Unix user id and the SMB hashed passwords of the + user, as well as account flag information and the time the + password was last changed. This file format has been evolving with + Samba and has had several different formats in the past. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN16" +></A +><H2 +>FILE FORMAT</H2 +><P +>The format of the smbpasswd file used by Samba 2.2 + is very similar to the familiar Unix <TT +CLASS="FILENAME" +>passwd(5)</TT +> + file. It is an ASCII file containing one line for each user. Each field + ithin each line is separated from the next by a colon. Any entry + beginning with '#' is ignored. The smbpasswd file contains the + following information for each user: </P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>name</DT +><DD +><P +> This is the user name. It must be a name that + already exists in the standard UNIX passwd file. </P +></DD +><DT +>uid</DT +><DD +><P +>This is the UNIX uid. It must match the uid + field for the same user entry in the standard UNIX passwd file. + If this does not match then Samba will refuse to recognize + this smbpasswd file entry as being valid for a user. + </P +></DD +><DT +>Lanman Password Hash</DT +><DD +><P +>This is the LANMAN hash of the users password, + encoded as 32 hex digits. The LANMAN hash is created by DES + encrypting a well known string with the users password as the + DES key. This is the same password used by Windows 95/98 machines. + Note that this password hash is regarded as weak as it is + vulnerable to dictionary attacks and if two users choose the + same password this entry will be identical (i.e. the password + is not "salted" as the UNIX password is). If the user has a + null password this field will contain the characters "NO PASSWORD" + as the start of the hex string. If the hex string is equal to + 32 'X' characters then the users account is marked as + <TT +CLASS="CONSTANT" +>disabled</TT +> and the user will not be able to + log onto the Samba server. </P +><P +><I +CLASS="EMPHASIS" +>WARNING !!</I +> Note that, due to + the challenge-response nature of the SMB/CIFS authentication + protocol, anyone with a knowledge of this password hash will + be able to impersonate the user on the network. For this + reason these hashes are known as <I +CLASS="EMPHASIS" +>plain text + equivalents</I +> and must <I +CLASS="EMPHASIS" +>NOT</I +> be made + available to anyone but the root user. To protect these passwords + the smbpasswd file is placed in a directory with read and + traverse access only to the root user and the smbpasswd file + itself must be set to be read/write only by root, with no + other access. </P +></DD +><DT +>NT Password Hash</DT +><DD +><P +>This is the Windows NT hash of the users + password, encoded as 32 hex digits. The Windows NT hash is + created by taking the users password as represented in + 16-bit, little-endian UNICODE and then applying the MD4 + (internet rfc1321) hashing algorithm to it. </P +><P +>This password hash is considered more secure than + the Lanman Password Hash as it preserves the case of the + password and uses a much higher quality hashing algorithm. + However, it is still the case that if two users choose the same + password this entry will be identical (i.e. the password is + not "salted" as the UNIX password is). </P +><P +><I +CLASS="EMPHASIS" +>WARNING !!</I +>. Note that, due to + the challenge-response nature of the SMB/CIFS authentication + protocol, anyone with a knowledge of this password hash will + be able to impersonate the user on the network. For this + reason these hashes are known as <I +CLASS="EMPHASIS" +>plain text + equivalents</I +> and must <I +CLASS="EMPHASIS" +>NOT</I +> be made + available to anyone but the root user. To protect these passwords + the smbpasswd file is placed in a directory with read and + traverse access only to the root user and the smbpasswd file + itself must be set to be read/write only by root, with no + other access. </P +></DD +><DT +>Account Flags</DT +><DD +><P +>This section contains flags that describe + the attributes of the users account. In the Samba 2.2 release + this field is bracketed by '[' and ']' characters and is always + 13 characters in length (including the '[' and ']' characters). + The contents of this field may be any of the characters. + </P +><P +></P +><UL +><LI +><P +><I +CLASS="EMPHASIS" +>U</I +> - This means + this is a "User" account, i.e. an ordinary user. Only User + and Workstation Trust accounts are currently supported + in the smbpasswd file. </P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>N</I +> - This means the + account has no password (the passwords in the fields Lanman + Password Hash and NT Password Hash are ignored). Note that this + will only allow users to log on with no password if the <TT +CLASS="PARAMETER" +><I +> null passwords</I +></TT +> parameter is set in the <A +HREF="smb.conf.5.html#NULLPASSWORDS" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5) + </TT +></A +> config file. </P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>D</I +> - This means the account + is disabled and no SMB/CIFS logins will be allowed for + this user. </P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>W</I +> - This means this account + is a "Workstation Trust" account. This kind of account is used + in the Samba PDC code stream to allow Windows NT Workstations + and Servers to join a Domain hosted by a Samba PDC. </P +></LI +></UL +><P +>Other flags may be added as the code is extended in future. + The rest of this field space is filled in with spaces. </P +></DD +><DT +>Last Change Time</DT +><DD +><P +>This field consists of the time the account was + last modified. It consists of the characters 'LCT-' (standing for + "Last Change Time") followed by a numeric encoding of the UNIX time + in seconds since the epoch (1970) that the last change was made. + </P +></DD +></DL +></DIV +><P +>All other colon separated fields are ignored at this time.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN73" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN76" +></A +><H2 +>SEE ALSO</H2 +><P +><A +HREF="smbpasswd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbpasswd(8)</B +></A +>, + <A +HREF="samba.7.html" +TARGET="_top" +>samba(7)</A +>, and + the Internet RFC1321 for details on the MD4 algorithm. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN82" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/smbpasswd.8.html b/docs/htmldocs/smbpasswd.8.html index a0f4577b08..8fb2c580e7 100644 --- a/docs/htmldocs/smbpasswd.8.html +++ b/docs/htmldocs/smbpasswd.8.html @@ -1,281 +1,636 @@ - - - - - - -<html><head><title>smbpasswd (8)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>smbpasswd (8)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - smbpasswd - change a users SMB password -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><strong>smbpasswd</strong> [<a href="smbpasswd.8.html#minusa">-a</a>] [<a href="smbpasswd.8.html#minusx">-x</a>] [<a href="smbpasswd.8.html#minusd">-d</a>] [<a href="smbpasswd.8.html#minuse">-e</a>] [<a href="smbpasswd.8.html#minusD">-D debug level</a>] [<a href="smbpasswd.8.html#minusn">-n</a>] [<a href="smbpasswd.8.html#minusr">-r remote_machine</a>] [<a href="smbpasswd.8.html#minusR">-R name resolve order</a>] [<a href="smbpasswd.8.html#minusm">-m</a>] [<a href="smbpasswd.8.html#minusj">-j DOMAIN</a>] [<a href="smbpasswd.8.html#minusU">-U username</a>] [<a href="smbpasswd.8.html#minush">-h</a>] [<a href="smbpasswd.8.html#minuss">-s</a>] <a href="smbpasswd.8.html#username">username</a> -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This program is part of the <strong>Samba</strong> suite. -<p>The <strong>smbpasswd</strong> program has several different functions, depending -on whether it is run by the <em>root</em> user or not. When run as a normal -user it allows the user to change the password used for their SMB -sessions on any machines that store SMB passwords. -<p>By default (when run with no arguments) it will attempt to change the -current users SMB password on the local machine. This is similar to -the way the <strong>passwd (1)</strong> program works. <strong>smbpasswd</strong> differs from how -the <strong>passwd</strong> program works however in that it is not <em>setuid root</em> -but works in a client-server mode and communicates with a locally -running <a href="smbd.8.html"><strong>smbd</strong></a>. As a consequence in order for this -to succeed the <a href="smbd.8.html"><strong>smbd</strong></a> daemon must be running on -the local machine. On a UNIX machine the encrypted SMB passwords are -usually stored in the <a href="smbpasswd.5.html"><strong>smbpasswd (5)</strong></a> file. -<p>When run by an ordinary user with no options. <strong>smbpasswd</strong> will -prompt them for their old smb password and then ask them for their new -password twice, to ensure that the new password was typed -correctly. No passwords will be echoed on the screen whilst being -typed. If you have a blank smb password (specified by the string "NO -PASSWORD" in the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file) then just -press the <Enter> key when asked for your old password. -<p><strong>smbpasswd</strong> can also be used by a normal user to change their SMB -password on remote machines, such as Windows NT Primary Domain -Controllers. See the <a href="smbpasswd.8.html#minusr">(<strong>-r</strong>)</a> and -<a href="smbpasswd.8.html#minusU"><strong>-U</strong></a> options below. -<p>When run by root, <strong>smbpasswd</strong> allows new users to be added and -deleted in the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file, as well as -allows changes to the attributes of the user in this file to be made. When -run by root, <strong>smbpasswd</strong> accesses the local -<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file directly, thus enabling -changes to be made even if <a href="smbd.8.html"><strong>smbd</strong></a> is not running. -<p><a name="OPTIONS"></a> -<h2>OPTIONS</h2> - -<p><dl> -<p><a name="minusa"></a> -<p></p><dt><strong><strong>-a</strong></strong><dd> This option specifies that the username following should -be added to the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file, with -the new password typed (type <Enter> for the old password). This -option is ignored if the username following already exists in the -<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file and it is treated like a -regular change password command. Note that the user to be added -<strong>must</strong> already exist in the system password file (usually /etc/passwd) -else the request to add the user will fail. -<p>This option is only available when running <strong>smbpasswd</strong> as -root. -<p><a name="minusx"></a> -<p></p><dt><strong><strong>-x</strong></strong><dd> This option specifies that the username following should -be deleted from the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. -<p>This option is only available when running <strong>smbpasswd</strong> as -root. -<p><a name="minusd"></a> -<p></p><dt><strong><strong>-d</strong></strong><dd> This option specifies that the username following should be -<em>disabled</em> in the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. -This is done by writing a <em>'D'</em> flag into the account control space -in the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. Once this is done -all attempts to authenticate via SMB using this username will fail. -<p>If the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file is in the 'old' -format (pre-Samba 2.0 format) there is no space in the users password -entry to write this information and so the user is disabled by writing -'X' characters into the password space in the -<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. See <a href="smbpasswd.5.html"><strong>smbpasswd -(5)</strong></a> for details on the 'old' and new password file -formats. -<p>This option is only available when running <strong>smbpasswd</strong> as root. -<p><a name="minuse"></a> -<p></p><dt><strong><strong>-e</strong></strong><dd> This option specifies that the username following should be -<em>enabled</em> in the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file, -if the account was previously disabled. If the account was not -disabled this option has no effect. Once the account is enabled -then the user will be able to authenticate via SMB once again. -<p>If the smbpasswd file is in the 'old' format then <strong>smbpasswd</strong> will -prompt for a new password for this user, otherwise the account will be -enabled by removing the <em>'D'</em> flag from account control space in the -<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. See <a href="smbpasswd.5.html"><strong>smbpasswd -(5)</strong></a> for details on the 'old' and new password file -formats. -<p>This option is only available when running <strong>smbpasswd</strong> as root. -<p><a name="minusD"></a> -<p></p><dt><strong><strong>-D debuglevel</strong></strong><dd> debuglevel is an integer from 0 -to 10. The default value if this parameter is not specified is zero. -<p>The higher this value, the more detail will be logged to the log files -about the activities of smbpasswd. At level 0, only critical errors -and serious warnings will be logged. -<p>Levels above 1 will generate considerable amounts of log data, and -should only be used when investigating a problem. Levels above 3 are -designed for use only by developers and generate HUGE amounts of log -data, most of which is extremely cryptic. -<p><a name="minusn"></a> -<p></p><dt><strong><strong>-n</strong></strong><dd> This option specifies that the username following should -have their password set to null (i.e. a blank password) in the local -<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. This is done by writing the -string "NO PASSWORD" as the first part of the first password stored in -the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. -<p>Note that to allow users to logon to a Samba server once the password -has been set to "NO PASSWORD" in the -<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file the administrator must set -the following parameter in the [global] section of the -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file : -<p><a href="smb.conf.5.html#nullpasswords">null passwords = true</a> -<p>This option is only available when running <strong>smbpasswd</strong> as root. -<p><a name="minusr"></a> -<p></p><dt><strong><strong>-r remote machine name</strong></strong><dd> This option allows a -user to specify what machine they wish to change their password -on. Without this parameter <strong>smbpasswd</strong> defaults to the local -host. The <em>"remote machine name"</em> is the NetBIOS name of the -SMB/CIFS server to contact to attempt the password change. This name -is resolved into an IP address using the standard name resolution -mechanism in all programs of the <a href="samba.7.html"><strong>Samba</strong></a> -suite. See the <a href="smbpasswd.8.html#minusR"><strong>-R name resolve order</strong></a> parameter for details on changing this resolving -mechanism. -<p>The username whose password is changed is that of the current UNIX -logged on user. See the <a href="smbpasswd.8.html#minusU"><strong>-U username</strong></a> -parameter for details on changing the password for a different -username. -<p>Note that if changing a Windows NT Domain password the remote machine -specified must be the Primary Domain Controller for the domain (Backup -Domain Controllers only have a read-only copy of the user account -database and will not allow the password change). -<p><em>Note</em> that Windows 95/98 do not have a real password database -so it is not possible to change passwords specifying a Win95/98 -machine as remote machine target. -<p><a name="minusR"></a> -<p></p><dt><strong><strong>-R name resolve order</strong></strong><dd> This option allows the user of -smbclient to determine what name resolution services to use when -looking up the NetBIOS name of the host being connected to. -<p>The options are :<a href="smbpasswd.8.html#lmhosts">"lmhosts"</a>, <a href="smbpasswd.8.html#host">"host"</a>, -<a href="smbpasswd.8.html#wins">"wins"</a> and <a href="smbpasswd.8.html#bcast">"bcast"</a>. They cause names to be -resolved as follows : -<p><dl> -<p><a name="lmhosts"></a> -<li > <strong>lmhosts</strong> : Lookup an IP address in the Samba lmhosts file. -<p><a name="host"></a> -<li > <strong>host</strong> : Do a standard host name to IP address resolution, -using the system /etc/hosts, NIS, or DNS lookups. This method of name -resolution is operating system dependent. For instance on IRIX or -Solaris, this may be controlled by the <em>/etc/nsswitch.conf</em> file). -<p><a name="wins"></a> -<li > <strong>wins</strong> : Query a name with the IP address listed in the -<a href="smb.conf.5.html#winsserver"><strong>wins server</strong></a> parameter in the -<a href="smb.conf.5.html"><strong>smb.conf file</strong></a>. If -no WINS server has been specified this method will be ignored. -<p><a name="bcast"></a> -<li > <strong>bcast</strong> : Do a broadcast on each of the known local interfaces -listed in the <a href="smb.conf.5.html#interfaces"><strong>interfaces</strong></a> parameter -in the smb.conf file. This is the least reliable of the name resolution -methods as it depends on the target host being on a locally connected -subnet. -<p></dl> -<p>If this parameter is not set then the name resolve order defined -in the <a href="smb.conf.5.html"><strong>smb.conf</strong></a> file parameter -<a href="smb.conf.5.html#nameresolveorder"><strong>name resolve order</strong></a> -will be used. -<p>The default order is lmhosts, host, wins, bcast and without this -parameter or any entry in the <a href="smb.conf.5.html"><strong>smb.conf</strong></a> -file the name resolution methods will be attempted in this order. -<p><a name="minusm"></a> -<p></p><dt><strong><strong>-m</strong></strong><dd> This option tells <strong>smbpasswd</strong> that the account being -changed is a <em>MACHINE</em> account. Currently this is used when Samba is -being used as an NT Primary Domain Controller. PDC support is not a -supported feature in Samba2.0 but will become supported in a later -release. If you wish to know more about using Samba as an NT PDC then -please subscribe to the mailing list -<a href="mailto:samba-ntdom@samba.org"><em>samba-ntdom@samba.org</em></a>. -<p>This option is only available when running <strong>smbpasswd</strong> as root. -<p><a name="minusj"></a> -<p></p><dt><strong><strong>-j DOMAIN</strong></strong><dd> This option is used to add a Samba server into a -Windows NT Domain, as a Domain member capable of authenticating user -accounts to any Domain Controller in the same way as a Windows NT -Server. See the <a href="smb.conf.5.html#security"><strong>security=domain</strong></a> -option in the <a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a> man page. -<p>In order to be used in this way, the Administrator for the Windows -NT Domain must have used the program <em>"Server Manager for Domains"</em> -to add the <a href="smb.conf.5.html#netbiosname">primary NetBIOS name</a> of -the Samba server as a member of the Domain. -<p>After this has been done, to join the Domain invoke <strong>smbpasswd</strong> with -this parameter. <strong>smbpasswd</strong> will then look up the Primary Domain -Controller for the Domain (found in the -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file in the parameter -<a href="smb.conf.5.html#passwordserver"><strong>password server</strong></a> and change -the machine account password used to create the secure Domain -communication. This password is then stored by <strong>smbpasswd</strong> in a -file, read only by root, called <code><Domain>.<Machine>.mac</code> where -<code><Domain></code> is the name of the Domain we are joining and <code><Machine></code> -is the primary NetBIOS name of the machine we are running on. -<p>Once this operation has been performed the -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file may be updated to set the -<a href="smb.conf.5.html#security"><strong>security=domain</strong></a> option and all -future logins to the Samba server will be authenticated to the Windows -NT PDC. -<p>Note that even though the authentication is being done to the PDC all -users accessing the Samba server must still have a valid UNIX account -on that machine. -<p>This option is only available when running <strong>smbpasswd</strong> as root. -<p><a name="minusU"></a> -<p></p><dt><strong><strong>-U username</strong></strong><dd> This option may only be used in -conjunction with the <a href="smbpasswd.8.html#minusr"><strong>-r</strong></a> -option. When changing a password on a remote machine it allows the -user to specify the user name on that machine whose password will be -changed. It is present to allow users who have different user names on -different systems to change these passwords. -<p><a name="minush"></a> -<p></p><dt><strong><strong>-h</strong></strong><dd> This option prints the help string for <strong>smbpasswd</strong>, -selecting the correct one for running as root or as an ordinary user. -<p><a name="minuss"></a> -<p></p><dt><strong><strong>-s</strong></strong><dd> This option causes <strong>smbpasswd</strong> to be silent (i.e. not -issue prompts) and to read it's old and new passwords from standard -input, rather than from <code>/dev/tty</code> (like the <strong>passwd (1)</strong> program -does). This option is to aid people writing scripts to drive <strong>smbpasswd</strong> -<p><a name="username"></a> -<p></p><dt><strong><strong>username</strong></strong><dd> This specifies the username for all of the <em>root -only</em> options to operate on. Only root can specify this parameter as -only root has the permission needed to modify attributes directly -in the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. -<p><a name="NOTES"></a> -<h2>NOTES</h2> - -<p>Since <strong>smbpasswd</strong> works in client-server mode communicating with a -local <a href="smbd.8.html"><strong>smbd</strong></a> for a non-root user then the <strong>smbd</strong> -daemon must be running for this to work. A common problem is to add a -restriction to the hosts that may access the <strong>smbd</strong> running on the -local machine by specifying a <a href="smb.conf.5.html#allowhosts"><strong>"allow -hosts"</strong></a> or <a href="smb.conf.5.html#denyhosts"><strong>"deny -hosts"</strong></a> entry in the -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file and neglecting to allow -<em>"localhost"</em> access to the <strong>smbd</strong>. -<p>In addition, the <strong>smbpasswd</strong> command is only useful if <strong>Samba</strong> has -been set up to use encrypted passwords. See the file <strong>ENCRYPTION.txt</strong> -in the docs directory for details on how to do this. -<p><a name="VERSION"></a> -<h2>VERSION</h2> - -<p>This man page is correct for version 2.0 of the Samba suite. -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy Allison. -<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -</body> -</html> +<HTML +><HEAD +><TITLE +>smbpasswd</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="SMBPASSWD" +>smbpasswd</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>smbpasswd -- change a users SMB password</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>smbpasswd</B +> [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-j DOMAIN] [-U username] [-h] [-s] [username]</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN25" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +>The smbpasswd program has several different + functions, depending on whether it is run by the <I +CLASS="EMPHASIS" +>root</I +> + user or not. When run as a normal user it allows the user to change + the password used for their SMB sessions on any machines that store + SMB passwords. </P +><P +>By default (when run with no arguments) it will attempt to + change the current users SMB password on the local machine. This is + similar to the way the <B +CLASS="COMMAND" +>passwd(1)</B +> program works. + <B +CLASS="COMMAND" +>smbpasswd</B +> differs from how the passwd program works + however in that it is not <I +CLASS="EMPHASIS" +>setuid root</I +> but works in + a client-server mode and communicates with a locally running + <B +CLASS="COMMAND" +>smbd(8)</B +>. As a consequence in order for this to + succeed the smbd daemon must be running on the local machine. On a + UNIX machine the encrypted SMB passwords are usually stored in + the <TT +CLASS="FILENAME" +>smbpasswd(5)</TT +> file. </P +><P +>When run by an ordinary user with no options. smbpasswd + will prompt them for their old smb password and then ask them + for their new password twice, to ensure that the new password + was typed correctly. No passwords will be echoed on the screen + whilst being typed. If you have a blank smb password (specified by + the string "NO PASSWORD" in the smbpasswd file) then just press + the <Enter> key when asked for your old password. </P +><P +>smbpasswd can also be used by a normal user to change their + SMB password on remote machines, such as Windows NT Primary Domain + Controllers. See the (-r) and -U options below. </P +><P +>When run by root, smbpasswd allows new users to be added + and deleted in the smbpasswd file, as well as allows changes to + the attributes of the user in this file to be made. When run by root, + <B +CLASS="COMMAND" +>smbpasswd</B +> accesses the local smbpasswd file + directly, thus enabling changes to be made even if smbd is not + running. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN41" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-a</DT +><DD +><P +>This option specifies that the username + following should be added to the local smbpasswd file, with the + new password typed (type <Enter> for the old password). This + option is ignored if the username following already exists in + the smbpasswd file and it is treated like a regular change + password command. Note that the user to be added must already exist + in the system password file (usually <TT +CLASS="FILENAME" +>/etc/passwd</TT +>) + else the request to add the user will fail. </P +><P +>This option is only available when running smbpasswd + as root. </P +></DD +><DT +>-x</DT +><DD +><P +>This option specifies that the username + following should be deleted from the local smbpasswd file. + </P +><P +>This option is only available when running smbpasswd as + root.</P +></DD +><DT +>-d</DT +><DD +><P +>This option specifies that the username following + should be <TT +CLASS="CONSTANT" +>disabled</TT +> in the local smbpasswd + file. This is done by writing a <TT +CLASS="CONSTANT" +>'D'</TT +> flag + into the account control space in the smbpasswd file. Once this + is done all attempts to authenticate via SMB using this username + will fail. </P +><P +>If the smbpasswd file is in the 'old' format (pre-Samba 2.0 + format) there is no space in the users password entry to write + this information and so the user is disabled by writing 'X' characters + into the password space in the smbpasswd file. See <B +CLASS="COMMAND" +>smbpasswd(5) + </B +> for details on the 'old' and new password file formats. + </P +><P +>This option is only available when running smbpasswd as + root.</P +></DD +><DT +>-e</DT +><DD +><P +>This option specifies that the username following + should be <TT +CLASS="CONSTANT" +>enabled</TT +> in the local smbpasswd file, + if the account was previously disabled. If the account was not + disabled this option has no effect. Once the account is enabled then + the user will be able to authenticate via SMB once again. </P +><P +>If the smbpasswd file is in the 'old' format, then <B +CLASS="COMMAND" +> smbpasswd</B +> will prompt for a new password for this user, + otherwise the account will be enabled by removing the <TT +CLASS="CONSTANT" +>'D' + </TT +> flag from account control space in the <TT +CLASS="FILENAME" +> smbpasswd</TT +> file. See <B +CLASS="COMMAND" +>smbpasswd (5)</B +> for + details on the 'old' and new password file formats. </P +><P +>This option is only available when running smbpasswd as root. + </P +></DD +><DT +>-D debuglevel</DT +><DD +><P +><TT +CLASS="PARAMETER" +><I +>debuglevel</I +></TT +> is an integer + from 0 to 10. The default value if this parameter is not specified + is zero. </P +><P +>The higher this value, the more detail will be logged to the + log files about the activities of smbpasswd. At level 0, only + critical errors and serious warnings will be logged. </P +><P +>Levels above 1 will generate considerable amounts of log + data, and should only be used when investigating a problem. Levels + above 3 are designed for use only by developers and generate + HUGE amounts of log data, most of which is extremely cryptic. + </P +></DD +><DT +>-n</DT +><DD +><P +>This option specifies that the username following + should have their password set to null (i.e. a blank password) in + the local smbpasswd file. This is done by writing the string "NO + PASSWORD" as the first part of the first password stored in the + smbpasswd file. </P +><P +>Note that to allow users to logon to a Samba server once + the password has been set to "NO PASSWORD" in the smbpasswd + file the administrator must set the following parameter in the [global] + section of the <TT +CLASS="FILENAME" +>smb.conf</TT +> file : </P +><P +><B +CLASS="COMMAND" +>null passwords = yes</B +></P +><P +>This option is only available when running smbpasswd as + root.</P +></DD +><DT +>-r remote machine name</DT +><DD +><P +>This option allows a user to specify what machine + they wish to change their password on. Without this parameter + smbpasswd defaults to the local host. The <TT +CLASS="REPLACEABLE" +><I +>remote + machine name</I +></TT +> is the NetBIOS name of the SMB/CIFS + server to contact to attempt the password change. This name is + resolved into an IP address using the standard name resolution + mechanism in all programs of the Samba suite. See the <TT +CLASS="PARAMETER" +><I +>-R + name resolve order</I +></TT +> parameter for details on changing + this resolving mechanism. </P +><P +>The username whose password is changed is that of the + current UNIX logged on user. See the <TT +CLASS="PARAMETER" +><I +>-U username</I +></TT +> + parameter for details on changing the password for a different + username. </P +><P +>Note that if changing a Windows NT Domain password the + remote machine specified must be the Primary Domain Controller for + the domain (Backup Domain Controllers only have a read-only + copy of the user account database and will not allow the password + change).</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that Windows 95/98 do not have + a real password database so it is not possible to change passwords + specifying a Win95/98 machine as remote machine target. </P +></DD +><DT +>-R name resolve order</DT +><DD +><P +>This option allows the user of smbclient to determine + what name resolution services to use when looking up the NetBIOS + name of the host being connected to. </P +><P +>The options are :"lmhosts", "host", "wins" and "bcast". They cause + names to be resolved as follows : </P +><P +></P +><UL +><LI +><P +><TT +CLASS="CONSTANT" +>lmhosts</TT +> : Lookup an IP + address in the Samba lmhosts file. If the line in lmhosts has + no name type attached to the NetBIOS name (see the <A +HREF="lmhosts.5.html" +TARGET="_top" +>lmhosts(5)</A +> for details) then + any name type matches for lookup.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>host</TT +> : Do a standard host + name to IP address resolution, using the system <TT +CLASS="FILENAME" +>/etc/hosts + </TT +>, NIS, or DNS lookups. This method of name resolution + is operating system depended for instance on IRIX or Solaris this + may be controlled by the <TT +CLASS="FILENAME" +>/etc/nsswitch.conf</TT +> + file). Note that this method is only used if the NetBIOS name + type being queried is the 0x20 (server) name type, otherwise + it is ignored.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>wins</TT +> : Query a name with + the IP address listed in the <TT +CLASS="PARAMETER" +><I +>wins server</I +></TT +> + parameter. If no WINS server has been specified this method + will be ignored.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>bcast</TT +> : Do a broadcast on + each of the known local interfaces listed in the + <TT +CLASS="PARAMETER" +><I +>interfaces</I +></TT +> parameter. This is the least + reliable of the name resolution methods as it depends on the + target host being on a locally connected subnet.</P +></LI +></UL +><P +>The default order is <B +CLASS="COMMAND" +>lmhosts, host, wins, bcast</B +> + and without this parameter or any entry in the + <TT +CLASS="FILENAME" +>smb.conf</TT +> file the name resolution methods will + be attempted in this order. </P +></DD +><DT +>-m</DT +><DD +><P +>This option tells smbpasswd that the account + being changed is a MACHINE account. Currently this is used + when Samba is being used as an NT Primary Domain Controller.</P +><P +>This option is only available when running smbpasswd as root. + </P +></DD +><DT +>-j DOMAIN</DT +><DD +><P +>This option is used to add a Samba server + into a Windows NT Domain, as a Domain member capable of authenticating + user accounts to any Domain Controller in the same way as a Windows + NT Server. See the <B +CLASS="COMMAND" +>security = domain</B +> option in + the <TT +CLASS="FILENAME" +>smb.conf(5)</TT +> man page. </P +><P +>In order to be used in this way, the Administrator for + the Windows NT Domain must have used the program "Server Manager + for Domains" to add the primary NetBIOS name of the Samba server + as a member of the Domain. </P +><P +>After this has been done, to join the Domain invoke <B +CLASS="COMMAND" +> smbpasswd</B +> with this parameter. smbpasswd will then + look up the Primary Domain Controller for the Domain (found in + the <TT +CLASS="FILENAME" +>smb.conf</TT +> file in the parameter + <TT +CLASS="PARAMETER" +><I +>password server</I +></TT +> and change the machine account + password used to create the secure Domain communication. This + password is then stored by smbpasswd in a TDB, writeable only by root, + called <TT +CLASS="FILENAME" +>secrets.tdb</TT +> </P +><P +>Once this operation has been performed the <TT +CLASS="FILENAME" +> smb.conf</TT +> file may be updated to set the <B +CLASS="COMMAND" +> security = domain</B +> option and all future logins + to the Samba server will be authenticated to the Windows NT + PDC. </P +><P +>Note that even though the authentication is being + done to the PDC all users accessing the Samba server must still + have a valid UNIX account on that machine. </P +><P +>This option is only available when running smbpasswd as root. + </P +></DD +><DT +>-U username</DT +><DD +><P +>This option may only be used in conjunction + with the <TT +CLASS="PARAMETER" +><I +>-r</I +></TT +> option. When changing + a password on a remote machine it allows the user to specify + the user name on that machine whose password will be changed. It + is present to allow users who have different user names on + different systems to change these passwords. </P +></DD +><DT +>-h</DT +><DD +><P +>This option prints the help string for <B +CLASS="COMMAND" +> smbpasswd</B +>, selecting the correct one for running as root + or as an ordinary user. </P +></DD +><DT +>-s</DT +><DD +><P +>This option causes smbpasswd to be silent (i.e. + not issue prompts) and to read it's old and new passwords from + standard input, rather than from <TT +CLASS="FILENAME" +>/dev/tty</TT +> + (like the <B +CLASS="COMMAND" +>passwd(1)</B +> program does). This option + is to aid people writing scripts to drive smbpasswd</P +></DD +><DT +>username</DT +><DD +><P +>This specifies the username for all of the + <I +CLASS="EMPHASIS" +>root only</I +> options to operate on. Only root + can specify this parameter as only root has the permission needed + to modify attributes directly in the local smbpasswd file. + </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN171" +></A +><H2 +>NOTES</H2 +><P +>Since <B +CLASS="COMMAND" +>smbpasswd</B +> works in client-server + mode communicating with a local smbd for a non-root user then + the smbd daemon must be running for this to work. A common problem + is to add a restriction to the hosts that may access the <B +CLASS="COMMAND" +> smbd</B +> running on the local machine by specifying a + <TT +CLASS="PARAMETER" +><I +>allow hosts</I +></TT +> or <TT +CLASS="PARAMETER" +><I +>deny hosts</I +></TT +> + entry in the <TT +CLASS="FILENAME" +>smb.conf</TT +> file and neglecting to + allow "localhost" access to the smbd. </P +><P +>In addition, the smbpasswd command is only useful if Samba + has been set up to use encrypted passwords. See the file + <TT +CLASS="FILENAME" +>ENCRYPTION.txt</TT +> in the docs directory for details + on how to do this. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN181" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN184" +></A +><H2 +>SEE ALSO</H2 +><P +><A +HREF="smbpasswd.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smbpasswd(5)</TT +></A +>, + <A +HREF="samba.7.html" +TARGET="_top" +>samba(7)</A +> + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN190" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/manpages/smbcacls.1 b/docs/manpages/smbcacls.1 index 9f5c00c6c4..fd8ca13591 100644 --- a/docs/manpages/smbcacls.1 +++ b/docs/manpages/smbcacls.1 @@ -1,192 +1,191 @@ -.TH "smbcacls " "1" "22 Dec 2000" "Samba" "SAMBA" -.PP -.SH "NAME" -smbcacls \- Set or get ACLs on an NT file or directory -.PP -.SH "SYNOPSIS" -.PP -\fBsmbcacls\fP //server/share filename [-U username] -[-A acls] [-M acls] -[-D acls] [-S acls] -[-C name] [-G name] -[-n] [-h] -.PP -.SH "DESCRIPTION" -.PP -The \fBsmbcacls\fP program manipulates NT Access Control Lists (ACLs) on -SMB file shares\&. -.PP -.SH "OPTIONS" -.PP -The following options are available to the \fBsmbcacls\fP program\&. The -format of ACLs is described in the section ACL FORMAT -.PP -.IP -.IP "\fB-A acls\fP" -.IP -Add the ACLs specified to the ACL list\&. Existing access control entries -are unchanged\&. -.IP -.IP "\fB-M acls\fP" -.IP -Modify the mask value (permissions) for the ACLs specified on the command -line\&. An error will be printed for each ACL specified that was not already -present in the ACL list\&. -.IP -.IP "\fB-D acls\fP" -.IP -Delete any ACLs specfied on the command line\&. An error will be printed for -each ACL specified that was not already present in the ACL list\&. -.IP -.IP "\fB-S acls\fP" -.IP -This command sets the ACLs on the file with only the ones specified on the -command line\&. All other ACLs are erased\&. Note that the ACL specified must -contain at least a revision, type, owner and group for the call to succeed\&. -.IP -.IP "\fB-U username\fP" -.IP -Specifies a username used to connect to the specified service\&. The -username may be of the form \f(CWusername\fP in which case the user is -prompted to enter in a password and the workgroup specified in the -\fBsmb\&.conf\fP file is used, or \f(CWusername%password\fP -or \f(CWDOMAIN\eusername%password\fP and the password and workgroup names are -used as provided\&. -.IP -.IP "\fB-C name\fP" -.IP -The owner of a file or directory can be changed to the name given -using the -C option\&. The name can be a sid in the form \f(CWS-1-x-y-z\fP or a -name resolved against the server specified in the first argument\&. -.IP -This command is a shortcut for \f(CW-M OWNER:name\fP\&. -.IP -.IP "\fB-G name\fP" -.IP -The group owner of a file or directory can be changed to the name given -using the -G option\&. The name can be a sid in the form \f(CWS-1-x-y-z\fP or a -name resolved against the server specified in the first argument\&. -.IP -This command is a shortcut for \f(CW-M GROUP:name\fP\&. -.IP -.IP "\fB-n\fP" -.IP -This option displays all ACL information in numeric format\&. The default is -to convert SIDs to names and ACE types and masks to a readable string -format\&. -.IP -.IP "\fB-h\fP" -.IP -Print usage information on the \fBsmbcacls\fP program -.IP -.PP -.SH "ACL FORMAT" -.PP -The format of an ACL is one or more ACL entries separated by either -commas or newlines\&. An ACL entry is one of the following: -.PP +.\" This manpage has been automatically generated by docbook2man-spec +.\" from a DocBook document. docbook2man-spec can be found at: +.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/> +.\" Please send any bug reports, improvements, comments, patches, +.\" etc. to Steve Cheng <steve@ggi-project.org>. +.TH "SMBCACLS" "1" "22 February 2001" "" "" +.SH NAME +smbcacls \- Set or get ACLs on an NT file or directory names +.SH SYNOPSIS +.sp +\fBnmblookup\fR \fB//server/share\fR \fBfilename\fR [ \fB-U username\fR ] [ \fB-A acls\fR ] [ \fB-M acls\fR ] [ \fB-D acls\fR ] [ \fB-S acls\fR ] [ \fB-C name\fR ] [ \fB-G name\fR ] [ \fB-n\fR ] [ \fB-h\fR ] +.SH "DESCRIPTION" +.PP +This tool is part of the Samba <URL:samba.7.html> suite. +.PP +The smbcacls program manipulates NT Access Control Lists +(ACLs) on SMB file shares. +.SH "OPTIONS" +.PP +The following options are available to the smbcacls program. +The format of ACLs is described in the section ACL FORMAT +.TP +\fB-A acls\fR +Add the ACLs specified to the ACL list. Existing +access control entries are unchanged. +.TP +\fB-M acls\fR +Modify the mask value (permissions) for the ACLs +specified on the command line. An error will be printed for each +ACL specified that was not already present in the ACL list +.TP +\fB-D acls\fR +Delete any ACLs specfied on the command line. +An error will be printed for each ACL specified that was not +already present in the ACL list. +.TP +\fB-S acls\fR +This command sets the ACLs on the file with +only the ones specified on the command line. All other ACLs are +erased. Note that the ACL specified must contain at least a revision, +type, owner and group for the call to succeed. +.TP +\fB-U username\fR +Specifies a username used to connect to the +specified service. The username may be of the form "username" in +which case the user is prompted to enter in a password and the +workgroup specified in the \fIsmb.conf\fR file is +used, or "username%password" or "DOMAIN\\username%password" and the +password and workgroup names are used as provided. +.TP +\fB-C name\fR +The owner of a file or directory can be changed +to the name given using the \fI-C\fR option. +The name can be a sid in the form S-1-x-y-z or a name resolved +against the server specified in the first argument. -.nf +This command is a shortcut for -M OWNER:name. +.TP +\fB-G name\fR +The group owner of a file or directory can +be changed to the name given using the \fI-G\fR +option. The name can be a sid in the form S-1-x-y-z or a name +resolved against the server specified n the first argument. + +This command is a shortcut for -M GROUP:name. +.TP +\fB-n\fR +This option displays all ACL information in numeric +format. The default is to convert SIDs to names and ACE types +and masks to a readable string format. +.TP +\fB-h\fR +Print usage information on the \fBsmbcacls +\fRprogram. +.SH "ACL FORMAT" +.PP +The format of an ACL is one or more ACL entries separated by +either commas or newlines. An ACL entry is one of the following: +.PP +.sp +.nf REVISION:<revision number> OWNER:<sid or name> GROUP:<sid or name> ACL:<sid or name>:<type>/<flags>/<mask> -.fi - - -.PP -The revision of the ACL specifies the internal Windows NT ACL revision for -the security descriptor\&. If not specified it defaults to 1\&. Using values -other than 1 may cause strange behaviour\&. -.PP -The owner and group specify the owner and group sids for the object\&. If a -SID in the format \f(CWS-1-x-y-z\fP is specified this is used, otherwise -the name specified is resolved using the server on which the file or -directory resides\&. -.PP -ACLs specify permissions granted to the SID\&. This SID again can be -specified in \f(CWS-1-x-y-z\fP format or as a name in which case it is resolved -against the server on which the file or directory resides\&. The type, flags -and mask values determine the type of access granted to the SID\&. -.PP -The type can be either 0 or 1 corresponding to ALLOWED or DENIED access to -the SID\&. The flags values are generally zero for file ACLs and either 9 or -2 for directory ACLs\&. Some common flags are: -.PP - -.nf - -#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1 -#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2 -#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4 -#define SEC_ACE_FLAG_INHERIT_ONLY 0x8 -.fi - - -.PP -At present flags can only be specified as decimal or hexadecimal values\&. -.PP -The mask is a value which expresses the access right granted to the SID\&. -It can be given as a decimal or hexadecimal value, or by using one of the -following text strings which map to the NT file permissions of the same -name\&. -.PP -.IP -.IP "" -\f(CWR\fP Allow read access -.IP -.IP "" -\f(CWW\fP Allow write access -.IP -.IP "" -\f(CWX\fP Execute permission on the object -.IP -.IP "" -\f(CWD\fP Delete the object -.IP -.IP "" -\f(CWP\fP Change permissions -.IP -.IP "" -\f(CWO\fP Take ownership -.IP -.PP + +.sp +.fi +.PP +The revision of the ACL specifies the internal Windows +NT ACL revision for the security descriptor. +If not specified it defaults to 1. Using values other than 1 may +cause strange behaviour. +.PP +The owner and group specify the owner and group sids for the +object. If a SID in the format CWS-1-x-y-z is specified this is used, +otherwise the name specified is resolved using the server on which +the file or directory resides. +.PP +ACLs specify permissions granted to the SID. This SID again +can be specified in CWS-1-x-y-z format or as a name in which case +it is resolved against the server on which the file or directory +resides. The type, flags and mask values determine the type of +access granted to the SID. +.PP +The type can be either 0 or 1 corresponding to ALLOWED or +DENIED access to the SID. The flags values are generally +zero for file ACLs and either 9 or 2 for directory ACLs. Some +common flags are: +.TP 0.2i +\(bu +#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1 +.TP 0.2i +\(bu +#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2 +.TP 0.2i +\(bu +#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4 +.TP 0.2i +\(bu +#define SEC_ACE_FLAG_INHERIT_ONLY 0x8 +.PP +At present flags can only be specified as decimal or +hexadecimal values. +.PP +.PP +The mask is a value which expresses the access right +granted to the SID. It can be given as a decimal or hexadecimal value, +or by using one of the following text strings which map to the NT +file permissions of the same name. +.PP +.TP 0.2i +\(bu +\fBR\fR - Allow read access +.TP 0.2i +\(bu +\fBW\fR - Allow write access +.TP 0.2i +\(bu +\fBX\fR - Execute permission on the object +.TP 0.2i +\(bu +\fBD\fR - Delete the object +.TP 0.2i +\(bu +\fBP\fR - Change permissions +.TP 0.2i +\(bu +\fBO\fR - Take ownership +.PP The following combined permissions can be specified: -.PP -.IP -.IP "" -\f(CWREAD\fP -.IP -Equivalent to \f(CWRX\fP permissions -.IP -.IP "" -\f(CWCHANGE\fP -.IP -Equivalent to \f(CWRXWD\fP permissions -.IP -.IP "" -\f(CWFULL\fP -.IP -Equivalent to \f(CWRWXDPO\fP permissions -.IP -.PP -.SH "EXIT STATUS" -.PP -The \fBsmbcacls\fP program sets the exit status depending on the success or -otherwise of the operations performed\&. The exit status may be one of the -following values\&. -.PP -If the operation succeded, \fBsmbcacls\fP returns and exit status of 0\&. If -\fBsmbcacls\fP couldn\'t connect to the specified server, or there was an -error getting or setting the ACLs, an exit status of 1 is returned\&. If -there was an error parsing any command line arguments, an exit status of 2 -is returned\&. -.PP -.SH "AUTHOR" -.PP -The original Samba software and related utilities were created by -Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open -Source project\&. -.PP -\fBsmbcacls\fP was written by Andrew Tridgell and Tim Potter\&. +.PP +.TP 0.2i +\(bu +\fBREAD\fR - Equivalent to 'RX' +permissions +.TP 0.2i +\(bu +\fBCHANGE\fR - Equivalent to 'RXWD' permissions +.TP 0.2i +\(bu +\fBFULL\fR - Equivalent to 'RWXDPO' +permissions +.SH "EXIT STATUS" +.PP +The \fBsmbcacls\fR program sets the exit status +depending on the success or otherwise of the operations performed. +The exit status may be one of the following values. +.PP +If the operation succeded, smbcacls returns and exit +status of 0. If smbcacls couldn't connect to the specified server, +or there was an error getting or setting the ACLs, an exit status +of 1 is returned. If there was an error parsing any command line +arguments, an exit status of 2 is returned. +.SH "VERSION" +.PP +This man page is correct for version 2.2 of +the Samba suite. +.SH "AUTHOR" +.PP +The original Samba software and related utilities +were created by Andrew Tridgell. Samba is now developed +by the Samba Team as an Open Source project similar +to the way the Linux kernel is developed. +.PP +\fBsmbcacls\fR was written by Andrew Tridgell +and Tim Potter. +.PP +The conversion to DocBook for Samba 2.2 was done +by Gerald Carter diff --git a/docs/manpages/smbpasswd.5 b/docs/manpages/smbpasswd.5 index bc87d134d2..fef3713425 100644 --- a/docs/manpages/smbpasswd.5 +++ b/docs/manpages/smbpasswd.5 @@ -1,214 +1,159 @@ -.TH "smbpasswd " "5" "23 Oct 1998" "Samba" "SAMBA" -.PP -.SH "NAME" +.\" This manpage has been automatically generated by docbook2man-spec +.\" from a DocBook document. docbook2man-spec can be found at: +.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/> +.\" Please send any bug reports, improvements, comments, patches, +.\" etc. to Steve Cheng <steve@ggi-project.org>. +.TH "SMBPASSWD" "5" "22 February 2001" "" "" +.SH NAME smbpasswd \- The Samba encrypted password file -.PP -.SH "SYNOPSIS" -.PP -smbpasswd is the \fBSamba\fP encrypted password file\&. -.PP -.SH "DESCRIPTION" -.PP -This file is part of the \fBSamba\fP suite\&. -.PP -smbpasswd is the \fBSamba\fP encrypted password file\&. It contains -the username, Unix user id and the SMB hashed passwords of the -user, as well as account flag information and the time the password -was last changed\&. This file format has been evolving with Samba -and has had several different formats in the past\&. -.PP -.SH "FILE FORMAT" -.PP -The format of the smbpasswd file used by Samba 2\&.0 is very similar to -the familiar Unix \fBpasswd (5)\fP file\&. It is an ASCII file containing -one line for each user\&. Each field within each line is separated from -the next by a colon\&. Any entry beginning with # is ignored\&. The -smbpasswd file contains the following information for each user: -.PP -.IP -.IP "\fBname\fP" -.br -.br -.IP -This is the user name\&. It must be a name that already exists -in the standard UNIX passwd file\&. -.IP -.IP "\fBuid\fP" -.br -.br -.IP -This is the UNIX uid\&. It must match the uid field for the same -user entry in the standard UNIX passwd file\&. If this does not -match then Samba will refuse to recognize this \fBsmbpasswd\fP file entry -as being valid for a user\&. -.IP -.IP "\fBLanman Password Hash\fP" -.br -.br -.IP -This is the \fILANMAN\fP hash of the users password, encoded as 32 hex -digits\&. The \fILANMAN\fP hash is created by DES encrypting a well known -string with the users password as the DES key\&. This is the same -password used by Windows 95/98 machines\&. Note that this password hash -is regarded as weak as it is vulnerable to dictionary attacks and if -two users choose the same password this entry will be identical (i\&.e\&. -the password is not \fI"salted"\fP as the UNIX password is)\&. If the -user has a null password this field will contain the characters -\f(CW"NO PASSWORD"\fP as the start of the hex string\&. If the hex string -is equal to 32 \f(CW\'X\'\fP characters then the users account is marked as -\fIdisabled\fP and the user will not be able to log onto the Samba -server\&. -.IP -\fIWARNING !!\fP\&. Note that, due to the challenge-response nature of the -SMB/CIFS authentication protocol, anyone with a knowledge of this -password hash will be able to impersonate the user on the network\&. -For this reason these hashes are known as \fI"plain text equivalent"\fP -and must \fINOT\fP be made available to anyone but the root user\&. To -protect these passwords the \fBsmbpasswd\fP file is placed in a -directory with read and traverse access only to the root user and the -\fBsmbpasswd\fP file itself must be set to be read/write only by root, -with no other access\&. -.IP -.IP "\fBNT Password Hash\fP" -.br -.br -.IP -This is the \fIWindows NT\fP hash of the users password, encoded as 32 -hex digits\&. The \fIWindows NT\fP hash is created by taking the users -password as represented in 16-bit, little-endian UNICODE and then -applying the \fIMD4\fP (internet rfc1321) hashing algorithm to it\&. -.IP -This password hash is considered more secure than the \fBLanman -Password Hash\fP as it preserves the case of the -password and uses a much higher quality hashing algorithm\&. However, it -is still the case that if two users choose the same password this -entry will be identical (i\&.e\&. the password is not \fI"salted"\fP as the -UNIX password is)\&. -.IP -\fIWARNING !!\fP\&. Note that, due to the challenge-response nature of the -SMB/CIFS authentication protocol, anyone with a knowledge of this -password hash will be able to impersonate the user on the network\&. -For this reason these hashes are known as \fI"plain text equivalent"\fP -and must \fINOT\fP be made available to anyone but the root user\&. To -protect these passwords the \fBsmbpasswd\fP file is placed in a -directory with read and traverse access only to the root user and the -\fBsmbpasswd\fP file itself must be set to be read/write only by root, -with no other access\&. -.IP -.IP "\fBAccount Flags\fP" -.br -.br -.IP -This section contains flags that describe the attributes of the users -account\&. In the \fBSamba2\&.0\fP release this field is bracketed by \f(CW\'[\'\fP -and \f(CW\']\'\fP characters and is always 13 characters in length (including -the \f(CW\'[\'\fP and \f(CW\']\'\fP characters)\&. The contents of this field may be -any of the characters\&. -.IP -.IP -.IP o -\fB\'U\'\fP This means this is a \fI"User"\fP account, i\&.e\&. an ordinary -user\&. Only \fBUser\fP and \fBWorkstation Trust\fP accounts are -currently supported in the \fBsmbpasswd\fP file\&. -.IP -.IP o -\fB\'N\'\fP This means the account has \fIno\fP password (the passwords -in the fields \fBLanman Password Hash\fP and -\fBNT Password Hash\fP are ignored)\&. Note that this -will only allow users to log on with no password if the -\fBnull passwords\fP parameter is set -in the \fBsmb\&.conf (5)\fP config file\&. -.IP -.IP o -\fB\'D\'\fP This means the account is disabled and no SMB/CIFS logins -will be allowed for this user\&. -.IP -.IP o -\fB\'W\'\fP This means this account is a \fI"Workstation Trust"\fP account\&. -This kind of account is used in the Samba PDC code stream to allow Windows -NT Workstations and Servers to join a Domain hosted by a Samba PDC\&. -.IP -.IP -Other flags may be added as the code is extended in future\&. The rest of -this field space is filled in with spaces\&. -.IP -.IP "\fBLast Change Time\fP" -.br -.br -.IP -This field consists of the time the account was last modified\&. It consists of -the characters \f(CWLCT-\fP (standing for \fI"Last Change Time"\fP) followed by a numeric -encoding of the UNIX time in seconds since the epoch (1970) that the last change -was made\&. -.IP -.IP "\fBFollowing fields\fP" -.br -.br -.IP -All other colon separated fields are ignored at this time\&. -.IP -.PP -.SH "NOTES" -.PP -In previous versions of Samba (notably the 1\&.9\&.18 series) this file -did not contain the \fBAccount Flags\fP or -\fBLast Change Time\fP fields\&. The Samba 2\&.0 -code will read and write these older password files but will not be able to -modify the old entries to add the new fields\&. New entries added with -\fBsmbpasswd (8)\fP will contain the new fields -in the added accounts however\&. Thus an older \fBsmbpasswd\fP file used -with Samba 2\&.0 may end up with some accounts containing the new fields -and some not\&. -.PP -In order to convert from an old-style \fBsmbpasswd\fP file to a new -style, run the script \fBconvert_smbpasswd\fP, installed in the -Samba \f(CWbin/\fP directory (the same place that the \fBsmbd\fP -and \fBnmbd\fP binaries are installed) as follows: -.PP +.SH SYNOPSIS +.PP +\fIsmbpasswd\fR +.SH "DESCRIPTION" +.PP +This tool is part of the Samba <URL:samba.7.html> suite. +.PP +smbpasswd is the Samba encrypted password file. It contains +the username, Unix user id and the SMB hashed passwords of the +user, as well as account flag information and the time the +password was last changed. This file format has been evolving with +Samba and has had several different formats in the past. +.SH "FILE FORMAT" +.PP +The format of the smbpasswd file used by Samba 2.2 +is very similar to the familiar Unix \fIpasswd(5)\fR +file. It is an ASCII file containing one line for each user. Each field +ithin each line is separated from the next by a colon. Any entry +beginning with '#' is ignored. The smbpasswd file contains the +following information for each user: +.TP +\fBname\fR +This is the user name. It must be a name that +already exists in the standard UNIX passwd file. +.TP +\fBuid\fR +This is the UNIX uid. It must match the uid +field for the same user entry in the standard UNIX passwd file. +If this does not match then Samba will refuse to recognize +this smbpasswd file entry as being valid for a user. +.TP +\fBLanman Password Hash\fR +This is the LANMAN hash of the users password, +encoded as 32 hex digits. The LANMAN hash is created by DES +encrypting a well known string with the users password as the +DES key. This is the same password used by Windows 95/98 machines. +Note that this password hash is regarded as weak as it is +vulnerable to dictionary attacks and if two users choose the +same password this entry will be identical (i.e. the password +is not "salted" as the UNIX password is). If the user has a +null password this field will contain the characters "NO PASSWORD" +as the start of the hex string. If the hex string is equal to +32 'X' characters then the users account is marked as +disabled and the user will not be able to +log onto the Samba server. -.nf - +\fBWARNING !!\fR Note that, due to +the challenge-response nature of the SMB/CIFS authentication +protocol, anyone with a knowledge of this password hash will +be able to impersonate the user on the network. For this +reason these hashes are known as \fBplain text +equivalents\fR and must \fBNOT\fR be made +available to anyone but the root user. To protect these passwords +the smbpasswd file is placed in a directory with read and +traverse access only to the root user and the smbpasswd file +itself must be set to be read/write only by root, with no +other access. +.TP +\fBNT Password Hash\fR +This is the Windows NT hash of the users +password, encoded as 32 hex digits. The Windows NT hash is +created by taking the users password as represented in +16-bit, little-endian UNICODE and then applying the MD4 +(internet rfc1321) hashing algorithm to it. +This password hash is considered more secure than +the Lanman Password Hash as it preserves the case of the +password and uses a much higher quality hashing algorithm. +However, it is still the case that if two users choose the same +password this entry will be identical (i.e. the password is +not "salted" as the UNIX password is). - cat old_smbpasswd_file | convert_smbpasswd > new_smbpasswd_file - - -.fi - - -.PP -The \fBconvert_smbpasswd\fP script reads from stdin and writes to stdout -so as not to overwrite any files by accident\&. -.PP -Once this script has been run, check the contents of the new smbpasswd -file to ensure that it has not been damaged by the conversion script -(which uses \fBawk\fP), and then replace the \f(CW<old smbpasswd file>\fP -with the \f(CW<new smbpasswd file>\fP\&. -.PP -.SH "VERSION" -.PP -This man page is correct for version 2\&.0 of the Samba suite\&. -.PP -.SH "SEE ALSO" -.PP -\fBsmbpasswd (8)\fP, \fBsamba -(7)\fP, and the Internet RFC1321 for details on the MD4 -algorithm\&. -.PP -.SH "AUTHOR" -.PP -The original Samba software and related utilities were created by -Andrew Tridgell samba@samba\&.org\&. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed\&. -.PP -The original Samba man pages were written by Karl Auer\&. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -\fBftp://ftp\&.icce\&.rug\&.nl/pub/unix/\fP) -and updated for the Samba2\&.0 release by Jeremy -Allison, samba@samba\&.org\&. -.PP -See \fBsamba (7)\fP to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc\&. +\fBWARNING !!\fR. Note that, due to +the challenge-response nature of the SMB/CIFS authentication +protocol, anyone with a knowledge of this password hash will +be able to impersonate the user on the network. For this +reason these hashes are known as \fBplain text +equivalents\fR and must \fBNOT\fR be made +available to anyone but the root user. To protect these passwords +the smbpasswd file is placed in a directory with read and +traverse access only to the root user and the smbpasswd file +itself must be set to be read/write only by root, with no +other access. +.TP +\fBAccount Flags\fR +This section contains flags that describe +the attributes of the users account. In the Samba 2.2 release +this field is bracketed by '[' and ']' characters and is always +13 characters in length (including the '[' and ']' characters). +The contents of this field may be any of the characters. +.RS +.TP 0.2i +\(bu +\fBU\fR - This means +this is a "User" account, i.e. an ordinary user. Only User +and Workstation Trust accounts are currently supported +in the smbpasswd file. +.TP 0.2i +\(bu +\fBN\fR - This means the +account has no password (the passwords in the fields Lanman +Password Hash and NT Password Hash are ignored). Note that this +will only allow users to log on with no password if the \fI null passwords\fR parameter is set in the \fIsmb.conf(5) +\fR <URL:smb.conf.5.html#NULLPASSWORDS> config file. +.TP 0.2i +\(bu +\fBD\fR - This means the account +is disabled and no SMB/CIFS logins will be allowed for +this user. +.TP 0.2i +\(bu +\fBW\fR - This means this account +is a "Workstation Trust" account. This kind of account is used +in the Samba PDC code stream to allow Windows NT Workstations +and Servers to join a Domain hosted by a Samba PDC. +.RE +.PP +Other flags may be added as the code is extended in future. +The rest of this field space is filled in with spaces. +.PP +.TP +\fBLast Change Time\fR +This field consists of the time the account was +last modified. It consists of the characters 'LCT-' (standing for +"Last Change Time") followed by a numeric encoding of the UNIX time +in seconds since the epoch (1970) that the last change was made. +.PP +All other colon separated fields are ignored at this time. +.PP +.SH "VERSION" +.PP +This man page is correct for version 2.2 of +the Samba suite. +.SH "SEE ALSO" +.PP +\fBsmbpasswd(8)\fR <URL:smbpasswd.8.html>, +samba(7) <URL:samba.7.html>, and +the Internet RFC1321 for details on the MD4 algorithm. +.SH "AUTHOR" +.PP +The original Samba software and related utilities +were created by Andrew Tridgell. Samba is now developed +by the Samba Team as an Open Source project similar +to the way the Linux kernel is developed. +.PP +The original Samba man pages were written by Karl Auer. +The man page sources were converted to YODL format (another +excellent piece of Open Source software, available at +ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the Samba 2.0 +release by Jeremy Allison. The conversion to DocBook for +Samba 2.2 was done by Gerald Carter diff --git a/docs/manpages/smbpasswd.8 b/docs/manpages/smbpasswd.8 index be70fad031..3c134913a9 100644 --- a/docs/manpages/smbpasswd.8 +++ b/docs/manpages/smbpasswd.8 @@ -1,308 +1,301 @@ -.TH "smbpasswd " "8" "23 Oct 1998" "Samba" "SAMBA" -.PP -.SH "NAME" +.\" This manpage has been automatically generated by docbook2man-spec +.\" from a DocBook document. docbook2man-spec can be found at: +.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/> +.\" Please send any bug reports, improvements, comments, patches, +.\" etc. to Steve Cheng <steve@ggi-project.org>. +.TH "SMBPASSWD" "8" "22 February 2001" "" "" +.SH NAME smbpasswd \- change a users SMB password -.PP -.SH "SYNOPSIS" -.PP -\fBsmbpasswd\fP [-a] [-x] [-d] [-e] [-D debug level] [-n] [-r remote_machine] [-R name resolve order] [-m] [-j DOMAIN] [-U username] [-h] [-s] username -.PP -.SH "DESCRIPTION" -.PP -This program is part of the \fBSamba\fP suite\&. -.PP -The \fBsmbpasswd\fP program has several different functions, depending -on whether it is run by the \fIroot\fP user or not\&. When run as a normal -user it allows the user to change the password used for their SMB -sessions on any machines that store SMB passwords\&. -.PP -By default (when run with no arguments) it will attempt to change the -current users SMB password on the local machine\&. This is similar to -the way the \fBpasswd (1)\fP program works\&. \fBsmbpasswd\fP differs from how -the \fBpasswd\fP program works however in that it is not \fIsetuid root\fP -but works in a client-server mode and communicates with a locally -running \fBsmbd\fP\&. As a consequence in order for this -to succeed the \fBsmbd\fP daemon must be running on -the local machine\&. On a UNIX machine the encrypted SMB passwords are -usually stored in the \fBsmbpasswd (5)\fP file\&. -.PP -When run by an ordinary user with no options\&. \fBsmbpasswd\fP will -prompt them for their old smb password and then ask them for their new -password twice, to ensure that the new password was typed -correctly\&. No passwords will be echoed on the screen whilst being -typed\&. If you have a blank smb password (specified by the string "NO -PASSWORD" in the \fBsmbpasswd\fP file) then just -press the <Enter> key when asked for your old password\&. -.PP -\fBsmbpasswd\fP can also be used by a normal user to change their SMB -password on remote machines, such as Windows NT Primary Domain -Controllers\&. See the (\fB-r\fP) and -\fB-U\fP options below\&. -.PP -When run by root, \fBsmbpasswd\fP allows new users to be added and -deleted in the \fBsmbpasswd\fP file, as well as -allows changes to the attributes of the user in this file to be made\&. When -run by root, \fBsmbpasswd\fP accesses the local -\fBsmbpasswd\fP file directly, thus enabling -changes to be made even if \fBsmbd\fP is not running\&. -.PP -.SH "OPTIONS" -.PP -.IP -.IP "\fB-a\fP" -This option specifies that the username following should -be added to the local \fBsmbpasswd\fP file, with -the new password typed (type <Enter> for the old password)\&. This -option is ignored if the username following already exists in the -\fBsmbpasswd\fP file and it is treated like a -regular change password command\&. Note that the user to be added -\fBmust\fP already exist in the system password file (usually /etc/passwd) -else the request to add the user will fail\&. -.IP -This option is only available when running \fBsmbpasswd\fP as -root\&. -.IP -.IP "\fB-x\fP" -This option specifies that the username following should -be deleted from the local \fBsmbpasswd\fP file\&. -.IP -This option is only available when running \fBsmbpasswd\fP as -root\&. -.IP -.IP "\fB-d\fP" -This option specifies that the username following should be -\fIdisabled\fP in the local \fBsmbpasswd\fP file\&. -This is done by writing a \fI\'D\'\fP flag into the account control space -in the \fBsmbpasswd\fP file\&. Once this is done -all attempts to authenticate via SMB using this username will fail\&. -.IP -If the \fBsmbpasswd\fP file is in the \'old\' -format (pre-Samba 2\&.0 format) there is no space in the users password -entry to write this information and so the user is disabled by writing -\'X\' characters into the password space in the -\fBsmbpasswd\fP file\&. See \fBsmbpasswd -(5)\fP for details on the \'old\' and new password file -formats\&. -.IP -This option is only available when running \fBsmbpasswd\fP as root\&. -.IP -.IP "\fB-e\fP" -This option specifies that the username following should be -\fIenabled\fP in the local \fBsmbpasswd\fP file, -if the account was previously disabled\&. If the account was not -disabled this option has no effect\&. Once the account is enabled -then the user will be able to authenticate via SMB once again\&. -.IP -If the smbpasswd file is in the \'old\' format then \fBsmbpasswd\fP will -prompt for a new password for this user, otherwise the account will be -enabled by removing the \fI\'D\'\fP flag from account control space in the -\fBsmbpasswd\fP file\&. See \fBsmbpasswd -(5)\fP for details on the \'old\' and new password file -formats\&. -.IP -This option is only available when running \fBsmbpasswd\fP as root\&. -.IP -.IP "\fB-D debuglevel\fP" -debuglevel is an integer from 0 -to 10\&. The default value if this parameter is not specified is zero\&. -.IP -The higher this value, the more detail will be logged to the log files -about the activities of smbpasswd\&. At level 0, only critical errors -and serious warnings will be logged\&. -.IP -Levels above 1 will generate considerable amounts of log data, and -should only be used when investigating a problem\&. Levels above 3 are -designed for use only by developers and generate HUGE amounts of log -data, most of which is extremely cryptic\&. -.IP -.IP "\fB-n\fP" -This option specifies that the username following should -have their password set to null (i\&.e\&. a blank password) in the local -\fBsmbpasswd\fP file\&. This is done by writing the -string "NO PASSWORD" as the first part of the first password stored in -the \fBsmbpasswd\fP file\&. -.IP -Note that to allow users to logon to a Samba server once the password -has been set to "NO PASSWORD" in the -\fBsmbpasswd\fP file the administrator must set -the following parameter in the [global] section of the -\fBsmb\&.conf\fP file : -.IP -null passwords = true -.IP -This option is only available when running \fBsmbpasswd\fP as root\&. -.IP -.IP "\fB-r remote machine name\fP" -This option allows a -user to specify what machine they wish to change their password -on\&. Without this parameter \fBsmbpasswd\fP defaults to the local -host\&. The \fI"remote machine name"\fP is the NetBIOS name of the -SMB/CIFS server to contact to attempt the password change\&. This name -is resolved into an IP address using the standard name resolution -mechanism in all programs of the \fBSamba\fP -suite\&. See the \fB-R name resolve order\fP parameter for details on changing this resolving -mechanism\&. -.IP -The username whose password is changed is that of the current UNIX -logged on user\&. See the \fB-U username\fP -parameter for details on changing the password for a different -username\&. -.IP -Note that if changing a Windows NT Domain password the remote machine -specified must be the Primary Domain Controller for the domain (Backup -Domain Controllers only have a read-only copy of the user account -database and will not allow the password change)\&. -.IP -\fINote\fP that Windows 95/98 do not have a real password database -so it is not possible to change passwords specifying a Win95/98 -machine as remote machine target\&. -.IP -.IP "\fB-R name resolve order\fP" -This option allows the user of -smbclient to determine what name resolution services to use when -looking up the NetBIOS name of the host being connected to\&. -.IP -The options are :"lmhosts", "host", -"wins" and "bcast"\&. They cause names to be -resolved as follows : -.IP -.IP -.IP o -\fBlmhosts\fP : Lookup an IP address in the Samba lmhosts file\&. -.IP -.IP o -\fBhost\fP : Do a standard host name to IP address resolution, -using the system /etc/hosts, NIS, or DNS lookups\&. This method of name -resolution is operating system dependent\&. For instance on IRIX or -Solaris, this may be controlled by the \fI/etc/nsswitch\&.conf\fP file)\&. -.IP -.IP o -\fBwins\fP : Query a name with the IP address listed in the -\fBwins server\fP parameter in the -\fBsmb\&.conf file\fP\&. If -no WINS server has been specified this method will be ignored\&. -.IP -.IP o -\fBbcast\fP : Do a broadcast on each of the known local interfaces -listed in the \fBinterfaces\fP parameter -in the smb\&.conf file\&. This is the least reliable of the name resolution -methods as it depends on the target host being on a locally connected -subnet\&. -.IP -.IP -If this parameter is not set then the name resolve order defined -in the \fBsmb\&.conf\fP file parameter -\fBname resolve order\fP -will be used\&. -.IP -The default order is lmhosts, host, wins, bcast and without this -parameter or any entry in the \fBsmb\&.conf\fP -file the name resolution methods will be attempted in this order\&. -.IP -.IP "\fB-m\fP" -This option tells \fBsmbpasswd\fP that the account being -changed is a \fIMACHINE\fP account\&. Currently this is used when Samba is -being used as an NT Primary Domain Controller\&. PDC support is not a -supported feature in Samba2\&.0 but will become supported in a later -release\&. If you wish to know more about using Samba as an NT PDC then -please subscribe to the mailing list -samba-ntdom@samba\&.org\&. -.IP -This option is only available when running \fBsmbpasswd\fP as root\&. -.IP -.IP "\fB-j DOMAIN\fP" -This option is used to add a Samba server into a -Windows NT Domain, as a Domain member capable of authenticating user -accounts to any Domain Controller in the same way as a Windows NT -Server\&. See the \fBsecurity=domain\fP -option in the \fBsmb\&.conf (5)\fP man page\&. -.IP -In order to be used in this way, the Administrator for the Windows -NT Domain must have used the program \fI"Server Manager for Domains"\fP -to add the primary NetBIOS name of -the Samba server as a member of the Domain\&. -.IP -After this has been done, to join the Domain invoke \fBsmbpasswd\fP with -this parameter\&. \fBsmbpasswd\fP will then look up the Primary Domain -Controller for the Domain (found in the -\fBsmb\&.conf\fP file in the parameter -\fBpassword server\fP and change -the machine account password used to create the secure Domain -communication\&. This password is then stored by \fBsmbpasswd\fP in a -file, read only by root, called \f(CW<Domain>\&.<Machine>\&.mac\fP where -\f(CW<Domain>\fP is the name of the Domain we are joining and \f(CW<Machine>\fP -is the primary NetBIOS name of the machine we are running on\&. -.IP -Once this operation has been performed the -\fBsmb\&.conf\fP file may be updated to set the -\fBsecurity=domain\fP option and all -future logins to the Samba server will be authenticated to the Windows -NT PDC\&. -.IP -Note that even though the authentication is being done to the PDC all -users accessing the Samba server must still have a valid UNIX account -on that machine\&. -.IP -This option is only available when running \fBsmbpasswd\fP as root\&. -.IP -.IP "\fB-U username\fP" -This option may only be used in -conjunction with the \fB-r\fP -option\&. When changing a password on a remote machine it allows the -user to specify the user name on that machine whose password will be -changed\&. It is present to allow users who have different user names on -different systems to change these passwords\&. -.IP -.IP "\fB-h\fP" -This option prints the help string for \fBsmbpasswd\fP, -selecting the correct one for running as root or as an ordinary user\&. -.IP -.IP "\fB-s\fP" -This option causes \fBsmbpasswd\fP to be silent (i\&.e\&. not -issue prompts) and to read it\'s old and new passwords from standard -input, rather than from \f(CW/dev/tty\fP (like the \fBpasswd (1)\fP program -does)\&. This option is to aid people writing scripts to drive \fBsmbpasswd\fP -.IP -.IP "\fBusername\fP" -This specifies the username for all of the \fIroot -only\fP options to operate on\&. Only root can specify this parameter as -only root has the permission needed to modify attributes directly -in the local \fBsmbpasswd\fP file\&. -.IP -.SH "NOTES" -.IP -Since \fBsmbpasswd\fP works in client-server mode communicating with a -local \fBsmbd\fP for a non-root user then the \fBsmbd\fP -daemon must be running for this to work\&. A common problem is to add a -restriction to the hosts that may access the \fBsmbd\fP running on the -local machine by specifying a \fB"allow -hosts"\fP or \fB"deny -hosts"\fP entry in the -\fBsmb\&.conf\fP file and neglecting to allow -\fI"localhost"\fP access to the \fBsmbd\fP\&. -.IP -In addition, the \fBsmbpasswd\fP command is only useful if \fBSamba\fP has -been set up to use encrypted passwords\&. See the file \fBENCRYPTION\&.txt\fP -in the docs directory for details on how to do this\&. -.IP -.SH "VERSION" -.IP -This man page is correct for version 2\&.0 of the Samba suite\&. -.IP -.SH "AUTHOR" -.IP -The original Samba software and related utilities were created by -Andrew Tridgell samba@samba\&.org\&. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed\&. -.IP -The original Samba man pages were written by Karl Auer\&. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -\fBftp://ftp\&.icce\&.rug\&.nl/pub/unix/\fP) -and updated for the Samba2\&.0 release by Jeremy Allison\&. -samba@samba\&.org\&. -.IP -See \fBsamba (7)\fP to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc\&. +.SH SYNOPSIS +.sp +\fBsmbpasswd\fR [ \fB-a\fR ] [ \fB-x\fR ] [ \fB-d\fR ] [ \fB-e\fR ] [ \fB-D debuglevel\fR ] [ \fB-n\fR ] [ \fB-r <remote machine>\fR ] [ \fB-R <name resolve order>\fR ] [ \fB-m\fR ] [ \fB-j DOMAIN\fR ] [ \fB-U username\fR ] [ \fB-h\fR ] [ \fB-s\fR ] [ \fBusername\fR ] +.SH "DESCRIPTION" +.PP +This tool is part of the Samba <URL:samba.7.html> suite. +.PP +The smbpasswd program has several different +functions, depending on whether it is run by the \fBroot\fR +user or not. When run as a normal user it allows the user to change +the password used for their SMB sessions on any machines that store +SMB passwords. +.PP +By default (when run with no arguments) it will attempt to +change the current users SMB password on the local machine. This is +similar to the way the \fBpasswd(1)\fR program works. +\fBsmbpasswd\fR differs from how the passwd program works +however in that it is not \fBsetuid root\fR but works in +a client-server mode and communicates with a locally running +\fBsmbd(8)\fR. As a consequence in order for this to +succeed the smbd daemon must be running on the local machine. On a +UNIX machine the encrypted SMB passwords are usually stored in +the \fIsmbpasswd(5)\fR file. +.PP +When run by an ordinary user with no options. smbpasswd +will prompt them for their old smb password and then ask them +for their new password twice, to ensure that the new password +was typed correctly. No passwords will be echoed on the screen +whilst being typed. If you have a blank smb password (specified by +the string "NO PASSWORD" in the smbpasswd file) then just press +the <Enter> key when asked for your old password. +.PP +smbpasswd can also be used by a normal user to change their +SMB password on remote machines, such as Windows NT Primary Domain +Controllers. See the (-r) and -U options below. +.PP +When run by root, smbpasswd allows new users to be added +and deleted in the smbpasswd file, as well as allows changes to +the attributes of the user in this file to be made. When run by root, +\fBsmbpasswd\fR accesses the local smbpasswd file +directly, thus enabling changes to be made even if smbd is not +running. +.SH "OPTIONS" +.TP +\fB-a\fR +This option specifies that the username +following should be added to the local smbpasswd file, with the +new password typed (type <Enter> for the old password). This +option is ignored if the username following already exists in +the smbpasswd file and it is treated like a regular change +password command. Note that the user to be added must already exist +in the system password file (usually \fI/etc/passwd\fR) +else the request to add the user will fail. + +This option is only available when running smbpasswd +as root. +.TP +\fB-x\fR +This option specifies that the username +following should be deleted from the local smbpasswd file. + +This option is only available when running smbpasswd as +root. +.TP +\fB-d\fR +This option specifies that the username following +should be disabled in the local smbpasswd +file. This is done by writing a 'D' flag +into the account control space in the smbpasswd file. Once this +is done all attempts to authenticate via SMB using this username +will fail. + +If the smbpasswd file is in the 'old' format (pre-Samba 2.0 +format) there is no space in the users password entry to write +this information and so the user is disabled by writing 'X' characters +into the password space in the smbpasswd file. See \fBsmbpasswd(5) +\fRfor details on the 'old' and new password file formats. + +This option is only available when running smbpasswd as +root. +.TP +\fB-e\fR +This option specifies that the username following +should be enabled in the local smbpasswd file, +if the account was previously disabled. If the account was not +disabled this option has no effect. Once the account is enabled then +the user will be able to authenticate via SMB once again. + +If the smbpasswd file is in the 'old' format, then \fB smbpasswd\fR will prompt for a new password for this user, +otherwise the account will be enabled by removing the 'D' +flag from account control space in the \fI smbpasswd\fR file. See \fBsmbpasswd (5)\fR for +details on the 'old' and new password file formats. + +This option is only available when running smbpasswd as root. +.TP +\fB-D debuglevel\fR +\fIdebuglevel\fR is an integer +from 0 to 10. The default value if this parameter is not specified +is zero. + +The higher this value, the more detail will be logged to the +log files about the activities of smbpasswd. At level 0, only +critical errors and serious warnings will be logged. + +Levels above 1 will generate considerable amounts of log +data, and should only be used when investigating a problem. Levels +above 3 are designed for use only by developers and generate +HUGE amounts of log data, most of which is extremely cryptic. +.TP +\fB-n\fR +This option specifies that the username following +should have their password set to null (i.e. a blank password) in +the local smbpasswd file. This is done by writing the string "NO +PASSWORD" as the first part of the first password stored in the +smbpasswd file. + +Note that to allow users to logon to a Samba server once +the password has been set to "NO PASSWORD" in the smbpasswd +file the administrator must set the following parameter in the [global] +section of the \fIsmb.conf\fR file : + +\fBnull passwords = yes\fR + +This option is only available when running smbpasswd as +root. +.TP +\fB-r remote machine name\fR +This option allows a user to specify what machine +they wish to change their password on. Without this parameter +smbpasswd defaults to the local host. The \fIremote +machine name\fR is the NetBIOS name of the SMB/CIFS +server to contact to attempt the password change. This name is +resolved into an IP address using the standard name resolution +mechanism in all programs of the Samba suite. See the \fI-R +name resolve order\fR parameter for details on changing +this resolving mechanism. + +The username whose password is changed is that of the +current UNIX logged on user. See the \fI-U username\fR +parameter for details on changing the password for a different +username. + +Note that if changing a Windows NT Domain password the +remote machine specified must be the Primary Domain Controller for +the domain (Backup Domain Controllers only have a read-only +copy of the user account database and will not allow the password +change). + +\fBNote\fR that Windows 95/98 do not have +a real password database so it is not possible to change passwords +specifying a Win95/98 machine as remote machine target. +.TP +\fB-R name resolve order\fR +This option allows the user of smbclient to determine +what name resolution services to use when looking up the NetBIOS +name of the host being connected to. + +The options are :"lmhosts", "host", "wins" and "bcast". They cause +names to be resolved as follows : +.RS +.TP 0.2i +\(bu +lmhosts : Lookup an IP +address in the Samba lmhosts file. If the line in lmhosts has +no name type attached to the NetBIOS name (see the lmhosts(5) <URL:lmhosts.5.html> for details) then +any name type matches for lookup. +.TP 0.2i +\(bu +host : Do a standard host +name to IP address resolution, using the system \fI/etc/hosts +\fR, NIS, or DNS lookups. This method of name resolution +is operating system depended for instance on IRIX or Solaris this +may be controlled by the \fI/etc/nsswitch.conf\fR +file). Note that this method is only used if the NetBIOS name +type being queried is the 0x20 (server) name type, otherwise +it is ignored. +.TP 0.2i +\(bu +wins : Query a name with +the IP address listed in the \fIwins server\fR +parameter. If no WINS server has been specified this method +will be ignored. +.TP 0.2i +\(bu +bcast : Do a broadcast on +each of the known local interfaces listed in the +\fIinterfaces\fR parameter. This is the least +reliable of the name resolution methods as it depends on the +target host being on a locally connected subnet. +.RE +.PP +The default order is \fBlmhosts, host, wins, bcast\fR +and without this parameter or any entry in the +\fIsmb.conf\fR file the name resolution methods will +be attempted in this order. +.PP +.TP +\fB-m\fR +This option tells smbpasswd that the account +being changed is a MACHINE account. Currently this is used +when Samba is being used as an NT Primary Domain Controller. + +This option is only available when running smbpasswd as root. +.TP +\fB-j DOMAIN\fR +This option is used to add a Samba server +into a Windows NT Domain, as a Domain member capable of authenticating +user accounts to any Domain Controller in the same way as a Windows +NT Server. See the \fBsecurity = domain\fR option in +the \fIsmb.conf(5)\fR man page. + +In order to be used in this way, the Administrator for +the Windows NT Domain must have used the program "Server Manager +for Domains" to add the primary NetBIOS name of the Samba server +as a member of the Domain. + +After this has been done, to join the Domain invoke \fB smbpasswd\fR with this parameter. smbpasswd will then +look up the Primary Domain Controller for the Domain (found in +the \fIsmb.conf\fR file in the parameter +\fIpassword server\fR and change the machine account +password used to create the secure Domain communication. This +password is then stored by smbpasswd in a TDB, writeable only by root, +called \fIsecrets.tdb\fR + +Once this operation has been performed the \fI smb.conf\fR file may be updated to set the \fB security = domain\fR option and all future logins +to the Samba server will be authenticated to the Windows NT +PDC. + +Note that even though the authentication is being +done to the PDC all users accessing the Samba server must still +have a valid UNIX account on that machine. + +This option is only available when running smbpasswd as root. +.TP +\fB-U username\fR +This option may only be used in conjunction +with the \fI-r\fR option. When changing +a password on a remote machine it allows the user to specify +the user name on that machine whose password will be changed. It +is present to allow users who have different user names on +different systems to change these passwords. +.TP +\fB-h\fR +This option prints the help string for \fB smbpasswd\fR, selecting the correct one for running as root +or as an ordinary user. +.TP +\fB-s\fR +This option causes smbpasswd to be silent (i.e. +not issue prompts) and to read it's old and new passwords from +standard input, rather than from \fI/dev/tty\fR +(like the \fBpasswd(1)\fR program does). This option +is to aid people writing scripts to drive smbpasswd +.TP +\fBusername\fR +This specifies the username for all of the +\fBroot only\fR options to operate on. Only root +can specify this parameter as only root has the permission needed +to modify attributes directly in the local smbpasswd file. +.SH "NOTES" +.PP +Since \fBsmbpasswd\fR works in client-server +mode communicating with a local smbd for a non-root user then +the smbd daemon must be running for this to work. A common problem +is to add a restriction to the hosts that may access the \fB smbd\fR running on the local machine by specifying a +\fIallow hosts\fR or \fIdeny hosts\fR +entry in the \fIsmb.conf\fR file and neglecting to +allow "localhost" access to the smbd. +.PP +In addition, the smbpasswd command is only useful if Samba +has been set up to use encrypted passwords. See the file +\fIENCRYPTION.txt\fR in the docs directory for details +on how to do this. +.SH "VERSION" +.PP +This man page is correct for version 2.2 of +the Samba suite. +.SH "SEE ALSO" +.PP +\fIsmbpasswd(5)\fR <URL:smbpasswd.5.html>, +samba(7) <URL:samba.7.html> +.SH "AUTHOR" +.PP +The original Samba software and related utilities +were created by Andrew Tridgell. Samba is now developed +by the Samba Team as an Open Source project similar +to the way the Linux kernel is developed. +.PP +The original Samba man pages were written by Karl Auer. +The man page sources were converted to YODL format (another +excellent piece of Open Source software, available at +ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the Samba 2.0 +release by Jeremy Allison. The conversion to DocBook for +Samba 2.2 was done by Gerald Carter |