diff options
Diffstat (limited to 'docs/docbook/manpages/smbpasswd.8.sgml')
| -rw-r--r-- | docs/docbook/manpages/smbpasswd.8.sgml | 572 |
1 files changed, 408 insertions, 164 deletions
diff --git a/docs/docbook/manpages/smbpasswd.8.sgml b/docs/docbook/manpages/smbpasswd.8.sgml index 15cb6ffff1..7f7783425a 100644 --- a/docs/docbook/manpages/smbpasswd.8.sgml +++ b/docs/docbook/manpages/smbpasswd.8.sgml @@ -1,165 +1,409 @@ +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<refentry id="smbpasswd"> -Namesmbpasswd - change a users SMB password -Synopsis -smbpasswd [-a] [-x] [-d] -[-e] [-D debug level] [-n] [-r remote_machine] [-R name resolve order] [-m] [-j -DOMAIN] [-U username] [-h] [-s] username -Description -This program is part of -the Samba suite. -The smbpasswd program has several different functions, -depending on whether it is run by the root user or not. When run as a normal -user it allows the user to change the password used for their SMB sessions -on any machines that store SMB passwords. -By default (when run with no arguments) -it will attempt to change the current users SMB password on the local machine. -This is similar to the way the passwd (1) program works. smbpasswd differs -from how the passwd program works however in that it is not setuid root -but works in a client-server mode and communicates with a locally running -smbd. As a consequence in order for this to succeed the smbd daemon must -be running on the local machine. On a UNIX machine the encrypted SMB passwords -are usually stored in the smbpasswd (5) file. -When run by an ordinary user -with no options. smbpasswd will prompt them for their old smb password and -then ask them for their new password twice, to ensure that the new password -was typed correctly. No passwords will be echoed on the screen whilst being -typed. If you have a blank smb password (specified by the string "NO PASSWORD" -in the smbpasswd file) then just press the <Enter> key when asked for your -old password. -smbpasswd can also be used by a normal user to change their -SMB password on remote machines, such as Windows NT Primary Domain Controllers. -See the (-r) and -U options below. -When run by root, smbpasswd allows new -users to be added and deleted in the smbpasswd file, as well as allows -changes to the attributes of the user in this file to be made. When run -by root, smbpasswd accesses the local smbpasswd file directly, thus enabling -changes to be made even if smbd is not running. -Options --aThis option specifies -that the username following should be added to the local smbpasswd file, -with the new password typed (type <Enter> for the old password). This option -is ignored if the username following already exists in the smbpasswd file -and it is treated like a regular change password command. Note that the -user to be added must already exist in the system password file (usually -/etc/passwd) else the request to add the user will fail. This option is -only available when running smbpasswd as root. -xThis option specifies that -the username following should be deleted from the local smbpasswd file. -This option is only available when running smbpasswd as root. -dThis option -specifies that the username following should be disabled in the local smbpasswd -file. This is done by writing a 'D' flag into the account control space in -the smbpasswd file. Once this is done all attempts to authenticate via SMB -using this username will fail. If the smbpasswd file is in the 'old' format -(pre-Samba 2.0 format) there is no space in the users password entry to write -this information and so the user is disabled by writing 'X' characters into -the password space in the smbpasswd file. See smbpasswd (5) for details -on the 'old' and new password file formats. This option is only available -when running smbpasswd as root. -eThis option specifies that the username -following should be enabled in the local smbpasswd file, if the account -was previously disabled. If the account was not disabled this option has -no effect. Once the account is enabled then the user will be able to authenticate -via SMB once again. If the smbpasswd file is in the 'old' format then smbpasswd -will prompt for a new password for this user, otherwise the account will -be enabled by removing the 'D' flag from account control space in the smbpasswd -file. See smbpasswd (5) for details on the 'old' and new password file formats. -This option is only available when running smbpasswd as root. -D debugleveldebuglevel -is an integer from 0 to 10. The default value if this parameter is not -specified is zero. The higher this value, the more detail will be logged -to the log files about the activities of smbpasswd. At level 0, only critical -errors and serious warnings will be logged. Levels above 1 will generate -considerable amounts of log data, and should only be used when investigating -a problem. Levels above 3 are designed for use only by developers and generate -HUGE amounts of log data, most of which is extremely cryptic. -nThis option -specifies that the username following should have their password set to -null (i.e. a blank password) in the local smbpasswd file. This is done by -writing the string "NO PASSWORD" as the first part of the first password -stored in the smbpasswd file. Note that to allow users to logon to a Samba -server once the password has been set to "NO PASSWORD" in the smbpasswd -file the administrator must set the following parameter in the [global] -section of the smb.conf file : null passwords = true This option is only -available when running smbpasswd as root. -r remote machine nameThis option -allows a user to specify what machine they wish to change their password -on. Without this parameter smbpasswd defaults to the local host. The "remote -machine name" is the NetBIOS name of the SMB/CIFS server to contact to -attempt the password change. This name is resolved into an IP address using -the standard name resolution mechanism in all programs of the Samba suite. -See the -R name resolve order parameter for details on changing this resolving -mechanism. The username whose password is changed is that of the current -UNIX logged on user. See the -U username parameter for details on changing -the password for a different username. Note that if changing a Windows NT -Domain password the remote machine specified must be the Primary Domain -Controller for the domain (Backup Domain Controllers only have a read-only -copy of the user account database and will not allow the password change). -Note that Windows 95/98 do not have a real password database so it is not -possible to change passwords specifying a Win95/98 machine as remote machine -target. -R name resolve orderThis option allows the user of smbclient to -determine what name resolution services to use when looking up the NetBIOS -name of the host being connected to. The options are :"lmhosts", "host", -"wins" and "bcast". They cause names to be resolved as follows : olmhosts -: Lookup an IP address in the Samba lmhosts file. ohost : Do a standard -host name to IP address resolution, using the system /etc/hosts, NIS, or -DNS lookups. This method of name resolution is operating system dependent. -For instance on IRIX or Solaris, this may be controlled by the /etc/nsswitch.conf -file). owins : Query a name with the IP address listed in the wins server -parameter in the smb.conf file. If no WINS server has been specified this -method will be ignored. obcast : Do a broadcast on each of the known local -interfaces listed in the interfaces parameter in the smb.conf file. This -is the least reliable of the name resolution methods as it depends on the -target host being on a locally connected subnet. If this parameter is not -set then the name resolve order defined in the smb.conf file parameter -name resolve order will be used. The default order is lmhosts, host, wins, -bcast and without this parameter or any entry in the smb.conf file the -name resolution methods will be attempted in this order. -mThis option tells -smbpasswd that the account being changed is a MACHINE account. Currently -this is used when Samba is being used as an NT Primary Domain Controller. -PDC support is not a supported feature in Samba2.0 but will become supported -in a later release. If you wish to know more about using Samba as an NT -PDC then please subscribe to the mailing list samba-ntdom@samba.org. This -option is only available when running smbpasswd as root. -j DOMAINThis option -is used to add a Samba server into a Windows NT Domain, as a Domain member -capable of authenticating user accounts to any Domain Controller in the -same way as a Windows NT Server. See the security=domain option in the smb.conf -(5) man page. In order to be used in this way, the Administrator for the -Windows NT Domain must have used the program "Server Manager for Domains" -to add the primary NetBIOS name of the Samba server as a member of the -Domain. After this has been done, to join the Domain invoke smbpasswd with -this parameter. smbpasswd will then look up the Primary Domain Controller -for the Domain (found in the smb.conf file in the parameter password server -and change the machine account password used to create the secure Domain -communication. This password is then stored by smbpasswd in a file, read -only by root, called CW<Domain>.<Machine>.mac where CW<Domain> is the name of the -Domain we are joining and CW<Machine> is the primary NetBIOS name of the -machine we are running on. Once this operation has been performed the smb.conf -file may be updated to set the security=domain option and all future logins -to the Samba server will be authenticated to the Windows NT PDC. Note that -even though the authentication is being done to the PDC all users accessing -the Samba server must still have a valid UNIX account on that machine. This -option is only available when running smbpasswd as root. -U usernameThis -option may only be used in conjunction with the -r option. When changing -a password on a remote machine it allows the user to specify the user name -on that machine whose password will be changed. It is present to allow users -who have different user names on different systems to change these passwords. --hThis option prints the help string for smbpasswd, selecting the correct -one for running as root or as an ordinary user. -sThis option causes smbpasswd -to be silent (i.e. not issue prompts) and to read it's old and new passwords -from standard input, rather than from CW/dev/tty (like the passwd (1) -program does). This option is to aid people writing scripts to drive smbpasswd -usernameThis specifies the username for all of the root only options to -operate on. Only root can specify this parameter as only root has the permission -needed to modify attributes directly in the local smbpasswd file. NotesSince -smbpasswd works in client-server mode communicating with a local smbd for -a non-root user then the smbd daemon must be running for this to work. A -common problem is to add a restriction to the hosts that may access the -smbd running on the local machine by specifying a "allow hosts" or "deny -hosts" entry in the smb.conf file and neglecting to allow "localhost" access -to the smbd. In addition, the smbpasswd command is only useful if Samba -has been set up to use encrypted passwords. See the file ENCRYPTION.txt in -the docs directory for details on how to do this. VersionThis man page is -correct for version 2.0 of the Samba suite. AuthorThe original Samba software -and related utilities were created by Andrew Tridgell samba@samba.org. Samba -is now developed by the Samba Team as an Open Source project similar to -the way the Linux kernel is developed. The original Samba man pages were -written by Karl Auer. The man page sources were converted to YODL format -(another excellent piece of Open Source software, available at ftp://ftp.icce.rug.nl/pub/unix/) -and updated for the Samba2.0 release by Jeremy Allison. samba@samba.org. See -samba (7) to find out how to get a full list of contributors and details -on how to submit bug reports, comments etc.
\ No newline at end of file +<refmeta> + <refentrytitle>smbpasswd</refentrytitle> + <manvolnum>8</manvolnum> +</refmeta> + + +<refnamediv> + <refname>smbpasswd</refname> + <refpurpose>change a users SMB password</refpurpose> +</refnamediv> + +<refsynopsisdiv> + <cmdsynopsis> + <command>smbpasswd</command> + <arg choice="opt">-a</arg> + <arg choice="opt">-x</arg> + <arg choice="opt">-d</arg> + <arg choice="opt">-e</arg> + <arg choice="opt">-D debuglevel</arg> + <arg choice="opt">-n</arg> + <arg choice="opt">-r <remote machine></arg> + <arg choice="opt">-R <name resolve order></arg> + <arg choice="opt">-m</arg> + <arg choice="opt">-j DOMAIN</arg> + <arg choice="opt">-U username</arg> + <arg choice="opt">-h</arg> + <arg choice="opt">-s</arg> + <arg choice="opt">username</arg> + </cmdsynopsis> +</refsynopsisdiv> + +<refsect1> + <title>DESCRIPTION</title> + + <para>This tool is part of the <ulink url="samba.7.html"> + Samba</ulink> suite.</para> + + <para>The smbpasswd program has several different + functions, depending on whether it is run by the <emphasis>root</emphasis> + user or not. When run as a normal user it allows the user to change + the password used for their SMB sessions on any machines that store + SMB passwords. </para> + + <para>By default (when run with no arguments) it will attempt to + change the current users SMB password on the local machine. This is + similar to the way the <command>passwd(1)</command> program works. + <command>smbpasswd</command> differs from how the passwd program works + however in that it is not <emphasis>setuid root</emphasis> but works in + a client-server mode and communicates with a locally running + <command>smbd(8)</command>. As a consequence in order for this to + succeed the smbd daemon must be running on the local machine. On a + UNIX machine the encrypted SMB passwords are usually stored in + the <filename>smbpasswd(5)</filename> file. </para> + + <para>When run by an ordinary user with no options. smbpasswd + will prompt them for their old smb password and then ask them + for their new password twice, to ensure that the new password + was typed correctly. No passwords will be echoed on the screen + whilst being typed. If you have a blank smb password (specified by + the string "NO PASSWORD" in the smbpasswd file) then just press + the <Enter> key when asked for your old password. </para> + + <para>smbpasswd can also be used by a normal user to change their + SMB password on remote machines, such as Windows NT Primary Domain + Controllers. See the (-r) and -U options below. </para> + + <para>When run by root, smbpasswd allows new users to be added + and deleted in the smbpasswd file, as well as allows changes to + the attributes of the user in this file to be made. When run by root, + <command>smbpasswd</command> accesses the local smbpasswd file + directly, thus enabling changes to be made even if smbd is not + running. </para> +</refsect1> + +<refsect1> + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term>-a</term> + <listitem><para>This option specifies that the username + following should be added to the local smbpasswd file, with the + new password typed (type <Enter> for the old password). This + option is ignored if the username following already exists in + the smbpasswd file and it is treated like a regular change + password command. Note that the user to be added must already exist + in the system password file (usually <filename>/etc/passwd</filename>) + else the request to add the user will fail. </para> + + <para>This option is only available when running smbpasswd + as root. </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-x</term> + <listitem><para>This option specifies that the username + following should be deleted from the local smbpasswd file. + </para> + + <para>This option is only available when running smbpasswd as + root.</para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-d</term> + <listitem><para>This option specifies that the username following + should be <constant>disabled</constant> in the local smbpasswd + file. This is done by writing a <constant>'D'</constant> flag + into the account control space in the smbpasswd file. Once this + is done all attempts to authenticate via SMB using this username + will fail. </para> + + <para>If the smbpasswd file is in the 'old' format (pre-Samba 2.0 + format) there is no space in the users password entry to write + this information and so the user is disabled by writing 'X' characters + into the password space in the smbpasswd file. See <command>smbpasswd(5) + </command> for details on the 'old' and new password file formats. + </para> + + <para>This option is only available when running smbpasswd as + root.</para></listitem> + </varlistentry> + + + <varlistentry> + <term>-e</term> + <listitem><para>This option specifies that the username following + should be <constant>enabled</constant> in the local smbpasswd file, + if the account was previously disabled. If the account was not + disabled this option has no effect. Once the account is enabled then + the user will be able to authenticate via SMB once again. </para> + + <para>If the smbpasswd file is in the 'old' format, then <command> + smbpasswd</command> will prompt for a new password for this user, + otherwise the account will be enabled by removing the <constant>'D' + </constant> flag from account control space in the <filename> + smbpasswd</filename> file. See <command>smbpasswd (5)</command> for + details on the 'old' and new password file formats. </para> + + <para>This option is only available when running smbpasswd as root. + </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-D debuglevel</term> + <listitem><para><parameter>debuglevel</parameter> is an integer + from 0 to 10. The default value if this parameter is not specified + is zero. </para> + + <para>The higher this value, the more detail will be logged to the + log files about the activities of smbpasswd. At level 0, only + critical errors and serious warnings will be logged. </para> + + <para>Levels above 1 will generate considerable amounts of log + data, and should only be used when investigating a problem. Levels + above 3 are designed for use only by developers and generate + HUGE amounts of log data, most of which is extremely cryptic. + </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-n</term> + <listitem><para>This option specifies that the username following + should have their password set to null (i.e. a blank password) in + the local smbpasswd file. This is done by writing the string "NO + PASSWORD" as the first part of the first password stored in the + smbpasswd file. </para> + + <para>Note that to allow users to logon to a Samba server once + the password has been set to "NO PASSWORD" in the smbpasswd + file the administrator must set the following parameter in the [global] + section of the <filename>smb.conf</filename> file : </para> + + <para><command>null passwords = yes</command></para> + + <para>This option is only available when running smbpasswd as + root.</para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-r remote machine name</term> + <listitem><para>This option allows a user to specify what machine + they wish to change their password on. Without this parameter + smbpasswd defaults to the local host. The <replaceable>remote + machine name</replaceable> is the NetBIOS name of the SMB/CIFS + server to contact to attempt the password change. This name is + resolved into an IP address using the standard name resolution + mechanism in all programs of the Samba suite. See the <parameter>-R + name resolve order</parameter> parameter for details on changing + this resolving mechanism. </para> + + <para>The username whose password is changed is that of the + current UNIX logged on user. See the <parameter>-U username</parameter> + parameter for details on changing the password for a different + username. </para> + + <para>Note that if changing a Windows NT Domain password the + remote machine specified must be the Primary Domain Controller for + the domain (Backup Domain Controllers only have a read-only + copy of the user account database and will not allow the password + change).</para> + + <para><emphasis>Note</emphasis> that Windows 95/98 do not have + a real password database so it is not possible to change passwords + specifying a Win95/98 machine as remote machine target. </para> + </listitem> + </varlistentry> + + + <varlistentry> + <term>-R name resolve order</term> + <listitem><para>This option allows the user of smbclient to determine + what name resolution services to use when looking up the NetBIOS + name of the host being connected to. </para> + + <para>The options are :"lmhosts", "host", "wins" and "bcast". They cause + names to be resolved as follows : </para> + <itemizedlist> + <listitem><para><constant>lmhosts</constant> : Lookup an IP + address in the Samba lmhosts file. If the line in lmhosts has + no name type attached to the NetBIOS name (see the <ulink + url="lmhosts.5.html">lmhosts(5)</ulink> for details) then + any name type matches for lookup.</para></listitem> + + <listitem><para><constant>host</constant> : Do a standard host + name to IP address resolution, using the system <filename>/etc/hosts + </filename>, NIS, or DNS lookups. This method of name resolution + is operating system depended for instance on IRIX or Solaris this + may be controlled by the <filename>/etc/nsswitch.conf</filename> + file). Note that this method is only used if the NetBIOS name + type being queried is the 0x20 (server) name type, otherwise + it is ignored.</para></listitem> + + <listitem><para><constant>wins</constant> : Query a name with + the IP address listed in the <parameter>wins server</parameter> + parameter. If no WINS server has been specified this method + will be ignored.</para></listitem> + + <listitem><para><constant>bcast</constant> : Do a broadcast on + each of the known local interfaces listed in the + <parameter>interfaces</parameter> parameter. This is the least + reliable of the name resolution methods as it depends on the + target host being on a locally connected subnet.</para></listitem> + </itemizedlist> + + <para>The default order is <command>lmhosts, host, wins, bcast</command> + and without this parameter or any entry in the + <filename>smb.conf</filename> file the name resolution methods will + be attempted in this order. </para></listitem> + </varlistentry> + + + <varlistentry> + <term>-m</term> + <listitem><para>This option tells smbpasswd that the account + being changed is a MACHINE account. Currently this is used + when Samba is being used as an NT Primary Domain Controller.</para> + + <para>This option is only available when running smbpasswd as root. + </para></listitem> + </varlistentry> + + + <varlistentry> + <term>-j DOMAIN</term> + <listitem><para>This option is used to add a Samba server + into a Windows NT Domain, as a Domain member capable of authenticating + user accounts to any Domain Controller in the same way as a Windows + NT Server. See the <command>security = domain</command> option in + the <filename>smb.conf(5)</filename> man page. </para> + + <para>In order to be used in this way, the Administrator for + the Windows NT Domain must have used the program "Server Manager + for Domains" to add the primary NetBIOS name of the Samba server + as a member of the Domain. </para> + + <para>After this has been done, to join the Domain invoke <command> + smbpasswd</command> with this parameter. smbpasswd will then + look up the Primary Domain Controller for the Domain (found in + the <filename>smb.conf</filename> file in the parameter + <parameter>password server</parameter> and change the machine account + password used to create the secure Domain communication. This + password is then stored by smbpasswd in a TDB, writeable only by root, + called <filename>secrets.tdb</filename> </para> + + <para>Once this operation has been performed the <filename> + smb.conf</filename> file may be updated to set the <command> + security = domain</command> option and all future logins + to the Samba server will be authenticated to the Windows NT + PDC. </para> + + <para>Note that even though the authentication is being + done to the PDC all users accessing the Samba server must still + have a valid UNIX account on that machine. </para> + + + <para>This option is only available when running smbpasswd as root. + </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-U username</term> + <listitem><para>This option may only be used in conjunction + with the <parameter>-r</parameter> option. When changing + a password on a remote machine it allows the user to specify + the user name on that machine whose password will be changed. It + is present to allow users who have different user names on + different systems to change these passwords. </para></listitem> + </varlistentry> + + + <varlistentry> + <term>-h</term> + <listitem><para>This option prints the help string for <command> + smbpasswd</command>, selecting the correct one for running as root + or as an ordinary user. </para></listitem> + </varlistentry> + + + + <varlistentry> + <term>-s</term> + <listitem><para>This option causes smbpasswd to be silent (i.e. + not issue prompts) and to read it's old and new passwords from + standard input, rather than from <filename>/dev/tty</filename> + (like the <command>passwd(1)</command> program does). This option + is to aid people writing scripts to drive smbpasswd</para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term>username</term> + <listitem><para>This specifies the username for all of the + <emphasis>root only</emphasis> options to operate on. Only root + can specify this parameter as only root has the permission needed + to modify attributes directly in the local smbpasswd file. + </para></listitem> + </varlistentry> + </variablelist> +</refsect1> + + +<refsect1> + <title>NOTES</title> + + <para>Since <command>smbpasswd</command> works in client-server + mode communicating with a local smbd for a non-root user then + the smbd daemon must be running for this to work. A common problem + is to add a restriction to the hosts that may access the <command> + smbd</command> running on the local machine by specifying a + <parameter>allow hosts</parameter> or <parameter>deny hosts</parameter> + entry in the <filename>smb.conf</filename> file and neglecting to + allow "localhost" access to the smbd. </para> + + <para>In addition, the smbpasswd command is only useful if Samba + has been set up to use encrypted passwords. See the file + <filename>ENCRYPTION.txt</filename> in the docs directory for details + on how to do this. </para> +</refsect1> + + +<refsect1> + <title>VERSION</title> + + <para>This man page is correct for version 2.2 of + the Samba suite.</para> +</refsect1> + +<refsect1> + <title>SEE ALSO</title> + <para><ulink url="smbpasswd.5.html"><filename>smbpasswd(5)</filename></ulink>, + <ulink url="samba.7.html">samba(7)</ulink> + </para> +</refsect1> + +<refsect1> + <title>AUTHOR</title> + + <para>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</para> + + <para>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <ulink url="ftp://ftp.icce.rug.nl/pub/unix/"> + ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</para> +</refsect1> + +</refentry> |