version 1 showing authors affecting page license.
Rev 1, author: perry

SMBPASSWD
!!!SMBPASSWD
NAME
SYNOPSIS
DESCRIPTION
OPTIONS
NOTES
VERSION
SEE ALSO
AUTHOR
----
!!NAME

smbpasswd - change a user's SMB password
!!SYNOPSIS

__smbpasswd__ [[ __-a__ ] [[ __-x__ ] [[ __-d__ ] [[ __-e__ ] [[ __-D debuglevel__ ] [[ __-n__ ] [[ __-r __ ] [[ __-R __ ] [[ __-m__ ] [[ __-j DOMAIN__ ] [[ __-U username[[%password]__ ] [[ __-h__ ] [[ __-s__ ] [[ __-w pass__ ] [[ __username__ ]
!!DESCRIPTION

This tool is part of the Samba suite.

The smbpasswd program has several different functions,
depending on whether it is run by the __root__ user or
not. When run as a normal user it allows the user to change
the password used for their SMB sessions on any machines
that store SMB passwords.

By default (when run with no arguments) it will attempt to
change the current user's SMB password on the local machine.
This is similar to the way the __passwd(1)__ program
works. __smbpasswd__ differs from the passwd program,
however, in that it is not __setuid root__ but works
in a client-server mode and communicates with a locally
running __smbd(8)__. As a consequence, in order for this
to succeed the smbd daemon must be running on the local
machine. On a UNIX machine the encrypted SMB passwords are
usually stored in the ''smbpasswd(5)'' file.

When run by an ordinary user with no options, smbpasswd will
prompt them for their old SMB password and then ask them for
their new password twice, to ensure that the new password
was typed correctly. No passwords will be echoed on the
screen whilst being typed. If you have a blank SMB password
(specified by the string

smbpasswd can also be used by a normal user to change their
SMB password on remote machines, such as Windows NT Primary
Domain Controllers. See the (-r) and -U options
below.

When run by root, smbpasswd allows new users to be added to and
deleted from the smbpasswd file, and allows the attributes of
a user in this file to be changed. When run
by root, __smbpasswd__ accesses the local smbpasswd file
directly, thus enabling changes to be made even if smbd is
not running.
!!OPTIONS

__-a__

This option specifies that the username following should be
added to the local smbpasswd file, with the new password
typed (type
/etc/passwd'') else the request to add the user will
fail.

This option is only available when running smbpasswd as
root.

__-x__

This option specifies that the username following should be
deleted from the local smbpasswd file.

This option is only available when running smbpasswd as
root.

__-d__

This option specifies that the username following should be
disabled in the local smbpasswd file. This is done by
writing a 'D' flag into the account control space in the
smbpasswd file. Once this is done all attempts to
authenticate via SMB using this username will
fail.

If the smbpasswd file is in the 'old' format (pre-Samba 2.0
format) there is no space in the user's password entry to
write this information and so the user is disabled by
writing 'X' characters into the password space in the
smbpasswd file. See __smbpasswd(5)__ for details on the
'old' and new password file formats.

This option is only available when running smbpasswd as
root.

__-e__

This option specifies that the username following should be
enabled in the local smbpasswd file, if the account was
previously disabled. If the account was not disabled this
option has no effect. Once the account is enabled then the
user will be able to authenticate via SMB once
again.

If the smbpasswd file is in the 'old' format, then
__smbpasswd__ will prompt for a new password for this
user, otherwise the account will be enabled by removing the
'D' flag from account control space in the ''smbpasswd''
file. See __smbpasswd(5)__ for details on the 'old' and
new password file formats.

This option is only available when running smbpasswd as
root.

__-D debuglevel__

''debuglevel'' is an integer from 0 to 10. The default
value if this parameter is not specified is
zero.

The higher this value, the more detail will be logged to the
log files about the activities of smbpasswd. At level 0,
only critical errors and serious warnings will be
logged.

Levels above 1 will generate considerable amounts of log
data, and should only be used when investigating a problem.
Levels above 3 are designed for use only by developers and
generate HUGE amounts of log data, most of which is
extremely cryptic.

__-n__

This option specifies that the username following should
have their password set to null (i.e. a blank password) in
the local smbpasswd file. This is done by writing the string

Note that to allow users to log on to a Samba server once the
password has been set to
smb.conf''
file:

__null passwords = yes__

This option is only available when running smbpasswd as
root.
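
The account states that -d and -n write into the smbpasswd file can be reviewed without running smbpasswd at all. The script below is an added example, not part of the Samba man page or distribution: the function names and sample entries are constructed, and the `NO PASSWORD` marker and `N` flag are taken from the smbpasswd(5) file format rather than from this page.

```sh
#!/bin/sh
# Added example (not from the Samba distribution): read-only audit of an
# smbpasswd(5)-style file for the states written by smbpasswd -d and -n.

# audit_smbpasswd FILE   ("-" reads standard input)
# Prints "username<TAB>finding" for every entry that is disabled or has a
# null password. Field layout per smbpasswd(5): name:uid:LM:NT:[flags]:LCT:
audit_smbpasswd() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            user = $1; lm = $3; nt = $4; acct = $5
            # New (Samba 2.0+) format keeps account control flags in [..];
            # the old format has no such field.
            newfmt = (acct ~ /^\[[A-Za-z ]*\]$/)
            if (newfmt && acct ~ /D/)
                print user "\tdisabled (D flag)"
            # Assumption: an old-format disabled entry has both hash
            # fields filled with X characters.
            if (!newfmt && lm ~ /^X+$/ && nt ~ /^X+$/)
                print user "\tdisabled (old format, X-filled password)"
            if (lm ~ /^NO PASSWORD/ || (newfmt && acct ~ /N/))
                print user "\tnull password"
        }' "$1"
}

# Constructed sample entries; the hex strings are placeholders, not hashes
# of any real password. The last entry uses the old (pre-2.0) layout.
sample_smbpasswd() {
    cat <<'EOF'
# constructed sample, not a real password file
alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-3B9ACA00:
bob:1002:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[DU         ]:LCT-3B9ACA00:
guest:1003:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-3B9ACA00:
carol:1004:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:Carol:/home/carol:/bin/sh
EOF
}

# Stand-alone run: audit the constructed sample.
sample_smbpasswd | audit_smbpasswd -
```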

__-r remote machine name__

This option allows a user to specify what machine they wish
to change their password on. Without this parameter
smbpasswd defaults to the local host. The ''remote machine
name'' is the NetBIOS name of the SMB/CIFS server to
contact to attempt the password change. This name is
resolved into an IP address using the standard name
resolution mechanism in all programs of the Samba suite. See
the ''-R name resolve order'' parameter for details on
changing this resolving mechanism.

The username whose password is changed is that of the
current UNIX logged on user. See the ''-U username''
parameter for details on changing the password for a
different username.

Note that if changing a Windows NT Domain password the
remote machine specified must be the Primary Domain
Controller for the domain (Backup Domain Controllers only
have a read-only copy of the user account database and will
not allow the password change).

__Note__ that Windows 95/98 do not have a real password
database so it is not possible to change passwords
specifying a Win95/98 machine as remote machine
target.

__-R name resolve order__

This option allows the user of smbpasswd to determine what
name resolution services to use when looking up the NetBIOS
name of the host being connected to.

The options are:

lmhosts: Look up an IP address in the Samba lmhosts file. If
the line in lmhosts has no name type attached to the NetBIOS
name (see lmhosts(5) for details) then any name type
matches for lookup.

host: Do a standard host name to IP address resolution,
using the system ''/etc/hosts'', NIS, or DNS lookups.
This method of name resolution is operating system dependent
(for instance, on IRIX or Solaris this may be controlled by
the ''/etc/nsswitch.conf'' file). Note that this method
is only used if the NetBIOS name type being queried is the
0x20 (server) name type, otherwise it is
ignored.

wins: Query a name with the IP address listed in the
''wins server'' parameter. If no WINS server has been
specified this method will be ignored.

bcast: Do a broadcast on each of the known local interfaces
listed in the ''interfaces'' parameter. This is the least
reliable of the name resolution methods as it depends on the
target host being on a locally connected
subnet.

The default order is __lmhosts, host, wins, bcast__ and
without this parameter or any entry in the ''smb.conf''
file the name resolution methods will be attempted in this
order.

__-m__

This option tells smbpasswd that the account being changed
is a MACHINE account. Currently this is used when Samba is
being used as an NT Primary Domain Controller.

This option is only available when running smbpasswd as
root.

__-j DOMAIN__

This option is used to add a Samba server into a Windows NT
Domain, as a Domain member capable of authenticating user
accounts to any Domain Controller in the same way as a
Windows NT Server. See the __security = domain__ option
in the ''smb.conf(5)'' man page.

This command can work both with and without the -U
parameter.

When invoked with -U, that username (and optional password)
are used to contact the PDC (which must be specified with
-r) to both create a machine account, and to set a password
on it.

Alternately, if -U is omitted, Samba will contact its PDC
and attempt to change the password on a pre-existing
account.

In order to be used in this way, the Administrator for the
Windows NT Domain must have used the program

After this has been done, to join the Domain invoke
__smbpasswd__ with this parameter. smbpasswd will then
look up the Primary Domain Controller for the Domain (found
in the ''smb.conf'' file in the parameter ''password
server'') and change the machine account password used to
create the secure Domain communication.

Either way, this password is then stored by smbpasswd in a
TDB, writeable only by root, called
''secrets.tdb''.

Once this operation has been performed the ''smb.conf''
file may be updated to set the __security = domain__
option and all future logins to the Samba server will be
authenticated to the Windows NT PDC.

Note that even though the authentication is being done to
the PDC all users accessing the Samba server must still have
a valid UNIX account on that machine. The __winbindd(8)__
daemon can be used to create UNIX accounts for NT
users.

This option is only available when running smbpasswd as
root.

__-U username__

This option may only be used in conjunction with the
''-r'' option. When changing a password on a remote
machine it allows the user to specify the user name on that
machine whose password will be changed. It is present to
allow users who have different user names on different
systems to change these passwords.

In particular, this parameter specifies the username used to
create the machine account when invoked with -j.

__-h__

This option prints the help string for __smbpasswd__,
selecting the correct one for running as root or as an
ordinary user.

__-s__

This option causes smbpasswd to be silent (i.e. not issue
prompts) and to read its old and new passwords from standard
input, rather than from ''/dev/tty'' (like the
__passwd(1)__ program does). This option is to aid people
writing scripts to drive smbpasswd.

__-w password__

This parameter is only available if Samba has been
configured to use the experimental __--with-ldapsam__
option. The ''-w'' switch is used to specify the password
to be used with the ''ldap admin dn''. Note that the
password is stored in the ''private/secrets.tdb'' and is
keyed off of the admin's DN. This means that if the value of
''ldap admin dn'' ever changes, the password will need to
be manually updated as well.

__username__

This specifies the username for all of the __root only__
options to operate on. Only root can specify this parameter
as only root has the permission needed to modify attributes
directly in the local smbpasswd file.
!!NOTES

Since __smbpasswd__ works in client-server mode,
communicating with a local smbd, when run by a non-root user, the
smbd daemon must be running for this to work. A common
problem is to add a restriction to the hosts that may access
the __smbd__ running on the local machine by specifying a
''allow hosts'' or ''deny hosts'' entry in the
''smb.conf'' file and neglecting to allow
''

In addition, the smbpasswd command is only useful if Samba
has been set up to use encrypted passwords. See the file
''ENCRYPTION.txt'' in the docs directory for details on
how to do this.
!!VERSION

This man page is correct for version 2.2 of the Samba
suite.
!!SEE ALSO

''smbpasswd(5)'', samba(7)
!!AUTHOR

The original Samba software and related utilities were
created by Andrew Tridgell. Samba is now developed by the
Samba Team as an Open Source project similar to the way the
Linux kernel is developed.

The original Samba man pages were written by Karl Auer. The
man page sources were converted to YODL format (another
excellent piece of Open Source software, available at
ftp://ftp.icce.rug.nl/pub/unix/
----