Diffstat (limited to 'docs/manpages/smbpasswd.8')
-rw-r--r-- | docs/manpages/smbpasswd.8 | 607 |
1 files changed, 300 insertions, 307 deletions
diff --git a/docs/manpages/smbpasswd.8 b/docs/manpages/smbpasswd.8 index be70fad031..3c134913a9 100644 --- a/docs/manpages/smbpasswd.8 +++ b/docs/manpages/smbpasswd.8 
@@ -1,308 +1,301 @@ -.TH "smbpasswd " "8" "23 Oct 1998" "Samba" "SAMBA" -.PP -.SH "NAME" +.\" This manpage has been automatically generated by docbook2man-spec +.\" from a DocBook document. docbook2man-spec can be found at: +.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/> +.\" Please send any bug reports, improvements, comments, patches, +.\" etc. to Steve Cheng <steve@ggi-project.org>. +.TH "SMBPASSWD" "8" "22 February 2001" "" "" +.SH NAME smbpasswd \- change a users SMB password -.PP -.SH "SYNOPSIS" -.PP -\fBsmbpasswd\fP [-a] [-x] [-d] [-e] [-D debug level] [-n] [-r remote_machine] [-R name resolve order] [-m] [-j DOMAIN] [-U username] [-h] [-s] username -.PP -.SH "DESCRIPTION" -.PP -This program is part of the \fBSamba\fP suite\&. -.PP -The \fBsmbpasswd\fP program has several different functions, depending -on whether it is run by the \fIroot\fP user or not\&. When run as a normal -user it allows the user to change the password used for their SMB -sessions on any machines that store SMB passwords\&. -.PP -By default (when run with no arguments) it will attempt to change the -current users SMB password on the local machine\&. This is similar to -the way the \fBpasswd (1)\fP program works\&. \fBsmbpasswd\fP differs from how -the \fBpasswd\fP program works however in that it is not \fIsetuid root\fP -but works in a client-server mode and communicates with a locally -running \fBsmbd\fP\&. As a consequence in order for this -to succeed the \fBsmbd\fP daemon must be running on -the local machine\&. On a UNIX machine the encrypted SMB passwords are -usually stored in the \fBsmbpasswd (5)\fP file\&. -.PP -When run by an ordinary user with no options\&. \fBsmbpasswd\fP will -prompt them for their old smb password and then ask them for their new -password twice, to ensure that the new password was typed -correctly\&. No passwords will be echoed on the screen whilst being -typed\&. 
If you have a blank smb password (specified by the string "NO -PASSWORD" in the \fBsmbpasswd\fP file) then just -press the <Enter> key when asked for your old password\&. -.PP -\fBsmbpasswd\fP can also be used by a normal user to change their SMB -password on remote machines, such as Windows NT Primary Domain -Controllers\&. See the (\fB-r\fP) and -\fB-U\fP options below\&. -.PP -When run by root, \fBsmbpasswd\fP allows new users to be added and -deleted in the \fBsmbpasswd\fP file, as well as -allows changes to the attributes of the user in this file to be made\&. When -run by root, \fBsmbpasswd\fP accesses the local -\fBsmbpasswd\fP file directly, thus enabling -changes to be made even if \fBsmbd\fP is not running\&. -.PP -.SH "OPTIONS" -.PP -.IP -.IP "\fB-a\fP" -This option specifies that the username following should -be added to the local \fBsmbpasswd\fP file, with -the new password typed (type <Enter> for the old password)\&. This -option is ignored if the username following already exists in the -\fBsmbpasswd\fP file and it is treated like a -regular change password command\&. Note that the user to be added -\fBmust\fP already exist in the system password file (usually /etc/passwd) -else the request to add the user will fail\&. -.IP -This option is only available when running \fBsmbpasswd\fP as -root\&. -.IP -.IP "\fB-x\fP" -This option specifies that the username following should -be deleted from the local \fBsmbpasswd\fP file\&. -.IP -This option is only available when running \fBsmbpasswd\fP as -root\&. -.IP -.IP "\fB-d\fP" -This option specifies that the username following should be -\fIdisabled\fP in the local \fBsmbpasswd\fP file\&. -This is done by writing a \fI\'D\'\fP flag into the account control space -in the \fBsmbpasswd\fP file\&. Once this is done -all attempts to authenticate via SMB using this username will fail\&. 
-.IP -If the \fBsmbpasswd\fP file is in the \'old\' -format (pre-Samba 2\&.0 format) there is no space in the users password -entry to write this information and so the user is disabled by writing -\'X\' characters into the password space in the -\fBsmbpasswd\fP file\&. See \fBsmbpasswd -(5)\fP for details on the \'old\' and new password file -formats\&. -.IP -This option is only available when running \fBsmbpasswd\fP as root\&. -.IP -.IP "\fB-e\fP" -This option specifies that the username following should be -\fIenabled\fP in the local \fBsmbpasswd\fP file, -if the account was previously disabled\&. If the account was not -disabled this option has no effect\&. Once the account is enabled -then the user will be able to authenticate via SMB once again\&. -.IP -If the smbpasswd file is in the \'old\' format then \fBsmbpasswd\fP will -prompt for a new password for this user, otherwise the account will be -enabled by removing the \fI\'D\'\fP flag from account control space in the -\fBsmbpasswd\fP file\&. See \fBsmbpasswd -(5)\fP for details on the \'old\' and new password file -formats\&. -.IP -This option is only available when running \fBsmbpasswd\fP as root\&. -.IP -.IP "\fB-D debuglevel\fP" -debuglevel is an integer from 0 -to 10\&. The default value if this parameter is not specified is zero\&. -.IP -The higher this value, the more detail will be logged to the log files -about the activities of smbpasswd\&. At level 0, only critical errors -and serious warnings will be logged\&. -.IP -Levels above 1 will generate considerable amounts of log data, and -should only be used when investigating a problem\&. Levels above 3 are -designed for use only by developers and generate HUGE amounts of log -data, most of which is extremely cryptic\&. -.IP -.IP "\fB-n\fP" -This option specifies that the username following should -have their password set to null (i\&.e\&. a blank password) in the local -\fBsmbpasswd\fP file\&. 
This is done by writing the -string "NO PASSWORD" as the first part of the first password stored in -the \fBsmbpasswd\fP file\&. -.IP -Note that to allow users to logon to a Samba server once the password -has been set to "NO PASSWORD" in the -\fBsmbpasswd\fP file the administrator must set -the following parameter in the [global] section of the -\fBsmb\&.conf\fP file : -.IP -null passwords = true -.IP -This option is only available when running \fBsmbpasswd\fP as root\&. -.IP -.IP "\fB-r remote machine name\fP" -This option allows a -user to specify what machine they wish to change their password -on\&. Without this parameter \fBsmbpasswd\fP defaults to the local -host\&. The \fI"remote machine name"\fP is the NetBIOS name of the -SMB/CIFS server to contact to attempt the password change\&. This name -is resolved into an IP address using the standard name resolution -mechanism in all programs of the \fBSamba\fP -suite\&. See the \fB-R name resolve order\fP parameter for details on changing this resolving -mechanism\&. -.IP -The username whose password is changed is that of the current UNIX -logged on user\&. See the \fB-U username\fP -parameter for details on changing the password for a different -username\&. -.IP -Note that if changing a Windows NT Domain password the remote machine -specified must be the Primary Domain Controller for the domain (Backup -Domain Controllers only have a read-only copy of the user account -database and will not allow the password change)\&. -.IP -\fINote\fP that Windows 95/98 do not have a real password database -so it is not possible to change passwords specifying a Win95/98 -machine as remote machine target\&. -.IP -.IP "\fB-R name resolve order\fP" -This option allows the user of -smbclient to determine what name resolution services to use when -looking up the NetBIOS name of the host being connected to\&. -.IP -The options are :"lmhosts", "host", -"wins" and "bcast"\&. 
They cause names to be -resolved as follows : -.IP -.IP -.IP o -\fBlmhosts\fP : Lookup an IP address in the Samba lmhosts file\&. -.IP -.IP o -\fBhost\fP : Do a standard host name to IP address resolution, -using the system /etc/hosts, NIS, or DNS lookups\&. This method of name -resolution is operating system dependent\&. For instance on IRIX or -Solaris, this may be controlled by the \fI/etc/nsswitch\&.conf\fP file)\&. -.IP -.IP o -\fBwins\fP : Query a name with the IP address listed in the -\fBwins server\fP parameter in the -\fBsmb\&.conf file\fP\&. If -no WINS server has been specified this method will be ignored\&. -.IP -.IP o -\fBbcast\fP : Do a broadcast on each of the known local interfaces -listed in the \fBinterfaces\fP parameter -in the smb\&.conf file\&. This is the least reliable of the name resolution -methods as it depends on the target host being on a locally connected -subnet\&. -.IP -.IP -If this parameter is not set then the name resolve order defined -in the \fBsmb\&.conf\fP file parameter -\fBname resolve order\fP -will be used\&. -.IP -The default order is lmhosts, host, wins, bcast and without this -parameter or any entry in the \fBsmb\&.conf\fP -file the name resolution methods will be attempted in this order\&. -.IP -.IP "\fB-m\fP" -This option tells \fBsmbpasswd\fP that the account being -changed is a \fIMACHINE\fP account\&. Currently this is used when Samba is -being used as an NT Primary Domain Controller\&. PDC support is not a -supported feature in Samba2\&.0 but will become supported in a later -release\&. If you wish to know more about using Samba as an NT PDC then -please subscribe to the mailing list -samba-ntdom@samba\&.org\&. -.IP -This option is only available when running \fBsmbpasswd\fP as root\&. -.IP -.IP "\fB-j DOMAIN\fP" -This option is used to add a Samba server into a -Windows NT Domain, as a Domain member capable of authenticating user -accounts to any Domain Controller in the same way as a Windows NT -Server\&. 
See the \fBsecurity=domain\fP -option in the \fBsmb\&.conf (5)\fP man page\&. -.IP -In order to be used in this way, the Administrator for the Windows -NT Domain must have used the program \fI"Server Manager for Domains"\fP -to add the primary NetBIOS name of -the Samba server as a member of the Domain\&. -.IP -After this has been done, to join the Domain invoke \fBsmbpasswd\fP with -this parameter\&. \fBsmbpasswd\fP will then look up the Primary Domain -Controller for the Domain (found in the -\fBsmb\&.conf\fP file in the parameter -\fBpassword server\fP and change -the machine account password used to create the secure Domain -communication\&. This password is then stored by \fBsmbpasswd\fP in a -file, read only by root, called \f(CW<Domain>\&.<Machine>\&.mac\fP where -\f(CW<Domain>\fP is the name of the Domain we are joining and \f(CW<Machine>\fP -is the primary NetBIOS name of the machine we are running on\&. -.IP -Once this operation has been performed the -\fBsmb\&.conf\fP file may be updated to set the -\fBsecurity=domain\fP option and all -future logins to the Samba server will be authenticated to the Windows -NT PDC\&. -.IP -Note that even though the authentication is being done to the PDC all -users accessing the Samba server must still have a valid UNIX account -on that machine\&. -.IP -This option is only available when running \fBsmbpasswd\fP as root\&. -.IP -.IP "\fB-U username\fP" -This option may only be used in -conjunction with the \fB-r\fP -option\&. When changing a password on a remote machine it allows the -user to specify the user name on that machine whose password will be -changed\&. It is present to allow users who have different user names on -different systems to change these passwords\&. -.IP -.IP "\fB-h\fP" -This option prints the help string for \fBsmbpasswd\fP, -selecting the correct one for running as root or as an ordinary user\&. -.IP -.IP "\fB-s\fP" -This option causes \fBsmbpasswd\fP to be silent (i\&.e\&. 
not -issue prompts) and to read it\'s old and new passwords from standard -input, rather than from \f(CW/dev/tty\fP (like the \fBpasswd (1)\fP program -does)\&. This option is to aid people writing scripts to drive \fBsmbpasswd\fP -.IP -.IP "\fBusername\fP" -This specifies the username for all of the \fIroot -only\fP options to operate on\&. Only root can specify this parameter as -only root has the permission needed to modify attributes directly -in the local \fBsmbpasswd\fP file\&. -.IP -.SH "NOTES" -.IP -Since \fBsmbpasswd\fP works in client-server mode communicating with a -local \fBsmbd\fP for a non-root user then the \fBsmbd\fP -daemon must be running for this to work\&. A common problem is to add a -restriction to the hosts that may access the \fBsmbd\fP running on the -local machine by specifying a \fB"allow -hosts"\fP or \fB"deny -hosts"\fP entry in the -\fBsmb\&.conf\fP file and neglecting to allow -\fI"localhost"\fP access to the \fBsmbd\fP\&. -.IP -In addition, the \fBsmbpasswd\fP command is only useful if \fBSamba\fP has -been set up to use encrypted passwords\&. See the file \fBENCRYPTION\&.txt\fP -in the docs directory for details on how to do this\&. -.IP -.SH "VERSION" -.IP -This man page is correct for version 2\&.0 of the Samba suite\&. -.IP -.SH "AUTHOR" -.IP -The original Samba software and related utilities were created by -Andrew Tridgell samba@samba\&.org\&. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed\&. -.IP -The original Samba man pages were written by Karl Auer\&. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -\fBftp://ftp\&.icce\&.rug\&.nl/pub/unix/\fP) -and updated for the Samba2\&.0 release by Jeremy Allison\&. -samba@samba\&.org\&. -.IP -See \fBsamba (7)\fP to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc\&. 
+.SH SYNOPSIS +.sp +\fBsmbpasswd\fR [ \fB-a\fR ] [ \fB-x\fR ] [ \fB-d\fR ] [ \fB-e\fR ] [ \fB-D debuglevel\fR ] [ \fB-n\fR ] [ \fB-r <remote machine>\fR ] [ \fB-R <name resolve order>\fR ] [ \fB-m\fR ] [ \fB-j DOMAIN\fR ] [ \fB-U username\fR ] [ \fB-h\fR ] [ \fB-s\fR ] [ \fBusername\fR ] +.SH "DESCRIPTION" +.PP +This tool is part of the Samba <URL:samba.7.html> suite. +.PP +The smbpasswd program has several different +functions, depending on whether it is run by the \fBroot\fR +user or not. When run as a normal user it allows the user to change +the password used for their SMB sessions on any machines that store +SMB passwords. +.PP +By default (when run with no arguments) it will attempt to +change the current users SMB password on the local machine. This is +similar to the way the \fBpasswd(1)\fR program works. +\fBsmbpasswd\fR differs from how the passwd program works +however in that it is not \fBsetuid root\fR but works in +a client-server mode and communicates with a locally running +\fBsmbd(8)\fR. As a consequence in order for this to +succeed the smbd daemon must be running on the local machine. On a +UNIX machine the encrypted SMB passwords are usually stored in +the \fIsmbpasswd(5)\fR file. +.PP +When run by an ordinary user with no options. smbpasswd +will prompt them for their old smb password and then ask them +for their new password twice, to ensure that the new password +was typed correctly. No passwords will be echoed on the screen +whilst being typed. If you have a blank smb password (specified by +the string "NO PASSWORD" in the smbpasswd file) then just press +the <Enter> key when asked for your old password. +.PP +smbpasswd can also be used by a normal user to change their +SMB password on remote machines, such as Windows NT Primary Domain +Controllers. See the (-r) and -U options below. 
+.PP +When run by root, smbpasswd allows new users to be added +and deleted in the smbpasswd file, as well as allows changes to +the attributes of the user in this file to be made. When run by root, +\fBsmbpasswd\fR accesses the local smbpasswd file +directly, thus enabling changes to be made even if smbd is not +running. +.SH "OPTIONS" +.TP +\fB-a\fR +This option specifies that the username +following should be added to the local smbpasswd file, with the +new password typed (type <Enter> for the old password). This +option is ignored if the username following already exists in +the smbpasswd file and it is treated like a regular change +password command. Note that the user to be added must already exist +in the system password file (usually \fI/etc/passwd\fR) +else the request to add the user will fail. + +This option is only available when running smbpasswd +as root. +.TP +\fB-x\fR +This option specifies that the username +following should be deleted from the local smbpasswd file. + +This option is only available when running smbpasswd as +root. +.TP +\fB-d\fR +This option specifies that the username following +should be disabled in the local smbpasswd +file. This is done by writing a 'D' flag +into the account control space in the smbpasswd file. Once this +is done all attempts to authenticate via SMB using this username +will fail. + +If the smbpasswd file is in the 'old' format (pre-Samba 2.0 +format) there is no space in the users password entry to write +this information and so the user is disabled by writing 'X' characters +into the password space in the smbpasswd file. See \fBsmbpasswd(5) +\fRfor details on the 'old' and new password file formats. + +This option is only available when running smbpasswd as +root. +.TP +\fB-e\fR +This option specifies that the username following +should be enabled in the local smbpasswd file, +if the account was previously disabled. If the account was not +disabled this option has no effect. 
Once the account is enabled then +the user will be able to authenticate via SMB once again. + +If the smbpasswd file is in the 'old' format, then \fB smbpasswd\fR will prompt for a new password for this user, +otherwise the account will be enabled by removing the 'D' +flag from account control space in the \fI smbpasswd\fR file. See \fBsmbpasswd (5)\fR for +details on the 'old' and new password file formats. + +This option is only available when running smbpasswd as root. +.TP +\fB-D debuglevel\fR +\fIdebuglevel\fR is an integer +from 0 to 10. The default value if this parameter is not specified +is zero. + +The higher this value, the more detail will be logged to the +log files about the activities of smbpasswd. At level 0, only +critical errors and serious warnings will be logged. + +Levels above 1 will generate considerable amounts of log +data, and should only be used when investigating a problem. Levels +above 3 are designed for use only by developers and generate +HUGE amounts of log data, most of which is extremely cryptic. +.TP +\fB-n\fR +This option specifies that the username following +should have their password set to null (i.e. a blank password) in +the local smbpasswd file. This is done by writing the string "NO +PASSWORD" as the first part of the first password stored in the +smbpasswd file. + +Note that to allow users to logon to a Samba server once +the password has been set to "NO PASSWORD" in the smbpasswd +file the administrator must set the following parameter in the [global] +section of the \fIsmb.conf\fR file : + +\fBnull passwords = yes\fR + +This option is only available when running smbpasswd as +root. +.TP +\fB-r remote machine name\fR +This option allows a user to specify what machine +they wish to change their password on. Without this parameter +smbpasswd defaults to the local host. The \fIremote +machine name\fR is the NetBIOS name of the SMB/CIFS +server to contact to attempt the password change. 
This name is +resolved into an IP address using the standard name resolution +mechanism in all programs of the Samba suite. See the \fI-R +name resolve order\fR parameter for details on changing +this resolving mechanism. + +The username whose password is changed is that of the +current UNIX logged on user. See the \fI-U username\fR +parameter for details on changing the password for a different +username. + +Note that if changing a Windows NT Domain password the +remote machine specified must be the Primary Domain Controller for +the domain (Backup Domain Controllers only have a read-only +copy of the user account database and will not allow the password +change). + +\fBNote\fR that Windows 95/98 do not have +a real password database so it is not possible to change passwords +specifying a Win95/98 machine as remote machine target. +.TP +\fB-R name resolve order\fR +This option allows the user of smbclient to determine +what name resolution services to use when looking up the NetBIOS +name of the host being connected to. + +The options are :"lmhosts", "host", "wins" and "bcast". They cause +names to be resolved as follows : +.RS +.TP 0.2i +\(bu +lmhosts : Lookup an IP +address in the Samba lmhosts file. If the line in lmhosts has +no name type attached to the NetBIOS name (see the lmhosts(5) <URL:lmhosts.5.html> for details) then +any name type matches for lookup. +.TP 0.2i +\(bu +host : Do a standard host +name to IP address resolution, using the system \fI/etc/hosts +\fR, NIS, or DNS lookups. This method of name resolution +is operating system depended for instance on IRIX or Solaris this +may be controlled by the \fI/etc/nsswitch.conf\fR +file). Note that this method is only used if the NetBIOS name +type being queried is the 0x20 (server) name type, otherwise +it is ignored. +.TP 0.2i +\(bu +wins : Query a name with +the IP address listed in the \fIwins server\fR +parameter. If no WINS server has been specified this method +will be ignored. 
+.TP 0.2i +\(bu +bcast : Do a broadcast on +each of the known local interfaces listed in the +\fIinterfaces\fR parameter. This is the least +reliable of the name resolution methods as it depends on the +target host being on a locally connected subnet. +.RE +.PP +The default order is \fBlmhosts, host, wins, bcast\fR +and without this parameter or any entry in the +\fIsmb.conf\fR file the name resolution methods will +be attempted in this order. +.PP +.TP +\fB-m\fR +This option tells smbpasswd that the account +being changed is a MACHINE account. Currently this is used +when Samba is being used as an NT Primary Domain Controller. + +This option is only available when running smbpasswd as root. +.TP +\fB-j DOMAIN\fR +This option is used to add a Samba server +into a Windows NT Domain, as a Domain member capable of authenticating +user accounts to any Domain Controller in the same way as a Windows +NT Server. See the \fBsecurity = domain\fR option in +the \fIsmb.conf(5)\fR man page. + +In order to be used in this way, the Administrator for +the Windows NT Domain must have used the program "Server Manager +for Domains" to add the primary NetBIOS name of the Samba server +as a member of the Domain. + +After this has been done, to join the Domain invoke \fB smbpasswd\fR with this parameter. smbpasswd will then +look up the Primary Domain Controller for the Domain (found in +the \fIsmb.conf\fR file in the parameter +\fIpassword server\fR and change the machine account +password used to create the secure Domain communication. This +password is then stored by smbpasswd in a TDB, writeable only by root, +called \fIsecrets.tdb\fR + +Once this operation has been performed the \fI smb.conf\fR file may be updated to set the \fB security = domain\fR option and all future logins +to the Samba server will be authenticated to the Windows NT +PDC. 
+ +Note that even though the authentication is being +done to the PDC all users accessing the Samba server must still +have a valid UNIX account on that machine. + +This option is only available when running smbpasswd as root. +.TP +\fB-U username\fR +This option may only be used in conjunction +with the \fI-r\fR option. When changing +a password on a remote machine it allows the user to specify +the user name on that machine whose password will be changed. It +is present to allow users who have different user names on +different systems to change these passwords. +.TP +\fB-h\fR +This option prints the help string for \fB smbpasswd\fR, selecting the correct one for running as root +or as an ordinary user. +.TP +\fB-s\fR +This option causes smbpasswd to be silent (i.e. +not issue prompts) and to read it's old and new passwords from +standard input, rather than from \fI/dev/tty\fR +(like the \fBpasswd(1)\fR program does). This option +is to aid people writing scripts to drive smbpasswd +.TP +\fBusername\fR +This specifies the username for all of the +\fBroot only\fR options to operate on. Only root +can specify this parameter as only root has the permission needed +to modify attributes directly in the local smbpasswd file. +.SH "NOTES" +.PP +Since \fBsmbpasswd\fR works in client-server +mode communicating with a local smbd for a non-root user then +the smbd daemon must be running for this to work. A common problem +is to add a restriction to the hosts that may access the \fB smbd\fR running on the local machine by specifying a +\fIallow hosts\fR or \fIdeny hosts\fR +entry in the \fIsmb.conf\fR file and neglecting to +allow "localhost" access to the smbd. +.PP +In addition, the smbpasswd command is only useful if Samba +has been set up to use encrypted passwords. See the file +\fIENCRYPTION.txt\fR in the docs directory for details +on how to do this. +.SH "VERSION" +.PP +This man page is correct for version 2.2 of +the Samba suite. 
+.SH "SEE ALSO" +.PP +\fIsmbpasswd(5)\fR <URL:smbpasswd.5.html>, +samba(7) <URL:samba.7.html> +.SH "AUTHOR" +.PP +The original Samba software and related utilities +were created by Andrew Tridgell. Samba is now developed +by the Samba Team as an Open Source project similar +to the way the Linux kernel is developed. +.PP +The original Samba man pages were written by Karl Auer. +The man page sources were converted to YODL format (another +excellent piece of Open Source software, available at +ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the Samba 2.0 +release by Jeremy Allison. The conversion to DocBook for +Samba 2.2 was done by Gerald Carter |
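Review bot: In the -j DOMAIN text, the old "read only by root" wording is replaced by "stored by smbpasswd in a TDB, writeable only by root, called secrets.tdb", which no longer tells the reader whether other users can read the file. Because it holds the machine account password used for the secure Domain communication, state both properties, for example "readable and writeable only by root". The same sentence never closes the parenthesis opened at "(found in the smb.conf file" and lacks a full stop after secrets.tdb. Elsewhere in the hunk, the -R description still says "the user of smbclient" on a page for smbpasswd. The removed paragraph saying that the smb.conf "name resolve order" parameter is used when -R is not set has no counterpart in the added lines, so that fallback is now only implied by the default-order paragraph.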