-.\" This manpage has been automatically generated by docbook2man-spec
-.\" from a DocBook document. docbook2man-spec can be found at:
-.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
+.\" This manpage has been automatically generated by docbook2man
+.\" from a DocBook document. This tool can be found at:
+.\" <http://shell.ipoline.com/~elmert/comp/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
-.TH "SMBPASSWD" "8" "23 February 2001" "" ""
+.TH "SMBPASSWD" "8" "28 January 2003" "" ""
+
.SH NAME
-smbpasswd \- change a users SMB password
+smbpasswd \- change a user's SMB password
.SH SYNOPSIS
-.sp
-\fBsmbpasswd\fR [ \fB-a\fR ] [ \fB-x\fR ] [ \fB-d\fR ] [ \fB-e\fR ] [ \fB-D debuglevel\fR ] [ \fB-n\fR ] [ \fB-r <remote machine>\fR ] [ \fB-R <name resolve order>\fR ] [ \fB-m\fR ] [ \fB-j DOMAIN\fR ] [ \fB-U username\fR ] [ \fB-h\fR ] [ \fB-s\fR ] [ \fBusername\fR ]
+
+\fBsmbpasswd\fR [ \fB-a\fR ] [ \fB-x\fR ] [ \fB-d\fR ] [ \fB-e\fR ] [ \fB-D debuglevel\fR ] [ \fB-n\fR ] [ \fB-r <remote machine>\fR ] [ \fB-R <name resolve order>\fR ] [ \fB-m\fR ] [ \fB-U username[%password]\fR ] [ \fB-h\fR ] [ \fB-s\fR ] [ \fB-w pass\fR ] [ \fB-i\fR ] [ \fB-L\fR ] [ \fBusername\fR ]
+
.SH "DESCRIPTION"
.PP
-This tool is part of the Samba <URL:samba.7.html> suite.
+This tool is part of the \fBSamba\fR(7) suite.
.PP
The smbpasswd program has several different
-functions, depending on whether it is run by the \fBroot\fR
-user or not. When run as a normal user it allows the user to change
+functions, depending on whether it is run by the \fBroot\fR user
+or not. When run as a normal user it allows the user to change
the password used for their SMB sessions on any machines that store
SMB passwords.
.PP
By default (when run with no arguments) it will attempt to
-change the current users SMB password on the local machine. This is
-similar to the way the \fBpasswd(1)\fR program works.
-\fBsmbpasswd\fR differs from how the passwd program works
+change the current user's SMB password on the local machine. This is
+similar to the way the \fBpasswd(1)\fR program works. \fB smbpasswd\fR differs from how the passwd program works
however in that it is not \fBsetuid root\fR but works in
-a client-server mode and communicates with a locally running
-\fBsmbd(8)\fR. As a consequence in order for this to
+a client-server mode and communicates with a
+locally running \fBsmbd\fR(8). As a consequence in order for this to
succeed the smbd daemon must be running on the local machine. On a
UNIX machine the encrypted SMB passwords are usually stored in
-the \fIsmbpasswd(5)\fR file.
+the \fBsmbpasswd\fR(5) file.
.PP
-When run by an ordinary user with no options. smbpasswd
-will prompt them for their old smb password and then ask them
+When run by an ordinary user with no options, smbpasswd
+will prompt them for their old SMB password and then ask them
for their new password twice, to ensure that the new password
was typed correctly. No passwords will be echoed on the screen
-whilst being typed. If you have a blank smb password (specified by
+whilst being typed. If you have a blank SMB password (specified by
the string "NO PASSWORD" in the smbpasswd file) then just press
the <Enter> key when asked for your old password.
.PP
smbpasswd can also be used by a normal user to change their
SMB password on remote machines, such as Windows NT Primary Domain
-Controllers. See the (-r) and -U options below.
+Controllers. See the (\fI-r\fR) and \fI-U\fR options
+below.
.PP
When run by root, smbpasswd allows new users to be added
and deleted in the smbpasswd file, as well as allows changes to
-the attributes of the user in this file to be made. When run by root,
-\fBsmbpasswd\fR accesses the local smbpasswd file
+the attributes of the user in this file to be made. When run by root, \fB smbpasswd\fR accesses the local smbpasswd file
directly, thus enabling changes to be made even if smbd is not
running.
.SH "OPTIONS"
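Review bot: The added synopsis line lists "-U username[%password]" and "-w pass", but the OPTIONS entries are headed "-U username" (unchanged by this patch) and "-w password", and nothing on the page explains the "%password" form. Make the synopsis and the entry headings agree, and describe the "%password" form in the -U entry. Separately, the rejoined DESCRIPTION lines now read "\fB smbpasswd\fR" with a space inside the bold span, which the removed lines did not have.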
new password typed (type <Enter> for the old password). This
option is ignored if the username following already exists in
the smbpasswd file and it is treated like a regular change
-password command. Note that the user to be added must already exist
-in the system password file (usually \fI/etc/passwd\fR)
-else the request to add the user will fail.
+password command. Note that the default passdb backends require
+the user to already exist in the system password file (usually
+\fI/etc/passwd\fR), else the request to add the
+user will fail.
This option is only available when running smbpasswd
as root.
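Review bot: In the -a entry, "the default passdb backends" is not something a reader can check from this page, since no backend is named and no page is referenced for them. Name the backends that need an existing /etc/passwd entry, or refer to the page that lists them, so an administrator can tell whether -a will fail on their setup.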
will fail.
If the smbpasswd file is in the 'old' format (pre-Samba 2.0
-format) there is no space in the users password entry to write
-this information and so the user is disabled by writing 'X' characters
-into the password space in the smbpasswd file. See \fBsmbpasswd(5)
-\fRfor details on the 'old' and new password file formats.
+format) there is no space in the user's password entry to write
+this information and the command will FAIL. See \fBsmbpasswd\fR(5) for details on the 'old' and new password file formats.
This option is only available when running smbpasswd as
root.
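Review bot: The -d entry now says only that "the command will FAIL" on an old-format file, where the removed text described a working fallback (writing 'X' characters into the password space). Say whether the account is left enabled after the failure and what the administrator has to do to disable it. The capitalised "FAIL" is also out of style with the rest of the page; plain "fail" reads better.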
disabled this option has no effect. Once the account is enabled then
the user will be able to authenticate via SMB once again.
-If the smbpasswd file is in the 'old' format, then \fB smbpasswd\fR will prompt for a new password for this user,
-otherwise the account will be enabled by removing the 'D'
-flag from account control space in the \fI smbpasswd\fR file. See \fBsmbpasswd (5)\fR for
+If the smbpasswd file is in the 'old' format, then \fB smbpasswd\fR will FAIL to enable the account.
+See \fBsmbpasswd\fR(5) for
details on the 'old' and new password file formats.
This option is only available when running smbpasswd as root.
.TP
\fB-D debuglevel\fR
\fIdebuglevel\fR is an integer
-from 0 to 10. The default value if this parameter is not specified
+from 0 to 10. The default value if this parameter is not specified
is zero.
The higher this value, the more detail will be logged to the
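Review bot: The rewritten -e text drops the new-format half of the old sentence ("otherwise the account will be enabled by removing the 'D' flag from account control space"), so the page no longer says how an account is enabled in the normal case, only that old-format files fail. If that behaviour still applies, keep the clause after the new sentence. The added line also keeps the space inside "\fB smbpasswd\fR", and the -D change at "from 0 to 10." looks like whitespace only, which is worth confirming as intended.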
\fBNote\fR that Windows 95/98 do not have
a real password database so it is not possible to change passwords
-specifying a Win95/98 machine as remote machine target.
+specifying a Win95/98 machine as remote machine target.
.TP
\fB-R name resolve order\fR
-This option allows the user of smbclient to determine
+This option allows the user of smbpasswd to determine
what name resolution services to use when looking up the NetBIOS
name of the host being connected to.
-The options are :"lmhosts", "host", "wins" and "bcast". They cause
-names to be resolved as follows :
+The options are :"lmhosts", "host", "wins" and "bcast". They
+cause names to be resolved as follows:
.RS
.TP 0.2i
\(bu
-lmhosts : Lookup an IP
+lmhosts: Lookup an IP
address in the Samba lmhosts file. If the line in lmhosts has
-no name type attached to the NetBIOS name (see the lmhosts(5) <URL:lmhosts.5.html> for details) then
+no name type attached to the NetBIOS name (see the \fBlmhosts\fR(5) for details) then
any name type matches for lookup.
.TP 0.2i
\(bu
-host : Do a standard host
+host: Do a standard host
name to IP address resolution, using the system \fI/etc/hosts
\fR, NIS, or DNS lookups. This method of name resolution
is operating system depended for instance on IRIX or Solaris this
may be controlled by the \fI/etc/nsswitch.conf\fR
-file). Note that this method is only used if the NetBIOS name
+file). Note that this method is only used if the NetBIOS name
type being queried is the 0x20 (server) name type, otherwise
it is ignored.
.TP 0.2i
\(bu
-wins : Query a name with
+wins: Query a name with
the IP address listed in the \fIwins server\fR
-parameter. If no WINS server has been specified this method
+parameter. If no WINS server has been specified this method
will be ignored.
.TP 0.2i
\(bu
-bcast : Do a broadcast on
+bcast: Do a broadcast on
each of the known local interfaces listed in the
\fIinterfaces\fR parameter. This is the least
reliable of the name resolution methods as it depends on the
target host being on a locally connected subnet.
.RE
-.PP
+
The default order is \fBlmhosts, host, wins, bcast\fR
-and without this parameter or any entry in the
-\fIsmb.conf\fR file the name resolution methods will
+and without this parameter or any entry in the \fBsmb.conf\fR(5) file the name resolution methods will
be attempted in this order.
-.PP
.TP
\fB-m\fR
This option tells smbpasswd that the account
being changed is a MACHINE account. Currently this is used
when Samba is being used as an NT Primary Domain Controller.
-This option is only available when running smbpasswd as root.
-.TP
-\fB-j DOMAIN\fR
-This option is used to add a Samba server
-into a Windows NT Domain, as a Domain member capable of authenticating
-user accounts to any Domain Controller in the same way as a Windows
-NT Server. See the \fBsecurity = domain\fR option in
-the \fIsmb.conf(5)\fR man page.
-
-In order to be used in this way, the Administrator for
-the Windows NT Domain must have used the program "Server Manager
-for Domains" to add the primary NetBIOS name of the Samba server
-as a member of the Domain.
-
-After this has been done, to join the Domain invoke \fB smbpasswd\fR with this parameter. smbpasswd will then
-look up the Primary Domain Controller for the Domain (found in
-the \fIsmb.conf\fR file in the parameter
-\fIpassword server\fR and change the machine account
-password used to create the secure Domain communication. This
-password is then stored by smbpasswd in a TDB, writeable only by root,
-called \fIsecrets.tdb\fR
-
-Once this operation has been performed the \fI smb.conf\fR file may be updated to set the \fB security = domain\fR option and all future logins
-to the Samba server will be authenticated to the Windows NT
-PDC.
-
-Note that even though the authentication is being
-done to the PDC all users accessing the Samba server must still
-have a valid UNIX account on that machine.
-
-This option is only available when running smbpasswd as root.
+This option is only available when running smbpasswd as root.
.TP
\fB-U username\fR
This option may only be used in conjunction
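Review bot: The -j DOMAIN entry is removed in full, and with it the only description on this page of how the server joins a domain and where the machine account password is kept (secrets.tdb, "writeable only by root"), yet nothing is added to say what replaces it. Add a short pointer to the replacement procedure, since anyone who scripted "smbpasswd -j" needs to know where to go. In the -R text, "The options are :" keeps the space before the colon that the list items lost, and the two ".PP" requests around "The default order" are replaced by a bare blank line, which should be checked in the rendered output.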
different systems to change these passwords.
.TP
\fB-h\fR
-This option prints the help string for \fB smbpasswd\fR, selecting the correct one for running as root
+This option prints the help string for \fB smbpasswd\fR, selecting the correct one for running as root
or as an ordinary user.
.TP
\fB-s\fR
This option causes smbpasswd to be silent (i.e.
-not issue prompts) and to read it's old and new passwords from
-standard input, rather than from \fI/dev/tty\fR
+not issue prompts) and to read its old and new passwords from
+standard input, rather than from \fI/dev/tty\fR
(like the \fBpasswd(1)\fR program does). This option
is to aid people writing scripts to drive smbpasswd
.TP
+\fB-w password\fR
+This parameter is only available if Samba
+has been configured to use the experimental
+\fB--with-ldapsam\fR option. The \fI-w\fR
+switch is used to specify the password to be used with the
+\fIldap admin
+dn\fR Note that the password is stored in
+the \fIsecrets.tdb\fR and is keyed off
+of the admin's DN. This means that if the value of \fIldap
+admin dn\fR ever changes, the password will need to be
+manually updated as well.
+.TP
+\fB-i\fR
+This option tells smbpasswd that the account
+being changed is an interdomain trust account. Currently this is used
+when Samba is being used as an NT Primary Domain Controller.
+The account contains the info about another trusted domain.
+
+This option is only available when running smbpasswd as root.
+.TP
+\fB-L\fR
+Run in local mode.
+.TP
\fBusername\fR
This specifies the username for all of the
\fBroot only\fR options to operate on. Only root
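Review bot: The new -w entry takes the "ldap admin dn" password as a command-line argument and says it is stored in secrets.tdb, but gives no caution about either. Say that an argument can be seen by other local users in the process listing (the same applies to the "%password" form of -U in the synopsis), and say how secrets.tdb is protected, as the removed -j text did with "writeable only by root". Also: a full stop is missing between "dn\fR" and "Note", the -i entry repeats the -m wording about a Primary Domain Controller without saying what differs, and "Run in local mode." does not say what local mode is.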
.SH "NOTES"
.PP
Since \fBsmbpasswd\fR works in client-server
-mode communicating with a local smbd for a non-root user then
+mode communicating with a local smbd for a non-root user then
the smbd daemon must be running for this to work. A common problem
-is to add a restriction to the hosts that may access the \fB smbd\fR running on the local machine by specifying a
-\fIallow hosts\fR or \fIdeny hosts\fR
-entry in the \fIsmb.conf\fR file and neglecting to
+is to add a restriction to the hosts that may access the \fB smbd\fR running on the local machine by specifying either \fIallow
+hosts\fR or \fIdeny hosts\fR entry in
+the \fBsmb.conf\fR(5) file and neglecting to
allow "localhost" access to the smbd.
.PP
In addition, the smbpasswd command is only useful if Samba
-has been set up to use encrypted passwords. See the file
-\fIENCRYPTION.txt\fR in the docs directory for details
+has been set up to use encrypted passwords. See the document "LanMan and NT Password Encryption in Samba" in the docs directory for details
on how to do this.
.SH "VERSION"
.PP
-This man page is correct for version 2.2 of
-the Samba suite.
+This man page is correct for version 3.0 of the Samba suite.
.SH "SEE ALSO"
.PP
-\fIsmbpasswd(5)\fR <URL:smbpasswd.5.html>,
-samba(7) <URL:samba.7.html>
+\fBsmbpasswd\fR(5), \fBSamba\fR(7).
.SH "AUTHOR"
.PP
The original Samba software and related utilities
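Review bot: In NOTES, the pointer to ENCRYPTION.txt is replaced by a document title ("LanMan and NT Password Encryption in Samba") with no file name, which makes it harder to find in the docs directory. Give the file name or path alongside the title. The added text "by specifying either allow hosts or deny hosts entry" also needs an article ("an allow hosts or deny hosts entry").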
.PP
The original Samba man pages were written by Karl Auer.
The man page sources were converted to YODL format (another
-excellent piece of Open Source software, available at
-ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the Samba 2.0
-release by Jeremy Allison. The conversion to DocBook for
-Samba 2.2 was done by Gerald Carter
+excellent piece of Open Source software, available at ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the Samba 2.0
+release by Jeremy Allison. The conversion to DocBook for
+Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2
+for Samba 3.0 was done by Alexander Bokovoy.
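Review bot: The added AUTHOR line still carries the FTP address twice, once bare and once as "<URL:ftp://ftp.icce.rug.nl/pub/unix/>", although this patch removes the same "<URL:...>" leftovers everywhere else (samba.7.html, lmhosts.5.html, smbpasswd.5.html). Drop the "<URL:...>" copy here too.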