Penguin
Recent Changes
Blame: smbpasswd(8)
EditPageHistoryDiffInfoLikePages
Annotated edit history of smbpasswd(8) version 1, including all changes. View license author blame.
Rev Author # Line
1 perry 1 SMBPASSWD
2 !!!SMBPASSWD
3 NAME
4 SYNOPSIS
5 DESCRIPTION
6 OPTIONS
7 NOTES
8 VERSION
9 SEE ALSO
10 AUTHOR
11 ----
12 !!NAME
13
14
15 smbpasswd - change a user's SMB password
16 !!SYNOPSIS
17
18
19 __smbpasswd__ [[ __-a__ ] [[ __-x__ ] [[ __-d__ ] [[
20 __-e__ ] [[ __-D debuglevel__ ] [[ __-n__ ] [[ __-r
21 __ ] [[ __-R
22 __ ] [[ __-m__ ] [[ __-j DOMAIN__ ] [[ __-U
23 username[[%password]__ ] [[ __-h__ ] [[ __-s__ ] [[
24 __-w pass__ ] [[ __username__ ]
25 !!DESCRIPTION
26
27
28 This tool is part of the Sambasuite.
29
30
31 The smbpasswd program has several different functions,
32 depending on whether it is run by the __root__ user or
33 not. When run as a normal user it allows the user to change
34 the password used for their SMB sessions on any machines
35 that store SMB passwords.
36
37
38 By default (when run with no arguments) it will attempt to
39 change the current user's SMB password on the local machine.
40 This is similar to the way the __passwd(1)__ program
41 works. __smbpasswd__ differs from how the passwd program
42 works however in that it is not __setuid root__ but works
43 in a client-server mode and communicates with a locally
44 running __smbd(8)__. As a consequence in order for this
45 to succeed the smbd daemon must be running on the local
46 machine. On a UNIX machine the encrypted SMB passwords are
47 usually stored in the ''smbpasswd(5)'' file.
48
49
50 When run by an ordinary user with no options. smbpasswd will
51 prompt them for their old SMB password and then ask them for
52 their new password twice, to ensure that the new password
53 was typed correctly. No passwords will be echoed on the
54 screen whilst being typed. If you have a blank SMB password
55 (specified by the string
56
57
58 smbpasswd can also be used by a normal user to change their
59 SMB password on remote machines, such as Windows NT Primary
60 Domain Controllers. See the (-r) and -U options
61 below.
62
63
64 When run by root, smbpasswd allows new users to be added and
65 deleted in the smbpasswd file, as well as allows changes to
66 the attributes of the user in this file to be made. When run
67 by root, __smbpasswd__ accesses the local smbpasswd file
68 directly, thus enabling changes to be made even if smbd is
69 not running.
70 !!OPTIONS
71
72
73 __-a__
74
75
76 This option specifies that the username following should be
77 added to the local smbpasswd file, with the new password
78 typed (type
79 /etc/passwd'') else the request to add the user will
80 fail.
81
82
83 This option is only available when running smbpasswd as
84 root.
85
86
87 __-x__
88
89
90 This option specifies that the username following should be
91 deleted from the local smbpasswd file.
92
93
94 This option is only available when running smbpasswd as
95 root.
96
97
98 __-d__
99
100
101 This option specifies that the username following should be
102 disabled in the local smbpasswd file. This is done by
103 writing a 'D' flag into the account control space in the
104 smbpasswd file. Once this is done all attempts to
105 authenticate via SMB using this username will
106 fail.
107
108
109 If the smbpasswd file is in the 'old' format (pre-Samba 2.0
110 format) there is no space in the user's password entry to
111 write this information and so the user is disabled by
112 writing 'X' characters into the password space in the
113 smbpasswd file. See __smbpasswd(5)__ for details on the
114 'old' and new password file formats.
115
116
117 This option is only available when running smbpasswd as
118 root.
119
120
121 __-e__
122
123
124 This option specifies that the username following should be
125 enabled in the local smbpasswd file, if the account was
126 previously disabled. If the account was not disabled this
127 option has no effect. Once the account is enabled then the
128 user will be able to authenticate via SMB once
129 again.
130
131
132 If the smbpasswd file is in the 'old' format, then
133 __smbpasswd__ will prompt for a new password for this
134 user, otherwise the account will be enabled by removing the
135 'D' flag from account control space in the ''smbpasswd''
136 file. See __smbpasswd (5)__ for details on the 'old' and
137 new password file formats.
138
139
140 This option is only available when running smbpasswd as
141 root.
142
143
144 __-D debuglevel__
145
146
147 ''debuglevel'' is an integer from 0 to 10. The default
148 value if this parameter is not specified is
149 zero.
150
151
152 The higher this value, the more detail will be logged to the
153 log files about the activities of smbpasswd. At level 0,
154 only critical errors and serious warnings will be
155 logged.
156
157
158 Levels above 1 will generate considerable amounts of log
159 data, and should only be used when investigating a problem.
160 Levels above 3 are designed for use only by developers and
161 generate HUGE amounts of log data, most of which is
162 extremely cryptic.
163
164
165 __-n__
166
167
168 This option specifies that the username following should
169 have their password set to null (i.e. a blank password) in
170 the local smbpasswd file. This is done by writing the string
171
172
173 Note that to allow users to logon to a Samba server once the
174 password has been set to
175 smb.conf''
176 file :
177
178
179 __null passwords = yes__
180
181
182 This option is only available when running smbpasswd as
183 root.
184
185
186 __-r remote machine name__
187
188
189 This option allows a user to specify what machine they wish
190 to change their password on. Without this parameter
191 smbpasswd defaults to the local host. The ''remote machine
192 name'' is the NetBIOS name of the SMB/CIFS server to
193 contact to attempt the password change. This name is
194 resolved into an IP address using the standard name
195 resolution mechanism in all programs of the Samba suite. See
196 the ''-R name resolve order'' parameter for details on
197 changing this resolving mechanism.
198
199
200 The username whose password is changed is that of the
201 current UNIX logged on user. See the ''-U username''
202 parameter for details on changing the password for a
203 different username.
204
205
206 Note that if changing a Windows NT Domain password the
207 remote machine specified must be the Primary Domain
208 Controller for the domain (Backup Domain Controllers only
209 have a read-only copy of the user account database and will
210 not allow the password change).
211
212
213 __Note__ that Windows 95/98 do not have a real password
214 database so it is not possible to change passwords
215 specifying a Win95/98 machine as remote machine
216 target.
217
218
219 __-R name resolve order__
220
221
222 This option allows the user of smbpasswd to determine what
223 name resolution services to use when looking up the NetBIOS
224 name of the host being connected to.
225
226
227 The options are :
228
229
230 lmhosts : Lookup an IP address in the Samba lmhosts file. If
231 the line in lmhosts has no name type attached to the NetBIOS
232 name (see the lmhosts(5)for details) then any name type
233 matches for lookup.
234
235
236 host : Do a standard host name to IP address resolution,
237 using the system ''/etc/hosts'' , NIS, or DNS lookups.
238 This method of name resolution is operating system depended
239 for instance on IRIX or Solaris this may be controlled by
240 the ''/etc/nsswitch.conf'' file). Note that this method
241 is only used if the NetBIOS name type being queried is the
242 0x20 (server) name type, otherwise it is
243 ignored.
244
245
246 wins : Query a name with the IP address listed in the
247 ''wins server'' parameter. If no WINS server has been
248 specified this method will be ignored.
249
250
251 bcast : Do a broadcast on each of the known local interfaces
252 listed in the ''interfaces'' parameter. This is the least
253 reliable of the name resolution methods as it depends on the
254 target host being on a locally connected
255 subnet.
256
257
258 The default order is __lmhosts, host, wins, bcast__ and
259 without this parameter or any entry in the ''smb.conf''
260 file the name resolution methods will be attempted in this
261 order.
262
263
264 __-m__
265
266
267 This option tells smbpasswd that the account being changed
268 is a MACHINE account. Currently this is used when Samba is
269 being used as an NT Primary Domain Controller.
270
271
272 This option is only available when running smbpasswd as
273 root.
274
275
276 __-j DOMAIN__
277
278
279 This option is used to add a Samba server into a Windows NT
280 Domain, as a Domain member capable of authenticating user
281 accounts to any Domain Controller in the same way as a
282 Windows NT Server. See the __security = domain__ option
283 in the ''smb.conf(5)'' man page.
284
285
286 This command can work both with and without the -U
287 parameter.
288
289
290 When invoked with -U, that username (and optional password)
291 are used to contact the PDC (which must be specified with
292 -r) to both create a machine account, and to set a password
293 on it.
294
295
296 Alternately, if -U is omitted, Samba will contact its PDC
297 and attempt to change the password on a pre-existing
298 account.
299
300
301 In order to be used in this way, the Administrator for the
302 Windows NT Domain must have used the program
303
304
305 After this has been done, to join the Domain invoke
306 __smbpasswd__ with this parameter. smbpasswd will then
307 look up the Primary Domain Controller for the Domain (found
308 in the ''smb.conf'' file in the parameter ''password
309 server'' and change the machine account password used to
310 create the secure Domain communication.
311
312
313 Either way, this password is then stored by smbpasswd in a
314 TDB, writeable only by root, called
315 ''secrets.tdb''
316
317
318 Once this operation has been performed the ''smb.conf''
319 file may be updated to set the __security = domain__
320 option and all future logins to the Samba server will be
321 authenticated to the Windows NT PDC.
322
323
324 Note that even though the authentication is being done to
325 the PDC all users accessing the Samba server must still have
326 a valid UNIX account on that machine. The __winbindd(8)__
327 daemon can be used to create UNIX accounts for NT
328 users.
329
330
331 This option is only available when running smbpasswd as
332 root.
333
334
335 __-U username__
336
337
338 This option may only be used in conjunction with the
339 ''-r'' option. When changing a password on a remote
340 machine it allows the user to specify the user name on that
341 machine whose password will be changed. It is present to
342 allow users who have different user names on different
343 systems to change these passwords.
344
345
346 In particular, this parameter specifies the username used to
347 create the machine account when invoked with -j
348
349
350 __-h__
351
352
353 This option prints the help string for __smbpasswd__,
354 selecting the correct one for running as root or as an
355 ordinary user.
356
357
358 __-s__
359
360
361 This option causes smbpasswd to be silent (i.e. not issue
362 prompts) and to read its old and new passwords from standard
363 input, rather than from ''/dev/tty'' (like the
364 __passwd(1)__ program does). This option is to aid people
365 writing scripts to drive smbpasswd
366
367
368 __-w password__
369
370
371 This parameter is only available is Samba has been
372 configured to use the experimental __--with-ldapsam__
373 option. The ''-w'' switch is used to specify the password
374 to be used with the ''ldap admin dn''. Note that the
375 password is stored in the ''private/secrets.tdb'' and is
376 keyed off of the admin's DN. This means that if the value of
377 ''ldap admin dn'' ever changes, the password will beed to
378 be manually updated as well.
379
380
381 __username__
382
383
384 This specifies the username for all of the __root only__
385 options to operate on. Only root can specify this parameter
386 as only root has the permission needed to modify attributes
387 directly in the local smbpasswd file.
388 !!NOTES
389
390
391 Since __smbpasswd__ works in client-server mode
392 communicating with a local smbd for a non-root user then the
393 smbd daemon must be running for this to work. A common
394 problem is to add a restriction to the hosts that may access
395 the __smbd__ running on the local machine by specifying a
396 ''allow hosts'' or ''deny hosts'' entry in the
397 ''smb.conf'' file and neglecting to allow
398 ''
399
400
401 In addition, the smbpasswd command is only useful if Samba
402 has been set up to use encrypted passwords. See the file
403 ''ENCRYPTION.txt'' in the docs directory for details on
404 how to do this.
405 !!VERSION
406
407
408 This man page is correct for version 2.2 of the Samba
409 suite.
410 !!SEE ALSO
411
412
413 ''smbpasswd(5)'', samba(7)
414 !!AUTHOR
415
416
417 The original Samba software and related utilities were
418 created by Andrew Tridgell. Samba is now developed by the
419 Samba Team as an Open Source project similar to the way the
420 Linux kernel is developed.
421
422
423 The original Samba man pages were written by Karl Auer. The
424 man page sources were converted to YODL format (another
425 excellent piece of Open Source software, available at
426 ftp://ftp.icce.rug.nl/pub/unix/
427 ----
This page is a man page (or other imported legacy content). We are unable to automatically determine the license status of this page.