Diffstat (limited to 'docs/yodldocs/smbpasswd.8.yo')
-rw-r--r-- | docs/yodldocs/smbpasswd.8.yo | 320 |
1 files changed, 320 insertions, 0 deletions
diff --git a/docs/yodldocs/smbpasswd.8.yo b/docs/yodldocs/smbpasswd.8.yo new file mode 100644 index 0000000000..cc1845be50 --- /dev/null +++ b/docs/yodldocs/smbpasswd.8.yo 
@@ -0,0 +1,320 @@ +mailto(samba-bugs@samba.anu.edu.au) + +manpage(smbpasswd)(8)(23 Oct 1998)(Samba)(SAMBA) + +label(NAME) +manpagename(smbpasswd)(change a users SMB password) + +label(SYNOPSIS) +manpagesynopsis() + +bf(smbpasswd) [-a] [-d] [-e] [-D debug level] [-n] [-r remote_machine] [-R name resolve order] [-m] [-j DOMAIN] [-U username] [-h] [-s] username + +label(DESCRIPTION) +manpagedescription() + +This program is part of the bf(Samba) suite. + +The bf(smbpasswd) program has several different functions, depending +on whether it is run by the em(root) user or not. When run as a normal +user it allows the user to change the password used for their SMB +sessions on any machines that store SMB passwords. + +By default (when run with no arguments) it will attempt to change the +current users SMB password on the local machine. This is similar to +the way the bf(passwd (1)) program works. Note that in order for this +to succeed the url(bf(smbd))(smbd.8.html) daemon must be running on +the local machine. On a UNIX machine the encrypted SMB passwords are +usually stored in the url(bf(smbpasswd (5)))(smbpasswd.5.html) file. + +When run by an ordinary user with no options. bf(smbpasswd) will +prompt them for their old smb password and then ask them for their new +password twice, to ensure that the new password was typed +correctly. No passwords will be echoed on the screen whilst being +typed. If you have a blank smb password (specified by the string "NO +PASSWORD" in the url(bf(smbpasswd))(smbpasswd.5.html) file) then just +press the <Enter> key when asked for your old password. + +bf(smbpasswd) also can be used by a normal user to change their SMB +password on remote machines, such as Windows NT Primary Domain +Controllers. See the link(bf(-r))(minusr) and link(bf(-U))(minusU) +options below. 
+ +When run by root, bf(smbpasswd) allows new users to be added and +deleted in the url(bf(smbpasswd))(smbpasswd.5.html) file, as well as +changes to the attributes of the user in this file to be made. When +run by root, bf(smbpasswd) accesses the local +url(bf(smbpasswd))(smbpasswd.5.html) file directly, thus enabling +changes to be made even if url(bf(smbd))(smbd.8.html) is not running. + +label(OPTIONS) +manpageoptions() + +startdit() + +dit(bf(-a)) This option specifies that the username following should +be added to the local url(bf(smbpasswd))(smbpasswd.5.html) file, with +the new password typed (type <Enter> for the old password). This +option is ignored if the username following already exists in the +url(bf(smbpasswd))(smbpasswd.5.html) file and it is treated like a +regular change password command. Note that the user to be added .B +must already exist in the system password file (usually /etc/passwd) +else the request to add the user will fail. + +This option is only available when running bf(smbpasswd) as +root. + +label(minusd) +dit(bf(-d)) This option specifies that the username following should be +em(disabled) in the local url(bf(smbpasswd))(smbpasswd.5.html) file. +This is done by writing a em('D') flag into the account control space +in the url(bf(smbpasswd))(smbpasswd.5.html) file. Once this is done +all attempts to authenticate via SMB using this username will fail. + +If the url(bf(smbpasswd))(smbpasswd.5.html) file is in the 'old' +format (pre-Samba 2.0 format) there is no space in the users password +entry to write this information and so the user is disabled by writing +'X' characters into the password space in the +url(bf(smbpasswd))(smbpasswd.5.html) file. See url(bf(smbpasswd +(5)))(smbpasswd.5.html) for details on the 'old' and new password file +formats. + +This option is only available when running bf(smbpasswd) as root. 
+ +dit(bf(-e)) This option specifies that the username following should be +em(enabled) in the local url(bf(smbpasswd))(smbpasswd.5.html) file, +if the account was previously disabled. If the account was not +disabled this option has no effect. Once the account is enabled +then the user will be able to authenticate via SMB once again. + +If the smbpasswd file is in the 'old' format then bf(smbpasswd) will +prompt for a new password for this user, otherwise the account will be +enabled by removing the em('D') flag from account control space in the +url(bf(smbpasswd))(smbpasswd.5.html) file. See url(bf(smbpasswd +(5)))(smbpasswd.5.html) for details on the 'old' and new password file +formats. + +This option is only available when running bf(smbpasswd) as root. + +label(minusD) +dit(bf(-D debuglevel)) debuglevel is an integer from 0 +to 10. The default value if this parameter is not specified is zero. + +The higher this value, the more detail will be logged to the log files +about the activities of smbpasswd. At level 0, only critical errors +and serious warnings will be logged. + +Levels above 1 will generate considerable amounts of log data, and +should only be used when investigating a problem. Levels above 3 are +designed for use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic. + +dit(bf(-n)) This option specifies that the username following should +have their password set to null (i.e. a blank password) in the local +url(bf(smbpasswd))(smbpasswd.5.html) file. This is done by writing the +string "NO PASSWORD" as the first part of the first password stored in +the url(bf(smbpasswd))(smbpasswd.5.html) file. 
+ +Note that to allow users to logon to a Samba server once the password +has been set to "NO PASSWORD" in the +url(bf(smbpasswd))(smbpasswd.5.html) file the administrator must set +the following parameter in the [global] section of the +url(bf(smb.conf))(smb.conf.5.html) file : + +url(null passwords = true)(smb.conf.5.html#null passwords) + +This option is only available when running bf(smbpasswd) as root. + +dit(bf(-r remote machine name)) This option allows a user to specify +what machine they wish to change their password on. Without this +parameter bf(smbpasswd) defaults to the local host. The em("remote +machine name") is the NetBIOS name of the SMB/CIFS server to contact +to attempt the password change. This name is resolved into an IP +address using the standard name resolution mechanism in all programs +of the url(bf(Samba))(samba.7.html) suite. See the link(bf(-R name +resolve order))(nameresolveorder) parameter for details on changing this +resolving mechanism. + +The username whose password is changed is that of the current UNIX +logged on user. See the link(bf(-U username))(minusU) parameter for +details on changing the password for a different username. + +Note that if changing a Windows NT Domain password the remote machine +specified must be the Primary Domain Controller for the domain (Backup +Domain Controllers only have a read-only copy of the user account +database and will not allow the password change). + +label(nameresolveorder) +dit(bf(-R name resolve order)) This option allows the user of +smbclient to determine what name resolution services to use when +looking up the NetBIOS name of the host being connected to. + +The options are :"lmhosts", "host", "wins" and "bcast". They cause +names to be resolved as follows : + +startit() + +it() bf(lmhosts) : Lookup an IP address in the Samba lmhosts file. + +it() bf(host) : Do a standard host name to IP address resolution, +using the system /etc/hosts, NIS, or DNS lookups. 
This method of name +resolution is operating system depended for instance on IRIX or +Solaris this may be controlled by the em(/etc/nsswitch.conf) file). + +it() bf(wins) : Query a name with the IP address listed in the url(bf(wins +server))(smb.conf.5.html#wins server) parameter in the smb.conf file. If +no WINS server has been specified this method will be ignored. + +it() bf(bcast) : Do a broadcast on each of the known local interfaces +listed in the url(bf(interfaces))(smb.conf.5.html#interfaces) parameter +in the smb.conf file. This is the least reliable of the name resolution +methods as it depends on the target host being on a locally connected +subnet. + +endit() + +If this parameter is not set then the name resolver order defined +in the url(bf(smb.conf))(smb.conf.5.html) file parameter +url((bf(name resolve order))(smb.conf.5.html#name resolve order) +will be used. + +The default order is lmhosts, host, wins, bcast and without this +parameter or any entry in the url(bf(smb.conf))(smb.conf.5.html) +file the name resolution methods will be attempted in this order. + +dit(bf(-m)) This option tells bf(smbpasswd) that the account being +changed is a em(MACHINE) account. Currently this is used when Samba is +being used as an NT Primary Domain Controller. PDC support is not a +supported feature in Samba2.0 but will become supported in a later +release. If you wish to know more about using Samba as an NT PDC then +please subscribe to the mailing list +email(samba-ntdom@samba.anu.edu.au). + +This option is only available when running bf(smbpasswd) as root. + +dit(bf(-j DOMAIN)) This option is used to add a Samba server into a +Windows NT Domain, as a Domain member capable of authenticating user +accounts to any Domain Controller in the same way as a Windows NT +Server. See the url(bf(security=domain))(smb.conf.5.html#security) +option in the url(bf(smb.conf (5)))(smb.conf.5.html) man page. 
+ +In order to be used in this way, the Administrator for the Windows +NT Domain must have used the program em("Server Manager for Domains") +to add the url(primary NetBIOS name)(smb.conf.5.html#netbios name) of +the Samba server as a member of the Domain. + +After this has been done, to join the Domain invoke bf(smbpasswd) with +this parameter. bf(smbpasswd) will then look up the Primary Domain +Controller for the Domain (found in the +url(bf(smb.conf))(smb.conf.5.html) file in the parameter +url(bf("password server"))(smb.conf.5.html#password server) and change +the machine account password used to create the secure Domain +communication. This password is then stored by bf(smbpasswd) in a +file, read only by root, called tt(<Domain>.<Machine>.mac) where +tt(<Domain>) is the name of the Domain we are joining and tt<Machine> +is the primary NetBIOS name of the machine we are running on. + +Once this operation has been performed the +url(bf(smb.conf))(smb.conf.5.html) file may be updated to set the +url(bf(security=domain))(smb.conf.5.html#security) option and all +future logins to the Samba server will be authenticated to the Windows +NT PDC. + +Note that even though the authentication is being done to the PDC all +users accessing the Samba server must still have a valid UNIX account +on that machine. + +This option is only available when running bf(smbpasswd) as root. + +label(minusU) +dit(bf(-U username)) + +.RE +.I username + +.RS 3 +You may only specify a username to the smbpasswd command +if you are running as root. Only root should have the +permission to modify other users smb passwords. + +NOTES + +.B New for 1.9.18p4. +smbpasswd will now allow a user to change their password +on a Windows NT server. To use this add the +.I \-r +.I \<remote_machine\> +paramter to the smbpasswd command. The machine name is looked +up using the "name resolve order" parameter defined in the +smb.conf [global] section. 
Note that when changing a Windows +NT password for a domain user, +.I \<remote machine\> +must be the name of the Primary domain controller. + +To allow users to change their passwords from "NO PASSWORD" in the +smbpasswd file to a valid password the administrator must set the +following parameter in the [global] section of the smb.conf : + +null passwords = true + +This is .B NOT recommended as a general policy, it is recommended that +new users be assigned a default password instead. + + +The +.I \-a +and +.I username +options can only be used by a user running as root. + +.RE +.RE +.SH INSTALLATION + +The location of the server and its support files is a matter for individual +system administrators. The following are thus suggestions only. + +It is recommended that the +.B smbpasswd +program be installed in the /usr/local/samba/bin directory. This should be +a directory readable by all, writeable only by root. The program should be +executable by all. The program +.B must not +be setuid root. + +.SH VERSION + +This man page is correct for version 1.9.18p4 of the Samba suite. +These notes will necessarily lag behind +development of the software, so it is possible that your version of +the program has extensions or parameter semantics that differ from or are not +covered by this man page. Please notify these to the address below for +rectification. +.SH SEE ALSO +.BR smbd (8), +.BR smb.conf (5) +.SH +.B BUGS + +.RE +The +.B smbpasswd +command is only useful if +.I Samba +has been set up to use encrypted passwords. See the file +.I ENCRYPTION.txt +in the docs directory for details on how to do this. + +.SH CREDITS +.RE +The original Samba software and related utilities were created by +Andrew Tridgell (samba-bugs@samba.anu.edu.au). Andrew is also the Keeper +of the Source for this project. smbpasswd and the encrypted password +file code was written by Jeremy Allison (samba-bugs@samba.anu.edu.au). + +This man page was written by Jeremy Allison. 
Bug reports to samba-bugs@samba.anu.edu.au. + +See +.BR smb.conf (5) +for a full list of contributors and details of how to +submit bug reports, comments etc. |
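Review bot: From the label(minusU) entry to the end of the file the text is still raw troff (.RE, .RS 3, .I username, .SH INSTALLATION, .BR smbd (8)) rather than yodl macros, and the -a entry has a stray ".B" in "the user to be added .B must already exist". Convert these to the bf()/em()/label() forms used in the rest of the file, and close the startdit() list with an enddit(), which does not appear anywhere in the hunk. Three macro calls in the converted part are also malformed: tt<Machine> lacks its parentheses, url((bf(name resolve order)) has an extra opening parenthesis, and the parenthesis opened at "(found in the" in the -j entry is never closed. The synopsis lists -h and -s but OPTIONS has no entry for either, the -R entry speaks of "the user of smbclient" in a page about smbpasswd, and the VERSION section says 1.9.18p4 while the body refers to Samba 2.0. The -n entry gives null passwords = true without the "NOT recommended" caveat that the NOTES section attaches to the same setting; repeat the caveat there so a reader who only looks up -n sees it.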