diff options
Diffstat (limited to 'docs/htmldocs')
| -rw-r--r-- | docs/htmldocs/smbcacls.1.html | 531 | ||||
| -rw-r--r-- | docs/htmldocs/smbpasswd.5.html | 521 | ||||
| -rw-r--r-- | docs/htmldocs/smbpasswd.8.html | 917 |
3 files changed, 1336 insertions, 633 deletions
diff --git a/docs/htmldocs/smbcacls.1.html b/docs/htmldocs/smbcacls.1.html index e75a5741e5..36f570f2a0 100644 --- a/docs/htmldocs/smbcacls.1.html +++ b/docs/htmldocs/smbcacls.1.html @@ -1,161 +1,378 @@ - - - - -<html><head><title>smbcacls (1)</title> - -</head> -<body> - -<hr> - -<h1>smbcacls (1)</h1> -<h2>Samba</h2> -<h2>22 Dec 2000</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - smbcacls - Set or get ACLs on an NT file or directory -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><strong>smbcacls</strong> //server/share filename [<a href="smbcacls.1.html#minusU">-U username</a>] -[<a href="smbcacls.1.html#minusA">-A acls</a>] [<a href="smbcacls.1.html#minusM">-M acls</a>] -[<a href="smbcacls.1.html#minusD">-D acls</a>] [<a href="smbcacls.1.html#minusS">-S acls</a>] -[<a href="smbcacls.1.html#minusC">-C name</a>] [<a href="smbcacls.1.html#minusG">-G name</a>] -[<a href="smbcacls.1.html#minusn">-n</a>] [<a href="smbcacls.1.html#minush">-h</a>] -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>The <strong>smbcacls</strong> program manipulates NT Access Control Lists (ACLs) on -SMB file shares. -<p><a name="OPTIONS"></a> -<h2>OPTIONS</h2> - -<p>The following options are available to the <strong>smbcacls</strong> program. The -format of ACLs is described in the section <a href="smbcacls.1.html#ACLFORMAT">ACL FORMAT</a> -<p><dl> -<p><a name="minusA"></a> -<p></p><dt><strong><strong>-A acls</strong></strong><dd> -<p>Add the ACLs specified to the ACL list. Existing access control entries -are unchanged. -<p><a name="minusM"></a> -<p></p><dt><strong><strong>-M acls</strong></strong><dd> -<p>Modify the mask value (permissions) for the ACLs specified on the command -line. An error will be printed for each ACL specified that was not already -present in the ACL list. -<p><a name="minusD"></a> -<p></p><dt><strong><strong>-D acls</strong></strong><dd> -<p>Delete any ACLs specfied on the command line. An error will be printed for -each ACL specified that was not already present in the ACL list. -<p><a name="minusS"></a> -<p></p><dt><strong><strong>-S acls</strong></strong><dd> -<p>This command sets the ACLs on the file with only the ones specified on the -command line. All other ACLs are erased. Note that the ACL specified must -contain at least a revision, type, owner and group for the call to succeed. -<p><a name="minusU"></a> -<p></p><dt><strong><strong>-U username</strong></strong><dd> -<p>Specifies a username used to connect to the specified service. The -username may be of the form <code>username</code> in which case the user is -prompted to enter in a password and the workgroup specified in the -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file is used, or <code>username%password</code> -or <code>DOMAIN\username%password</code> and the password and workgroup names are -used as provided. -<p><a name="minusC"></a> -<p></p><dt><strong><strong>-C name</strong></strong><dd> -<p>The owner of a file or directory can be changed to the name given -using the -C option. The name can be a sid in the form <code>S-1-x-y-z</code> or a -name resolved against the server specified in the first argument. -<p>This command is a shortcut for <code>-M OWNER:name</code>. -<p><a name="minusG"></a> -<p></p><dt><strong><strong>-G name</strong></strong><dd> -<p>The group owner of a file or directory can be changed to the name given -using the -G option. The name can be a sid in the form <code>S-1-x-y-z</code> or a -name resolved against the server specified in the first argument. -<p>This command is a shortcut for <code>-M GROUP:name</code>. -<p><a name="minusn"></a> -<p></p><dt><strong><strong>-n</strong></strong><dd> -<p>This option displays all ACL information in numeric format. The default is -to convert SIDs to names and ACE types and masks to a readable string -format. -<p><a name="minush"></a> -<p></p><dt><strong><strong>-h</strong></strong><dd> -<p>Print usage information on the <strong>smbcacls</strong> program -<p></dl> -<p><a name="ACLFORMAT"></a> -<h2>ACL FORMAT</h2> - -<p>The format of an ACL is one or more ACL entries separated by either -commas or newlines. An ACL entry is one of the following: -<p><pre> +<HTML +><HEAD +><TITLE +>smbcacls</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="SMBCACLS" +>smbcacls</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>smbcacls -- Set or get ACLs on an NT file or directory names</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>nmblookup</B +> {//server/share} {filename} [-U username] [-A acls] [-M acls] [-D acls] [-S acls] [-C name] [-G name] [-n] [-h]</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN22" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +>The smbcacls program manipulates NT Access Control Lists + (ACLs) on SMB file shares. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN27" +></A +><H2 +>OPTIONS</H2 +><P +>The following options are available to the smbcacls program. + The format of ACLs is described in the section ACL FORMAT </P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-A acls</DT +><DD +><P +>Add the ACLs specified to the ACL list. Existing + access control entries are unchanged. </P +></DD +><DT +>-M acls</DT +><DD +><P +>Modify the mask value (permissions) for the ACLs + specified on the command line. An error will be printed for each + ACL specified that was not already present in the ACL list + </P +></DD +><DT +>-D acls</DT +><DD +><P +>Delete any ACLs specfied on the command line. + An error will be printed for each ACL specified that was not + already present in the ACL list. </P +></DD +><DT +>-S acls</DT +><DD +><P +>This command sets the ACLs on the file with + only the ones specified on the command line. All other ACLs are + erased. Note that the ACL specified must contain at least a revision, + type, owner and group for the call to succeed. </P +></DD +><DT +>-U username</DT +><DD +><P +>Specifies a username used to connect to the + specified service. The username may be of the form "username" in + which case the user is prompted to enter in a password and the + workgroup specified in the <TT +CLASS="FILENAME" +>smb.conf</TT +> file is + used, or "username%password" or "DOMAIN\username%password" and the + password and workgroup names are used as provided. </P +></DD +><DT +>-C name</DT +><DD +><P +>The owner of a file or directory can be changed + to the name given using the <TT +CLASS="PARAMETER" +><I +>-C</I +></TT +> option. + The name can be a sid in the form S-1-x-y-z or a name resolved + against the server specified in the first argument. </P +><P +>This command is a shortcut for -M OWNER:name. + </P +></DD +><DT +>-G name</DT +><DD +><P +>The group owner of a file or directory can + be changed to the name given using the <TT +CLASS="PARAMETER" +><I +>-G</I +></TT +> + option. The name can be a sid in the form S-1-x-y-z or a name + resolved against the server specified n the first argument. + </P +><P +>This command is a shortcut for -M GROUP:name.</P +></DD +><DT +>-n</DT +><DD +><P +>This option displays all ACL information in numeric + format. The default is to convert SIDs to names and ACE types + and masks to a readable string format. </P +></DD +><DT +>-h</DT +><DD +><P +>Print usage information on the <B +CLASS="COMMAND" +>smbcacls + </B +> program.</P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN73" +></A +><H2 +>ACL FORMAT</H2 +><P +>The format of an ACL is one or more ACL entries separated by + either commas or newlines. An ACL entry is one of the following: </P +><P +><PRE +CLASS="PROGRAMLISTING" +> REVISION:<revision number> OWNER:<sid or name> GROUP:<sid or name> ACL:<sid or name>:<type>/<flags>/<mask> -</pre> - -<p>The revision of the ACL specifies the internal Windows NT ACL revision for -the security descriptor. If not specified it defaults to 1. Using values -other than 1 may cause strange behaviour. -<p>The owner and group specify the owner and group sids for the object. If a -SID in the format <code>S-1-x-y-z</code> is specified this is used, otherwise -the name specified is resolved using the server on which the file or -directory resides. -<p>ACLs specify permissions granted to the SID. This SID again can be -specified in <code>S-1-x-y-z</code> format or as a name in which case it is resolved -against the server on which the file or directory resides. The type, flags -and mask values determine the type of access granted to the SID. -<p>The type can be either 0 or 1 corresponding to ALLOWED or DENIED access to -the SID. The flags values are generally zero for file ACLs and either 9 or -2 for directory ACLs. Some common flags are: -<p><pre> -#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1 -#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2 -#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4 -#define SEC_ACE_FLAG_INHERIT_ONLY 0x8 -</pre> - -<p>At present flags can only be specified as decimal or hexadecimal values. -<p>The mask is a value which expresses the access right granted to the SID. -It can be given as a decimal or hexadecimal value, or by using one of the -following text strings which map to the NT file permissions of the same -name. -<p><dl> -<p><p></p><dt><strong></strong><dd> <code>R</code> Allow read access -<p><p></p><dt><strong></strong><dd> <code>W</code> Allow write access -<p><p></p><dt><strong></strong><dd> <code>X</code> Execute permission on the object -<p><p></p><dt><strong></strong><dd> <code>D</code> Delete the object -<p><p></p><dt><strong></strong><dd> <code>P</code> Change permissions -<p><p></p><dt><strong></strong><dd> <code>O</code> Take ownership -<p></dl> -<p>The following combined permissions can be specified: -<p><dl> -<p><p></p><dt><strong></strong><dd> <code>READ</code> -<p>Equivalent to <code>RX</code> permissions -<p><p></p><dt><strong></strong><dd> <code>CHANGE</code> -<p>Equivalent to <code>RXWD</code> permissions -<p><p></p><dt><strong></strong><dd> <code>FULL</code> -<p>Equivalent to <code>RWXDPO</code> permissions -<p></dl> -<p><a name="EXITSTATUS"></a> -<h2>EXIT STATUS</h2> - -<p>The <strong>smbcacls</strong> program sets the exit status depending on the success or -otherwise of the operations performed. The exit status may be one of the -following values. -<p>If the operation succeded, <strong>smbcacls</strong> returns and exit status of 0. If -<strong>smbcacls</strong> couldn't connect to the specified server, or there was an -error getting or setting the ACLs, an exit status of 1 is returned. If -there was an error parsing any command line arguments, an exit status of 2 -is returned. -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell. Samba is now developed by the Samba Team as an Open -Source project. -<p><strong>smbcacls</strong> was written by Andrew Tridgell and Tim Potter. -</body> -</html> + </PRE +></P +><P +>The revision of the ACL specifies the internal Windows + NT ACL revision for the security descriptor. + If not specified it defaults to 1. Using values other than 1 may + cause strange behaviour. </P +><P +>The owner and group specify the owner and group sids for the + object. If a SID in the format CWS-1-x-y-z is specified this is used, + otherwise the name specified is resolved using the server on which + the file or directory resides. </P +><P +>ACLs specify permissions granted to the SID. This SID again + can be specified in CWS-1-x-y-z format or as a name in which case + it is resolved against the server on which the file or directory + resides. The type, flags and mask values determine the type of + access granted to the SID. </P +><P +>The type can be either 0 or 1 corresponding to ALLOWED or + DENIED access to the SID. The flags values are generally + zero for file ACLs and either 9 or 2 for directory ACLs. Some + common flags are: </P +><P +></P +><UL +><LI +><P +>#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1</P +></LI +><LI +><P +>#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2</P +></LI +><LI +><P +>#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4 + </P +></LI +><LI +><P +>#define SEC_ACE_FLAG_INHERIT_ONLY 0x8</P +></LI +></UL +><P +>At present flags can only be specified as decimal or + hexadecimal values.</P +><P +>The mask is a value which expresses the access right + granted to the SID. It can be given as a decimal or hexadecimal value, + or by using one of the following text strings which map to the NT + file permissions of the same name. </P +><P +></P +><UL +><LI +><P +><I +CLASS="EMPHASIS" +>R</I +> - Allow read access </P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>W</I +> - Allow write access</P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>X</I +> - Execute permission on the object</P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>D</I +> - Delete the object</P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>P</I +> - Change permissions</P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>O</I +> - Take ownership</P +></LI +></UL +><P +>The following combined permissions can be specified:</P +><P +></P +><UL +><LI +><P +><I +CLASS="EMPHASIS" +>READ</I +> - Equivalent to 'RX' + permissions</P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>CHANGE</I +> - Equivalent to 'RXWD' permissions + </P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>FULL</I +> - Equivalent to 'RWXDPO' + permissions</P +></LI +></UL +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN123" +></A +><H2 +>EXIT STATUS</H2 +><P +>The <B +CLASS="COMMAND" +>smbcacls</B +> program sets the exit status + depending on the success or otherwise of the operations performed. + The exit status may be one of the following values. </P +><P +>If the operation succeded, smbcacls returns and exit + status of 0. If smbcacls couldn't connect to the specified server, + or there was an error getting or setting the ACLs, an exit status + of 1 is returned. If there was an error parsing any command line + arguments, an exit status of 2 is returned. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN128" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN131" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +><B +CLASS="COMMAND" +>smbcacls</B +> was written by Andrew Tridgell + and Tim Potter.</P +><P +>The conversion to DocBook for Samba 2.2 was done + by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/smbpasswd.5.html b/docs/htmldocs/smbpasswd.5.html index 2969022790..4ec7b7c86a 100644 --- a/docs/htmldocs/smbpasswd.5.html +++ b/docs/htmldocs/smbpasswd.5.html @@ -1,195 +1,326 @@ - - - - - - -<html><head><title>smbpasswd (5)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>smbpasswd (5)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - smbpasswd - The Samba encrypted password file -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p>smbpasswd is the <strong>Samba</strong> encrypted password file. -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This file is part of the <strong>Samba</strong> suite. -<p>smbpasswd is the <strong>Samba</strong> encrypted password file. It contains -the username, Unix user id and the SMB hashed passwords of the -user, as well as account flag information and the time the password -was last changed. This file format has been evolving with Samba -and has had several different formats in the past. -<p><a name="FILEFORMAT"></a> -<h2>FILE FORMAT</h2> - -<p>The format of the smbpasswd file used by Samba 2.0 is very similar to -the familiar Unix <strong>passwd (5)</strong> file. It is an ASCII file containing -one line for each user. Each field within each line is separated from -the next by a colon. Any entry beginning with # is ignored. The -smbpasswd file contains the following information for each user: -<p><dl> -<p><a name="name"></a> -<p></p><dt><strong><strong>name</strong></strong><dd> <br> <br> -<p>This is the user name. It must be a name that already exists - in the standard UNIX passwd file. -<p><a name="uid"></a> -<p></p><dt><strong><strong>uid</strong></strong><dd> <br> <br> -<p>This is the UNIX uid. It must match the uid field for the same - user entry in the standard UNIX passwd file. If this does not - match then Samba will refuse to recognize this <strong>smbpasswd</strong> file entry - as being valid for a user. -<p><a name="LanmanPasswordHash"></a> -<p></p><dt><strong><strong>Lanman Password Hash</strong></strong><dd> <br> <br> -<p>This is the <em>LANMAN</em> hash of the users password, encoded as 32 hex - digits. The <em>LANMAN</em> hash is created by DES encrypting a well known - string with the users password as the DES key. This is the same - password used by Windows 95/98 machines. Note that this password hash - is regarded as weak as it is vulnerable to dictionary attacks and if - two users choose the same password this entry will be identical (i.e. - the password is not <em>"salted"</em> as the UNIX password is). If the - user has a null password this field will contain the characters - <code>"NO PASSWORD"</code> as the start of the hex string. If the hex string - is equal to 32 <code>'X'</code> characters then the users account is marked as - <em>disabled</em> and the user will not be able to log onto the Samba - server. -<p><em>WARNING !!</em>. Note that, due to the challenge-response nature of the - SMB/CIFS authentication protocol, anyone with a knowledge of this - password hash will be able to impersonate the user on the network. - For this reason these hashes are known as <em>"plain text equivalent"</em> - and must <em>NOT</em> be made available to anyone but the root user. To - protect these passwords the <strong>smbpasswd</strong> file is placed in a - directory with read and traverse access only to the root user and the - <strong>smbpasswd</strong> file itself must be set to be read/write only by root, - with no other access. -<p><a name="NTPasswordHash"></a> -<p></p><dt><strong><strong>NT Password Hash</strong></strong><dd> <br> <br> -<p>This is the <em>Windows NT</em> hash of the users password, encoded as 32 - hex digits. The <em>Windows NT</em> hash is created by taking the users - password as represented in 16-bit, little-endian UNICODE and then - applying the <em>MD4</em> (internet rfc1321) hashing algorithm to it. -<p>This password hash is considered more secure than the <a href="smbpasswd.5.html#LanmanPasswordHash"><strong>Lanman - Password Hash</strong></a> as it preserves the case of the - password and uses a much higher quality hashing algorithm. However, it - is still the case that if two users choose the same password this - entry will be identical (i.e. the password is not <em>"salted"</em> as the - UNIX password is). -<p><em>WARNING !!</em>. Note that, due to the challenge-response nature of the - SMB/CIFS authentication protocol, anyone with a knowledge of this - password hash will be able to impersonate the user on the network. - For this reason these hashes are known as <em>"plain text equivalent"</em> - and must <em>NOT</em> be made available to anyone but the root user. To - protect these passwords the <strong>smbpasswd</strong> file is placed in a - directory with read and traverse access only to the root user and the - <strong>smbpasswd</strong> file itself must be set to be read/write only by root, - with no other access. -<p><a name="AccountFlags"></a> -<p></p><dt><strong><strong>Account Flags</strong></strong><dd> <br> <br> -<p>This section contains flags that describe the attributes of the users - account. In the <strong>Samba2.0</strong> release this field is bracketed by <code>'['</code> - and <code>']'</code> characters and is always 13 characters in length (including - the <code>'['</code> and <code>']'</code> characters). The contents of this field may be - any of the characters. -<p><dl> -<p><a name="capU"></a> - <li > <strong>'U'</strong> This means this is a <em>"User"</em> account, i.e. an ordinary - user. Only <strong>User</strong> and <a href="smbpasswd.5.html#capW"><strong>Workstation Trust</strong></a> accounts are - currently supported in the <strong>smbpasswd</strong> file. -<p><a name="capN"></a> - <li > <strong>'N'</strong> This means the account has <em>no</em> password (the passwords - in the fields <a href="smbpasswd.5.html#LanmanPasswordHash"><strong>Lanman Password Hash</strong></a> and - <a href="smbpasswd.5.html#NTPasswordHash"><strong>NT Password Hash</strong></a> are ignored). Note that this - will only allow users to log on with no password if the - <a href="smb.conf.5.html#nullpasswords"><strong>null passwords</strong></a> parameter is set - in the <a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a> config file. -<p><a name="capD"></a> - <li > <strong>'D'</strong> This means the account is disabled and no SMB/CIFS logins - will be allowed for this user. -<p><a name="capW"></a> - <li > <strong>'W'</strong> This means this account is a <em>"Workstation Trust"</em> account. - This kind of account is used in the Samba PDC code stream to allow Windows - NT Workstations and Servers to join a Domain hosted by a Samba PDC. -<p></dl> -<p>Other flags may be added as the code is extended in future. The rest of - this field space is filled in with spaces. -<p><a name="LastChangeTime"></a> -<p></p><dt><strong><strong>Last Change Time</strong></strong><dd> <br> <br> -<p>This field consists of the time the account was last modified. It consists of - the characters <code>LCT-</code> (standing for <em>"Last Change Time"</em>) followed by a numeric - encoding of the UNIX time in seconds since the epoch (1970) that the last change - was made. -<p><p></p><dt><strong><strong>Following fields</strong></strong><dd> <br> <br> -<p>All other colon separated fields are ignored at this time. -<p></dl> -<p><a name="NOTES"></a> -<h2>NOTES</h2> - -<p>In previous versions of Samba (notably the 1.9.18 series) this file -did not contain the <a href="smbpasswd.5.html#AccountFlags"><strong>Account Flags</strong></a> or -<a href="smbpasswd.5.html#LastChangeTime"><strong>Last Change Time</strong></a> fields. The Samba 2.0 -code will read and write these older password files but will not be able to -modify the old entries to add the new fields. New entries added with -<a href="smbpasswd.8.html"><strong>smbpasswd (8)</strong></a> will contain the new fields -in the added accounts however. Thus an older <strong>smbpasswd</strong> file used -with Samba 2.0 may end up with some accounts containing the new fields -and some not. -<p>In order to convert from an old-style <strong>smbpasswd</strong> file to a new -style, run the script <strong>convert_smbpasswd</strong>, installed in the -Samba <code>bin/</code> directory (the same place that the <a href="smbd.8.html"><strong>smbd</strong></a> -and <a href="nmbd.8.html"><strong>nmbd</strong></a> binaries are installed) as follows: -<p><pre> - - - cat old_smbpasswd_file | convert_smbpasswd > new_smbpasswd_file - - -</pre> - -<p>The <strong>convert_smbpasswd</strong> script reads from stdin and writes to stdout -so as not to overwrite any files by accident. -<p>Once this script has been run, check the contents of the new smbpasswd -file to ensure that it has not been damaged by the conversion script -(which uses <strong>awk</strong>), and then replace the <code><old smbpasswd file></code> -with the <code><new smbpasswd file></code>. -<p><a name="VERSION"></a> -<h2>VERSION</h2> - -<p>This man page is correct for version 2.0 of the Samba suite. -<p><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><a href="smbpasswd.8.html"><strong>smbpasswd (8)</strong></a>, <a href="samba.7.html"><strong>samba -(7)</strong></a>, and the Internet RFC1321 for details on the MD4 -algorithm. -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy -Allison, <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -</body> -</html> +<HTML +><HEAD +><TITLE +>smbpasswd</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="SMBPASSWD" +>smbpasswd</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>smbpasswd -- The Samba encrypted password file</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><TT +CLASS="FILENAME" +>smbpasswd</TT +></P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN11" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +>smbpasswd is the Samba encrypted password file. It contains + the username, Unix user id and the SMB hashed passwords of the + user, as well as account flag information and the time the + password was last changed. This file format has been evolving with + Samba and has had several different formats in the past. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN16" +></A +><H2 +>FILE FORMAT</H2 +><P +>The format of the smbpasswd file used by Samba 2.2 + is very similar to the familiar Unix <TT +CLASS="FILENAME" +>passwd(5)</TT +> + file. It is an ASCII file containing one line for each user. Each field + ithin each line is separated from the next by a colon. Any entry + beginning with '#' is ignored. The smbpasswd file contains the + following information for each user: </P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>name</DT +><DD +><P +> This is the user name. It must be a name that + already exists in the standard UNIX passwd file. </P +></DD +><DT +>uid</DT +><DD +><P +>This is the UNIX uid. It must match the uid + field for the same user entry in the standard UNIX passwd file. + If this does not match then Samba will refuse to recognize + this smbpasswd file entry as being valid for a user. + </P +></DD +><DT +>Lanman Password Hash</DT +><DD +><P +>This is the LANMAN hash of the users password, + encoded as 32 hex digits. The LANMAN hash is created by DES + encrypting a well known string with the users password as the + DES key. This is the same password used by Windows 95/98 machines. + Note that this password hash is regarded as weak as it is + vulnerable to dictionary attacks and if two users choose the + same password this entry will be identical (i.e. the password + is not "salted" as the UNIX password is). If the user has a + null password this field will contain the characters "NO PASSWORD" + as the start of the hex string. If the hex string is equal to + 32 'X' characters then the users account is marked as + <TT +CLASS="CONSTANT" +>disabled</TT +> and the user will not be able to + log onto the Samba server. </P +><P +><I +CLASS="EMPHASIS" +>WARNING !!</I +> Note that, due to + the challenge-response nature of the SMB/CIFS authentication + protocol, anyone with a knowledge of this password hash will + be able to impersonate the user on the network. For this + reason these hashes are known as <I +CLASS="EMPHASIS" +>plain text + equivalents</I +> and must <I +CLASS="EMPHASIS" +>NOT</I +> be made + available to anyone but the root user. To protect these passwords + the smbpasswd file is placed in a directory with read and + traverse access only to the root user and the smbpasswd file + itself must be set to be read/write only by root, with no + other access. </P +></DD +><DT +>NT Password Hash</DT +><DD +><P +>This is the Windows NT hash of the users + password, encoded as 32 hex digits. The Windows NT hash is + created by taking the users password as represented in + 16-bit, little-endian UNICODE and then applying the MD4 + (internet rfc1321) hashing algorithm to it. </P +><P +>This password hash is considered more secure than + the Lanman Password Hash as it preserves the case of the + password and uses a much higher quality hashing algorithm. + However, it is still the case that if two users choose the same + password this entry will be identical (i.e. the password is + not "salted" as the UNIX password is). </P +><P +><I +CLASS="EMPHASIS" +>WARNING !!</I +>. Note that, due to + the challenge-response nature of the SMB/CIFS authentication + protocol, anyone with a knowledge of this password hash will + be able to impersonate the user on the network. For this + reason these hashes are known as <I +CLASS="EMPHASIS" +>plain text + equivalents</I +> and must <I +CLASS="EMPHASIS" +>NOT</I +> be made + available to anyone but the root user. To protect these passwords + the smbpasswd file is placed in a directory with read and + traverse access only to the root user and the smbpasswd file + itself must be set to be read/write only by root, with no + other access. </P +></DD +><DT +>Account Flags</DT +><DD +><P +>This section contains flags that describe + the attributes of the users account. In the Samba 2.2 release + this field is bracketed by '[' and ']' characters and is always + 13 characters in length (including the '[' and ']' characters). + The contents of this field may be any of the characters. + </P +><P +></P +><UL +><LI +><P +><I +CLASS="EMPHASIS" +>U</I +> - This means + this is a "User" account, i.e. an ordinary user. Only User + and Workstation Trust accounts are currently supported + in the smbpasswd file. </P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>N</I +> - This means the + account has no password (the passwords in the fields Lanman + Password Hash and NT Password Hash are ignored). Note that this + will only allow users to log on with no password if the <TT +CLASS="PARAMETER" +><I +> null passwords</I +></TT +> parameter is set in the <A +HREF="smb.conf.5.html#NULLPASSWORDS" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5) + </TT +></A +> config file. </P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>D</I +> - This means the account + is disabled and no SMB/CIFS logins will be allowed for + this user. </P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>W</I +> - This means this account + is a "Workstation Trust" account. This kind of account is used + in the Samba PDC code stream to allow Windows NT Workstations + and Servers to join a Domain hosted by a Samba PDC. </P +></LI +></UL +><P +>Other flags may be added as the code is extended in future. + The rest of this field space is filled in with spaces. </P +></DD +><DT +>Last Change Time</DT +><DD +><P +>This field consists of the time the account was + last modified. It consists of the characters 'LCT-' (standing for + "Last Change Time") followed by a numeric encoding of the UNIX time + in seconds since the epoch (1970) that the last change was made. + </P +></DD +></DL +></DIV +><P +>All other colon separated fields are ignored at this time.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN73" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN76" +></A +><H2 +>SEE ALSO</H2 +><P +><A +HREF="smbpasswd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbpasswd(8)</B +></A +>, + <A +HREF="samba.7.html" +TARGET="_top" +>samba(7)</A +>, and + the Internet RFC1321 for details on the MD4 algorithm. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN82" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/smbpasswd.8.html b/docs/htmldocs/smbpasswd.8.html index a0f4577b08..8fb2c580e7 100644 --- a/docs/htmldocs/smbpasswd.8.html +++ b/docs/htmldocs/smbpasswd.8.html @@ -1,281 +1,636 @@ - - - - - - -<html><head><title>smbpasswd (8)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>smbpasswd (8)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - smbpasswd - change a users SMB password -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><strong>smbpasswd</strong> [<a href="smbpasswd.8.html#minusa">-a</a>] [<a href="smbpasswd.8.html#minusx">-x</a>] [<a href="smbpasswd.8.html#minusd">-d</a>] [<a href="smbpasswd.8.html#minuse">-e</a>] [<a href="smbpasswd.8.html#minusD">-D debug level</a>] [<a href="smbpasswd.8.html#minusn">-n</a>] [<a href="smbpasswd.8.html#minusr">-r remote_machine</a>] [<a href="smbpasswd.8.html#minusR">-R name resolve order</a>] [<a href="smbpasswd.8.html#minusm">-m</a>] [<a href="smbpasswd.8.html#minusj">-j DOMAIN</a>] [<a href="smbpasswd.8.html#minusU">-U username</a>] [<a href="smbpasswd.8.html#minush">-h</a>] [<a href="smbpasswd.8.html#minuss">-s</a>] <a href="smbpasswd.8.html#username">username</a> -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This program is part of the <strong>Samba</strong> suite. -<p>The <strong>smbpasswd</strong> program has several different functions, depending -on whether it is run by the <em>root</em> user or not. When run as a normal -user it allows the user to change the password used for their SMB -sessions on any machines that store SMB passwords. -<p>By default (when run with no arguments) it will attempt to change the -current users SMB password on the local machine. This is similar to -the way the <strong>passwd (1)</strong> program works. <strong>smbpasswd</strong> differs from how -the <strong>passwd</strong> program works however in that it is not <em>setuid root</em> -but works in a client-server mode and communicates with a locally -running <a href="smbd.8.html"><strong>smbd</strong></a>. As a consequence in order for this -to succeed the <a href="smbd.8.html"><strong>smbd</strong></a> daemon must be running on -the local machine. On a UNIX machine the encrypted SMB passwords are -usually stored in the <a href="smbpasswd.5.html"><strong>smbpasswd (5)</strong></a> file. -<p>When run by an ordinary user with no options. <strong>smbpasswd</strong> will -prompt them for their old smb password and then ask them for their new -password twice, to ensure that the new password was typed -correctly. No passwords will be echoed on the screen whilst being -typed. If you have a blank smb password (specified by the string "NO -PASSWORD" in the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file) then just -press the <Enter> key when asked for your old password. -<p><strong>smbpasswd</strong> can also be used by a normal user to change their SMB -password on remote machines, such as Windows NT Primary Domain -Controllers. See the <a href="smbpasswd.8.html#minusr">(<strong>-r</strong>)</a> and -<a href="smbpasswd.8.html#minusU"><strong>-U</strong></a> options below. -<p>When run by root, <strong>smbpasswd</strong> allows new users to be added and -deleted in the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file, as well as -allows changes to the attributes of the user in this file to be made. When -run by root, <strong>smbpasswd</strong> accesses the local -<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file directly, thus enabling -changes to be made even if <a href="smbd.8.html"><strong>smbd</strong></a> is not running. -<p><a name="OPTIONS"></a> -<h2>OPTIONS</h2> - -<p><dl> -<p><a name="minusa"></a> -<p></p><dt><strong><strong>-a</strong></strong><dd> This option specifies that the username following should -be added to the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file, with -the new password typed (type <Enter> for the old password). This -option is ignored if the username following already exists in the -<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file and it is treated like a -regular change password command. Note that the user to be added -<strong>must</strong> already exist in the system password file (usually /etc/passwd) -else the request to add the user will fail. -<p>This option is only available when running <strong>smbpasswd</strong> as -root. -<p><a name="minusx"></a> -<p></p><dt><strong><strong>-x</strong></strong><dd> This option specifies that the username following should -be deleted from the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. -<p>This option is only available when running <strong>smbpasswd</strong> as -root. -<p><a name="minusd"></a> -<p></p><dt><strong><strong>-d</strong></strong><dd> This option specifies that the username following should be -<em>disabled</em> in the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. -This is done by writing a <em>'D'</em> flag into the account control space -in the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. Once this is done -all attempts to authenticate via SMB using this username will fail. -<p>If the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file is in the 'old' -format (pre-Samba 2.0 format) there is no space in the users password -entry to write this information and so the user is disabled by writing -'X' characters into the password space in the -<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. See <a href="smbpasswd.5.html"><strong>smbpasswd -(5)</strong></a> for details on the 'old' and new password file -formats. -<p>This option is only available when running <strong>smbpasswd</strong> as root. -<p><a name="minuse"></a> -<p></p><dt><strong><strong>-e</strong></strong><dd> This option specifies that the username following should be -<em>enabled</em> in the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file, -if the account was previously disabled. If the account was not -disabled this option has no effect. Once the account is enabled -then the user will be able to authenticate via SMB once again. -<p>If the smbpasswd file is in the 'old' format then <strong>smbpasswd</strong> will -prompt for a new password for this user, otherwise the account will be -enabled by removing the <em>'D'</em> flag from account control space in the -<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. See <a href="smbpasswd.5.html"><strong>smbpasswd -(5)</strong></a> for details on the 'old' and new password file -formats. -<p>This option is only available when running <strong>smbpasswd</strong> as root. -<p><a name="minusD"></a> -<p></p><dt><strong><strong>-D debuglevel</strong></strong><dd> debuglevel is an integer from 0 -to 10. The default value if this parameter is not specified is zero. -<p>The higher this value, the more detail will be logged to the log files -about the activities of smbpasswd. At level 0, only critical errors -and serious warnings will be logged. -<p>Levels above 1 will generate considerable amounts of log data, and -should only be used when investigating a problem. Levels above 3 are -designed for use only by developers and generate HUGE amounts of log -data, most of which is extremely cryptic. -<p><a name="minusn"></a> -<p></p><dt><strong><strong>-n</strong></strong><dd> This option specifies that the username following should -have their password set to null (i.e. a blank password) in the local -<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. This is done by writing the -string "NO PASSWORD" as the first part of the first password stored in -the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. -<p>Note that to allow users to logon to a Samba server once the password -has been set to "NO PASSWORD" in the -<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file the administrator must set -the following parameter in the [global] section of the -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file : -<p><a href="smb.conf.5.html#nullpasswords">null passwords = true</a> -<p>This option is only available when running <strong>smbpasswd</strong> as root. -<p><a name="minusr"></a> -<p></p><dt><strong><strong>-r remote machine name</strong></strong><dd> This option allows a -user to specify what machine they wish to change their password -on. Without this parameter <strong>smbpasswd</strong> defaults to the local -host. The <em>"remote machine name"</em> is the NetBIOS name of the -SMB/CIFS server to contact to attempt the password change. This name -is resolved into an IP address using the standard name resolution -mechanism in all programs of the <a href="samba.7.html"><strong>Samba</strong></a> -suite. See the <a href="smbpasswd.8.html#minusR"><strong>-R name resolve order</strong></a> parameter for details on changing this resolving -mechanism. -<p>The username whose password is changed is that of the current UNIX -logged on user. See the <a href="smbpasswd.8.html#minusU"><strong>-U username</strong></a> -parameter for details on changing the password for a different -username. -<p>Note that if changing a Windows NT Domain password the remote machine -specified must be the Primary Domain Controller for the domain (Backup -Domain Controllers only have a read-only copy of the user account -database and will not allow the password change). -<p><em>Note</em> that Windows 95/98 do not have a real password database -so it is not possible to change passwords specifying a Win95/98 -machine as remote machine target. -<p><a name="minusR"></a> -<p></p><dt><strong><strong>-R name resolve order</strong></strong><dd> This option allows the user of -smbclient to determine what name resolution services to use when -looking up the NetBIOS name of the host being connected to. -<p>The options are :<a href="smbpasswd.8.html#lmhosts">"lmhosts"</a>, <a href="smbpasswd.8.html#host">"host"</a>, -<a href="smbpasswd.8.html#wins">"wins"</a> and <a href="smbpasswd.8.html#bcast">"bcast"</a>. They cause names to be -resolved as follows : -<p><dl> -<p><a name="lmhosts"></a> -<li > <strong>lmhosts</strong> : Lookup an IP address in the Samba lmhosts file. -<p><a name="host"></a> -<li > <strong>host</strong> : Do a standard host name to IP address resolution, -using the system /etc/hosts, NIS, or DNS lookups. This method of name -resolution is operating system dependent. For instance on IRIX or -Solaris, this may be controlled by the <em>/etc/nsswitch.conf</em> file). -<p><a name="wins"></a> -<li > <strong>wins</strong> : Query a name with the IP address listed in the -<a href="smb.conf.5.html#winsserver"><strong>wins server</strong></a> parameter in the -<a href="smb.conf.5.html"><strong>smb.conf file</strong></a>. If -no WINS server has been specified this method will be ignored. -<p><a name="bcast"></a> -<li > <strong>bcast</strong> : Do a broadcast on each of the known local interfaces -listed in the <a href="smb.conf.5.html#interfaces"><strong>interfaces</strong></a> parameter -in the smb.conf file. This is the least reliable of the name resolution -methods as it depends on the target host being on a locally connected -subnet. -<p></dl> -<p>If this parameter is not set then the name resolve order defined -in the <a href="smb.conf.5.html"><strong>smb.conf</strong></a> file parameter -<a href="smb.conf.5.html#nameresolveorder"><strong>name resolve order</strong></a> -will be used. -<p>The default order is lmhosts, host, wins, bcast and without this -parameter or any entry in the <a href="smb.conf.5.html"><strong>smb.conf</strong></a> -file the name resolution methods will be attempted in this order. -<p><a name="minusm"></a> -<p></p><dt><strong><strong>-m</strong></strong><dd> This option tells <strong>smbpasswd</strong> that the account being -changed is a <em>MACHINE</em> account. Currently this is used when Samba is -being used as an NT Primary Domain Controller. PDC support is not a -supported feature in Samba2.0 but will become supported in a later -release. If you wish to know more about using Samba as an NT PDC then -please subscribe to the mailing list -<a href="mailto:samba-ntdom@samba.org"><em>samba-ntdom@samba.org</em></a>. -<p>This option is only available when running <strong>smbpasswd</strong> as root. -<p><a name="minusj"></a> -<p></p><dt><strong><strong>-j DOMAIN</strong></strong><dd> This option is used to add a Samba server into a -Windows NT Domain, as a Domain member capable of authenticating user -accounts to any Domain Controller in the same way as a Windows NT -Server. See the <a href="smb.conf.5.html#security"><strong>security=domain</strong></a> -option in the <a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a> man page. -<p>In order to be used in this way, the Administrator for the Windows -NT Domain must have used the program <em>"Server Manager for Domains"</em> -to add the <a href="smb.conf.5.html#netbiosname">primary NetBIOS name</a> of -the Samba server as a member of the Domain. -<p>After this has been done, to join the Domain invoke <strong>smbpasswd</strong> with -this parameter. <strong>smbpasswd</strong> will then look up the Primary Domain -Controller for the Domain (found in the -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file in the parameter -<a href="smb.conf.5.html#passwordserver"><strong>password server</strong></a> and change -the machine account password used to create the secure Domain -communication. This password is then stored by <strong>smbpasswd</strong> in a -file, read only by root, called <code><Domain>.<Machine>.mac</code> where -<code><Domain></code> is the name of the Domain we are joining and <code><Machine></code> -is the primary NetBIOS name of the machine we are running on. -<p>Once this operation has been performed the -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file may be updated to set the -<a href="smb.conf.5.html#security"><strong>security=domain</strong></a> option and all -future logins to the Samba server will be authenticated to the Windows -NT PDC. -<p>Note that even though the authentication is being done to the PDC all -users accessing the Samba server must still have a valid UNIX account -on that machine. -<p>This option is only available when running <strong>smbpasswd</strong> as root. -<p><a name="minusU"></a> -<p></p><dt><strong><strong>-U username</strong></strong><dd> This option may only be used in -conjunction with the <a href="smbpasswd.8.html#minusr"><strong>-r</strong></a> -option. When changing a password on a remote machine it allows the -user to specify the user name on that machine whose password will be -changed. It is present to allow users who have different user names on -different systems to change these passwords. -<p><a name="minush"></a> -<p></p><dt><strong><strong>-h</strong></strong><dd> This option prints the help string for <strong>smbpasswd</strong>, -selecting the correct one for running as root or as an ordinary user. -<p><a name="minuss"></a> -<p></p><dt><strong><strong>-s</strong></strong><dd> This option causes <strong>smbpasswd</strong> to be silent (i.e. not -issue prompts) and to read it's old and new passwords from standard -input, rather than from <code>/dev/tty</code> (like the <strong>passwd (1)</strong> program -does). This option is to aid people writing scripts to drive <strong>smbpasswd</strong> -<p><a name="username"></a> -<p></p><dt><strong><strong>username</strong></strong><dd> This specifies the username for all of the <em>root -only</em> options to operate on. Only root can specify this parameter as -only root has the permission needed to modify attributes directly -in the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. -<p><a name="NOTES"></a> -<h2>NOTES</h2> - -<p>Since <strong>smbpasswd</strong> works in client-server mode communicating with a -local <a href="smbd.8.html"><strong>smbd</strong></a> for a non-root user then the <strong>smbd</strong> -daemon must be running for this to work. A common problem is to add a -restriction to the hosts that may access the <strong>smbd</strong> running on the -local machine by specifying a <a href="smb.conf.5.html#allowhosts"><strong>"allow -hosts"</strong></a> or <a href="smb.conf.5.html#denyhosts"><strong>"deny -hosts"</strong></a> entry in the -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file and neglecting to allow -<em>"localhost"</em> access to the <strong>smbd</strong>. -<p>In addition, the <strong>smbpasswd</strong> command is only useful if <strong>Samba</strong> has -been set up to use encrypted passwords. See the file <strong>ENCRYPTION.txt</strong> -in the docs directory for details on how to do this. -<p><a name="VERSION"></a> -<h2>VERSION</h2> - -<p>This man page is correct for version 2.0 of the Samba suite. -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy Allison. -<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -</body> -</html> +<HTML +><HEAD +><TITLE +>smbpasswd</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="SMBPASSWD" +>smbpasswd</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>smbpasswd -- change a users SMB password</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>smbpasswd</B +> [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-j DOMAIN] [-U username] [-h] [-s] [username]</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN25" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +>The smbpasswd program has several different + functions, depending on whether it is run by the <I +CLASS="EMPHASIS" +>root</I +> + user or not. When run as a normal user it allows the user to change + the password used for their SMB sessions on any machines that store + SMB passwords. </P +><P +>By default (when run with no arguments) it will attempt to + change the current users SMB password on the local machine. This is + similar to the way the <B +CLASS="COMMAND" +>passwd(1)</B +> program works. + <B +CLASS="COMMAND" +>smbpasswd</B +> differs from how the passwd program works + however in that it is not <I +CLASS="EMPHASIS" +>setuid root</I +> but works in + a client-server mode and communicates with a locally running + <B +CLASS="COMMAND" +>smbd(8)</B +>. As a consequence in order for this to + succeed the smbd daemon must be running on the local machine. On a + UNIX machine the encrypted SMB passwords are usually stored in + the <TT +CLASS="FILENAME" +>smbpasswd(5)</TT +> file. </P +><P +>When run by an ordinary user with no options. smbpasswd + will prompt them for their old smb password and then ask them + for their new password twice, to ensure that the new password + was typed correctly. No passwords will be echoed on the screen + whilst being typed. If you have a blank smb password (specified by + the string "NO PASSWORD" in the smbpasswd file) then just press + the <Enter> key when asked for your old password. </P +><P +>smbpasswd can also be used by a normal user to change their + SMB password on remote machines, such as Windows NT Primary Domain + Controllers. See the (-r) and -U options below. </P +><P +>When run by root, smbpasswd allows new users to be added + and deleted in the smbpasswd file, as well as allows changes to + the attributes of the user in this file to be made. When run by root, + <B +CLASS="COMMAND" +>smbpasswd</B +> accesses the local smbpasswd file + directly, thus enabling changes to be made even if smbd is not + running. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN41" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-a</DT +><DD +><P +>This option specifies that the username + following should be added to the local smbpasswd file, with the + new password typed (type <Enter> for the old password). This + option is ignored if the username following already exists in + the smbpasswd file and it is treated like a regular change + password command. Note that the user to be added must already exist + in the system password file (usually <TT +CLASS="FILENAME" +>/etc/passwd</TT +>) + else the request to add the user will fail. </P +><P +>This option is only available when running smbpasswd + as root. </P +></DD +><DT +>-x</DT +><DD +><P +>This option specifies that the username + following should be deleted from the local smbpasswd file. + </P +><P +>This option is only available when running smbpasswd as + root.</P +></DD +><DT +>-d</DT +><DD +><P +>This option specifies that the username following + should be <TT +CLASS="CONSTANT" +>disabled</TT +> in the local smbpasswd + file. This is done by writing a <TT +CLASS="CONSTANT" +>'D'</TT +> flag + into the account control space in the smbpasswd file. Once this + is done all attempts to authenticate via SMB using this username + will fail. </P +><P +>If the smbpasswd file is in the 'old' format (pre-Samba 2.0 + format) there is no space in the users password entry to write + this information and so the user is disabled by writing 'X' characters + into the password space in the smbpasswd file. See <B +CLASS="COMMAND" +>smbpasswd(5) + </B +> for details on the 'old' and new password file formats. + </P +><P +>This option is only available when running smbpasswd as + root.</P +></DD +><DT +>-e</DT +><DD +><P +>This option specifies that the username following + should be <TT +CLASS="CONSTANT" +>enabled</TT +> in the local smbpasswd file, + if the account was previously disabled. If the account was not + disabled this option has no effect. Once the account is enabled then + the user will be able to authenticate via SMB once again. </P +><P +>If the smbpasswd file is in the 'old' format, then <B +CLASS="COMMAND" +> smbpasswd</B +> will prompt for a new password for this user, + otherwise the account will be enabled by removing the <TT +CLASS="CONSTANT" +>'D' + </TT +> flag from account control space in the <TT +CLASS="FILENAME" +> smbpasswd</TT +> file. See <B +CLASS="COMMAND" +>smbpasswd (5)</B +> for + details on the 'old' and new password file formats. </P +><P +>This option is only available when running smbpasswd as root. + </P +></DD +><DT +>-D debuglevel</DT +><DD +><P +><TT +CLASS="PARAMETER" +><I +>debuglevel</I +></TT +> is an integer + from 0 to 10. The default value if this parameter is not specified + is zero. </P +><P +>The higher this value, the more detail will be logged to the + log files about the activities of smbpasswd. At level 0, only + critical errors and serious warnings will be logged. </P +><P +>Levels above 1 will generate considerable amounts of log + data, and should only be used when investigating a problem. Levels + above 3 are designed for use only by developers and generate + HUGE amounts of log data, most of which is extremely cryptic. + </P +></DD +><DT +>-n</DT +><DD +><P +>This option specifies that the username following + should have their password set to null (i.e. a blank password) in + the local smbpasswd file. This is done by writing the string "NO + PASSWORD" as the first part of the first password stored in the + smbpasswd file. </P +><P +>Note that to allow users to logon to a Samba server once + the password has been set to "NO PASSWORD" in the smbpasswd + file the administrator must set the following parameter in the [global] + section of the <TT +CLASS="FILENAME" +>smb.conf</TT +> file : </P +><P +><B +CLASS="COMMAND" +>null passwords = yes</B +></P +><P +>This option is only available when running smbpasswd as + root.</P +></DD +><DT +>-r remote machine name</DT +><DD +><P +>This option allows a user to specify what machine + they wish to change their password on. Without this parameter + smbpasswd defaults to the local host. The <TT +CLASS="REPLACEABLE" +><I +>remote + machine name</I +></TT +> is the NetBIOS name of the SMB/CIFS + server to contact to attempt the password change. This name is + resolved into an IP address using the standard name resolution + mechanism in all programs of the Samba suite. See the <TT +CLASS="PARAMETER" +><I +>-R + name resolve order</I +></TT +> parameter for details on changing + this resolving mechanism. </P +><P +>The username whose password is changed is that of the + current UNIX logged on user. See the <TT +CLASS="PARAMETER" +><I +>-U username</I +></TT +> + parameter for details on changing the password for a different + username. </P +><P +>Note that if changing a Windows NT Domain password the + remote machine specified must be the Primary Domain Controller for + the domain (Backup Domain Controllers only have a read-only + copy of the user account database and will not allow the password + change).</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that Windows 95/98 do not have + a real password database so it is not possible to change passwords + specifying a Win95/98 machine as remote machine target. </P +></DD +><DT +>-R name resolve order</DT +><DD +><P +>This option allows the user of smbclient to determine + what name resolution services to use when looking up the NetBIOS + name of the host being connected to. </P +><P +>The options are :"lmhosts", "host", "wins" and "bcast". They cause + names to be resolved as follows : </P +><P +></P +><UL +><LI +><P +><TT +CLASS="CONSTANT" +>lmhosts</TT +> : Lookup an IP + address in the Samba lmhosts file. If the line in lmhosts has + no name type attached to the NetBIOS name (see the <A +HREF="lmhosts.5.html" +TARGET="_top" +>lmhosts(5)</A +> for details) then + any name type matches for lookup.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>host</TT +> : Do a standard host + name to IP address resolution, using the system <TT +CLASS="FILENAME" +>/etc/hosts + </TT +>, NIS, or DNS lookups. This method of name resolution + is operating system depended for instance on IRIX or Solaris this + may be controlled by the <TT +CLASS="FILENAME" +>/etc/nsswitch.conf</TT +> + file). Note that this method is only used if the NetBIOS name + type being queried is the 0x20 (server) name type, otherwise + it is ignored.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>wins</TT +> : Query a name with + the IP address listed in the <TT +CLASS="PARAMETER" +><I +>wins server</I +></TT +> + parameter. If no WINS server has been specified this method + will be ignored.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>bcast</TT +> : Do a broadcast on + each of the known local interfaces listed in the + <TT +CLASS="PARAMETER" +><I +>interfaces</I +></TT +> parameter. This is the least + reliable of the name resolution methods as it depends on the + target host being on a locally connected subnet.</P +></LI +></UL +><P +>The default order is <B +CLASS="COMMAND" +>lmhosts, host, wins, bcast</B +> + and without this parameter or any entry in the + <TT +CLASS="FILENAME" +>smb.conf</TT +> file the name resolution methods will + be attempted in this order. </P +></DD +><DT +>-m</DT +><DD +><P +>This option tells smbpasswd that the account + being changed is a MACHINE account. Currently this is used + when Samba is being used as an NT Primary Domain Controller.</P +><P +>This option is only available when running smbpasswd as root. + </P +></DD +><DT +>-j DOMAIN</DT +><DD +><P +>This option is used to add a Samba server + into a Windows NT Domain, as a Domain member capable of authenticating + user accounts to any Domain Controller in the same way as a Windows + NT Server. See the <B +CLASS="COMMAND" +>security = domain</B +> option in + the <TT +CLASS="FILENAME" +>smb.conf(5)</TT +> man page. </P +><P +>In order to be used in this way, the Administrator for + the Windows NT Domain must have used the program "Server Manager + for Domains" to add the primary NetBIOS name of the Samba server + as a member of the Domain. </P +><P +>After this has been done, to join the Domain invoke <B +CLASS="COMMAND" +> smbpasswd</B +> with this parameter. smbpasswd will then + look up the Primary Domain Controller for the Domain (found in + the <TT +CLASS="FILENAME" +>smb.conf</TT +> file in the parameter + <TT +CLASS="PARAMETER" +><I +>password server</I +></TT +> and change the machine account + password used to create the secure Domain communication. This + password is then stored by smbpasswd in a TDB, writeable only by root, + called <TT +CLASS="FILENAME" +>secrets.tdb</TT +> </P +><P +>Once this operation has been performed the <TT +CLASS="FILENAME" +> smb.conf</TT +> file may be updated to set the <B +CLASS="COMMAND" +> security = domain</B +> option and all future logins + to the Samba server will be authenticated to the Windows NT + PDC. </P +><P +>Note that even though the authentication is being + done to the PDC all users accessing the Samba server must still + have a valid UNIX account on that machine. </P +><P +>This option is only available when running smbpasswd as root. + </P +></DD +><DT +>-U username</DT +><DD +><P +>This option may only be used in conjunction + with the <TT +CLASS="PARAMETER" +><I +>-r</I +></TT +> option. When changing + a password on a remote machine it allows the user to specify + the user name on that machine whose password will be changed. It + is present to allow users who have different user names on + different systems to change these passwords. </P +></DD +><DT +>-h</DT +><DD +><P +>This option prints the help string for <B +CLASS="COMMAND" +> smbpasswd</B +>, selecting the correct one for running as root + or as an ordinary user. </P +></DD +><DT +>-s</DT +><DD +><P +>This option causes smbpasswd to be silent (i.e. + not issue prompts) and to read it's old and new passwords from + standard input, rather than from <TT +CLASS="FILENAME" +>/dev/tty</TT +> + (like the <B +CLASS="COMMAND" +>passwd(1)</B +> program does). This option + is to aid people writing scripts to drive smbpasswd</P +></DD +><DT +>username</DT +><DD +><P +>This specifies the username for all of the + <I +CLASS="EMPHASIS" +>root only</I +> options to operate on. Only root + can specify this parameter as only root has the permission needed + to modify attributes directly in the local smbpasswd file. + </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN171" +></A +><H2 +>NOTES</H2 +><P +>Since <B +CLASS="COMMAND" +>smbpasswd</B +> works in client-server + mode communicating with a local smbd for a non-root user then + the smbd daemon must be running for this to work. A common problem + is to add a restriction to the hosts that may access the <B +CLASS="COMMAND" +> smbd</B +> running on the local machine by specifying a + <TT +CLASS="PARAMETER" +><I +>allow hosts</I +></TT +> or <TT +CLASS="PARAMETER" +><I +>deny hosts</I +></TT +> + entry in the <TT +CLASS="FILENAME" +>smb.conf</TT +> file and neglecting to + allow "localhost" access to the smbd. </P +><P +>In addition, the smbpasswd command is only useful if Samba + has been set up to use encrypted passwords. See the file + <TT +CLASS="FILENAME" +>ENCRYPTION.txt</TT +> in the docs directory for details + on how to do this. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN181" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN184" +></A +><H2 +>SEE ALSO</H2 +><P +><A +HREF="smbpasswd.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smbpasswd(5)</TT +></A +>, + <A +HREF="samba.7.html" +TARGET="_top" +>samba(7)</A +> + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN190" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file |