From 7bab8111d2b1668495b8e0411fa1de6b174aacdc Mon Sep 17 00:00:00 2001
From: Gerald Carter
Date: Fri, 23 Feb 2001 02:37:25 +0000
Subject: I'm just checking these in. They're not done.

(This used to be commit 03f85cf3c80e8bb93d698da0a17ac61d0da91950)
---
 docs/docbook/manpages/rpcclient.1.sgml | 137 +++++++++++
 docs/docbook/manpages/smbcacls.1.sgml  | 105 +++++++++
 docs/docbook/manpages/smbclient.1.sgml | 408 +++++++++++++++++++++++++++++++++
 docs/docbook/manpages/smbpasswd.5.sgml | 136 +++++++++++
 docs/docbook/manpages/smbpasswd.8.sgml | 165 +++++++++++++
 5 files changed, 951 insertions(+)
 create mode 100644 docs/docbook/manpages/rpcclient.1.sgml
 create mode 100644 docs/docbook/manpages/smbcacls.1.sgml
 create mode 100644 docs/docbook/manpages/smbclient.1.sgml
 create mode 100644 docs/docbook/manpages/smbpasswd.5.sgml
 create mode 100644 docs/docbook/manpages/smbpasswd.8.sgml

diff --git a/docs/docbook/manpages/rpcclient.1.sgml b/docs/docbook/manpages/rpcclient.1.sgml
new file mode 100644
index 0000000000..ce395305ea
--- /dev/null
+++ b/docs/docbook/manpages/rpcclient.1.sgml
@@ -0,0 +1,137 @@ +Namerpcclient - developer's tool to testing client side MS-RPC functions Synopsisrpcclient[-d +debuglevel] [-S server] [-l logbasename] [-n netbios name] [-N] [-m maxprotocol] +[-I destIP] [-E] [-U username] [-W workgroup] [-c `command string`] [-t terminalcode] +[-i scope] [-O socket options] [-s smb.conf] Descriptionrpcclientis a utility +for developers for executing various MS-RPC functions. It's primary use is +for testing Samba's own MS-RPC server implementation, however many administrators +have written scripts around it to manage Windows NT clients from their +UNIX workstation. Options +-d debuglevelset the debuglevel. Debug level 0 is +the lowest and 100 being the highest. This should be set to 100 if you are +planning on submitting a bug report to the Samba team (see BUGS.txt). -S +serverNetBIOS name of Server to which you wish to connect. The server can +be any SMB/CIFS server. The name is resolved using either the "name resolve + order = " line or by using the -R option. -l logbasenameFile name for log/debug +files. .client will be appended. The log file is never removed by the client. +-n netbios nameNetBIOS name of the local machine. This option is only needed +if your Samba client cannot find it automatically. Samba should use the +uppercase of the machine's hostname. -Ntells rpcclient not to ask for a password. +rpcclient will prompt the user by default. -I destIPThe IP address of the +server specified with the -S option. Only needed when the server's NetBIOS +name cannot be resolved using WINS or broadcast and isn't found in the LMHOSTS +file. -Ecauses regedit to write messages to stderr instead of stdout. -U username[%pass]Sets +the SMB username or username and password. If %pass is not specified, The +user will be prompted. The client will first check the USER environment +variable, then the LOGNAME variable and if either exist, the string is +uppercased. 
Anything in these variables following a % sign will be treated +as the password. If these environmental variables are not found, the username +GUEST is used. If the password is not included in these environment variables +(using the %pass syntax), rpcclient will look for a PASSWD environment +variable from which to read the password. A third option is to use a credentials +file which contains the plaintext of the username and password. This option +is mainly provided for scripts where the admin doesn't desire to pass the +credentials on the command line or via environment variables. If this method +is used, make certain that the permissions on the file restrict access +from unwanted users. See the -A for more details. Be cautious about including +passwords in scripts or in the CWPASSWD environment variable. Also, on many +systems the command line of a running process may be seen via the CWps +command to be safe always allow smbclient to prompt for a password and +type it in directly. -A This option allows you to specify a file +from which to read the username and password used in the connection. The +format of the file is CWusername = +CWpassword = +Make certain that the permissions on the file restrict access from unwanted +users. -W domainSet the SMB domain of the username. This overrides the default + domain which is the domain of the server specified with the bt(-S) option. +If the domain specified is the same as the server's NetBIOS name, it causes +the client to log on using the server's local SAM (as opposed to the Domain +SAM). -Poperate in promptless mode. Without this mode (the default) rpcclient +displays a prompt of the form '[domain\username@host]$' -c 'command string'execute +semicolon separated commands (listed below)) -t terminalcodeThis tells the +Samba client how to interpret the incoming filenames, in regards to character +sets. The list here is not complete. For a complete list see your local Samba +source. 
Some valid options are sjis, euc, jis7, jis8, junet and hex. -O socket +optionsThese socket options are the same as in smb.conf (under the bt(socket +options = ) section). -s smb.confSpecifies the location of the all important +smb.conf file. -i scopeDefines the NetBIOS scope. For more information on NetBIOS +scopes, see rfc1001 and rfc1002. NetBIOS scopes are rarely used. +Commands +SPOOLSS +CommandsspoolenumExecute an EnumPrinters call. This lists the various installed +and share printers. Refer to the MS Platform SDK documentation for more +details of the various flags and calling options. +spoolenumports Executes +an EnumPorts call using the specified info level. Currently only info level +1 and 2 are supported. +spoolenumdataEnumerate all printer setting data stored +on the server. On Windows NT clients, these values are stored in the registry, +while Samba servers store them in the printers TDB. This command corresponds +to the MS Platform SDK EnumPorts function. +spooljobs List the jobs +and status of a given printer. This command corresponds to the MS Platform +SDK EnumJobs function. +spoolopen Execute an OpenPrinterEx() and ClosePrinter() +RPC against a given printer. +spoolgetdataRetrive the data for a given printer +setting. See the spoolenumdata command for more information. This command +corresponds to the GetPrinterData() MS Platform SDK function. +spoolgetprinter +Retrieve the current printer information. This command sorresponds +to the GetPrinter() MS Platform SDK function. +spoolgetprinterdriver Retrive +the printer driver information (such as driver file, config file, dependent +files, etc...) for the given printer. This command corresponds to the GetPrinterDriver() +MS Platform SDK function. +spoolgetprinterdriverdir Execute a GetPrinterDriverDirectory() +RPC to retreive the SMB share name and subdirectory for storing printer +driver files for a given architecture. 
Possible values for are "Windows +4.0" (for Windows 95/98), "Windows NT x86", "Windows NT PowerPC", "Windows +Alpha_AXP", and "Windows NT R4000". + " .YODLTAGEND. Add a +printer on the remote server. This printer will be automatically shared. + Be aware that the printer driver must already be installed on the server +(see addprinterdriver) and the must be a valid port name. +spooladdprinterdriver + Execute an AddPrinterDriver() RPC to install the printer driver +information on the server. Note that the driver files should already exist +in the directort returned by spoolgetprinterdriverdir. Possible values +for are the same as those for the spooolgetprintedriverdir command. +The parameter is defined as follows: +::::::: +Any empty fields should be enter +as the string "NULL". +Samba does not need to support the concept of Print +Monitors since these only apply to local printers whose driver can make +use of a bi-directional link for communication. This field should be "NULL". + On a remote NT print server, the Print Monitor for a driver must already +be installed prior to adding the driver or else the RPC will fail. +General +CommandssetSet miscellaneous rpcclient command line options during a running + session. +useConnect to a rmeote SMB server. rpcclient has the ability to +maintain connections to multiple server simulaneously. +helpPrint a listing +of all known commands or extended help on a particular command. +quitExit +rpcclient. +Bugsrpcclient is designed as a developer testing tool and may +not be robust in certain areas (such as command line parsing). It has been +known to generate a core dump upon failures when invalid parameters where +passed to the interpreter. +From Luke Leighton's original rpcclient man page: +"WARNING! The MSRPC over SMB code has been developed from examining Network +traces. No documentation is available from the original creators (Microsoft) +on how MSRPC over SMB works, or how the individual MSRPC services work. 
+Microsoft's implementation of these services has been demonstrated (and +reported) to be... a bit flakey in places. +The development of Samba's implementation +is also a bit rough, and as more of the services are understood, it can +even result in versions of smbd(8) and rpcclient that are incompatible +for some commands or services. Additionally, the developers are sending +reports to Microsoft, and problems found or reported to Microsoft are +fixed in Service Packs, which may result in incompatibilities." +See Alsosamba +(7) AuthorSamba is written by The Samba Team as Open Source. This man page +was written by Matthew Geddes, Luke Kenneth Casson, and Gerald Carter. \ No newline at end of file diff --git a/docs/docbook/manpages/smbcacls.1.sgml b/docs/docbook/manpages/smbcacls.1.sgml new file mode 100644 index 0000000000..aaddf5c09c --- /dev/null +++ b/docs/docbook/manpages/smbcacls.1.sgml 
@@ -0,0 +1,105 @@ + +Namesmbcacls - Set or get ACLs on an NT file or directory +Synopsis +smbcacls +//server/share filename [-U username] [-A acls] [-M acls] [-D acls] [-S acls] + [-C name] [-G name] [-n] [-h] +Description +The smbcacls program manipulates +NT Access Control Lists (ACLs) on SMB file shares. +Options +The following +options are available to the smbcacls program. The format of ACLs is described +in the section ACL FORMAT +-A aclsAdd the ACLs specified to the ACL list. + Existing access control entries are unchanged. -M aclsModify the mask value +(permissions) for the ACLs specified on the command line. An error will +be printed for each ACL specified that was not already present in the ACL +list. -D aclsDelete any ACLs specfied on the command line. An error will +be printed for each ACL specified that was not already present in the ACL +list. -S aclsThis command sets the ACLs on the file with only the ones specified +on the command line. All other ACLs are erased. Note that the ACL specified +must contain at least a revision, type, owner and group for the call to +succeed. -U usernameSpecifies a username used to connect to the specified +service. The username may be of the form CWusername in which case the user +is prompted to enter in a password and the workgroup specified in the smb.conf +file is used, or CWusername%password or CWDOMAIN\username%password and the +password and workgroup names are used as provided. -C nameThe owner of a +file or directory can be changed to the name given using the -C option. +The name can be a sid in the form CWS-1-x-y-z or a name resolved against the +server specified in the first argument. This command is a shortcut for CW-M +OWNER:name. -G nameThe group owner of a file or directory can be changed +to the name given using the -G option. The name can be a sid in the form +CWS-1-x-y-z or a name resolved against the server specified in the first argument. +This command is a shortcut for CW-M GROUP:name. 
-nThis option displays all +ACL information in numeric format. The default is to convert SIDs to names +and ACE types and masks to a readable string format. -hPrint usage information +on the smbcacls program +Acl Format +The format of an ACL is one or more ACL +entries separated by either commas or newlines. An ACL entry is one of +the following: + + + +REVISION: +OWNER: +GROUP: +ACL::// + + + +The revision of the ACL specifies the internal Windows NT ACL revision +for the security descriptor. If not specified it defaults to 1. Using values +other than 1 may cause strange behaviour. +The owner and group specify the +owner and group sids for the object. If a SID in the format CWS-1-x-y-z is +specified this is used, otherwise the name specified is resolved using +the server on which the file or directory resides. +ACLs specify permissions +granted to the SID. This SID again can be specified in CWS-1-x-y-z format or +as a name in which case it is resolved against the server on which the +file or directory resides. The type, flags and mask values determine the +type of access granted to the SID. +The type can be either 0 or 1 corresponding +to ALLOWED or DENIED access to the SID. The flags values are generally +zero for file ACLs and either 9 or 2 for directory ACLs. Some common flags +are: + + + +#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1 +#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2 +#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4 +#define SEC_ACE_FLAG_INHERIT_ONLY 0x8 + + + +At present flags can only be specified as decimal or hexadecimal values. + +The mask is a value which expresses the access right granted to the SID. +It can be given as a decimal or hexadecimal value, or by using one of the +following text strings which map to the NT file permissions of the same +name. 
+CWR Allow read access CWW Allow write access CWX Execute permission +on the object CWD Delete the object CWP Change permissions CWO Take ownership + +The following combined permissions can be specified: +CWREAD Equivalent +to CWRX permissions CWCHANGE Equivalent to CWRXWD permissions CWFULL + Equivalent to CWRWXDPO permissions +Exit Status +The smbcacls program sets +the exit status depending on the success or otherwise of the operations +performed. The exit status may be one of the following values. +If the operation +succeded, smbcacls returns and exit status of 0. If smbcacls couldn't connect +to the specified server, or there was an error getting or setting the ACLs, +an exit status of 1 is returned. If there was an error parsing any command +line arguments, an exit status of 2 is returned. +Author +The original Samba +software and related utilities were created by Andrew Tridgell. Samba is +now developed by the Samba Team as an Open Source project. +smbcacls was +written by Andrew Tridgell and Tim Potter. \ No newline at end of file diff --git a/docs/docbook/manpages/smbclient.1.sgml b/docs/docbook/manpages/smbclient.1.sgml new file mode 100644 index 0000000000..314c815970 --- /dev/null +++ b/docs/docbook/manpages/smbclient.1.sgml 
@@ -0,0 +1,408 @@ + +Namesmbclient - ftp-like client to access SMB/CIFS resources on servers +Synopsis +smbclient +servicename [-s smb.conf] [-O socket options][-R name resolve order] [-M NetBIOS +name] [-i scope] [-N] [-n NetBIOS name] [-d debuglevel] [-P] [-p port] [-l log +basename] [-h] [-I dest IP] [-E] [-U username] [-L NetBIOS name] [-t terminal +code] [-m max protocol] [-b buffersize] [-W workgroup] [-TIXFqgbNan] [-D directory] +[-c command string] +Description +This program is part of the Samba suite. +smbclient +is a client that can 'talk' to an SMB/CIFS server. It offers an interface +similar to that of the ftp program (see ftp (1)). Operations include things +like getting files from the server to the local machine, putting files +from the local machine to the server, retrieving directory information +from the server and so on. +Options +servicenameservicename is the name of +the service you want to use on the server. A service name takes the form +CW//server/service where server is the NetBIOS name of the SMB/CIFS server +offering the desired service and service is the name of the service offered. +Thus to connect to the service printer on the SMB/CIFS server smbserver, +you would use the servicename CW//smbserver/printer Note that the server +name required is NOT necessarily the IP (DNS) host name of the server ! +The name required is a NetBIOS server name, which may or may not be the +same as the IP hostname of the machine running the server. The server name +is looked up according to either the -R parameter to smbclient or using +the name resolve order parameter in the smb.conf file, allowing an administrator +to change the order and methods by which server names are looked up. passwordpassword +is the password required to access the specified service on the specified +server. If this parameter is supplied, the -N option (suppress password prompt) +is assumed. There is no default password. 
If no password is supplied on the +command line (either by using this parameter or adding a password to the +-U option (see below)) and the -N option is not specified, the client will +prompt for a password, even if the desired service does not require one. +(If no password is required, simply press ENTER to provide a null password.) +Note: Some servers (including OS/2 and Windows for Workgroups) insist on +an uppercase password. Lowercase or mixed case passwords may be rejected +by these servers. Be cautious about including passwords in scripts. -s smb.confThis +parameter specifies the pathname to the Samba configuration file, smb.conf. +This file controls all aspects of the Samba setup on the machine and smbclient +also needs to read this file. -O socket optionsTCP socket options to set +on the client socket. See the socket options parameter in the smb.conf (5) +manpage for the list of valid options. -R name resolve orderThis option allows +the user of smbclient to determine what name resolution services to use +when looking up the NetBIOS name of the host being connected to. The options +are :"lmhosts", "host", "wins" and "bcast". They cause names to be resolved +as follows : olmhosts : Lookup an IP address in the Samba lmhosts file. +The lmhosts file is stored in the same directory as the smb.conf file. ohost +: Do a standard host name to IP address resolution, using the system /etc/hosts, +NIS, or DNS lookups. This method of name resolution is operating system +depended for instance on IRIX or Solaris this may be controlled by the +/etc/nsswitch.conf file). owins : Query a name with the IP address listed +in the wins server parameter in the smb.conf file. If no WINS server has +been specified this method will be ignored. obcast : Do a broadcast on each +of the known local interfaces listed in the interfaces parameter in the +smb.conf file. 
This is the least reliable of the name resolution methods +as it depends on the target host being on a locally connected subnet. If +this parameter is not set then the name resolve order defined in the smb.conf +file parameter (name resolve order) will be used. The default order is +lmhosts, host, wins, bcast and without this parameter or any entry in the +"name resolve order" parameter of the smb.conf file the name resolution +methods will be attempted in this order. -M NetBIOS nameThis options allows +you to send messages, using the "WinPopup" protocol, to another computer. +Once a connection is established you then type your message, pressing ^D +(control-D) to end. If the receiving computer is running WinPopup the user +will receive the message and probably a beep. If they are not running WinPopup +the message will be lost, and no error message will occur. The message is +also automatically truncated if the message is over 1600 bytes, as this +is the limit of the protocol. One useful trick is to cat the message through +smbclient. For example: CWcat mymessage.txt | smbclient -M FRED will send the +message in the file mymessage.txt to the machine FRED. You may also find +the -U and -I options useful, as they allow you to control the FROM and TO +parts of the message. See the message command parameter in the smb.conf (5) +for a description of how to handle incoming WinPopup messages in Samba. +Note: Copy WinPopup into the startup group on your WfWg PCs if you want +them to always be able to receive messages. -i scopeThis specifies a NetBIOS +scope that smbclient will use to communicate with when generating NetBIOS +names. For details on the use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt. +NetBIOS scopes are very rarely used, only set this parameter if you are +the system administrator in charge of all the NetBIOS systems you communicate +with. -NIf specified, this parameter suppresses the normal password prompt +from the client to the user. 
This is useful when accessing a service that +does not require a password. Unless a password is specified on the command +line or this parameter is specified, the client will request a password. +-n NetBIOS nameBy default, the client will use the local machine's hostname +(in uppercase) as its NetBIOS name. This parameter allows you to override +the host name and use whatever NetBIOS name you wish. -d debugleveldebuglevel +is an integer from 0 to 10, or the letter 'A'. The default value if this parameter +is not specified is zero. The higher this value, the more detail will be +logged to the log files about the activities of the client. At level 0, +only critical errors and serious warnings will be logged. Level 1 is a reasonable +level for day to day running - it generates a small amount of information +about operations carried out. Levels above 1 will generate considerable +amounts of log data, and should only be used when investigating a problem. +Levels above 3 are designed for use only by developers and generate HUGE +amounts of log data, most of which is extremely cryptic. If debuglevel is +set to the letter 'A', then all debug messages will be printed. This setting +is for developers only (and people who really want to know how the code +works internally). Note that specifying this parameter here will override +the log level parameter in the smb.conf (5) file. -PThis option is no longer +used. The code in Samba2.0 now lets the server decide the device type, so +no printer specific flag is needed. -p portThis number is the TCP port number +that will be used when making connections to the server. The standard (well-known) +TCP port number for an SMB/CIFS server is 139, which is the default. -l logfilenameIf +specified, logfilename specifies a base filename into which operational +data from the running client will be logged. The default base name is specified +at compile time. The base name is used to generate actual log file names. 
+For example, if the name specified was "log", the debug file would be CWlog.client. +The log file generated is never removed by the client. -hPrint the usage +message for the client. -I IP addressIP address is the address of the server +to connect to. It should be specified in standard "a.b.c.d" notation. Normally +the client would attempt to locate a named SMB/CIFS server by looking it +up via the NetBIOS name resolution mechanism described above in the name +resolve order parameter above. Using this parameter will force the client +to assume that the server is on the machine with the specified IP address +and the NetBIOS name component of the resource being connected to will +be ignored. There is no default for this parameter. If not supplied, it will +be determined automatically by the client as described above. -EThis parameter +causes the client to write messages to the standard error stream (stderr) +rather than to the standard output stream. By default, the client writes +messages to standard output - typically the user's tty. -U usernameThis specifies +the user name that will be used by the client to make a connection, assuming +your server is not a downlevel server that is running a protocol level +that uses passwords on shares, not on usernames. Some servers are fussy +about the case of this name, and some insist that it must be a valid NetBIOS +name. If no username is supplied, it will default to an uppercase version +of the environment variable CWUSER or CWLOGNAME in that order. If no username +is supplied and neither environment variable exists the username "GUEST" +will be used. If the CWUSER environment variable contains a '%' character, +everything after that will be treated as a password. This allows you to +set the environment variable to be CWUSER=username%password so that a password +is not passed on the command line (where it may be seen by the ps command). 
+You can specify a domain name as part of the username by using a username +of the form "DOMAIN/user" or "DOMAIN\user". If the service you are connecting +to requires a password, it can be supplied using the -U option, by appending +a percent symbol ("%") then the password to username. For example, to attach +to a service as user CW"fred" with password CW"secret", you would specify. + +CW-U fred%secret +on the command line. Note that there are no spaces around the percent symbol. +If you specify the password as part of username then the -N option (suppress +password prompt) is assumed. If you specify the password as a parameter +AND as part of username then the password as part of username will take +precedence. Putting nothing before or nothing after the percent symbol will +cause an empty username or an empty password to be used, respectively. The +password may also be specified by setting up an environment variable called +CWPASSWD that contains the users password. Note that this may be very insecure +on some systems but on others allows users to script smbclient commands +without having a password appear in the command line of a process listing. +A third option is to use a credentials file which contains the plaintext +of the username and password. This option is mainly provided for scripts +where the admin doesn't desire to pass the credentials on the command line +or via environment variables. If this method is used, make certain that +the permissions on the file restrict access from unwanted users. See the +-A for more details. Note: Some servers (including OS/2 and Windows for Workgroups) +insist on an uppercase password. Lowercase or mixed case passwords may be +rejected by these servers. Be cautious about including passwords in scripts +or in the CWPASSWD environment variable. Also, on many systems the command +line of a running process may be seen via the CWps command to be safe always +allow smbclient to prompt for a password and type it in directly. 
-A This +option allows you to specify a file from which to read the username and +password used in the connection. The format of the file is CWusername = + +CWpassword = +The +backslash ("\") indicates the current working directory on the server, and +will change if the current working directory is changed. +The prompt indicates +that the client is ready and waiting to carry out a user command. Each command +is a single word, optionally followed by parameters specific to that command. +Command and parameters are space-delimited unless these notes specifically +state otherwise. All commands are case-insensitive. Parameters to commands +may or may not be case sensitive, depending on the command. +You can specify +file names which have spaces in them by quoting the name with double quotes, +for example "a long file name". +Parameters shown in square brackets (e.g., +"[parameter]") are optional. If not given, the command will use suitable +defaults. Parameters shown in angle brackets (e.g., "") are required. + +Note that all commands operating on the server are actually performed by +issuing a request to the server. Thus the behavior may vary from server +to server, depending on how the server was implemented. +The commands available +are given here in alphabetical order. +? [command]If "command" is specified, +the ? command will display a brief informative message about the specified +command. If no command is specified, a list of available commands will +be displayed. ! [shell command]If "shell command" is specified, the ! command +will execute a shell locally and run the specified shell command. If no +command is specified, a local shell will be run. cd [directory name]If "directory +name" is specified, the current working directory on the server will be +changed to the directory specified. This operation will fail if for any +reason the specified directory is inaccessible. 
If no directory name is +specified, the current working directory on the server will be reported. +del The client will request that the server attempt to delete all files +matching "mask" from the current working directory on the server. dir A +list of the files matching "mask" in the current working directory on the +server will be retrieved from the server and displayed. exitTerminate the +connection with the server and exit from the program. get +[local file name]Copy the file called "remote file name" from the server +to the machine running the client. If specified, name the local copy "local +file name". Note that all transfers in smbclient are binary. See also the +lowercase command. help [command]See the ? command above. lcd [directory +name]If "directory name" is specified, the current working directory on +the local machine will be changed to the directory specified. This operation +will fail if for any reason the specified directory is inaccessible. If +no directory name is specified, the name of the current working directory +on the local machine will be reported. lowercaseToggle lowercasing of filenames +for the get and mget commands. When lowercasing is toggled ON, local filenames +are converted to lowercase when using the get and mget commands. This is +often useful when copying (say) MSDOS files from a server, because lowercase +filenames are the norm on UNIX systems. ls See the dir command above. +mask This command allows the user to set up a mask which will be used +during recursive operation of the mget and mput commands. The masks specified +to the mget and mput commands act as filters for directories rather than +files when recursion is toggled ON. The mask specified with the .B mask command +is necessary to filter files within those directories. 
For example, if the +mask specified in an mget command is "source*" and the mask specified with +the mask command is "*.c" and recursion is toggled ON, the mget command +will retrieve all files matching "*.c" in all directories below and including +all directories matching "source*" in the current working directory. Note +that the value for mask defaults to blank (equivalent to "*") and remains +so until the mask command is used to change it. It retains the most recently +specified value indefinitely. To avoid unexpected results it would be wise +to change the value of .I mask back to "*" after using the mget or mput +commands. md See the mkdir command. mget Copy all files +matching mask from the server to the machine running the client. Note that +mask is interpreted differently during recursive operation and non-recursive +operation - refer to the recurse and mask commands for more information. +Note that all transfers in .B smbclient are binary. See also the lowercase +command. mkdir Create a new directory on the server (user +access privileges permitting) with the specified name. mput Copy all +files matching mask in the current working directory on the local machine +to the current working directory on the server. Note that mask is interpreted +differently during recursive operation and non-recursive operation - refer +to the recurse and mask commands for more information. Note that all transfers +in .B smbclient are binary. print Print the specified file from +the local machine through a printable service on the server. See also the +printmode command. printmode Set the print mode to suit +either binary data (such as graphical information) or text. Subsequent print +commands will use the currently set print mode. promptToggle prompting for +filenames during operation of the mget and mput commands. When toggled ON, +the user will be prompted to confirm the transfer of each file during these +commands. 
When toggled OFF, all specified files will be transferred without +prompting. put [remote file name]Copy the file called "local +file name" from the machine running the client to the server. If specified, +name the remote copy "remote file name". Note that all transfers in smbclient +are binary. See also the lowercase command. queueDisplays the print queue, +showing the job id, name, size and current status. quitSee the exit command. +rd See the rmdir command. recurseToggle directory recursion +for the commands mget and mput. When toggled ON, these commands will process +all directories in the source directory (i.e., the directory they are copying +.IR from ) and will recurse into any that match the mask specified to the +command. Only files that match the mask specified using the mask command +will be retrieved. See also the mask command. When recursion is toggled OFF, +only files from the current working directory on the source machine that +match the mask specified to the mget or mput commands will be copied, and +any mask specified using the mask command will be ignored. rm Remove +all files matching mask from the current working directory on the server. +rmdir Remove the specified directory (user access privileges +permitting) from the server. tar [IXbgNa]Performs a tar operation - see +the -T command line option above. Behavior may be affected by the tarmode +command (see below). Using g (incremental) and N (newer) will affect tarmode +settings. Note that using the "-" option with tar x may not work - use the +command line option instead. blocksize Blocksize. Must be followed +by a valid (greater than zero) blocksize. Causes tar file to be written +out in blocksize*TBLOCK (usually 512 byte) blocks. tarmode Changes +tar's behavior with regard to archive bits. In full mode, tar will back up +everything regardless of the archive bit setting (this is the default mode). +In incremental mode, tar will only back up files with the archive bit set. 
+In reset mode, tar will reset the archive bit on all files it backs up +(implies read/write share). setmode A version of the +DOS attrib command to set file permissions. For example: CWsetmode myfile ++r would make myfile read only. +Notes +Some servers are fussy about the case +of supplied usernames, passwords, share names (AKA service names) and machine +names. If you fail to connect try giving all parameters in uppercase. +It +is often necessary to use the -n option when connecting to some types of +servers. For example OS/2 LanManager insists on a valid NetBIOS name being +used, so you need to supply a valid name that would be known to the server. + +smbclient supports long file names where the server supports the LANMAN2 +protocol or above. +Environment Variables +The variable USER may contain the +username of the person using the client. This information is used only +if the protocol level is high enough to support session-level passwords. + +The variable PASSWD may contain the password of the person using the client. + This information is used only if the protocol level is high enough to +support session-level passwords. +Installation +The location of the client program +is a matter for individual system administrators. The following are thus +suggestions only. +It is recommended that the smbclient software be installed +in the /usr/local/samba/bin or /usr/samba/bin directory, this directory +readable by all, writeable only by root. The client program itself should +be executable by all. The client should NOT be setuid or setgid! +The client +log files should be put in a directory readable and writeable only by the +user. +To test the client, you will need to know the name of a running SMB/CIFS +server. It is possible to run smbd (8) an ordinary user - running that server +as a daemon on a user-accessible port (typically any port number over 1024) +would provide a suitable test server. 
+Diagnostics +Most diagnostics issued +by the client are logged in a specified log file. The log file name is specified +at compile time, but may be overridden on the command line. +The number and +nature of diagnostics available depends on the debug level used by the +client. If you have problems, set the debug level to 3 and peruse the log +files. +Version +This man page is correct for version 2.0 of the Samba suite. + +Author +The original Samba software and related utilities were created by +Andrew Tridgell samba@samba.org. Samba is now developed by the Samba Team +as an Open Source project similar to the way the Linux kernel is developed. + +The original Samba man pages were written by Karl Auer. The man page sources +were converted to YODL format (another excellent piece of Open Source software, +available at ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba2.0 +release by Jeremy Allison. samba@samba.org. +See samba (7) to find out how +to get a full list of contributors and details on how to submit bug reports, +comments etc. \ No newline at end of file diff --git a/docs/docbook/manpages/smbpasswd.5.sgml b/docs/docbook/manpages/smbpasswd.5.sgml new file mode 100644 index 0000000000..95495000f3 --- /dev/null +++ b/docs/docbook/manpages/smbpasswd.5.sgml 
@@ -0,0 +1,136 @@ + +Namesmbpasswd - The Samba encrypted password file +Synopsis +smbpasswd is the +Samba encrypted password file. +Description +This file is part of the Samba +suite. +smbpasswd is the Samba encrypted password file. It contains the username, +Unix user id and the SMB hashed passwords of the user, as well as account +flag information and the time the password was last changed. This file format +has been evolving with Samba and has had several different formats in the +past. +File Format +The format of the smbpasswd file used by Samba 2.0 is very +similar to the familiar Unix passwd (5) file. It is an ASCII file containing +one line for each user. Each field within each line is separated from the +next by a colon. Any entry beginning with # is ignored. The smbpasswd file +contains the following information for each user: +name + +This is the user name. It must be a name that already exists in the standard +UNIX passwd file. uid + +This is the UNIX uid. It must match the uid field for the same user entry +in the standard UNIX passwd file. If this does not match then Samba will +refuse to recognize this smbpasswd file entry as being valid for a user. +Lanman Password Hash + +This is the LANMAN hash of the users password, encoded as 32 hex digits. +The LANMAN hash is created by DES encrypting a well known string with the +users password as the DES key. This is the same password used by Windows +95/98 machines. Note that this password hash is regarded as weak as it is +vulnerable to dictionary attacks and if two users choose the same password +this entry will be identical (i.e. the password is not "salted" as the UNIX +password is). If the user has a null password this field will contain the +characters CW"NO PASSWORD" as the start of the hex string. If the hex string +is equal to 32 CW'X' characters then the users account is marked as disabled +and the user will not be able to log onto the Samba server. WARNING !!. 
Note +that, due to the challenge-response nature of the SMB/CIFS authentication +protocol, anyone with a knowledge of this password hash will be able to +impersonate the user on the network. For this reason these hashes are known +as "plain text equivalent" and must NOT be made available to anyone but +the root user. To protect these passwords the smbpasswd file is placed in +a directory with read and traverse access only to the root user and the +smbpasswd file itself must be set to be read/write only by root, with no +other access. NT Password Hash + +This is the Windows NT hash of the users password, encoded as 32 hex digits. +The Windows NT hash is created by taking the users password as represented +in 16-bit, little-endian UNICODE and then applying the MD4 (internet rfc1321) +hashing algorithm to it. This password hash is considered more secure than +the Lanman Password Hash as it preserves the case of the password and uses +a much higher quality hashing algorithm. However, it is still the case that +if two users choose the same password this entry will be identical (i.e. +the password is not "salted" as the UNIX password is). WARNING !!. Note that, +due to the challenge-response nature of the SMB/CIFS authentication protocol, +anyone with a knowledge of this password hash will be able to impersonate +the user on the network. For this reason these hashes are known as "plain +text equivalent" and must NOT be made available to anyone but the root +user. To protect these passwords the smbpasswd file is placed in a directory +with read and traverse access only to the root user and the smbpasswd file +itself must be set to be read/write only by root, with no other access. +Account Flags + +This section contains flags that describe the attributes of the users account. +In the Samba2.0 release this field is bracketed by CW'[' and CW']' characters +and is always 13 characters in length (including the CW'[' and CW']' characters). 
+The contents of this field may be any of the characters. o'U' This means this +is a "User" account, i.e. an ordinary user. Only User and Workstation Trust +accounts are currently supported in the smbpasswd file. o'N' This means the +account has no password (the passwords in the fields Lanman Password Hash +and NT Password Hash are ignored). Note that this will only allow users +to log on with no password if the null passwords parameter is set in the +smb.conf (5) config file. o'D' This means the account is disabled and no SMB/CIFS +logins will be allowed for this user. o'W' This means this account is a "Workstation +Trust" account. This kind of account is used in the Samba PDC code stream +to allow Windows NT Workstations and Servers to join a Domain hosted by +a Samba PDC. Other flags may be added as the code is extended in future. +The rest of this field space is filled in with spaces. Last Change Time + +This field consists of the time the account was last modified. It consists +of the characters CWLCT- (standing for "Last Change Time") followed by a +numeric encoding of the UNIX time in seconds since the epoch (1970) that +the last change was made. Following fields + +All other colon separated fields are ignored at this time. +Notes +In previous +versions of Samba (notably the 1.9.18 series) this file did not contain the +Account Flags or Last Change Time fields. The Samba 2.0 code will read and +write these older password files but will not be able to modify the old +entries to add the new fields. New entries added with smbpasswd (8) will +contain the new fields in the added accounts however. Thus an older smbpasswd +file used with Samba 2.0 may end up with some accounts containing the new +fields and some not. 
+In order to convert from an old-style smbpasswd file +to a new style, run the script convert_smbpasswd, installed in the Samba +CWbin/ directory (the same place that the smbd and nmbd binaries are installed) +as follows: + + + + + + cat old_smbpasswd_file | convert_smbpasswd > new_smbpasswd_file + + + + + +The convert_smbpasswd script reads from stdin and writes to stdout so +as not to overwrite any files by accident. +Once this script has been run, +check the contents of the new smbpasswd file to ensure that it has not +been damaged by the conversion script (which uses awk), and then replace +the CW with the CW. +Version +This man +page is correct for version 2.0 of the Samba suite. +See Also +smbpasswd (8), +samba (7), and the Internet RFC1321 for details on the MD4 algorithm. +Author +The +original Samba software and related utilities were created by Andrew Tridgell +samba@samba.org. Samba is now developed by the Samba Team as an Open Source +project similar to the way the Linux kernel is developed. +The original Samba +man pages were written by Karl Auer. The man page sources were converted +to YODL format (another excellent piece of Open Source software, available +at ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba2.0 release by +Jeremy Allison, samba@samba.org. +See samba (7) to find out how to get a full +list of contributors and details on how to submit bug reports, comments +etc. \ No newline at end of file diff --git a/docs/docbook/manpages/smbpasswd.8.sgml b/docs/docbook/manpages/smbpasswd.8.sgml new file mode 100644 index 0000000000..15cb6ffff1 --- /dev/null +++ b/docs/docbook/manpages/smbpasswd.8.sgml 
@@ -0,0 +1,165 @@ + +Namesmbpasswd - change a users SMB password +Synopsis +smbpasswd [-a] [-x] [-d] +[-e] [-D debug level] [-n] [-r remote_machine] [-R name resolve order] [-m] [-j +DOMAIN] [-U username] [-h] [-s] username +Description +This program is part of +the Samba suite. +The smbpasswd program has several different functions, +depending on whether it is run by the root user or not. When run as a normal +user it allows the user to change the password used for their SMB sessions +on any machines that store SMB passwords. +By default (when run with no arguments) +it will attempt to change the current users SMB password on the local machine. +This is similar to the way the passwd (1) program works. smbpasswd differs +from how the passwd program works however in that it is not setuid root +but works in a client-server mode and communicates with a locally running +smbd. As a consequence in order for this to succeed the smbd daemon must +be running on the local machine. On a UNIX machine the encrypted SMB passwords +are usually stored in the smbpasswd (5) file. +When run by an ordinary user +with no options. smbpasswd will prompt them for their old smb password and +then ask them for their new password twice, to ensure that the new password +was typed correctly. No passwords will be echoed on the screen whilst being +typed. If you have a blank smb password (specified by the string "NO PASSWORD" +in the smbpasswd file) then just press the key when asked for your +old password. +smbpasswd can also be used by a normal user to change their +SMB password on remote machines, such as Windows NT Primary Domain Controllers. +See the (-r) and -U options below. +When run by root, smbpasswd allows new +users to be added and deleted in the smbpasswd file, as well as allows +changes to the attributes of the user in this file to be made. When run +by root, smbpasswd accesses the local smbpasswd file directly, thus enabling +changes to be made even if smbd is not running. 
+Options +-aThis option specifies +that the username following should be added to the local smbpasswd file, +with the new password typed (type for the old password). This option +is ignored if the username following already exists in the smbpasswd file +and it is treated like a regular change password command. Note that the +user to be added must already exist in the system password file (usually +/etc/passwd) else the request to add the user will fail. This option is +only available when running smbpasswd as root. -xThis option specifies that +the username following should be deleted from the local smbpasswd file. +This option is only available when running smbpasswd as root. -dThis option +specifies that the username following should be disabled in the local smbpasswd +file. This is done by writing a 'D' flag into the account control space in +the smbpasswd file. Once this is done all attempts to authenticate via SMB +using this username will fail. If the smbpasswd file is in the 'old' format +(pre-Samba 2.0 format) there is no space in the users password entry to write +this information and so the user is disabled by writing 'X' characters into +the password space in the smbpasswd file. See smbpasswd (5) for details +on the 'old' and new password file formats. This option is only available +when running smbpasswd as root. -eThis option specifies that the username +following should be enabled in the local smbpasswd file, if the account +was previously disabled. If the account was not disabled this option has +no effect. Once the account is enabled then the user will be able to authenticate +via SMB once again. If the smbpasswd file is in the 'old' format then smbpasswd +will prompt for a new password for this user, otherwise the account will +be enabled by removing the 'D' flag from account control space in the smbpasswd +file. See smbpasswd (5) for details on the 'old' and new password file formats. +This option is only available when running smbpasswd as root. 
-D debugleveldebuglevel +is an integer from 0 to 10. The default value if this parameter is not +specified is zero. The higher this value, the more detail will be logged +to the log files about the activities of smbpasswd. At level 0, only critical +errors and serious warnings will be logged. Levels above 1 will generate +considerable amounts of log data, and should only be used when investigating +a problem. Levels above 3 are designed for use only by developers and generate +HUGE amounts of log data, most of which is extremely cryptic. -nThis option +specifies that the username following should have their password set to +null (i.e. a blank password) in the local smbpasswd file. This is done by +writing the string "NO PASSWORD" as the first part of the first password +stored in the smbpasswd file. Note that to allow users to logon to a Samba +server once the password has been set to "NO PASSWORD" in the smbpasswd +file the administrator must set the following parameter in the [global] +section of the smb.conf file : null passwords = true This option is only +available when running smbpasswd as root. -r remote machine nameThis option +allows a user to specify what machine they wish to change their password +on. Without this parameter smbpasswd defaults to the local host. The "remote +machine name" is the NetBIOS name of the SMB/CIFS server to contact to +attempt the password change. This name is resolved into an IP address using +the standard name resolution mechanism in all programs of the Samba suite. +See the -R name resolve order parameter for details on changing this resolving +mechanism. The username whose password is changed is that of the current +UNIX logged on user. See the -U username parameter for details on changing +the password for a different username. 
Note that if changing a Windows NT +Domain password the remote machine specified must be the Primary Domain +Controller for the domain (Backup Domain Controllers only have a read-only +copy of the user account database and will not allow the password change). +Note that Windows 95/98 do not have a real password database so it is not +possible to change passwords specifying a Win95/98 machine as remote machine +target. -R name resolve orderThis option allows the user of smbclient to +determine what name resolution services to use when looking up the NetBIOS +name of the host being connected to. The options are :"lmhosts", "host", +"wins" and "bcast". They cause names to be resolved as follows : olmhosts +: Lookup an IP address in the Samba lmhosts file. ohost : Do a standard +host name to IP address resolution, using the system /etc/hosts, NIS, or +DNS lookups. This method of name resolution is operating system dependent. +For instance on IRIX or Solaris, this may be controlled by the /etc/nsswitch.conf +file). owins : Query a name with the IP address listed in the wins server +parameter in the smb.conf file. If no WINS server has been specified this +method will be ignored. obcast : Do a broadcast on each of the known local +interfaces listed in the interfaces parameter in the smb.conf file. This +is the least reliable of the name resolution methods as it depends on the +target host being on a locally connected subnet. If this parameter is not +set then the name resolve order defined in the smb.conf file parameter +name resolve order will be used. The default order is lmhosts, host, wins, +bcast and without this parameter or any entry in the smb.conf file the +name resolution methods will be attempted in this order. -mThis option tells +smbpasswd that the account being changed is a MACHINE account. Currently +this is used when Samba is being used as an NT Primary Domain Controller. 
+PDC support is not a supported feature in Samba2.0 but will become supported +in a later release. If you wish to know more about using Samba as an NT +PDC then please subscribe to the mailing list samba-ntdom@samba.org. This +option is only available when running smbpasswd as root. -j DOMAINThis option +is used to add a Samba server into a Windows NT Domain, as a Domain member +capable of authenticating user accounts to any Domain Controller in the +same way as a Windows NT Server. See the security=domain option in the smb.conf +(5) man page. In order to be used in this way, the Administrator for the +Windows NT Domain must have used the program "Server Manager for Domains" +to add the primary NetBIOS name of the Samba server as a member of the +Domain. After this has been done, to join the Domain invoke smbpasswd with +this parameter. smbpasswd will then look up the Primary Domain Controller +for the Domain (found in the smb.conf file in the parameter password server +and change the machine account password used to create the secure Domain +communication. This password is then stored by smbpasswd in a file, read +only by root, called CW..mac where CW is the name of the +Domain we are joining and CW is the primary NetBIOS name of the +machine we are running on. Once this operation has been performed the smb.conf +file may be updated to set the security=domain option and all future logins +to the Samba server will be authenticated to the Windows NT PDC. Note that +even though the authentication is being done to the PDC all users accessing +the Samba server must still have a valid UNIX account on that machine. This +option is only available when running smbpasswd as root. -U usernameThis +option may only be used in conjunction with the -r option. When changing +a password on a remote machine it allows the user to specify the user name +on that machine whose password will be changed. 
It is present to allow users +who have different user names on different systems to change these passwords. +-hThis option prints the help string for smbpasswd, selecting the correct +one for running as root or as an ordinary user. -sThis option causes smbpasswd +to be silent (i.e. not issue prompts) and to read it's old and new passwords +from standard input, rather than from CW/dev/tty (like the passwd (1) +program does). This option is to aid people writing scripts to drive smbpasswd +usernameThis specifies the username for all of the root only options to +operate on. Only root can specify this parameter as only root has the permission +needed to modify attributes directly in the local smbpasswd file. NotesSince +smbpasswd works in client-server mode communicating with a local smbd for +a non-root user then the smbd daemon must be running for this to work. A +common problem is to add a restriction to the hosts that may access the +smbd running on the local machine by specifying a "allow hosts" or "deny +hosts" entry in the smb.conf file and neglecting to allow "localhost" access +to the smbd. In addition, the smbpasswd command is only useful if Samba +has been set up to use encrypted passwords. See the file ENCRYPTION.txt in +the docs directory for details on how to do this. VersionThis man page is +correct for version 2.0 of the Samba suite. AuthorThe original Samba software +and related utilities were created by Andrew Tridgell samba@samba.org. Samba +is now developed by the Samba Team as an Open Source project similar to +the way the Linux kernel is developed. The original Samba man pages were +written by Karl Auer. The man page sources were converted to YODL format +(another excellent piece of Open Source software, available at ftp://ftp.icce.rug.nl/pub/unix/) +and updated for the Samba2.0 release by Jeremy Allison. samba@samba.org. See +samba (7) to find out how to get a full list of contributors and details +on how to submit bug reports, comments etc. 
\ No newline at end of file -- cgit
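Review bot: in smbclient.1.sgml the command descriptions still carry roff font macros as literal text (".B mask", ".I mask", ".B smbclient", ".IR from )" and "CWsetmode myfile +r"), so they will appear verbatim in the DocBook output; convert each one to the matching DocBook element. The put entry also ends with "See also the lowercase command", but lowercase is described as applying only to get and mget, so that cross-reference looks copied from the get entry and should be dropped. In Installation, "It is possible to run smbd (8) an ordinary user" is missing "as".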
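Review bot: in smbpasswd.5.sgml the NT Password Hash entry cites "MD4 (internet rfc1321)" and See Also repeats "RFC1321 for details on the MD4 algorithm", but RFC 1321 specifies MD5 and MD4 is RFC 1320, so both references need correcting. In the conversion Notes, "then replace the CW with the CW." has lost both file names, which leaves the last step of the procedure undefined; restore the two names. The same "CW" residue precedes "NO PASSWORD", 'X', '[', ']', "LCT-" and "bin/" and should be replaced with proper literal markup.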
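Review bot: in smbpasswd.8.sgml the -j DOMAIN entry names the root-only machine account password file as "CW..mac where CW is the name of the Domain we are joining and CW is the primary NetBIOS name", so the placeholders are gone and a reader cannot tell which file holds the secret; restore the placeholder names, and close the parenthesis opened at "(found in the smb.conf file in the parameter password server". The -R entry says "allows the user of smbclient", which should read smbpasswd. Key names are missing in "then just press the key" and "(type for the old password)", and the -s entry runs straight into the username entry with no full stop after "scripts to drive smbpasswd".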