1 .\" This manpage has been automatically generated by docbook2man-spec
2 .\" from a DocBook document. docbook2man-spec can be found at:
3 .\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
4 .\" Please send any bug reports, improvements, comments, patches,
5 .\" etc. to Steve Cheng <steve@ggi-project.org>.
6 .TH "SMBPASSWD" "8" "03 April 2001" "" ""
8 smbpasswd \- change a users SMB password
11 \fBsmbpasswd\fR [ \fB-a\fR ] [ \fB-x\fR ] [ \fB-d\fR ] [ \fB-e\fR ] [ \fB-D debuglevel\fR ] [ \fB-n\fR ] [ \fB-r <remote machine>\fR ] [ \fB-R <name resolve order>\fR ] [ \fB-m\fR ] [ \fB-j DOMAIN\fR ] [ \fB-U username\fR ] [ \fB-h\fR ] [ \fB-s\fR ] [ \fBusername\fR ]
14 This tool is part of the Sambasuite.
16 The smbpasswd program has several different
17 functions, depending on whether it is run by the \fBroot\fR
18 user or not. When run as a normal user it allows the user to change
19 the password used for their SMB sessions on any machines that store
22 By default (when run with no arguments) it will attempt to
23 change the current users SMB password on the local machine. This is
24 similar to the way the \fBpasswd(1)\fR program works.
25 \fBsmbpasswd\fR differs from how the passwd program works
26 however in that it is not \fBsetuid root\fR but works in
27 a client-server mode and communicates with a locally running
28 \fBsmbd(8)\fR. As a consequence in order for this to
29 succeed the smbd daemon must be running on the local machine. On a
30 UNIX machine the encrypted SMB passwords are usually stored in
31 the \fIsmbpasswd(5)\fR file.
33 When run by an ordinary user with no options. smbpasswd
34 will prompt them for their old smb password and then ask them
35 for their new password twice, to ensure that the new password
36 was typed correctly. No passwords will be echoed on the screen
37 whilst being typed. If you have a blank smb password (specified by
38 the string "NO PASSWORD" in the smbpasswd file) then just press
39 the <Enter> key when asked for your old password.
41 smbpasswd can also be used by a normal user to change their
42 SMB password on remote machines, such as Windows NT Primary Domain
43 Controllers. See the (-r) and -U options below.
45 When run by root, smbpasswd allows new users to be added
46 and deleted in the smbpasswd file, as well as allows changes to
47 the attributes of the user in this file to be made. When run by root,
48 \fBsmbpasswd\fR accesses the local smbpasswd file
49 directly, thus enabling changes to be made even if smbd is not
54 This option specifies that the username
55 following should be added to the local smbpasswd file, with the
56 new password typed (type <Enter> for the old password). This
57 option is ignored if the username following already exists in
58 the smbpasswd file and it is treated like a regular change
59 password command. Note that the user to be added must already exist
60 in the system password file (usually \fI/etc/passwd\fR)
61 else the request to add the user will fail.
63 This option is only available when running smbpasswd
67 This option specifies that the username
68 following should be deleted from the local smbpasswd file.
70 This option is only available when running smbpasswd as
74 This option specifies that the username following
75 should be disabled in the local smbpasswd
76 file. This is done by writing a 'D' flag
77 into the account control space in the smbpasswd file. Once this
78 is done all attempts to authenticate via SMB using this username
81 If the smbpasswd file is in the 'old' format (pre-Samba 2.0
82 format) there is no space in the users password entry to write
83 this information and so the user is disabled by writing 'X' characters
84 into the password space in the smbpasswd file. See \fBsmbpasswd(5)
85 \fRfor details on the 'old' and new password file formats.
87 This option is only available when running smbpasswd as
91 This option specifies that the username following
92 should be enabled in the local smbpasswd file,
93 if the account was previously disabled. If the account was not
94 disabled this option has no effect. Once the account is enabled then
95 the user will be able to authenticate via SMB once again.
97 If the smbpasswd file is in the 'old' format, then \fB smbpasswd\fR will prompt for a new password for this user,
98 otherwise the account will be enabled by removing the 'D'
99 flag from account control space in the \fI smbpasswd\fR file. See \fBsmbpasswd (5)\fR for
100 details on the 'old' and new password file formats.
102 This option is only available when running smbpasswd as root.
105 \fIdebuglevel\fR is an integer
106 from 0 to 10. The default value if this parameter is not specified
109 The higher this value, the more detail will be logged to the
110 log files about the activities of smbpasswd. At level 0, only
111 critical errors and serious warnings will be logged.
113 Levels above 1 will generate considerable amounts of log
114 data, and should only be used when investigating a problem. Levels
115 above 3 are designed for use only by developers and generate
116 HUGE amounts of log data, most of which is extremely cryptic.
119 This option specifies that the username following
120 should have their password set to null (i.e. a blank password) in
121 the local smbpasswd file. This is done by writing the string "NO
122 PASSWORD" as the first part of the first password stored in the
125 Note that to allow users to logon to a Samba server once
126 the password has been set to "NO PASSWORD" in the smbpasswd
127 file the administrator must set the following parameter in the [global]
128 section of the \fIsmb.conf\fR file :
130 \fBnull passwords = yes\fR
132 This option is only available when running smbpasswd as
135 \fB-r remote machine name\fR
136 This option allows a user to specify what machine
137 they wish to change their password on. Without this parameter
138 smbpasswd defaults to the local host. The \fIremote
139 machine name\fR is the NetBIOS name of the SMB/CIFS
140 server to contact to attempt the password change. This name is
141 resolved into an IP address using the standard name resolution
142 mechanism in all programs of the Samba suite. See the \fI-R
143 name resolve order\fR parameter for details on changing
144 this resolving mechanism.
146 The username whose password is changed is that of the
147 current UNIX logged on user. See the \fI-U username\fR
148 parameter for details on changing the password for a different
151 Note that if changing a Windows NT Domain password the
152 remote machine specified must be the Primary Domain Controller for
153 the domain (Backup Domain Controllers only have a read-only
154 copy of the user account database and will not allow the password
157 \fBNote\fR that Windows 95/98 do not have
158 a real password database so it is not possible to change passwords
159 specifying a Win95/98 machine as remote machine target.
161 \fB-R name resolve order\fR
162 This option allows the user of smbpasswd to determine
163 what name resolution services to use when looking up the NetBIOS
164 name of the host being connected to.
166 The options are :"lmhosts", "host", "wins" and "bcast". They cause
167 names to be resolved as follows :
171 lmhosts : Lookup an IP
172 address in the Samba lmhosts file. If the line in lmhosts has
173 no name type attached to the NetBIOS name (see the lmhosts(5)for details) then
174 any name type matches for lookup.
177 host : Do a standard host
178 name to IP address resolution, using the system \fI/etc/hosts
179 \fR, NIS, or DNS lookups. This method of name resolution
180 is operating system depended for instance on IRIX or Solaris this
181 may be controlled by the \fI/etc/nsswitch.conf\fR
182 file). Note that this method is only used if the NetBIOS name
183 type being queried is the 0x20 (server) name type, otherwise
187 wins : Query a name with
188 the IP address listed in the \fIwins server\fR
189 parameter. If no WINS server has been specified this method
193 bcast : Do a broadcast on
194 each of the known local interfaces listed in the
195 \fIinterfaces\fR parameter. This is the least
196 reliable of the name resolution methods as it depends on the
197 target host being on a locally connected subnet.
200 The default order is \fBlmhosts, host, wins, bcast\fR
201 and without this parameter or any entry in the
202 \fIsmb.conf\fR file the name resolution methods will
203 be attempted in this order.
207 This option tells smbpasswd that the account
208 being changed is a MACHINE account. Currently this is used
209 when Samba is being used as an NT Primary Domain Controller.
211 This option is only available when running smbpasswd as root.
214 This option is used to add a Samba server
215 into a Windows NT Domain, as a Domain member capable of authenticating
216 user accounts to any Domain Controller in the same way as a Windows
217 NT Server. See the \fBsecurity = domain\fR option in
218 the \fIsmb.conf(5)\fR man page.
220 In order to be used in this way, the Administrator for
221 the Windows NT Domain must have used the program "Server Manager
222 for Domains" to add the primary NetBIOS name of the Samba server
223 as a member of the Domain.
225 After this has been done, to join the Domain invoke \fB smbpasswd\fR with this parameter. smbpasswd will then
226 look up the Primary Domain Controller for the Domain (found in
227 the \fIsmb.conf\fR file in the parameter
228 \fIpassword server\fR and change the machine account
229 password used to create the secure Domain communication. This
230 password is then stored by smbpasswd in a TDB, writeable only by root,
231 called \fIsecrets.tdb\fR
233 Once this operation has been performed the \fI smb.conf\fR file may be updated to set the \fB security = domain\fR option and all future logins
234 to the Samba server will be authenticated to the Windows NT
237 Note that even though the authentication is being
238 done to the PDC all users accessing the Samba server must still
239 have a valid UNIX account on that machine.
241 This option is only available when running smbpasswd as root.
244 This option may only be used in conjunction
245 with the \fI-r\fR option. When changing
246 a password on a remote machine it allows the user to specify
247 the user name on that machine whose password will be changed. It
248 is present to allow users who have different user names on
249 different systems to change these passwords.
252 This option prints the help string for \fB smbpasswd\fR, selecting the correct one for running as root
253 or as an ordinary user.
256 This option causes smbpasswd to be silent (i.e.
257 not issue prompts) and to read it's old and new passwords from
258 standard input, rather than from \fI/dev/tty\fR
259 (like the \fBpasswd(1)\fR program does). This option
260 is to aid people writing scripts to drive smbpasswd
263 This specifies the username for all of the
264 \fBroot only\fR options to operate on. Only root
265 can specify this parameter as only root has the permission needed
266 to modify attributes directly in the local smbpasswd file.
269 Since \fBsmbpasswd\fR works in client-server
270 mode communicating with a local smbd for a non-root user then
271 the smbd daemon must be running for this to work. A common problem
272 is to add a restriction to the hosts that may access the \fB smbd\fR running on the local machine by specifying a
273 \fIallow hosts\fR or \fIdeny hosts\fR
274 entry in the \fIsmb.conf\fR file and neglecting to
275 allow "localhost" access to the smbd.
277 In addition, the smbpasswd command is only useful if Samba
278 has been set up to use encrypted passwords. See the file
279 \fIENCRYPTION.txt\fR in the docs directory for details
283 This man page is correct for version 2.2 of
290 The original Samba software and related utilities
291 were created by Andrew Tridgell. Samba is now developed
292 by the Samba Team as an Open Source project similar
293 to the way the Linux kernel is developed.
295 The original Samba man pages were written by Karl Auer.
296 The man page sources were converted to YODL format (another
297 excellent piece of Open Source software, available at
298 ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the Samba 2.0
299 release by Jeremy Allison. The conversion to DocBook for
300 Samba 2.2 was done by Gerald Carter