| 1 | <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smbpasswd</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smbpasswd.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smbpasswd — change a user's SMB password</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">smbpasswd</code> [-a] [-c <config file>] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-U username[%password]] [-h] [-s] [-w pass] [-W] [-i] [-L] [username]</p></div></div><div class="refsect1" lang="en"><a name="id2483541"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a class="citerefentry" href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The smbpasswd program has several different
|
|---|
| 2 | functions, depending on whether it is run by the <span class="emphasis"><em>root</em></span> user
|
|---|
| 3 | or not. When run as a normal user it allows the user to change
|
|---|
| 4 | the password used for their SMB sessions on any machines that store
|
|---|
| 5 | SMB passwords. </p><p>By default (when run with no arguments) it will attempt to
|
|---|
| 6 | change the current user's SMB password on the local machine. This is
|
|---|
| 7 | similar to the way the <code class="literal">passwd(1)</code> program works. <code class="literal">
|
|---|
| 8 | smbpasswd</code> differs from how the passwd program works
|
|---|
| 9 | however in that it is not <span class="emphasis"><em>setuid root</em></span> but works in
|
|---|
| 10 | a client-server mode and communicates with a
|
|---|
| 11 | locally running <a class="citerefentry" href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>. As a consequence in order for this to
|
|---|
| 12 | succeed the smbd daemon must be running on the local machine. On a
|
|---|
| 13 | UNIX machine the encrypted SMB passwords are usually stored in
|
|---|
| 14 | the <a class="citerefentry" href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a> file. </p><p>When run by an ordinary user with no options, smbpasswd
|
|---|
| 15 | will prompt them for their old SMB password and then ask them
|
|---|
| 16 | for their new password twice, to ensure that the new password
|
|---|
| 17 | was typed correctly. No passwords will be echoed on the screen
|
|---|
| 18 | whilst being typed. If you have a blank SMB password (specified by
|
|---|
| 19 | the string "NO PASSWORD" in the smbpasswd file) then just press
|
|---|
| 20 | the <Enter> key when asked for your old password. </p><p>smbpasswd can also be used by a normal user to change their
|
|---|
| 21 | SMB password on remote machines, such as Windows NT Primary Domain
|
|---|
| 22 | Controllers. See the (<em class="parameter"><code>-r</code></em>) and <em class="parameter"><code>-U</code></em> options
|
|---|
| 23 | below. </p><p>When run by root, smbpasswd allows new users to be added
|
|---|
| 24 | and deleted in the smbpasswd file, as well as allows changes to
|
|---|
| 25 | the attributes of the user in this file to be made. When run by root, <code class="literal">
|
|---|
| 26 | smbpasswd</code> accesses the local smbpasswd file
|
|---|
| 27 | directly, thus enabling changes to be made even if smbd is not
|
|---|
| 28 | running. </p></div><div class="refsect1" lang="en"><a name="id2483663"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-a</span></dt><dd><p>
|
|---|
| 29 | This option specifies that the username following should be added to the local smbpasswd file, with the new
|
|---|
| 30 | password typed (type <Enter> for the old password). This option is ignored if the username following
|
|---|
| 31 | already exists in the smbpasswd file and it is treated like a regular change password command. Note that the
|
|---|
| 32 | default passdb backends require the user to already exist in the system password file (usually
|
|---|
| 33 | <code class="filename">/etc/passwd</code>), else the request to add the user will fail.
|
|---|
| 34 | </p><p>This option is only available when running smbpasswd
|
|---|
| 35 | as root. </p></dd><dt><span class="term">-c</span></dt><dd><p>
|
|---|
| 36 | This option can be used to specify the path and file name of the <code class="filename">smb.conf</code> configuration file when it
|
|---|
| 37 | is important to use other than the default file and / or location.
|
|---|
| 38 | </p></dd><dt><span class="term">-x</span></dt><dd><p>
|
|---|
| 39 | This option specifies that the username following should be deleted from the local smbpasswd file.
|
|---|
| 40 | </p><p>
|
|---|
| 41 | This option is only available when running smbpasswd as root.
|
|---|
| 42 | </p></dd><dt><span class="term">-d</span></dt><dd><p>This option specifies that the username following
|
|---|
| 43 | should be <code class="constant">disabled</code> in the local smbpasswd
|
|---|
| 44 | file. This is done by writing a <code class="constant">'D'</code> flag
|
|---|
| 45 | into the account control space in the smbpasswd file. Once this
|
|---|
| 46 | is done all attempts to authenticate via SMB using this username
|
|---|
| 47 | will fail. </p><p>If the smbpasswd file is in the 'old' format (pre-Samba 2.0
|
|---|
| 48 | format) there is no space in the user's password entry to write
|
|---|
| 49 | this information and the command will FAIL. See <a class="citerefentry" href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a> for details on the 'old' and new password file formats.
|
|---|
| 50 | </p><p>This option is only available when running smbpasswd as
|
|---|
| 51 | root.</p></dd><dt><span class="term">-e</span></dt><dd><p>This option specifies that the username following
|
|---|
| 52 | should be <code class="constant">enabled</code> in the local smbpasswd file,
|
|---|
| 53 | if the account was previously disabled. If the account was not
|
|---|
| 54 | disabled this option has no effect. Once the account is enabled then
|
|---|
| 55 | the user will be able to authenticate via SMB once again. </p><p>If the smbpasswd file is in the 'old' format, then <code class="literal">
|
|---|
| 56 | smbpasswd</code> will FAIL to enable the account.
|
|---|
| 57 | See <a class="citerefentry" href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a> for
|
|---|
| 58 | details on the 'old' and new password file formats. </p><p>This option is only available when running smbpasswd as root.
|
|---|
| 59 | </p></dd><dt><span class="term">-D debuglevel</span></dt><dd><p><em class="replaceable"><code>debuglevel</code></em> is an integer
|
|---|
| 60 | from 0 to 10. The default value if this parameter is not specified
|
|---|
| 61 | is zero. </p><p>The higher this value, the more detail will be logged to the
|
|---|
| 62 | log files about the activities of smbpasswd. At level 0, only
|
|---|
| 63 | critical errors and serious warnings will be logged. </p><p>Levels above 1 will generate considerable amounts of log
|
|---|
| 64 | data, and should only be used when investigating a problem. Levels
|
|---|
| 65 | above 3 are designed for use only by developers and generate
|
|---|
| 66 | HUGE amounts of log data, most of which is extremely cryptic.
|
|---|
| 67 | </p></dd><dt><span class="term">-n</span></dt><dd><p>This option specifies that the username following
|
|---|
| 68 | should have their password set to null (i.e. a blank password) in
|
|---|
| 69 | the local smbpasswd file. This is done by writing the string "NO
|
|---|
| 70 | PASSWORD" as the first part of the first password stored in the
|
|---|
| 71 | smbpasswd file. </p><p>Note that to allow users to logon to a Samba server once
|
|---|
| 72 | the password has been set to "NO PASSWORD" in the smbpasswd
|
|---|
| 73 | file the administrator must set the following parameter in the [global]
|
|---|
| 74 | section of the <code class="filename">smb.conf</code> file : </p><p><code class="literal">null passwords = yes</code></p><p>This option is only available when running smbpasswd as
|
|---|
| 75 | root.</p></dd><dt><span class="term">-r remote machine name</span></dt><dd><p>This option allows a user to specify what machine
|
|---|
| 76 | they wish to change their password on. Without this parameter
|
|---|
| 77 | smbpasswd defaults to the local host. The <em class="replaceable"><code>remote
|
|---|
| 78 | machine name</code></em> is the NetBIOS name of the SMB/CIFS
|
|---|
| 79 | server to contact to attempt the password change. This name is
|
|---|
| 80 | resolved into an IP address using the standard name resolution
|
|---|
| 81 | mechanism in all programs of the Samba suite. See the <em class="parameter"><code>-R
|
|---|
| 82 | name resolve order</code></em> parameter for details on changing
|
|---|
| 83 | this resolving mechanism. </p><p>The username whose password is changed is that of the
|
|---|
| 84 | current UNIX logged on user. See the <em class="parameter"><code>-U username</code></em>
|
|---|
| 85 | parameter for details on changing the password for a different
|
|---|
| 86 | username. </p><p>Note that if changing a Windows NT Domain password the
|
|---|
| 87 | remote machine specified must be the Primary Domain Controller for
|
|---|
| 88 | the domain (Backup Domain Controllers only have a read-only
|
|---|
| 89 | copy of the user account database and will not allow the password
|
|---|
| 90 | change).</p><p><span class="emphasis"><em>Note</em></span> that Windows 95/98 do not have
|
|---|
| 91 | a real password database so it is not possible to change passwords
|
|---|
| 92 | specifying a Win95/98 machine as remote machine target. </p></dd><dt><span class="term">-R name resolve order</span></dt><dd><p>This option allows the user of smbpasswd to determine
|
|---|
| 93 | what name resolution services to use when looking up the NetBIOS
|
|---|
| 94 | name of the host being connected to. </p><p>The options are :"lmhosts", "host", "wins" and "bcast". They
|
|---|
| 95 | cause names to be resolved as follows: </p><div class="itemizedlist"><ul type="disc"><li><p><code class="constant">lmhosts</code>: Lookup an IP
|
|---|
| 96 | address in the Samba lmhosts file. If the line in lmhosts has
|
|---|
| 97 | no name type attached to the NetBIOS name (see the <a class="citerefentry" href="lmhosts.5.html"><span class="citerefentry"><span class="refentrytitle">lmhosts</span>(5)</span></a> for details) then
|
|---|
| 98 | any name type matches for lookup.</p></li><li><p><code class="constant">host</code>: Do a standard host
|
|---|
| 99 | name to IP address resolution, using the system <code class="filename">/etc/hosts
|
|---|
| 100 | </code>, NIS, or DNS lookups. This method of name resolution
|
|---|
| 101 | is operating system depended for instance on IRIX or Solaris this
|
|---|
| 102 | may be controlled by the <code class="filename">/etc/nsswitch.conf</code>
|
|---|
| 103 | file). Note that this method is only used if the NetBIOS name
|
|---|
| 104 | type being queried is the 0x20 (server) name type, otherwise
|
|---|
| 105 | it is ignored.</p></li><li><p><code class="constant">wins</code>: Query a name with
|
|---|
| 106 | the IP address listed in the <em class="parameter"><code>wins server</code></em>
|
|---|
| 107 | parameter. If no WINS server has been specified this method
|
|---|
| 108 | will be ignored.</p></li><li><p><code class="constant">bcast</code>: Do a broadcast on
|
|---|
| 109 | each of the known local interfaces listed in the
|
|---|
| 110 | <em class="parameter"><code>interfaces</code></em> parameter. This is the least
|
|---|
| 111 | reliable of the name resolution methods as it depends on the
|
|---|
| 112 | target host being on a locally connected subnet.</p></li></ul></div><p>The default order is <code class="literal">lmhosts, host, wins, bcast</code>
|
|---|
| 113 | and without this parameter or any entry in the <a class="citerefentry" href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file the name resolution methods will
|
|---|
| 114 | be attempted in this order. </p></dd><dt><span class="term">-m</span></dt><dd><p>This option tells smbpasswd that the account
|
|---|
| 115 | being changed is a MACHINE account. Currently this is used
|
|---|
| 116 | when Samba is being used as an NT Primary Domain Controller.</p><p>This option is only available when running smbpasswd as root.
|
|---|
| 117 | </p></dd><dt><span class="term">-U username</span></dt><dd><p>This option may only be used in conjunction
|
|---|
| 118 | with the <em class="parameter"><code>-r</code></em> option. When changing
|
|---|
| 119 | a password on a remote machine it allows the user to specify
|
|---|
| 120 | the user name on that machine whose password will be changed. It
|
|---|
| 121 | is present to allow users who have different user names on
|
|---|
| 122 | different systems to change these passwords. </p></dd><dt><span class="term">-h</span></dt><dd><p>This option prints the help string for <code class="literal">
|
|---|
| 123 | smbpasswd</code>, selecting the correct one for running as root
|
|---|
| 124 | or as an ordinary user. </p></dd><dt><span class="term">-s</span></dt><dd><p>This option causes smbpasswd to be silent (i.e.
|
|---|
| 125 | not issue prompts) and to read its old and new passwords from
|
|---|
| 126 | standard input, rather than from <code class="filename">/dev/tty</code>
|
|---|
| 127 | (like the <code class="literal">passwd(1)</code> program does). This option
|
|---|
| 128 | is to aid people writing scripts to drive smbpasswd</p></dd><dt><span class="term">-w password</span></dt><dd><p>This parameter is only available if Samba
|
|---|
| 129 | has been compiled with LDAP support. The <em class="parameter"><code>-w</code></em>
|
|---|
| 130 | switch is used to specify the password to be used with the
|
|---|
| 131 | <a class="link" href="smb.conf.5.html#LDAPADMINDN" target="_top">ldap admin dn</a>. Note that the password is stored in
|
|---|
| 132 | the <code class="filename">secrets.tdb</code> and is keyed off
|
|---|
| 133 | of the admin's DN. This means that if the value of <em class="parameter"><code>ldap
|
|---|
| 134 | admin dn</code></em> ever changes, the password will need to be
|
|---|
| 135 | manually updated as well.
|
|---|
| 136 | </p></dd><dt><span class="term">-W</span></dt><dd><p><code class="literal">NOTE: </code> This option is same as "-w"
|
|---|
| 137 | except that the password should be entered using stdin.
|
|---|
| 138 | </p><p>This parameter is only available if Samba
|
|---|
| 139 | has been compiled with LDAP support. The <em class="parameter"><code>-W</code></em>
|
|---|
| 140 | switch is used to specify the password to be used with the
|
|---|
| 141 | <a class="link" href="smb.conf.5.html#LDAPADMINDN" target="_top">ldap admin dn</a>. Note that the password is stored in
|
|---|
| 142 | the <code class="filename">secrets.tdb</code> and is keyed off
|
|---|
| 143 | of the admin's DN. This means that if the value of <em class="parameter"><code>ldap
|
|---|
| 144 | admin dn</code></em> ever changes, the password will need to be
|
|---|
| 145 | manually updated as well.
|
|---|
| 146 | </p></dd><dt><span class="term">-i</span></dt><dd><p>This option tells smbpasswd that the account
|
|---|
| 147 | being changed is an interdomain trust account. Currently this is used
|
|---|
| 148 | when Samba is being used as an NT Primary Domain Controller.
|
|---|
| 149 | The account contains the info about another trusted domain.</p><p>This option is only available when running smbpasswd as root.
|
|---|
| 150 | </p></dd><dt><span class="term">-L</span></dt><dd><p>Run in local mode.</p></dd><dt><span class="term">username</span></dt><dd><p>This specifies the username for all of the
|
|---|
| 151 | <span class="emphasis"><em>root only</em></span> options to operate on. Only root
|
|---|
| 152 | can specify this parameter as only root has the permission needed
|
|---|
| 153 | to modify attributes directly in the local smbpasswd file.
|
|---|
| 154 | </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id2532551"></a><h2>NOTES</h2><p>Since <code class="literal">smbpasswd</code> works in client-server
|
|---|
| 155 | mode communicating with a local smbd for a non-root user then
|
|---|
| 156 | the smbd daemon must be running for this to work. A common problem
|
|---|
| 157 | is to add a restriction to the hosts that may access the <code class="literal">
|
|---|
| 158 | smbd</code> running on the local machine by specifying either <em class="parameter"><code>allow
|
|---|
| 159 | hosts</code></em> or <em class="parameter"><code>deny hosts</code></em> entry in
|
|---|
| 160 | the <a class="citerefentry" href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file and neglecting to
|
|---|
| 161 | allow "localhost" access to the smbd. </p><p>In addition, the smbpasswd command is only useful if Samba
|
|---|
| 162 | has been set up to use encrypted passwords. </p></div><div class="refsect1" lang="en"><a name="id2532600"></a><h2>VERSION</h2><p>This man page is correct for version 3 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id2532610"></a><h2>SEE ALSO</h2><p><a class="citerefentry" href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a>, <a class="citerefentry" href="Samba.7.html"><span class="citerefentry"><span class="refentrytitle">Samba</span>(7)</span></a>.</p></div><div class="refsect1" lang="en"><a name="id2532634"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities
|
|---|
| 163 | were created by Andrew Tridgell. Samba is now developed
|
|---|
| 164 | by the Samba Team as an Open Source project similar
|
|---|
| 165 | to the way the Linux kernel is developed.</p><p>The original Samba man pages were written by Karl Auer.
|
|---|
| 166 | The man page sources were converted to YODL format (another
|
|---|
| 167 | excellent piece of Open Source software, available at <a class="ulink" href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top">
|
|---|
| 168 | ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0
|
|---|
| 169 | release by Jeremy Allison. The conversion to DocBook for
|
|---|
| 170 | Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2
|
|---|
| 171 | for Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html>
|
|---|
