Diffstat (limited to 'docs/htmldocs')
-rw-r--r-- docs/htmldocs/smbcacls.1.html 531
-rw-r--r-- docs/htmldocs/smbpasswd.5.html 521
-rw-r--r-- docs/htmldocs/smbpasswd.8.html 917
3 files changed, 1336 insertions, 633 deletions
diff --git a/docs/htmldocs/smbcacls.1.html b/docs/htmldocs/smbcacls.1.html
index e75a5741e5..36f570f2a0 100644
--- a/docs/htmldocs/smbcacls.1.html
+++ b/docs/htmldocs/smbcacls.1.html
@@ -1,161 +1,378 @@
-
-
-
-
-<html><head><title>smbcacls (1)</title>
-
-</head>
-<body>
-
-<hr>
-
-<h1>smbcacls (1)</h1>
-<h2>Samba</h2>
-<h2>22 Dec 2000</h2>
-
-
-
-<p><a name="NAME"></a>
-<h2>NAME</h2>
- smbcacls - Set or get ACLs on an NT file or directory
-<p><a name="SYNOPSIS"></a>
-<h2>SYNOPSIS</h2>
-
-<p><strong>smbcacls</strong> //server/share filename [<a href="smbcacls.1.html#minusU">-U username</a>]
-[<a href="smbcacls.1.html#minusA">-A acls</a>] [<a href="smbcacls.1.html#minusM">-M acls</a>]
-[<a href="smbcacls.1.html#minusD">-D acls</a>] [<a href="smbcacls.1.html#minusS">-S acls</a>]
-[<a href="smbcacls.1.html#minusC">-C name</a>] [<a href="smbcacls.1.html#minusG">-G name</a>]
-[<a href="smbcacls.1.html#minusn">-n</a>] [<a href="smbcacls.1.html#minush">-h</a>]
-<p><a name="DESCRIPTION"></a>
-<h2>DESCRIPTION</h2>
-
-<p>The <strong>smbcacls</strong> program manipulates NT Access Control Lists (ACLs) on
-SMB file shares.
-<p><a name="OPTIONS"></a>
-<h2>OPTIONS</h2>
-
-<p>The following options are available to the <strong>smbcacls</strong> program. The
-format of ACLs is described in the section <a href="smbcacls.1.html#ACLFORMAT">ACL FORMAT</a>
-<p><dl>
-<p><a name="minusA"></a>
-<p></p><dt><strong><strong>-A acls</strong></strong><dd>
-<p>Add the ACLs specified to the ACL list. Existing access control entries
-are unchanged.
-<p><a name="minusM"></a>
-<p></p><dt><strong><strong>-M acls</strong></strong><dd>
-<p>Modify the mask value (permissions) for the ACLs specified on the command
-line. An error will be printed for each ACL specified that was not already
-present in the ACL list.
-<p><a name="minusD"></a>
-<p></p><dt><strong><strong>-D acls</strong></strong><dd>
-<p>Delete any ACLs specfied on the command line. An error will be printed for
-each ACL specified that was not already present in the ACL list.
-<p><a name="minusS"></a>
-<p></p><dt><strong><strong>-S acls</strong></strong><dd>
-<p>This command sets the ACLs on the file with only the ones specified on the
-command line. All other ACLs are erased. Note that the ACL specified must
-contain at least a revision, type, owner and group for the call to succeed.
-<p><a name="minusU"></a>
-<p></p><dt><strong><strong>-U username</strong></strong><dd>
-<p>Specifies a username used to connect to the specified service. The
-username may be of the form <code>username</code> in which case the user is
-prompted to enter in a password and the workgroup specified in the
-<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file is used, or <code>username%password</code>
-or <code>DOMAIN\username%password</code> and the password and workgroup names are
-used as provided.
-<p><a name="minusC"></a>
-<p></p><dt><strong><strong>-C name</strong></strong><dd>
-<p>The owner of a file or directory can be changed to the name given
-using the -C option. The name can be a sid in the form <code>S-1-x-y-z</code> or a
-name resolved against the server specified in the first argument.
-<p>This command is a shortcut for <code>-M OWNER:name</code>.
-<p><a name="minusG"></a>
-<p></p><dt><strong><strong>-G name</strong></strong><dd>
-<p>The group owner of a file or directory can be changed to the name given
-using the -G option. The name can be a sid in the form <code>S-1-x-y-z</code> or a
-name resolved against the server specified in the first argument.
-<p>This command is a shortcut for <code>-M GROUP:name</code>.
-<p><a name="minusn"></a>
-<p></p><dt><strong><strong>-n</strong></strong><dd>
-<p>This option displays all ACL information in numeric format. The default is
-to convert SIDs to names and ACE types and masks to a readable string
-format.
-<p><a name="minush"></a>
-<p></p><dt><strong><strong>-h</strong></strong><dd>
-<p>Print usage information on the <strong>smbcacls</strong> program
-<p></dl>
-<p><a name="ACLFORMAT"></a>
-<h2>ACL FORMAT</h2>
-
-<p>The format of an ACL is one or more ACL entries separated by either
-commas or newlines. An ACL entry is one of the following:
-<p><pre>
+<HTML
+><HEAD
+><TITLE
+>smbcacls</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="SMBCACLS"
+>smbcacls</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN5"
+></A
+><H2
+>Name</H2
+>smbcacls&nbsp;--&nbsp;Set or get ACLs on an NT file or directory names</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>nmblookup</B
+> {//server/share} {filename} [-U username] [-A acls] [-M acls] [-D acls] [-S acls] [-C name] [-G name] [-n] [-h]</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN22"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>This tool is part of the <A
+HREF="samba.7.html"
+TARGET="_top"
+> Samba</A
+> suite.</P
+><P
+>The smbcacls program manipulates NT Access Control Lists
+ (ACLs) on SMB file shares. </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN27"
+></A
+><H2
+>OPTIONS</H2
+><P
+>The following options are available to the smbcacls program.
+ The format of ACLs is described in the section ACL FORMAT </P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-A acls</DT
+><DD
+><P
+>Add the ACLs specified to the ACL list. Existing
+ access control entries are unchanged. </P
+></DD
+><DT
+>-M acls</DT
+><DD
+><P
+>Modify the mask value (permissions) for the ACLs
+ specified on the command line. An error will be printed for each
+ ACL specified that was not already present in the ACL list
+ </P
+></DD
+><DT
+>-D acls</DT
+><DD
+><P
+>Delete any ACLs specfied on the command line.
+ An error will be printed for each ACL specified that was not
+ already present in the ACL list. </P
+></DD
+><DT
+>-S acls</DT
+><DD
+><P
+>This command sets the ACLs on the file with
+ only the ones specified on the command line. All other ACLs are
+ erased. Note that the ACL specified must contain at least a revision,
+ type, owner and group for the call to succeed. </P
+></DD
+><DT
+>-U username</DT
+><DD
+><P
+>Specifies a username used to connect to the
+ specified service. The username may be of the form "username" in
+ which case the user is prompted to enter in a password and the
+ workgroup specified in the <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file is
+ used, or "username%password" or "DOMAIN\username%password" and the
+ password and workgroup names are used as provided. </P
+></DD
+><DT
+>-C name</DT
+><DD
+><P
+>The owner of a file or directory can be changed
+ to the name given using the <TT
+CLASS="PARAMETER"
+><I
+>-C</I
+></TT
+> option.
+ The name can be a sid in the form S-1-x-y-z or a name resolved
+ against the server specified in the first argument. </P
+><P
+>This command is a shortcut for -M OWNER:name.
+ </P
+></DD
+><DT
+>-G name</DT
+><DD
+><P
+>The group owner of a file or directory can
+ be changed to the name given using the <TT
+CLASS="PARAMETER"
+><I
+>-G</I
+></TT
+>
+ option. The name can be a sid in the form S-1-x-y-z or a name
+ resolved against the server specified n the first argument.
+ </P
+><P
+>This command is a shortcut for -M GROUP:name.</P
+></DD
+><DT
+>-n</DT
+><DD
+><P
+>This option displays all ACL information in numeric
+ format. The default is to convert SIDs to names and ACE types
+ and masks to a readable string format. </P
+></DD
+><DT
+>-h</DT
+><DD
+><P
+>Print usage information on the <B
+CLASS="COMMAND"
+>smbcacls
+ </B
+> program.</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN73"
+></A
+><H2
+>ACL FORMAT</H2
+><P
+>The format of an ACL is one or more ACL entries separated by
+ either commas or newlines. An ACL entry is one of the following: </P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>
REVISION:&lt;revision number&gt;
OWNER:&lt;sid or name&gt;
GROUP:&lt;sid or name&gt;
ACL:&lt;sid or name&gt;:&lt;type&gt;/&lt;flags&gt;/&lt;mask&gt;
-</pre>
-
-<p>The revision of the ACL specifies the internal Windows NT ACL revision for
-the security descriptor. If not specified it defaults to 1. Using values
-other than 1 may cause strange behaviour.
-<p>The owner and group specify the owner and group sids for the object. If a
-SID in the format <code>S-1-x-y-z</code> is specified this is used, otherwise
-the name specified is resolved using the server on which the file or
-directory resides.
-<p>ACLs specify permissions granted to the SID. This SID again can be
-specified in <code>S-1-x-y-z</code> format or as a name in which case it is resolved
-against the server on which the file or directory resides. The type, flags
-and mask values determine the type of access granted to the SID.
-<p>The type can be either 0 or 1 corresponding to ALLOWED or DENIED access to
-the SID. The flags values are generally zero for file ACLs and either 9 or
-2 for directory ACLs. Some common flags are:
-<p><pre>
-#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1
-#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2
-#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4
-#define SEC_ACE_FLAG_INHERIT_ONLY 0x8
-</pre>
-
-<p>At present flags can only be specified as decimal or hexadecimal values.
-<p>The mask is a value which expresses the access right granted to the SID.
-It can be given as a decimal or hexadecimal value, or by using one of the
-following text strings which map to the NT file permissions of the same
-name.
-<p><dl>
-<p><p></p><dt><strong></strong><dd> <code>R</code> Allow read access
-<p><p></p><dt><strong></strong><dd> <code>W</code> Allow write access
-<p><p></p><dt><strong></strong><dd> <code>X</code> Execute permission on the object
-<p><p></p><dt><strong></strong><dd> <code>D</code> Delete the object
-<p><p></p><dt><strong></strong><dd> <code>P</code> Change permissions
-<p><p></p><dt><strong></strong><dd> <code>O</code> Take ownership
-<p></dl>
-<p>The following combined permissions can be specified:
-<p><dl>
-<p><p></p><dt><strong></strong><dd> <code>READ</code>
-<p>Equivalent to <code>RX</code> permissions
-<p><p></p><dt><strong></strong><dd> <code>CHANGE</code>
-<p>Equivalent to <code>RXWD</code> permissions
-<p><p></p><dt><strong></strong><dd> <code>FULL</code>
-<p>Equivalent to <code>RWXDPO</code> permissions
-<p></dl>
-<p><a name="EXITSTATUS"></a>
-<h2>EXIT STATUS</h2>
-
-<p>The <strong>smbcacls</strong> program sets the exit status depending on the success or
-otherwise of the operations performed. The exit status may be one of the
-following values.
-<p>If the operation succeded, <strong>smbcacls</strong> returns and exit status of 0. If
-<strong>smbcacls</strong> couldn't connect to the specified server, or there was an
-error getting or setting the ACLs, an exit status of 1 is returned. If
-there was an error parsing any command line arguments, an exit status of 2
-is returned.
-<p><a name="AUTHOR"></a>
-<h2>AUTHOR</h2>
-
-<p>The original Samba software and related utilities were created by
-Andrew Tridgell. Samba is now developed by the Samba Team as an Open
-Source project.
-<p><strong>smbcacls</strong> was written by Andrew Tridgell and Tim Potter.
-</body>
-</html>
+ </PRE
+></P
+><P
+>The revision of the ACL specifies the internal Windows
+ NT ACL revision for the security descriptor.
+ If not specified it defaults to 1. Using values other than 1 may
+ cause strange behaviour. </P
+><P
+>The owner and group specify the owner and group sids for the
+ object. If a SID in the format CWS-1-x-y-z is specified this is used,
+ otherwise the name specified is resolved using the server on which
+ the file or directory resides. </P
+><P
+>ACLs specify permissions granted to the SID. This SID again
+ can be specified in CWS-1-x-y-z format or as a name in which case
+ it is resolved against the server on which the file or directory
+ resides. The type, flags and mask values determine the type of
+ access granted to the SID. </P
+><P
+>The type can be either 0 or 1 corresponding to ALLOWED or
+ DENIED access to the SID. The flags values are generally
+ zero for file ACLs and either 9 or 2 for directory ACLs. Some
+ common flags are: </P
+><P
+></P
+><UL
+><LI
+><P
+>#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1</P
+></LI
+><LI
+><P
+>#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2</P
+></LI
+><LI
+><P
+>#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4
+ </P
+></LI
+><LI
+><P
+>#define SEC_ACE_FLAG_INHERIT_ONLY 0x8</P
+></LI
+></UL
+><P
+>At present flags can only be specified as decimal or
+ hexadecimal values.</P
+><P
+>The mask is a value which expresses the access right
+ granted to the SID. It can be given as a decimal or hexadecimal value,
+ or by using one of the following text strings which map to the NT
+ file permissions of the same name. </P
+><P
+></P
+><UL
+><LI
+><P
+><I
+CLASS="EMPHASIS"
+>R</I
+> - Allow read access </P
+></LI
+><LI
+><P
+><I
+CLASS="EMPHASIS"
+>W</I
+> - Allow write access</P
+></LI
+><LI
+><P
+><I
+CLASS="EMPHASIS"
+>X</I
+> - Execute permission on the object</P
+></LI
+><LI
+><P
+><I
+CLASS="EMPHASIS"
+>D</I
+> - Delete the object</P
+></LI
+><LI
+><P
+><I
+CLASS="EMPHASIS"
+>P</I
+> - Change permissions</P
+></LI
+><LI
+><P
+><I
+CLASS="EMPHASIS"
+>O</I
+> - Take ownership</P
+></LI
+></UL
+><P
+>The following combined permissions can be specified:</P
+><P
+></P
+><UL
+><LI
+><P
+><I
+CLASS="EMPHASIS"
+>READ</I
+> - Equivalent to 'RX'
+ permissions</P
+></LI
+><LI
+><P
+><I
+CLASS="EMPHASIS"
+>CHANGE</I
+> - Equivalent to 'RXWD' permissions
+ </P
+></LI
+><LI
+><P
+><I
+CLASS="EMPHASIS"
+>FULL</I
+> - Equivalent to 'RWXDPO'
+ permissions</P
+></LI
+></UL
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN123"
+></A
+><H2
+>EXIT STATUS</H2
+><P
+>The <B
+CLASS="COMMAND"
+>smbcacls</B
+> program sets the exit status
+ depending on the success or otherwise of the operations performed.
+ The exit status may be one of the following values. </P
+><P
+>If the operation succeded, smbcacls returns and exit
+ status of 0. If smbcacls couldn't connect to the specified server,
+ or there was an error getting or setting the ACLs, an exit status
+ of 1 is returned. If there was an error parsing any command line
+ arguments, an exit status of 2 is returned. </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN128"
+></A
+><H2
+>VERSION</H2
+><P
+>This man page is correct for version 2.2 of
+ the Samba suite.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN131"
+></A
+><H2
+>AUTHOR</H2
+><P
+>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</P
+><P
+><B
+CLASS="COMMAND"
+>smbcacls</B
+> was written by Andrew Tridgell
+ and Tim Potter.</P
+><P
+>The conversion to DocBook for Samba 2.2 was done
+ by Gerald Carter</P
+></DIV
+></BODY
+></HTML
+> \ No newline at end of file
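Review bot: The new Synopsis block renders the command as nmblookup (`>nmblookup</B`) although this is the smbcacls page; the source should name smbcacls there. The same hunk changes the SID form from S-1-x-y-z to CWS-1-x-y-z in the two ACL FORMAT paragraphs (the -C and -G entries still say S-1-x-y-z), appends a stray "names" to the Name line, and drops a letter in "specified n the first argument"; these look like conversion slips rather than intended wording changes. The named anchors (minusA, minusU, ACLFORMAT and so on) are gone, so the synopsis options and the "ACL FORMAT" reference in OPTIONS are no longer links. The SEC_ACE_FLAG #define lines are now bullet items instead of a preformatted listing, and the file ends without a trailing newline.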
diff --git a/docs/htmldocs/smbpasswd.5.html b/docs/htmldocs/smbpasswd.5.html
index 2969022790..4ec7b7c86a 100644
--- a/docs/htmldocs/smbpasswd.5.html
+++ b/docs/htmldocs/smbpasswd.5.html
@@ -1,195 +1,326 @@
-
-
-
-
-
-
-<html><head><title>smbpasswd (5)</title>
-
-<link rev="made" href="mailto:samba@samba.org">
-</head>
-<body>
-
-<hr>
-
-<h1>smbpasswd (5)</h1>
-<h2>Samba</h2>
-<h2>23 Oct 1998</h2>
-
-
-
-<p><a name="NAME"></a>
-<h2>NAME</h2>
- smbpasswd - The Samba encrypted password file
-<p><a name="SYNOPSIS"></a>
-<h2>SYNOPSIS</h2>
-
-<p>smbpasswd is the <strong>Samba</strong> encrypted password file.
-<p><a name="DESCRIPTION"></a>
-<h2>DESCRIPTION</h2>
-
-<p>This file is part of the <strong>Samba</strong> suite.
-<p>smbpasswd is the <strong>Samba</strong> encrypted password file. It contains
-the username, Unix user id and the SMB hashed passwords of the
-user, as well as account flag information and the time the password
-was last changed. This file format has been evolving with Samba
-and has had several different formats in the past.
-<p><a name="FILEFORMAT"></a>
-<h2>FILE FORMAT</h2>
-
-<p>The format of the smbpasswd file used by Samba 2.0 is very similar to
-the familiar Unix <strong>passwd (5)</strong> file. It is an ASCII file containing
-one line for each user. Each field within each line is separated from
-the next by a colon. Any entry beginning with # is ignored. The
-smbpasswd file contains the following information for each user:
-<p><dl>
-<p><a name="name"></a>
-<p></p><dt><strong><strong>name</strong></strong><dd> <br> <br>
-<p>This is the user name. It must be a name that already exists
- in the standard UNIX passwd file.
-<p><a name="uid"></a>
-<p></p><dt><strong><strong>uid</strong></strong><dd> <br> <br>
-<p>This is the UNIX uid. It must match the uid field for the same
- user entry in the standard UNIX passwd file. If this does not
- match then Samba will refuse to recognize this <strong>smbpasswd</strong> file entry
- as being valid for a user.
-<p><a name="LanmanPasswordHash"></a>
-<p></p><dt><strong><strong>Lanman Password Hash</strong></strong><dd> <br> <br>
-<p>This is the <em>LANMAN</em> hash of the users password, encoded as 32 hex
- digits. The <em>LANMAN</em> hash is created by DES encrypting a well known
- string with the users password as the DES key. This is the same
- password used by Windows 95/98 machines. Note that this password hash
- is regarded as weak as it is vulnerable to dictionary attacks and if
- two users choose the same password this entry will be identical (i.e.
- the password is not <em>"salted"</em> as the UNIX password is). If the
- user has a null password this field will contain the characters
- <code>"NO PASSWORD"</code> as the start of the hex string. If the hex string
- is equal to 32 <code>'X'</code> characters then the users account is marked as
- <em>disabled</em> and the user will not be able to log onto the Samba
- server.
-<p><em>WARNING !!</em>. Note that, due to the challenge-response nature of the
- SMB/CIFS authentication protocol, anyone with a knowledge of this
- password hash will be able to impersonate the user on the network.
- For this reason these hashes are known as <em>"plain text equivalent"</em>
- and must <em>NOT</em> be made available to anyone but the root user. To
- protect these passwords the <strong>smbpasswd</strong> file is placed in a
- directory with read and traverse access only to the root user and the
- <strong>smbpasswd</strong> file itself must be set to be read/write only by root,
- with no other access.
-<p><a name="NTPasswordHash"></a>
-<p></p><dt><strong><strong>NT Password Hash</strong></strong><dd> <br> <br>
-<p>This is the <em>Windows NT</em> hash of the users password, encoded as 32
- hex digits. The <em>Windows NT</em> hash is created by taking the users
- password as represented in 16-bit, little-endian UNICODE and then
- applying the <em>MD4</em> (internet rfc1321) hashing algorithm to it.
-<p>This password hash is considered more secure than the <a href="smbpasswd.5.html#LanmanPasswordHash"><strong>Lanman
- Password Hash</strong></a> as it preserves the case of the
- password and uses a much higher quality hashing algorithm. However, it
- is still the case that if two users choose the same password this
- entry will be identical (i.e. the password is not <em>"salted"</em> as the
- UNIX password is).
-<p><em>WARNING !!</em>. Note that, due to the challenge-response nature of the
- SMB/CIFS authentication protocol, anyone with a knowledge of this
- password hash will be able to impersonate the user on the network.
- For this reason these hashes are known as <em>"plain text equivalent"</em>
- and must <em>NOT</em> be made available to anyone but the root user. To
- protect these passwords the <strong>smbpasswd</strong> file is placed in a
- directory with read and traverse access only to the root user and the
- <strong>smbpasswd</strong> file itself must be set to be read/write only by root,
- with no other access.
-<p><a name="AccountFlags"></a>
-<p></p><dt><strong><strong>Account Flags</strong></strong><dd> <br> <br>
-<p>This section contains flags that describe the attributes of the users
- account. In the <strong>Samba2.0</strong> release this field is bracketed by <code>'['</code>
- and <code>']'</code> characters and is always 13 characters in length (including
- the <code>'['</code> and <code>']'</code> characters). The contents of this field may be
- any of the characters.
-<p><dl>
-<p><a name="capU"></a>
- <li > <strong>'U'</strong> This means this is a <em>"User"</em> account, i.e. an ordinary
- user. Only <strong>User</strong> and <a href="smbpasswd.5.html#capW"><strong>Workstation Trust</strong></a> accounts are
- currently supported in the <strong>smbpasswd</strong> file.
-<p><a name="capN"></a>
- <li > <strong>'N'</strong> This means the account has <em>no</em> password (the passwords
- in the fields <a href="smbpasswd.5.html#LanmanPasswordHash"><strong>Lanman Password Hash</strong></a> and
- <a href="smbpasswd.5.html#NTPasswordHash"><strong>NT Password Hash</strong></a> are ignored). Note that this
- will only allow users to log on with no password if the
- <a href="smb.conf.5.html#nullpasswords"><strong>null passwords</strong></a> parameter is set
- in the <a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a> config file.
-<p><a name="capD"></a>
- <li > <strong>'D'</strong> This means the account is disabled and no SMB/CIFS logins
- will be allowed for this user.
-<p><a name="capW"></a>
- <li > <strong>'W'</strong> This means this account is a <em>"Workstation Trust"</em> account.
- This kind of account is used in the Samba PDC code stream to allow Windows
- NT Workstations and Servers to join a Domain hosted by a Samba PDC.
-<p></dl>
-<p>Other flags may be added as the code is extended in future. The rest of
- this field space is filled in with spaces.
-<p><a name="LastChangeTime"></a>
-<p></p><dt><strong><strong>Last Change Time</strong></strong><dd> <br> <br>
-<p>This field consists of the time the account was last modified. It consists of
- the characters <code>LCT-</code> (standing for <em>"Last Change Time"</em>) followed by a numeric
- encoding of the UNIX time in seconds since the epoch (1970) that the last change
- was made.
-<p><p></p><dt><strong><strong>Following fields</strong></strong><dd> <br> <br>
-<p>All other colon separated fields are ignored at this time.
-<p></dl>
-<p><a name="NOTES"></a>
-<h2>NOTES</h2>
-
-<p>In previous versions of Samba (notably the 1.9.18 series) this file
-did not contain the <a href="smbpasswd.5.html#AccountFlags"><strong>Account Flags</strong></a> or
-<a href="smbpasswd.5.html#LastChangeTime"><strong>Last Change Time</strong></a> fields. The Samba 2.0
-code will read and write these older password files but will not be able to
-modify the old entries to add the new fields. New entries added with
-<a href="smbpasswd.8.html"><strong>smbpasswd (8)</strong></a> will contain the new fields
-in the added accounts however. Thus an older <strong>smbpasswd</strong> file used
-with Samba 2.0 may end up with some accounts containing the new fields
-and some not.
-<p>In order to convert from an old-style <strong>smbpasswd</strong> file to a new
-style, run the script <strong>convert_smbpasswd</strong>, installed in the
-Samba <code>bin/</code> directory (the same place that the <a href="smbd.8.html"><strong>smbd</strong></a>
-and <a href="nmbd.8.html"><strong>nmbd</strong></a> binaries are installed) as follows:
-<p><pre>
-
-
- cat old_smbpasswd_file | convert_smbpasswd &gt; new_smbpasswd_file
-
-
-</pre>
-
-<p>The <strong>convert_smbpasswd</strong> script reads from stdin and writes to stdout
-so as not to overwrite any files by accident.
-<p>Once this script has been run, check the contents of the new smbpasswd
-file to ensure that it has not been damaged by the conversion script
-(which uses <strong>awk</strong>), and then replace the <code>&lt;old smbpasswd file&gt;</code>
-with the <code>&lt;new smbpasswd file&gt;</code>.
-<p><a name="VERSION"></a>
-<h2>VERSION</h2>
-
-<p>This man page is correct for version 2.0 of the Samba suite.
-<p><a name="SEEALSO"></a>
-<h2>SEE ALSO</h2>
-
-<p><a href="smbpasswd.8.html"><strong>smbpasswd (8)</strong></a>, <a href="samba.7.html"><strong>samba
-(7)</strong></a>, and the Internet RFC1321 for details on the MD4
-algorithm.
-<p><a name="AUTHOR"></a>
-<h2>AUTHOR</h2>
-
-<p>The original Samba software and related utilities were created by
-Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed
-by the Samba Team as an Open Source project similar to the way the
-Linux kernel is developed.
-<p>The original Samba man pages were written by Karl Auer. The man page
-sources were converted to YODL format (another excellent piece of Open
-Source software, available at
-<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>)
-and updated for the Samba2.0 release by Jeremy
-Allison, <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>.
-<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full
-list of contributors and details on how to submit bug reports,
-comments etc.
-</body>
-</html>
+<HTML
+><HEAD
+><TITLE
+>smbpasswd</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="SMBPASSWD"
+>smbpasswd</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN5"
+></A
+><H2
+>Name</H2
+>smbpasswd&nbsp;--&nbsp;The Samba encrypted password file</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Synopsis</H2
+><P
+><TT
+CLASS="FILENAME"
+>smbpasswd</TT
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN11"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>This tool is part of the <A
+HREF="samba.7.html"
+TARGET="_top"
+> Samba</A
+> suite.</P
+><P
+>smbpasswd is the Samba encrypted password file. It contains
+ the username, Unix user id and the SMB hashed passwords of the
+ user, as well as account flag information and the time the
+ password was last changed. This file format has been evolving with
+ Samba and has had several different formats in the past. </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN16"
+></A
+><H2
+>FILE FORMAT</H2
+><P
+>The format of the smbpasswd file used by Samba 2.2
+ is very similar to the familiar Unix <TT
+CLASS="FILENAME"
+>passwd(5)</TT
+>
+ file. It is an ASCII file containing one line for each user. Each field
+ ithin each line is separated from the next by a colon. Any entry
+ beginning with '#' is ignored. The smbpasswd file contains the
+ following information for each user: </P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>name</DT
+><DD
+><P
+> This is the user name. It must be a name that
+ already exists in the standard UNIX passwd file. </P
+></DD
+><DT
+>uid</DT
+><DD
+><P
+>This is the UNIX uid. It must match the uid
+ field for the same user entry in the standard UNIX passwd file.
+ If this does not match then Samba will refuse to recognize
+ this smbpasswd file entry as being valid for a user.
+ </P
+></DD
+><DT
+>Lanman Password Hash</DT
+><DD
+><P
+>This is the LANMAN hash of the users password,
+ encoded as 32 hex digits. The LANMAN hash is created by DES
+ encrypting a well known string with the users password as the
+ DES key. This is the same password used by Windows 95/98 machines.
+ Note that this password hash is regarded as weak as it is
+ vulnerable to dictionary attacks and if two users choose the
+ same password this entry will be identical (i.e. the password
+ is not "salted" as the UNIX password is). If the user has a
+ null password this field will contain the characters "NO PASSWORD"
+ as the start of the hex string. If the hex string is equal to
+ 32 'X' characters then the users account is marked as
+ <TT
+CLASS="CONSTANT"
+>disabled</TT
+> and the user will not be able to
+ log onto the Samba server. </P
+><P
+><I
+CLASS="EMPHASIS"
+>WARNING !!</I
+> Note that, due to
+ the challenge-response nature of the SMB/CIFS authentication
+ protocol, anyone with a knowledge of this password hash will
+ be able to impersonate the user on the network. For this
+ reason these hashes are known as <I
+CLASS="EMPHASIS"
+>plain text
+ equivalents</I
+> and must <I
+CLASS="EMPHASIS"
+>NOT</I
+> be made
+ available to anyone but the root user. To protect these passwords
+ the smbpasswd file is placed in a directory with read and
+ traverse access only to the root user and the smbpasswd file
+ itself must be set to be read/write only by root, with no
+ other access. </P
+></DD
+><DT
+>NT Password Hash</DT
+><DD
+><P
+>This is the Windows NT hash of the users
+ password, encoded as 32 hex digits. The Windows NT hash is
+ created by taking the users password as represented in
+ 16-bit, little-endian UNICODE and then applying the MD4
+ (internet rfc1321) hashing algorithm to it. </P
+><P
+>This password hash is considered more secure than
+ the Lanman Password Hash as it preserves the case of the
+ password and uses a much higher quality hashing algorithm.
+ However, it is still the case that if two users choose the same
+ password this entry will be identical (i.e. the password is
+ not "salted" as the UNIX password is). </P
+><P
+><I
+CLASS="EMPHASIS"
+>WARNING !!</I
+>. Note that, due to
+ the challenge-response nature of the SMB/CIFS authentication
+ protocol, anyone with a knowledge of this password hash will
+ be able to impersonate the user on the network. For this
+ reason these hashes are known as <I
+CLASS="EMPHASIS"
+>plain text
+ equivalents</I
+> and must <I
+CLASS="EMPHASIS"
+>NOT</I
+> be made
+ available to anyone but the root user. To protect these passwords
+ the smbpasswd file is placed in a directory with read and
+ traverse access only to the root user and the smbpasswd file
+ itself must be set to be read/write only by root, with no
+ other access. </P
+></DD
+><DT
+>Account Flags</DT
+><DD
+><P
+>This section contains flags that describe
+ the attributes of the users account. In the Samba 2.2 release
+ this field is bracketed by '[' and ']' characters and is always
+ 13 characters in length (including the '[' and ']' characters).
+ The contents of this field may be any of the characters.
+ </P
+><P
+></P
+><UL
+><LI
+><P
+><I
+CLASS="EMPHASIS"
+>U</I
+> - This means
+ this is a "User" account, i.e. an ordinary user. Only User
+ and Workstation Trust accounts are currently supported
+ in the smbpasswd file. </P
+></LI
+><LI
+><P
+><I
+CLASS="EMPHASIS"
+>N</I
+> - This means the
+ account has no password (the passwords in the fields Lanman
+ Password Hash and NT Password Hash are ignored). Note that this
+ will only allow users to log on with no password if the <TT
+CLASS="PARAMETER"
+><I
+> null passwords</I
+></TT
+> parameter is set in the <A
+HREF="smb.conf.5.html#NULLPASSWORDS"
+TARGET="_top"
+><TT
+CLASS="FILENAME"
+>smb.conf(5)
+ </TT
+></A
+> config file. </P
+></LI
+><LI
+><P
+><I
+CLASS="EMPHASIS"
+>D</I
+> - This means the account
+ is disabled and no SMB/CIFS logins will be allowed for
+ this user. </P
+></LI
+><LI
+><P
+><I
+CLASS="EMPHASIS"
+>W</I
+> - This means this account
+ is a "Workstation Trust" account. This kind of account is used
+ in the Samba PDC code stream to allow Windows NT Workstations
+ and Servers to join a Domain hosted by a Samba PDC. </P
+></LI
+></UL
+><P
+>Other flags may be added as the code is extended in future.
+ The rest of this field space is filled in with spaces. </P
+></DD
+><DT
+>Last Change Time</DT
+><DD
+><P
+>This field consists of the time the account was
+ last modified. It consists of the characters 'LCT-' (standing for
+ "Last Change Time") followed by a numeric encoding of the UNIX time
+ in seconds since the epoch (1970) that the last change was made.
+ </P
+></DD
+></DL
+></DIV
+><P
+>All other colon separated fields are ignored at this time.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN73"
+></A
+><H2
+>VERSION</H2
+><P
+>This man page is correct for version 2.2 of
+ the Samba suite.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN76"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><A
+HREF="smbpasswd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbpasswd(8)</B
+></A
+>,
+ <A
+HREF="samba.7.html"
+TARGET="_top"
+>samba(7)</A
+>, and
+ the Internet RFC1321 for details on the MD4 algorithm.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN82"
+></A
+><H2
+>AUTHOR</H2
+><P
+>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</P
+><P
+>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <A
+HREF="ftp://ftp.icce.rug.nl/pub/unix/"
+TARGET="_top"
+> ftp://ftp.icce.rug.nl/pub/unix/</A
+>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</P
+></DIV
+></BODY
+></HTML
+> \ No newline at end of file
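Review bot: In the Account Flags entry, the sentence "The contents of this field may be any of the characters." stops before it introduces the list, so the U/N/D/W items that follow are not tied to it; it should read "may be any of the following characters:". The same entry states that the field is always 13 characters including the brackets, but the remark that unused positions are filled with spaces only appears after the list; moving it next to the length statement would make the fixed-width layout clear to anyone parsing the file. In the paragraph on the password hashes, the directory requirement is phrased descriptively ("is placed in a directory with read and traverse access only to the root user") while the file requirement is normative ("must be set to be read/write only by root"); since the hashes are called plain text equivalents, both should be stated as requirements. Minor: "users account" needs an apostrophe, the AUTHOR paragraph ends at "Gerald Carter" without a full stop, and the file ends without a trailing newline. As the AUTHOR text says the man pages were converted to DocBook, the wording fixes belong in the DocBook source, with this HTML regenerated from it.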
diff --git a/docs/htmldocs/smbpasswd.8.html b/docs/htmldocs/smbpasswd.8.html
index a0f4577b08..8fb2c580e7 100644
--- a/docs/htmldocs/smbpasswd.8.html
+++ b/docs/htmldocs/smbpasswd.8.html
@@ -1,281 +1,636 @@
-
-
-
-
-
-
-<html><head><title>smbpasswd (8)</title>
-
-<link rev="made" href="mailto:samba@samba.org">
-</head>
-<body>
-
-<hr>
-
-<h1>smbpasswd (8)</h1>
-<h2>Samba</h2>
-<h2>23 Oct 1998</h2>
-
-
-
-<p><a name="NAME"></a>
-<h2>NAME</h2>
- smbpasswd - change a users SMB password
-<p><a name="SYNOPSIS"></a>
-<h2>SYNOPSIS</h2>
-
-<p><strong>smbpasswd</strong> [<a href="smbpasswd.8.html#minusa">-a</a>] [<a href="smbpasswd.8.html#minusx">-x</a>] [<a href="smbpasswd.8.html#minusd">-d</a>] [<a href="smbpasswd.8.html#minuse">-e</a>] [<a href="smbpasswd.8.html#minusD">-D debug level</a>] [<a href="smbpasswd.8.html#minusn">-n</a>] [<a href="smbpasswd.8.html#minusr">-r remote_machine</a>] [<a href="smbpasswd.8.html#minusR">-R name resolve order</a>] [<a href="smbpasswd.8.html#minusm">-m</a>] [<a href="smbpasswd.8.html#minusj">-j DOMAIN</a>] [<a href="smbpasswd.8.html#minusU">-U username</a>] [<a href="smbpasswd.8.html#minush">-h</a>] [<a href="smbpasswd.8.html#minuss">-s</a>] <a href="smbpasswd.8.html#username">username</a>
-<p><a name="DESCRIPTION"></a>
-<h2>DESCRIPTION</h2>
-
-<p>This program is part of the <strong>Samba</strong> suite.
-<p>The <strong>smbpasswd</strong> program has several different functions, depending
-on whether it is run by the <em>root</em> user or not. When run as a normal
-user it allows the user to change the password used for their SMB
-sessions on any machines that store SMB passwords.
-<p>By default (when run with no arguments) it will attempt to change the
-current users SMB password on the local machine. This is similar to
-the way the <strong>passwd (1)</strong> program works. <strong>smbpasswd</strong> differs from how
-the <strong>passwd</strong> program works however in that it is not <em>setuid root</em>
-but works in a client-server mode and communicates with a locally
-running <a href="smbd.8.html"><strong>smbd</strong></a>. As a consequence in order for this
-to succeed the <a href="smbd.8.html"><strong>smbd</strong></a> daemon must be running on
-the local machine. On a UNIX machine the encrypted SMB passwords are
-usually stored in the <a href="smbpasswd.5.html"><strong>smbpasswd (5)</strong></a> file.
-<p>When run by an ordinary user with no options. <strong>smbpasswd</strong> will
-prompt them for their old smb password and then ask them for their new
-password twice, to ensure that the new password was typed
-correctly. No passwords will be echoed on the screen whilst being
-typed. If you have a blank smb password (specified by the string "NO
-PASSWORD" in the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file) then just
-press the &lt;Enter&gt; key when asked for your old password.
-<p><strong>smbpasswd</strong> can also be used by a normal user to change their SMB
-password on remote machines, such as Windows NT Primary Domain
-Controllers. See the <a href="smbpasswd.8.html#minusr">(<strong>-r</strong>)</a> and
-<a href="smbpasswd.8.html#minusU"><strong>-U</strong></a> options below.
-<p>When run by root, <strong>smbpasswd</strong> allows new users to be added and
-deleted in the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file, as well as
-allows changes to the attributes of the user in this file to be made. When
-run by root, <strong>smbpasswd</strong> accesses the local
-<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file directly, thus enabling
-changes to be made even if <a href="smbd.8.html"><strong>smbd</strong></a> is not running.
-<p><a name="OPTIONS"></a>
-<h2>OPTIONS</h2>
-
-<p><dl>
-<p><a name="minusa"></a>
-<p></p><dt><strong><strong>-a</strong></strong><dd> This option specifies that the username following should
-be added to the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file, with
-the new password typed (type &lt;Enter&gt; for the old password). This
-option is ignored if the username following already exists in the
-<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file and it is treated like a
-regular change password command. Note that the user to be added
-<strong>must</strong> already exist in the system password file (usually /etc/passwd)
-else the request to add the user will fail.
-<p>This option is only available when running <strong>smbpasswd</strong> as
-root.
-<p><a name="minusx"></a>
-<p></p><dt><strong><strong>-x</strong></strong><dd> This option specifies that the username following should
-be deleted from the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file.
-<p>This option is only available when running <strong>smbpasswd</strong> as
-root.
-<p><a name="minusd"></a>
-<p></p><dt><strong><strong>-d</strong></strong><dd> This option specifies that the username following should be
-<em>disabled</em> in the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file.
-This is done by writing a <em>'D'</em> flag into the account control space
-in the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. Once this is done
-all attempts to authenticate via SMB using this username will fail.
-<p>If the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file is in the 'old'
-format (pre-Samba 2.0 format) there is no space in the users password
-entry to write this information and so the user is disabled by writing
-'X' characters into the password space in the
-<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. See <a href="smbpasswd.5.html"><strong>smbpasswd
-(5)</strong></a> for details on the 'old' and new password file
-formats.
-<p>This option is only available when running <strong>smbpasswd</strong> as root.
-<p><a name="minuse"></a>
-<p></p><dt><strong><strong>-e</strong></strong><dd> This option specifies that the username following should be
-<em>enabled</em> in the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file,
-if the account was previously disabled. If the account was not
-disabled this option has no effect. Once the account is enabled
-then the user will be able to authenticate via SMB once again.
-<p>If the smbpasswd file is in the 'old' format then <strong>smbpasswd</strong> will
-prompt for a new password for this user, otherwise the account will be
-enabled by removing the <em>'D'</em> flag from account control space in the
-<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. See <a href="smbpasswd.5.html"><strong>smbpasswd
-(5)</strong></a> for details on the 'old' and new password file
-formats.
-<p>This option is only available when running <strong>smbpasswd</strong> as root.
-<p><a name="minusD"></a>
-<p></p><dt><strong><strong>-D debuglevel</strong></strong><dd> debuglevel is an integer from 0
-to 10. The default value if this parameter is not specified is zero.
-<p>The higher this value, the more detail will be logged to the log files
-about the activities of smbpasswd. At level 0, only critical errors
-and serious warnings will be logged.
-<p>Levels above 1 will generate considerable amounts of log data, and
-should only be used when investigating a problem. Levels above 3 are
-designed for use only by developers and generate HUGE amounts of log
-data, most of which is extremely cryptic.
-<p><a name="minusn"></a>
-<p></p><dt><strong><strong>-n</strong></strong><dd> This option specifies that the username following should
-have their password set to null (i.e. a blank password) in the local
-<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. This is done by writing the
-string "NO PASSWORD" as the first part of the first password stored in
-the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file.
-<p>Note that to allow users to logon to a Samba server once the password
-has been set to "NO PASSWORD" in the
-<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file the administrator must set
-the following parameter in the [global] section of the
-<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file :
-<p><a href="smb.conf.5.html#nullpasswords">null passwords = true</a>
-<p>This option is only available when running <strong>smbpasswd</strong> as root.
-<p><a name="minusr"></a>
-<p></p><dt><strong><strong>-r remote machine name</strong></strong><dd> This option allows a
-user to specify what machine they wish to change their password
-on. Without this parameter <strong>smbpasswd</strong> defaults to the local
-host. The <em>"remote machine name"</em> is the NetBIOS name of the
-SMB/CIFS server to contact to attempt the password change. This name
-is resolved into an IP address using the standard name resolution
-mechanism in all programs of the <a href="samba.7.html"><strong>Samba</strong></a>
-suite. See the <a href="smbpasswd.8.html#minusR"><strong>-R name resolve order</strong></a> parameter for details on changing this resolving
-mechanism.
-<p>The username whose password is changed is that of the current UNIX
-logged on user. See the <a href="smbpasswd.8.html#minusU"><strong>-U username</strong></a>
-parameter for details on changing the password for a different
-username.
-<p>Note that if changing a Windows NT Domain password the remote machine
-specified must be the Primary Domain Controller for the domain (Backup
-Domain Controllers only have a read-only copy of the user account
-database and will not allow the password change).
-<p><em>Note</em> that Windows 95/98 do not have a real password database
-so it is not possible to change passwords specifying a Win95/98
-machine as remote machine target.
-<p><a name="minusR"></a>
-<p></p><dt><strong><strong>-R name resolve order</strong></strong><dd> This option allows the user of
-smbclient to determine what name resolution services to use when
-looking up the NetBIOS name of the host being connected to.
-<p>The options are :<a href="smbpasswd.8.html#lmhosts">"lmhosts"</a>, <a href="smbpasswd.8.html#host">"host"</a>,
-<a href="smbpasswd.8.html#wins">"wins"</a> and <a href="smbpasswd.8.html#bcast">"bcast"</a>. They cause names to be
-resolved as follows :
-<p><dl>
-<p><a name="lmhosts"></a>
-<li > <strong>lmhosts</strong> : Lookup an IP address in the Samba lmhosts file.
-<p><a name="host"></a>
-<li > <strong>host</strong> : Do a standard host name to IP address resolution,
-using the system /etc/hosts, NIS, or DNS lookups. This method of name
-resolution is operating system dependent. For instance on IRIX or
-Solaris, this may be controlled by the <em>/etc/nsswitch.conf</em> file).
-<p><a name="wins"></a>
-<li > <strong>wins</strong> : Query a name with the IP address listed in the
-<a href="smb.conf.5.html#winsserver"><strong>wins server</strong></a> parameter in the
-<a href="smb.conf.5.html"><strong>smb.conf file</strong></a>. If
-no WINS server has been specified this method will be ignored.
-<p><a name="bcast"></a>
-<li > <strong>bcast</strong> : Do a broadcast on each of the known local interfaces
-listed in the <a href="smb.conf.5.html#interfaces"><strong>interfaces</strong></a> parameter
-in the smb.conf file. This is the least reliable of the name resolution
-methods as it depends on the target host being on a locally connected
-subnet.
-<p></dl>
-<p>If this parameter is not set then the name resolve order defined
-in the <a href="smb.conf.5.html"><strong>smb.conf</strong></a> file parameter
-<a href="smb.conf.5.html#nameresolveorder"><strong>name resolve order</strong></a>
-will be used.
-<p>The default order is lmhosts, host, wins, bcast and without this
-parameter or any entry in the <a href="smb.conf.5.html"><strong>smb.conf</strong></a>
-file the name resolution methods will be attempted in this order.
-<p><a name="minusm"></a>
-<p></p><dt><strong><strong>-m</strong></strong><dd> This option tells <strong>smbpasswd</strong> that the account being
-changed is a <em>MACHINE</em> account. Currently this is used when Samba is
-being used as an NT Primary Domain Controller. PDC support is not a
-supported feature in Samba2.0 but will become supported in a later
-release. If you wish to know more about using Samba as an NT PDC then
-please subscribe to the mailing list
-<a href="mailto:samba-ntdom@samba.org"><em>samba-ntdom@samba.org</em></a>.
-<p>This option is only available when running <strong>smbpasswd</strong> as root.
-<p><a name="minusj"></a>
-<p></p><dt><strong><strong>-j DOMAIN</strong></strong><dd> This option is used to add a Samba server into a
-Windows NT Domain, as a Domain member capable of authenticating user
-accounts to any Domain Controller in the same way as a Windows NT
-Server. See the <a href="smb.conf.5.html#security"><strong>security=domain</strong></a>
-option in the <a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a> man page.
-<p>In order to be used in this way, the Administrator for the Windows
-NT Domain must have used the program <em>"Server Manager for Domains"</em>
-to add the <a href="smb.conf.5.html#netbiosname">primary NetBIOS name</a> of
-the Samba server as a member of the Domain.
-<p>After this has been done, to join the Domain invoke <strong>smbpasswd</strong> with
-this parameter. <strong>smbpasswd</strong> will then look up the Primary Domain
-Controller for the Domain (found in the
-<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file in the parameter
-<a href="smb.conf.5.html#passwordserver"><strong>password server</strong></a> and change
-the machine account password used to create the secure Domain
-communication. This password is then stored by <strong>smbpasswd</strong> in a
-file, read only by root, called <code>&lt;Domain&gt;.&lt;Machine&gt;.mac</code> where
-<code>&lt;Domain&gt;</code> is the name of the Domain we are joining and <code>&lt;Machine&gt;</code>
-is the primary NetBIOS name of the machine we are running on.
-<p>Once this operation has been performed the
-<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file may be updated to set the
-<a href="smb.conf.5.html#security"><strong>security=domain</strong></a> option and all
-future logins to the Samba server will be authenticated to the Windows
-NT PDC.
-<p>Note that even though the authentication is being done to the PDC all
-users accessing the Samba server must still have a valid UNIX account
-on that machine.
-<p>This option is only available when running <strong>smbpasswd</strong> as root.
-<p><a name="minusU"></a>
-<p></p><dt><strong><strong>-U username</strong></strong><dd> This option may only be used in
-conjunction with the <a href="smbpasswd.8.html#minusr"><strong>-r</strong></a>
-option. When changing a password on a remote machine it allows the
-user to specify the user name on that machine whose password will be
-changed. It is present to allow users who have different user names on
-different systems to change these passwords.
-<p><a name="minush"></a>
-<p></p><dt><strong><strong>-h</strong></strong><dd> This option prints the help string for <strong>smbpasswd</strong>,
-selecting the correct one for running as root or as an ordinary user.
-<p><a name="minuss"></a>
-<p></p><dt><strong><strong>-s</strong></strong><dd> This option causes <strong>smbpasswd</strong> to be silent (i.e. not
-issue prompts) and to read it's old and new passwords from standard
-input, rather than from <code>/dev/tty</code> (like the <strong>passwd (1)</strong> program
-does). This option is to aid people writing scripts to drive <strong>smbpasswd</strong>
-<p><a name="username"></a>
-<p></p><dt><strong><strong>username</strong></strong><dd> This specifies the username for all of the <em>root
-only</em> options to operate on. Only root can specify this parameter as
-only root has the permission needed to modify attributes directly
-in the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file.
-<p><a name="NOTES"></a>
-<h2>NOTES</h2>
-
-<p>Since <strong>smbpasswd</strong> works in client-server mode communicating with a
-local <a href="smbd.8.html"><strong>smbd</strong></a> for a non-root user then the <strong>smbd</strong>
-daemon must be running for this to work. A common problem is to add a
-restriction to the hosts that may access the <strong>smbd</strong> running on the
-local machine by specifying a <a href="smb.conf.5.html#allowhosts"><strong>"allow
-hosts"</strong></a> or <a href="smb.conf.5.html#denyhosts"><strong>"deny
-hosts"</strong></a> entry in the
-<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file and neglecting to allow
-<em>"localhost"</em> access to the <strong>smbd</strong>.
-<p>In addition, the <strong>smbpasswd</strong> command is only useful if <strong>Samba</strong> has
-been set up to use encrypted passwords. See the file <strong>ENCRYPTION.txt</strong>
-in the docs directory for details on how to do this.
-<p><a name="VERSION"></a>
-<h2>VERSION</h2>
-
-<p>This man page is correct for version 2.0 of the Samba suite.
-<p><a name="AUTHOR"></a>
-<h2>AUTHOR</h2>
-
-<p>The original Samba software and related utilities were created by
-Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed
-by the Samba Team as an Open Source project similar to the way the
-Linux kernel is developed.
-<p>The original Samba man pages were written by Karl Auer. The man page
-sources were converted to YODL format (another excellent piece of Open
-Source software, available at
-<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>)
-and updated for the Samba2.0 release by Jeremy Allison.
-<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>.
-<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full
-list of contributors and details on how to submit bug reports,
-comments etc.
-</body>
-</html>
+<HTML
+><HEAD
+><TITLE
+>smbpasswd</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="SMBPASSWD"
+>smbpasswd</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN5"
+></A
+><H2
+>Name</H2
+>smbpasswd&nbsp;--&nbsp;change a users SMB password</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>smbpasswd</B
+> [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r &lt;remote machine&gt;] [-R &lt;name resolve order&gt;] [-m] [-j DOMAIN] [-U username] [-h] [-s] [username]</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN25"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>This tool is part of the <A
+HREF="samba.7.html"
+TARGET="_top"
+> Samba</A
+> suite.</P
+><P
+>The smbpasswd program has several different
+ functions, depending on whether it is run by the <I
+CLASS="EMPHASIS"
+>root</I
+>
+ user or not. When run as a normal user it allows the user to change
+ the password used for their SMB sessions on any machines that store
+ SMB passwords. </P
+><P
+>By default (when run with no arguments) it will attempt to
+ change the current users SMB password on the local machine. This is
+ similar to the way the <B
+CLASS="COMMAND"
+>passwd(1)</B
+> program works.
+ <B
+CLASS="COMMAND"
+>smbpasswd</B
+> differs from how the passwd program works
+ however in that it is not <I
+CLASS="EMPHASIS"
+>setuid root</I
+> but works in
+ a client-server mode and communicates with a locally running
+ <B
+CLASS="COMMAND"
+>smbd(8)</B
+>. As a consequence in order for this to
+ succeed the smbd daemon must be running on the local machine. On a
+ UNIX machine the encrypted SMB passwords are usually stored in
+ the <TT
+CLASS="FILENAME"
+>smbpasswd(5)</TT
+> file. </P
+><P
+>When run by an ordinary user with no options. smbpasswd
+ will prompt them for their old smb password and then ask them
+ for their new password twice, to ensure that the new password
+ was typed correctly. No passwords will be echoed on the screen
+ whilst being typed. If you have a blank smb password (specified by
+ the string "NO PASSWORD" in the smbpasswd file) then just press
+ the &lt;Enter&gt; key when asked for your old password. </P
+><P
+>smbpasswd can also be used by a normal user to change their
+ SMB password on remote machines, such as Windows NT Primary Domain
+ Controllers. See the (-r) and -U options below. </P
+><P
+>When run by root, smbpasswd allows new users to be added
+ and deleted in the smbpasswd file, as well as allows changes to
+ the attributes of the user in this file to be made. When run by root,
+ <B
+CLASS="COMMAND"
+>smbpasswd</B
+> accesses the local smbpasswd file
+ directly, thus enabling changes to be made even if smbd is not
+ running. </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN41"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-a</DT
+><DD
+><P
+>This option specifies that the username
+ following should be added to the local smbpasswd file, with the
+ new password typed (type &lt;Enter&gt; for the old password). This
+ option is ignored if the username following already exists in
+ the smbpasswd file and it is treated like a regular change
+ password command. Note that the user to be added must already exist
+ in the system password file (usually <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+>)
+ else the request to add the user will fail. </P
+><P
+>This option is only available when running smbpasswd
+ as root. </P
+></DD
+><DT
+>-x</DT
+><DD
+><P
+>This option specifies that the username
+ following should be deleted from the local smbpasswd file.
+ </P
+><P
+>This option is only available when running smbpasswd as
+ root.</P
+></DD
+><DT
+>-d</DT
+><DD
+><P
+>This option specifies that the username following
+ should be <TT
+CLASS="CONSTANT"
+>disabled</TT
+> in the local smbpasswd
+ file. This is done by writing a <TT
+CLASS="CONSTANT"
+>'D'</TT
+> flag
+ into the account control space in the smbpasswd file. Once this
+ is done all attempts to authenticate via SMB using this username
+ will fail. </P
+><P
+>If the smbpasswd file is in the 'old' format (pre-Samba 2.0
+ format) there is no space in the users password entry to write
+ this information and so the user is disabled by writing 'X' characters
+ into the password space in the smbpasswd file. See <B
+CLASS="COMMAND"
+>smbpasswd(5)
+ </B
+> for details on the 'old' and new password file formats.
+ </P
+><P
+>This option is only available when running smbpasswd as
+ root.</P
+></DD
+><DT
+>-e</DT
+><DD
+><P
+>This option specifies that the username following
+ should be <TT
+CLASS="CONSTANT"
+>enabled</TT
+> in the local smbpasswd file,
+ if the account was previously disabled. If the account was not
+ disabled this option has no effect. Once the account is enabled then
+ the user will be able to authenticate via SMB once again. </P
+><P
+>If the smbpasswd file is in the 'old' format, then <B
+CLASS="COMMAND"
+> smbpasswd</B
+> will prompt for a new password for this user,
+ otherwise the account will be enabled by removing the <TT
+CLASS="CONSTANT"
+>'D'
+ </TT
+> flag from account control space in the <TT
+CLASS="FILENAME"
+> smbpasswd</TT
+> file. See <B
+CLASS="COMMAND"
+>smbpasswd (5)</B
+> for
+ details on the 'old' and new password file formats. </P
+><P
+>This option is only available when running smbpasswd as root.
+ </P
+></DD
+><DT
+>-D debuglevel</DT
+><DD
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>debuglevel</I
+></TT
+> is an integer
+ from 0 to 10. The default value if this parameter is not specified
+ is zero. </P
+><P
+>The higher this value, the more detail will be logged to the
+ log files about the activities of smbpasswd. At level 0, only
+ critical errors and serious warnings will be logged. </P
+><P
+>Levels above 1 will generate considerable amounts of log
+ data, and should only be used when investigating a problem. Levels
+ above 3 are designed for use only by developers and generate
+ HUGE amounts of log data, most of which is extremely cryptic.
+ </P
+></DD
+><DT
+>-n</DT
+><DD
+><P
+>This option specifies that the username following
+ should have their password set to null (i.e. a blank password) in
+ the local smbpasswd file. This is done by writing the string "NO
+ PASSWORD" as the first part of the first password stored in the
+ smbpasswd file. </P
+><P
+>Note that to allow users to logon to a Samba server once
+ the password has been set to "NO PASSWORD" in the smbpasswd
+ file the administrator must set the following parameter in the [global]
+ section of the <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file : </P
+><P
+><B
+CLASS="COMMAND"
+>null passwords = yes</B
+></P
+><P
+>This option is only available when running smbpasswd as
+ root.</P
+></DD
+><DT
+>-r remote machine name</DT
+><DD
+><P
+>This option allows a user to specify what machine
+ they wish to change their password on. Without this parameter
+ smbpasswd defaults to the local host. The <TT
+CLASS="REPLACEABLE"
+><I
+>remote
+ machine name</I
+></TT
+> is the NetBIOS name of the SMB/CIFS
+ server to contact to attempt the password change. This name is
+ resolved into an IP address using the standard name resolution
+ mechanism in all programs of the Samba suite. See the <TT
+CLASS="PARAMETER"
+><I
+>-R
+ name resolve order</I
+></TT
+> parameter for details on changing
+ this resolving mechanism. </P
+><P
+>The username whose password is changed is that of the
+ current UNIX logged on user. See the <TT
+CLASS="PARAMETER"
+><I
+>-U username</I
+></TT
+>
+ parameter for details on changing the password for a different
+ username. </P
+><P
+>Note that if changing a Windows NT Domain password the
+ remote machine specified must be the Primary Domain Controller for
+ the domain (Backup Domain Controllers only have a read-only
+ copy of the user account database and will not allow the password
+ change).</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that Windows 95/98 do not have
+ a real password database so it is not possible to change passwords
+ specifying a Win95/98 machine as remote machine target. </P
+></DD
+><DT
+>-R name resolve order</DT
+><DD
+><P
+>This option allows the user of smbclient to determine
+ what name resolution services to use when looking up the NetBIOS
+ name of the host being connected to. </P
+><P
+>The options are :"lmhosts", "host", "wins" and "bcast". They cause
+ names to be resolved as follows : </P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>lmhosts</TT
+> : Lookup an IP
+ address in the Samba lmhosts file. If the line in lmhosts has
+ no name type attached to the NetBIOS name (see the <A
+HREF="lmhosts.5.html"
+TARGET="_top"
+>lmhosts(5)</A
+> for details) then
+ any name type matches for lookup.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>host</TT
+> : Do a standard host
+ name to IP address resolution, using the system <TT
+CLASS="FILENAME"
+>/etc/hosts
+ </TT
+>, NIS, or DNS lookups. This method of name resolution
+ is operating system depended for instance on IRIX or Solaris this
+ may be controlled by the <TT
+CLASS="FILENAME"
+>/etc/nsswitch.conf</TT
+>
+ file). Note that this method is only used if the NetBIOS name
+ type being queried is the 0x20 (server) name type, otherwise
+ it is ignored.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>wins</TT
+> : Query a name with
+ the IP address listed in the <TT
+CLASS="PARAMETER"
+><I
+>wins server</I
+></TT
+>
+ parameter. If no WINS server has been specified this method
+ will be ignored.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>bcast</TT
+> : Do a broadcast on
+ each of the known local interfaces listed in the
+ <TT
+CLASS="PARAMETER"
+><I
+>interfaces</I
+></TT
+> parameter. This is the least
+ reliable of the name resolution methods as it depends on the
+ target host being on a locally connected subnet.</P
+></LI
+></UL
+><P
+>The default order is <B
+CLASS="COMMAND"
+>lmhosts, host, wins, bcast</B
+>
+ and without this parameter or any entry in the
+ <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file the name resolution methods will
+ be attempted in this order. </P
+></DD
+><DT
+>-m</DT
+><DD
+><P
+>This option tells smbpasswd that the account
+ being changed is a MACHINE account. Currently this is used
+ when Samba is being used as an NT Primary Domain Controller.</P
+><P
+>This option is only available when running smbpasswd as root.
+ </P
+></DD
+><DT
+>-j DOMAIN</DT
+><DD
+><P
+>This option is used to add a Samba server
+ into a Windows NT Domain, as a Domain member capable of authenticating
+ user accounts to any Domain Controller in the same way as a Windows
+ NT Server. See the <B
+CLASS="COMMAND"
+>security = domain</B
+> option in
+ the <TT
+CLASS="FILENAME"
+>smb.conf(5)</TT
+> man page. </P
+><P
+>In order to be used in this way, the Administrator for
+ the Windows NT Domain must have used the program "Server Manager
+ for Domains" to add the primary NetBIOS name of the Samba server
+ as a member of the Domain. </P
+><P
+>After this has been done, to join the Domain invoke <B
+CLASS="COMMAND"
+> smbpasswd</B
+> with this parameter. smbpasswd will then
+ look up the Primary Domain Controller for the Domain (found in
+ the <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file in the parameter
+ <TT
+CLASS="PARAMETER"
+><I
+>password server</I
+></TT
+> and change the machine account
+ password used to create the secure Domain communication. This
+ password is then stored by smbpasswd in a TDB, writeable only by root,
+ called <TT
+CLASS="FILENAME"
+>secrets.tdb</TT
+> </P
+><P
+>Once this operation has been performed the <TT
+CLASS="FILENAME"
+> smb.conf</TT
+> file may be updated to set the <B
+CLASS="COMMAND"
+> security = domain</B
+> option and all future logins
+ to the Samba server will be authenticated to the Windows NT
+ PDC. </P
+><P
+>Note that even though the authentication is being
+ done to the PDC all users accessing the Samba server must still
+ have a valid UNIX account on that machine. </P
+><P
+>This option is only available when running smbpasswd as root.
+ </P
+></DD
+><DT
+>-U username</DT
+><DD
+><P
+>This option may only be used in conjunction
+ with the <TT
+CLASS="PARAMETER"
+><I
+>-r</I
+></TT
+> option. When changing
+ a password on a remote machine it allows the user to specify
+ the user name on that machine whose password will be changed. It
+ is present to allow users who have different user names on
+ different systems to change these passwords. </P
+></DD
+><DT
+>-h</DT
+><DD
+><P
+>This option prints the help string for <B
+CLASS="COMMAND"
+> smbpasswd</B
+>, selecting the correct one for running as root
+ or as an ordinary user. </P
+></DD
+><DT
+>-s</DT
+><DD
+><P
+>This option causes smbpasswd to be silent (i.e.
+ not issue prompts) and to read it's old and new passwords from
+ standard input, rather than from <TT
+CLASS="FILENAME"
+>/dev/tty</TT
+>
+ (like the <B
+CLASS="COMMAND"
+>passwd(1)</B
+> program does). This option
+ is to aid people writing scripts to drive smbpasswd</P
+></DD
+><DT
+>username</DT
+><DD
+><P
+>This specifies the username for all of the
+ <I
+CLASS="EMPHASIS"
+>root only</I
+> options to operate on. Only root
+ can specify this parameter as only root has the permission needed
+ to modify attributes directly in the local smbpasswd file.
+ </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN171"
+></A
+><H2
+>NOTES</H2
+><P
+>Since <B
+CLASS="COMMAND"
+>smbpasswd</B
+> works in client-server
+ mode communicating with a local smbd for a non-root user then
+ the smbd daemon must be running for this to work. A common problem
+ is to add a restriction to the hosts that may access the <B
+CLASS="COMMAND"
+> smbd</B
+> running on the local machine by specifying a
+ <TT
+CLASS="PARAMETER"
+><I
+>allow hosts</I
+></TT
+> or <TT
+CLASS="PARAMETER"
+><I
+>deny hosts</I
+></TT
+>
+ entry in the <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file and neglecting to
+ allow "localhost" access to the smbd. </P
+><P
+>In addition, the smbpasswd command is only useful if Samba
+ has been set up to use encrypted passwords. See the file
+ <TT
+CLASS="FILENAME"
+>ENCRYPTION.txt</TT
+> in the docs directory for details
+ on how to do this. </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN181"
+></A
+><H2
+>VERSION</H2
+><P
+>This man page is correct for version 2.2 of
+ the Samba suite.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN184"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><A
+HREF="smbpasswd.5.html"
+TARGET="_top"
+><TT
+CLASS="FILENAME"
+>smbpasswd(5)</TT
+></A
+>,
+ <A
+HREF="samba.7.html"
+TARGET="_top"
+>samba(7)</A
+>
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN190"
+></A
+><H2
+>AUTHOR</H2
+><P
+>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</P
+><P
+>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <A
+HREF="ftp://ftp.icce.rug.nl/pub/unix/"
+TARGET="_top"
+> ftp://ftp.icce.rug.nl/pub/unix/</A
+>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</P
+></DIV
+></BODY
+></HTML
+> \ No newline at end of file
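Review bot: In the domain-join text, the parenthesis opened at "(found in the smb.conf file in the parameter password server" is never closed, so the sentence reads as if the machine account password change were part of the aside. Close it after the password server parameter, and end the following sentence with a full stop after secrets.tdb. In the -s entry, "read it's old and new passwords" should be "its", and the closing sentence ("to aid people writing scripts to drive smbpasswd") has no final period. The same goes for "done by Gerald Carter" in AUTHOR. Because -s is documented as the scripting interface, the entry should also state the order and line format in which the old and new passwords are expected on standard input; the text only says they are read from there instead of /dev/tty. Finally, the new file ends without a trailing newline.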