author | Gerald Carter <jerry@samba.org> | 2001-02-23 04:34:24 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2001-02-23 04:34:24 +0000 |
commit | b58b856db5c5c2583a4bbe24ab39726efefb18a6 (patch) | |
tree | 6bec93ee6bfb51723e3ad118621c7c8b6d1fdcab /docs/manpages | |
parent | ed77fca1990f96dba6fe9204e551056395c6ed29 (diff) | |
more updates. Conversion almost done. 2 more man pages
(then all the ASCII stuff)
(This used to be commit 7247027e833616bfe9350253cc1e6cdb236b2cdf)
Diffstat (limited to 'docs/manpages')
-rw-r--r-- | docs/manpages/smbcacls.1 | 369 |
-rw-r--r-- | docs/manpages/smbpasswd.5 | 365 |
-rw-r--r-- | docs/manpages/smbpasswd.8 | 607 |
3 files changed, 639 insertions, 702 deletions
diff --git a/docs/manpages/smbcacls.1 b/docs/manpages/smbcacls.1 index 9f5c00c6c4f..fd8ca135914 100644 --- a/docs/manpages/smbcacls.1 +++ b/docs/manpages/smbcacls.1 
@@ -1,192 +1,191 @@ -.TH "smbcacls " "1" "22 Dec 2000" "Samba" "SAMBA" -.PP -.SH "NAME" -smbcacls \- Set or get ACLs on an NT file or directory -.PP -.SH "SYNOPSIS" -.PP -\fBsmbcacls\fP //server/share filename [-U username] -[-A acls] [-M acls] -[-D acls] [-S acls] -[-C name] [-G name] -[-n] [-h] -.PP -.SH "DESCRIPTION" -.PP -The \fBsmbcacls\fP program manipulates NT Access Control Lists (ACLs) on -SMB file shares\&. -.PP -.SH "OPTIONS" -.PP -The following options are available to the \fBsmbcacls\fP program\&. The -format of ACLs is described in the section ACL FORMAT -.PP -.IP -.IP "\fB-A acls\fP" -.IP -Add the ACLs specified to the ACL list\&. Existing access control entries -are unchanged\&. -.IP -.IP "\fB-M acls\fP" -.IP -Modify the mask value (permissions) for the ACLs specified on the command -line\&. An error will be printed for each ACL specified that was not already -present in the ACL list\&. -.IP -.IP "\fB-D acls\fP" -.IP -Delete any ACLs specfied on the command line\&. An error will be printed for -each ACL specified that was not already present in the ACL list\&. -.IP -.IP "\fB-S acls\fP" -.IP -This command sets the ACLs on the file with only the ones specified on the -command line\&. All other ACLs are erased\&. Note that the ACL specified must -contain at least a revision, type, owner and group for the call to succeed\&. -.IP -.IP "\fB-U username\fP" -.IP -Specifies a username used to connect to the specified service\&. The -username may be of the form \f(CWusername\fP in which case the user is -prompted to enter in a password and the workgroup specified in the -\fBsmb\&.conf\fP file is used, or \f(CWusername%password\fP -or \f(CWDOMAIN\eusername%password\fP and the password and workgroup names are -used as provided\&. -.IP -.IP "\fB-C name\fP" -.IP -The owner of a file or directory can be changed to the name given -using the -C option\&. 
The name can be a sid in the form \f(CWS-1-x-y-z\fP or a -name resolved against the server specified in the first argument\&. -.IP -This command is a shortcut for \f(CW-M OWNER:name\fP\&. -.IP -.IP "\fB-G name\fP" -.IP -The group owner of a file or directory can be changed to the name given -using the -G option\&. The name can be a sid in the form \f(CWS-1-x-y-z\fP or a -name resolved against the server specified in the first argument\&. -.IP -This command is a shortcut for \f(CW-M GROUP:name\fP\&. -.IP -.IP "\fB-n\fP" -.IP -This option displays all ACL information in numeric format\&. The default is -to convert SIDs to names and ACE types and masks to a readable string -format\&. -.IP -.IP "\fB-h\fP" -.IP -Print usage information on the \fBsmbcacls\fP program -.IP -.PP -.SH "ACL FORMAT" -.PP -The format of an ACL is one or more ACL entries separated by either -commas or newlines\&. An ACL entry is one of the following: -.PP +.\" This manpage has been automatically generated by docbook2man-spec +.\" from a DocBook document. docbook2man-spec can be found at: +.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/> +.\" Please send any bug reports, improvements, comments, patches, +.\" etc. to Steve Cheng <steve@ggi-project.org>. +.TH "SMBCACLS" "1" "22 February 2001" "" "" +.SH NAME +smbcacls \- Set or get ACLs on an NT file or directory names +.SH SYNOPSIS +.sp +\fBnmblookup\fR \fB//server/share\fR \fBfilename\fR [ \fB-U username\fR ] [ \fB-A acls\fR ] [ \fB-M acls\fR ] [ \fB-D acls\fR ] [ \fB-S acls\fR ] [ \fB-C name\fR ] [ \fB-G name\fR ] [ \fB-n\fR ] [ \fB-h\fR ] +.SH "DESCRIPTION" +.PP +This tool is part of the Samba <URL:samba.7.html> suite. +.PP +The smbcacls program manipulates NT Access Control Lists +(ACLs) on SMB file shares. +.SH "OPTIONS" +.PP +The following options are available to the smbcacls program. +The format of ACLs is described in the section ACL FORMAT +.TP +\fB-A acls\fR +Add the ACLs specified to the ACL list. 
Existing +access control entries are unchanged. +.TP +\fB-M acls\fR +Modify the mask value (permissions) for the ACLs +specified on the command line. An error will be printed for each +ACL specified that was not already present in the ACL list +.TP +\fB-D acls\fR +Delete any ACLs specfied on the command line. +An error will be printed for each ACL specified that was not +already present in the ACL list. +.TP +\fB-S acls\fR +This command sets the ACLs on the file with +only the ones specified on the command line. All other ACLs are +erased. Note that the ACL specified must contain at least a revision, +type, owner and group for the call to succeed. +.TP +\fB-U username\fR +Specifies a username used to connect to the +specified service. The username may be of the form "username" in +which case the user is prompted to enter in a password and the +workgroup specified in the \fIsmb.conf\fR file is +used, or "username%password" or "DOMAIN\\username%password" and the +password and workgroup names are used as provided. +.TP +\fB-C name\fR +The owner of a file or directory can be changed +to the name given using the \fI-C\fR option. +The name can be a sid in the form S-1-x-y-z or a name resolved +against the server specified in the first argument. -.nf +This command is a shortcut for -M OWNER:name. +.TP +\fB-G name\fR +The group owner of a file or directory can +be changed to the name given using the \fI-G\fR +option. The name can be a sid in the form S-1-x-y-z or a name +resolved against the server specified n the first argument. + +This command is a shortcut for -M GROUP:name. +.TP +\fB-n\fR +This option displays all ACL information in numeric +format. The default is to convert SIDs to names and ACE types +and masks to a readable string format. +.TP +\fB-h\fR +Print usage information on the \fBsmbcacls +\fRprogram. +.SH "ACL FORMAT" +.PP +The format of an ACL is one or more ACL entries separated by +either commas or newlines. 
An ACL entry is one of the following: +.PP +.sp +.nf REVISION:<revision number> OWNER:<sid or name> GROUP:<sid or name> ACL:<sid or name>:<type>/<flags>/<mask> -.fi - - -.PP -The revision of the ACL specifies the internal Windows NT ACL revision for -the security descriptor\&. If not specified it defaults to 1\&. Using values -other than 1 may cause strange behaviour\&. -.PP -The owner and group specify the owner and group sids for the object\&. If a -SID in the format \f(CWS-1-x-y-z\fP is specified this is used, otherwise -the name specified is resolved using the server on which the file or -directory resides\&. -.PP -ACLs specify permissions granted to the SID\&. This SID again can be -specified in \f(CWS-1-x-y-z\fP format or as a name in which case it is resolved -against the server on which the file or directory resides\&. The type, flags -and mask values determine the type of access granted to the SID\&. -.PP -The type can be either 0 or 1 corresponding to ALLOWED or DENIED access to -the SID\&. The flags values are generally zero for file ACLs and either 9 or -2 for directory ACLs\&. Some common flags are: -.PP - -.nf - -#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1 -#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2 -#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4 -#define SEC_ACE_FLAG_INHERIT_ONLY 0x8 -.fi - - -.PP -At present flags can only be specified as decimal or hexadecimal values\&. -.PP -The mask is a value which expresses the access right granted to the SID\&. -It can be given as a decimal or hexadecimal value, or by using one of the -following text strings which map to the NT file permissions of the same -name\&. 
-.PP -.IP -.IP "" -\f(CWR\fP Allow read access -.IP -.IP "" -\f(CWW\fP Allow write access -.IP -.IP "" -\f(CWX\fP Execute permission on the object -.IP -.IP "" -\f(CWD\fP Delete the object -.IP -.IP "" -\f(CWP\fP Change permissions -.IP -.IP "" -\f(CWO\fP Take ownership -.IP -.PP + +.sp +.fi +.PP +The revision of the ACL specifies the internal Windows +NT ACL revision for the security descriptor. +If not specified it defaults to 1. Using values other than 1 may +cause strange behaviour. +.PP +The owner and group specify the owner and group sids for the +object. If a SID in the format CWS-1-x-y-z is specified this is used, +otherwise the name specified is resolved using the server on which +the file or directory resides. +.PP +ACLs specify permissions granted to the SID. This SID again +can be specified in CWS-1-x-y-z format or as a name in which case +it is resolved against the server on which the file or directory +resides. The type, flags and mask values determine the type of +access granted to the SID. +.PP +The type can be either 0 or 1 corresponding to ALLOWED or +DENIED access to the SID. The flags values are generally +zero for file ACLs and either 9 or 2 for directory ACLs. Some +common flags are: +.TP 0.2i +\(bu +#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1 +.TP 0.2i +\(bu +#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2 +.TP 0.2i +\(bu +#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4 +.TP 0.2i +\(bu +#define SEC_ACE_FLAG_INHERIT_ONLY 0x8 +.PP +At present flags can only be specified as decimal or +hexadecimal values. +.PP +.PP +The mask is a value which expresses the access right +granted to the SID. It can be given as a decimal or hexadecimal value, +or by using one of the following text strings which map to the NT +file permissions of the same name. 
+.PP +.TP 0.2i +\(bu +\fBR\fR - Allow read access +.TP 0.2i +\(bu +\fBW\fR - Allow write access +.TP 0.2i +\(bu +\fBX\fR - Execute permission on the object +.TP 0.2i +\(bu +\fBD\fR - Delete the object +.TP 0.2i +\(bu +\fBP\fR - Change permissions +.TP 0.2i +\(bu +\fBO\fR - Take ownership +.PP The following combined permissions can be specified: -.PP -.IP -.IP "" -\f(CWREAD\fP -.IP -Equivalent to \f(CWRX\fP permissions -.IP -.IP "" -\f(CWCHANGE\fP -.IP -Equivalent to \f(CWRXWD\fP permissions -.IP -.IP "" -\f(CWFULL\fP -.IP -Equivalent to \f(CWRWXDPO\fP permissions -.IP -.PP -.SH "EXIT STATUS" -.PP -The \fBsmbcacls\fP program sets the exit status depending on the success or -otherwise of the operations performed\&. The exit status may be one of the -following values\&. -.PP -If the operation succeded, \fBsmbcacls\fP returns and exit status of 0\&. If -\fBsmbcacls\fP couldn\'t connect to the specified server, or there was an -error getting or setting the ACLs, an exit status of 1 is returned\&. If -there was an error parsing any command line arguments, an exit status of 2 -is returned\&. -.PP -.SH "AUTHOR" -.PP -The original Samba software and related utilities were created by -Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open -Source project\&. -.PP -\fBsmbcacls\fP was written by Andrew Tridgell and Tim Potter\&. +.PP +.TP 0.2i +\(bu +\fBREAD\fR - Equivalent to 'RX' +permissions +.TP 0.2i +\(bu +\fBCHANGE\fR - Equivalent to 'RXWD' permissions +.TP 0.2i +\(bu +\fBFULL\fR - Equivalent to 'RWXDPO' +permissions +.SH "EXIT STATUS" +.PP +The \fBsmbcacls\fR program sets the exit status +depending on the success or otherwise of the operations performed. +The exit status may be one of the following values. +.PP +If the operation succeded, smbcacls returns and exit +status of 0. If smbcacls couldn't connect to the specified server, +or there was an error getting or setting the ACLs, an exit status +of 1 is returned. 
If there was an error parsing any command line +arguments, an exit status of 2 is returned. +.SH "VERSION" +.PP +This man page is correct for version 2.2 of +the Samba suite. +.SH "AUTHOR" +.PP +The original Samba software and related utilities +were created by Andrew Tridgell. Samba is now developed +by the Samba Team as an Open Source project similar +to the way the Linux kernel is developed. +.PP +\fBsmbcacls\fR was written by Andrew Tridgell +and Tim Potter. +.PP +The conversion to DocBook for Samba 2.2 was done +by Gerald Carter diff --git a/docs/manpages/smbpasswd.5 b/docs/manpages/smbpasswd.5 index bc87d134d23..fef3713425d 100644 --- a/docs/manpages/smbpasswd.5 +++ b/docs/manpages/smbpasswd.5 
@@ -1,214 +1,159 @@ -.TH "smbpasswd " "5" "23 Oct 1998" "Samba" "SAMBA" -.PP -.SH "NAME" +.\" This manpage has been automatically generated by docbook2man-spec +.\" from a DocBook document. docbook2man-spec can be found at: +.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/> +.\" Please send any bug reports, improvements, comments, patches, +.\" etc. to Steve Cheng <steve@ggi-project.org>. +.TH "SMBPASSWD" "5" "22 February 2001" "" "" +.SH NAME smbpasswd \- The Samba encrypted password file -.PP -.SH "SYNOPSIS" -.PP -smbpasswd is the \fBSamba\fP encrypted password file\&. -.PP -.SH "DESCRIPTION" -.PP -This file is part of the \fBSamba\fP suite\&. -.PP -smbpasswd is the \fBSamba\fP encrypted password file\&. It contains -the username, Unix user id and the SMB hashed passwords of the -user, as well as account flag information and the time the password -was last changed\&. This file format has been evolving with Samba -and has had several different formats in the past\&. -.PP -.SH "FILE FORMAT" -.PP -The format of the smbpasswd file used by Samba 2\&.0 is very similar to -the familiar Unix \fBpasswd (5)\fP file\&. It is an ASCII file containing -one line for each user\&. Each field within each line is separated from -the next by a colon\&. Any entry beginning with # is ignored\&. The -smbpasswd file contains the following information for each user: -.PP -.IP -.IP "\fBname\fP" -.br -.br -.IP -This is the user name\&. It must be a name that already exists -in the standard UNIX passwd file\&. -.IP -.IP "\fBuid\fP" -.br -.br -.IP -This is the UNIX uid\&. It must match the uid field for the same -user entry in the standard UNIX passwd file\&. If this does not -match then Samba will refuse to recognize this \fBsmbpasswd\fP file entry -as being valid for a user\&. -.IP -.IP "\fBLanman Password Hash\fP" -.br -.br -.IP -This is the \fILANMAN\fP hash of the users password, encoded as 32 hex -digits\&. 
The \fILANMAN\fP hash is created by DES encrypting a well known -string with the users password as the DES key\&. This is the same -password used by Windows 95/98 machines\&. Note that this password hash -is regarded as weak as it is vulnerable to dictionary attacks and if -two users choose the same password this entry will be identical (i\&.e\&. -the password is not \fI"salted"\fP as the UNIX password is)\&. If the -user has a null password this field will contain the characters -\f(CW"NO PASSWORD"\fP as the start of the hex string\&. If the hex string -is equal to 32 \f(CW\'X\'\fP characters then the users account is marked as -\fIdisabled\fP and the user will not be able to log onto the Samba -server\&. -.IP -\fIWARNING !!\fP\&. Note that, due to the challenge-response nature of the -SMB/CIFS authentication protocol, anyone with a knowledge of this -password hash will be able to impersonate the user on the network\&. -For this reason these hashes are known as \fI"plain text equivalent"\fP -and must \fINOT\fP be made available to anyone but the root user\&. To -protect these passwords the \fBsmbpasswd\fP file is placed in a -directory with read and traverse access only to the root user and the -\fBsmbpasswd\fP file itself must be set to be read/write only by root, -with no other access\&. -.IP -.IP "\fBNT Password Hash\fP" -.br -.br -.IP -This is the \fIWindows NT\fP hash of the users password, encoded as 32 -hex digits\&. The \fIWindows NT\fP hash is created by taking the users -password as represented in 16-bit, little-endian UNICODE and then -applying the \fIMD4\fP (internet rfc1321) hashing algorithm to it\&. -.IP -This password hash is considered more secure than the \fBLanman -Password Hash\fP as it preserves the case of the -password and uses a much higher quality hashing algorithm\&. However, it -is still the case that if two users choose the same password this -entry will be identical (i\&.e\&. 
the password is not \fI"salted"\fP as the -UNIX password is)\&. -.IP -\fIWARNING !!\fP\&. Note that, due to the challenge-response nature of the -SMB/CIFS authentication protocol, anyone with a knowledge of this -password hash will be able to impersonate the user on the network\&. -For this reason these hashes are known as \fI"plain text equivalent"\fP -and must \fINOT\fP be made available to anyone but the root user\&. To -protect these passwords the \fBsmbpasswd\fP file is placed in a -directory with read and traverse access only to the root user and the -\fBsmbpasswd\fP file itself must be set to be read/write only by root, -with no other access\&. -.IP -.IP "\fBAccount Flags\fP" -.br -.br -.IP -This section contains flags that describe the attributes of the users -account\&. In the \fBSamba2\&.0\fP release this field is bracketed by \f(CW\'[\'\fP -and \f(CW\']\'\fP characters and is always 13 characters in length (including -the \f(CW\'[\'\fP and \f(CW\']\'\fP characters)\&. The contents of this field may be -any of the characters\&. -.IP -.IP -.IP o -\fB\'U\'\fP This means this is a \fI"User"\fP account, i\&.e\&. an ordinary -user\&. Only \fBUser\fP and \fBWorkstation Trust\fP accounts are -currently supported in the \fBsmbpasswd\fP file\&. -.IP -.IP o -\fB\'N\'\fP This means the account has \fIno\fP password (the passwords -in the fields \fBLanman Password Hash\fP and -\fBNT Password Hash\fP are ignored)\&. Note that this -will only allow users to log on with no password if the -\fBnull passwords\fP parameter is set -in the \fBsmb\&.conf (5)\fP config file\&. -.IP -.IP o -\fB\'D\'\fP This means the account is disabled and no SMB/CIFS logins -will be allowed for this user\&. -.IP -.IP o -\fB\'W\'\fP This means this account is a \fI"Workstation Trust"\fP account\&. -This kind of account is used in the Samba PDC code stream to allow Windows -NT Workstations and Servers to join a Domain hosted by a Samba PDC\&. 
-.IP -.IP -Other flags may be added as the code is extended in future\&. The rest of -this field space is filled in with spaces\&. -.IP -.IP "\fBLast Change Time\fP" -.br -.br -.IP -This field consists of the time the account was last modified\&. It consists of -the characters \f(CWLCT-\fP (standing for \fI"Last Change Time"\fP) followed by a numeric -encoding of the UNIX time in seconds since the epoch (1970) that the last change -was made\&. -.IP -.IP "\fBFollowing fields\fP" -.br -.br -.IP -All other colon separated fields are ignored at this time\&. -.IP -.PP -.SH "NOTES" -.PP -In previous versions of Samba (notably the 1\&.9\&.18 series) this file -did not contain the \fBAccount Flags\fP or -\fBLast Change Time\fP fields\&. The Samba 2\&.0 -code will read and write these older password files but will not be able to -modify the old entries to add the new fields\&. New entries added with -\fBsmbpasswd (8)\fP will contain the new fields -in the added accounts however\&. Thus an older \fBsmbpasswd\fP file used -with Samba 2\&.0 may end up with some accounts containing the new fields -and some not\&. -.PP -In order to convert from an old-style \fBsmbpasswd\fP file to a new -style, run the script \fBconvert_smbpasswd\fP, installed in the -Samba \f(CWbin/\fP directory (the same place that the \fBsmbd\fP -and \fBnmbd\fP binaries are installed) as follows: -.PP +.SH SYNOPSIS +.PP +\fIsmbpasswd\fR +.SH "DESCRIPTION" +.PP +This tool is part of the Samba <URL:samba.7.html> suite. +.PP +smbpasswd is the Samba encrypted password file. It contains +the username, Unix user id and the SMB hashed passwords of the +user, as well as account flag information and the time the +password was last changed. This file format has been evolving with +Samba and has had several different formats in the past. +.SH "FILE FORMAT" +.PP +The format of the smbpasswd file used by Samba 2.2 +is very similar to the familiar Unix \fIpasswd(5)\fR +file. 
It is an ASCII file containing one line for each user. Each field +ithin each line is separated from the next by a colon. Any entry +beginning with '#' is ignored. The smbpasswd file contains the +following information for each user: +.TP +\fBname\fR +This is the user name. It must be a name that +already exists in the standard UNIX passwd file. +.TP +\fBuid\fR +This is the UNIX uid. It must match the uid +field for the same user entry in the standard UNIX passwd file. +If this does not match then Samba will refuse to recognize +this smbpasswd file entry as being valid for a user. +.TP +\fBLanman Password Hash\fR +This is the LANMAN hash of the users password, +encoded as 32 hex digits. The LANMAN hash is created by DES +encrypting a well known string with the users password as the +DES key. This is the same password used by Windows 95/98 machines. +Note that this password hash is regarded as weak as it is +vulnerable to dictionary attacks and if two users choose the +same password this entry will be identical (i.e. the password +is not "salted" as the UNIX password is). If the user has a +null password this field will contain the characters "NO PASSWORD" +as the start of the hex string. If the hex string is equal to +32 'X' characters then the users account is marked as +disabled and the user will not be able to +log onto the Samba server. -.nf - +\fBWARNING !!\fR Note that, due to +the challenge-response nature of the SMB/CIFS authentication +protocol, anyone with a knowledge of this password hash will +be able to impersonate the user on the network. For this +reason these hashes are known as \fBplain text +equivalents\fR and must \fBNOT\fR be made +available to anyone but the root user. To protect these passwords +the smbpasswd file is placed in a directory with read and +traverse access only to the root user and the smbpasswd file +itself must be set to be read/write only by root, with no +other access. 
+.TP +\fBNT Password Hash\fR +This is the Windows NT hash of the users +password, encoded as 32 hex digits. The Windows NT hash is +created by taking the users password as represented in +16-bit, little-endian UNICODE and then applying the MD4 +(internet rfc1321) hashing algorithm to it. +This password hash is considered more secure than +the Lanman Password Hash as it preserves the case of the +password and uses a much higher quality hashing algorithm. +However, it is still the case that if two users choose the same +password this entry will be identical (i.e. the password is +not "salted" as the UNIX password is). - cat old_smbpasswd_file | convert_smbpasswd > new_smbpasswd_file - - -.fi - - -.PP -The \fBconvert_smbpasswd\fP script reads from stdin and writes to stdout -so as not to overwrite any files by accident\&. -.PP -Once this script has been run, check the contents of the new smbpasswd -file to ensure that it has not been damaged by the conversion script -(which uses \fBawk\fP), and then replace the \f(CW<old smbpasswd file>\fP -with the \f(CW<new smbpasswd file>\fP\&. -.PP -.SH "VERSION" -.PP -This man page is correct for version 2\&.0 of the Samba suite\&. -.PP -.SH "SEE ALSO" -.PP -\fBsmbpasswd (8)\fP, \fBsamba -(7)\fP, and the Internet RFC1321 for details on the MD4 -algorithm\&. -.PP -.SH "AUTHOR" -.PP -The original Samba software and related utilities were created by -Andrew Tridgell samba@samba\&.org\&. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed\&. -.PP -The original Samba man pages were written by Karl Auer\&. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -\fBftp://ftp\&.icce\&.rug\&.nl/pub/unix/\fP) -and updated for the Samba2\&.0 release by Jeremy -Allison, samba@samba\&.org\&. 
-.PP -See \fBsamba (7)\fP to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc\&. +\fBWARNING !!\fR. Note that, due to +the challenge-response nature of the SMB/CIFS authentication +protocol, anyone with a knowledge of this password hash will +be able to impersonate the user on the network. For this +reason these hashes are known as \fBplain text +equivalents\fR and must \fBNOT\fR be made +available to anyone but the root user. To protect these passwords +the smbpasswd file is placed in a directory with read and +traverse access only to the root user and the smbpasswd file +itself must be set to be read/write only by root, with no +other access. +.TP +\fBAccount Flags\fR +This section contains flags that describe +the attributes of the users account. In the Samba 2.2 release +this field is bracketed by '[' and ']' characters and is always +13 characters in length (including the '[' and ']' characters). +The contents of this field may be any of the characters. +.RS +.TP 0.2i +\(bu +\fBU\fR - This means +this is a "User" account, i.e. an ordinary user. Only User +and Workstation Trust accounts are currently supported +in the smbpasswd file. +.TP 0.2i +\(bu +\fBN\fR - This means the +account has no password (the passwords in the fields Lanman +Password Hash and NT Password Hash are ignored). Note that this +will only allow users to log on with no password if the \fI null passwords\fR parameter is set in the \fIsmb.conf(5) +\fR <URL:smb.conf.5.html#NULLPASSWORDS> config file. +.TP 0.2i +\(bu +\fBD\fR - This means the account +is disabled and no SMB/CIFS logins will be allowed for +this user. +.TP 0.2i +\(bu +\fBW\fR - This means this account +is a "Workstation Trust" account. This kind of account is used +in the Samba PDC code stream to allow Windows NT Workstations +and Servers to join a Domain hosted by a Samba PDC. +.RE +.PP +Other flags may be added as the code is extended in future. 
+The rest of this field space is filled in with spaces. +.PP +.TP +\fBLast Change Time\fR +This field consists of the time the account was +last modified. It consists of the characters 'LCT-' (standing for +"Last Change Time") followed by a numeric encoding of the UNIX time +in seconds since the epoch (1970) that the last change was made. +.PP +All other colon separated fields are ignored at this time. +.PP +.SH "VERSION" +.PP +This man page is correct for version 2.2 of +the Samba suite. +.SH "SEE ALSO" +.PP +\fBsmbpasswd(8)\fR <URL:smbpasswd.8.html>, +samba(7) <URL:samba.7.html>, and +the Internet RFC1321 for details on the MD4 algorithm. +.SH "AUTHOR" +.PP +The original Samba software and related utilities +were created by Andrew Tridgell. Samba is now developed +by the Samba Team as an Open Source project similar +to the way the Linux kernel is developed. +.PP +The original Samba man pages were written by Karl Auer. +The man page sources were converted to YODL format (another +excellent piece of Open Source software, available at +ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the Samba 2.0 +release by Jeremy Allison. The conversion to DocBook for +Samba 2.2 was done by Gerald Carter diff --git a/docs/manpages/smbpasswd.8 b/docs/manpages/smbpasswd.8 index be70fad031d..3c134913a96 100644 --- a/docs/manpages/smbpasswd.8 +++ b/docs/manpages/smbpasswd.8 
@@ -1,308 +1,301 @@ -.TH "smbpasswd " "8" "23 Oct 1998" "Samba" "SAMBA" -.PP -.SH "NAME" +.\" This manpage has been automatically generated by docbook2man-spec +.\" from a DocBook document. docbook2man-spec can be found at: +.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/> +.\" Please send any bug reports, improvements, comments, patches, +.\" etc. to Steve Cheng <steve@ggi-project.org>. +.TH "SMBPASSWD" "8" "22 February 2001" "" "" +.SH NAME smbpasswd \- change a users SMB password -.PP -.SH "SYNOPSIS" -.PP -\fBsmbpasswd\fP [-a] [-x] [-d] [-e] [-D debug level] [-n] [-r remote_machine] [-R name resolve order] [-m] [-j DOMAIN] [-U username] [-h] [-s] username -.PP -.SH "DESCRIPTION" -.PP -This program is part of the \fBSamba\fP suite\&. -.PP -The \fBsmbpasswd\fP program has several different functions, depending -on whether it is run by the \fIroot\fP user or not\&. When run as a normal -user it allows the user to change the password used for their SMB -sessions on any machines that store SMB passwords\&. -.PP -By default (when run with no arguments) it will attempt to change the -current users SMB password on the local machine\&. This is similar to -the way the \fBpasswd (1)\fP program works\&. \fBsmbpasswd\fP differs from how -the \fBpasswd\fP program works however in that it is not \fIsetuid root\fP -but works in a client-server mode and communicates with a locally -running \fBsmbd\fP\&. As a consequence in order for this -to succeed the \fBsmbd\fP daemon must be running on -the local machine\&. On a UNIX machine the encrypted SMB passwords are -usually stored in the \fBsmbpasswd (5)\fP file\&. -.PP -When run by an ordinary user with no options\&. \fBsmbpasswd\fP will -prompt them for their old smb password and then ask them for their new -password twice, to ensure that the new password was typed -correctly\&. No passwords will be echoed on the screen whilst being -typed\&. 
If you have a blank smb password (specified by the string "NO -PASSWORD" in the \fBsmbpasswd\fP file) then just -press the <Enter> key when asked for your old password\&. -.PP -\fBsmbpasswd\fP can also be used by a normal user to change their SMB -password on remote machines, such as Windows NT Primary Domain -Controllers\&. See the (\fB-r\fP) and -\fB-U\fP options below\&. -.PP -When run by root, \fBsmbpasswd\fP allows new users to be added and -deleted in the \fBsmbpasswd\fP file, as well as -allows changes to the attributes of the user in this file to be made\&. When -run by root, \fBsmbpasswd\fP accesses the local -\fBsmbpasswd\fP file directly, thus enabling -changes to be made even if \fBsmbd\fP is not running\&. -.PP -.SH "OPTIONS" -.PP -.IP -.IP "\fB-a\fP" -This option specifies that the username following should -be added to the local \fBsmbpasswd\fP file, with -the new password typed (type <Enter> for the old password)\&. This -option is ignored if the username following already exists in the -\fBsmbpasswd\fP file and it is treated like a -regular change password command\&. Note that the user to be added -\fBmust\fP already exist in the system password file (usually /etc/passwd) -else the request to add the user will fail\&. -.IP -This option is only available when running \fBsmbpasswd\fP as -root\&. -.IP -.IP "\fB-x\fP" -This option specifies that the username following should -be deleted from the local \fBsmbpasswd\fP file\&. -.IP -This option is only available when running \fBsmbpasswd\fP as -root\&. -.IP -.IP "\fB-d\fP" -This option specifies that the username following should be -\fIdisabled\fP in the local \fBsmbpasswd\fP file\&. -This is done by writing a \fI\'D\'\fP flag into the account control space -in the \fBsmbpasswd\fP file\&. Once this is done -all attempts to authenticate via SMB using this username will fail\&. 
-.IP -If the \fBsmbpasswd\fP file is in the \'old\' -format (pre-Samba 2\&.0 format) there is no space in the users password -entry to write this information and so the user is disabled by writing -\'X\' characters into the password space in the -\fBsmbpasswd\fP file\&. See \fBsmbpasswd -(5)\fP for details on the \'old\' and new password file -formats\&. -.IP -This option is only available when running \fBsmbpasswd\fP as root\&. -.IP -.IP "\fB-e\fP" -This option specifies that the username following should be -\fIenabled\fP in the local \fBsmbpasswd\fP file, -if the account was previously disabled\&. If the account was not -disabled this option has no effect\&. Once the account is enabled -then the user will be able to authenticate via SMB once again\&. -.IP -If the smbpasswd file is in the \'old\' format then \fBsmbpasswd\fP will -prompt for a new password for this user, otherwise the account will be -enabled by removing the \fI\'D\'\fP flag from account control space in the -\fBsmbpasswd\fP file\&. See \fBsmbpasswd -(5)\fP for details on the \'old\' and new password file -formats\&. -.IP -This option is only available when running \fBsmbpasswd\fP as root\&. -.IP -.IP "\fB-D debuglevel\fP" -debuglevel is an integer from 0 -to 10\&. The default value if this parameter is not specified is zero\&. -.IP -The higher this value, the more detail will be logged to the log files -about the activities of smbpasswd\&. At level 0, only critical errors -and serious warnings will be logged\&. -.IP -Levels above 1 will generate considerable amounts of log data, and -should only be used when investigating a problem\&. Levels above 3 are -designed for use only by developers and generate HUGE amounts of log -data, most of which is extremely cryptic\&. -.IP -.IP "\fB-n\fP" -This option specifies that the username following should -have their password set to null (i\&.e\&. a blank password) in the local -\fBsmbpasswd\fP file\&. 
This is done by writing the -string "NO PASSWORD" as the first part of the first password stored in -the \fBsmbpasswd\fP file\&. -.IP -Note that to allow users to logon to a Samba server once the password -has been set to "NO PASSWORD" in the -\fBsmbpasswd\fP file the administrator must set -the following parameter in the [global] section of the -\fBsmb\&.conf\fP file : -.IP -null passwords = true -.IP -This option is only available when running \fBsmbpasswd\fP as root\&. -.IP -.IP "\fB-r remote machine name\fP" -This option allows a -user to specify what machine they wish to change their password -on\&. Without this parameter \fBsmbpasswd\fP defaults to the local -host\&. The \fI"remote machine name"\fP is the NetBIOS name of the -SMB/CIFS server to contact to attempt the password change\&. This name -is resolved into an IP address using the standard name resolution -mechanism in all programs of the \fBSamba\fP -suite\&. See the \fB-R name resolve order\fP parameter for details on changing this resolving -mechanism\&. -.IP -The username whose password is changed is that of the current UNIX -logged on user\&. See the \fB-U username\fP -parameter for details on changing the password for a different -username\&. -.IP -Note that if changing a Windows NT Domain password the remote machine -specified must be the Primary Domain Controller for the domain (Backup -Domain Controllers only have a read-only copy of the user account -database and will not allow the password change)\&. -.IP -\fINote\fP that Windows 95/98 do not have a real password database -so it is not possible to change passwords specifying a Win95/98 -machine as remote machine target\&. -.IP -.IP "\fB-R name resolve order\fP" -This option allows the user of -smbclient to determine what name resolution services to use when -looking up the NetBIOS name of the host being connected to\&. -.IP -The options are :"lmhosts", "host", -"wins" and "bcast"\&. 
They cause names to be -resolved as follows : -.IP -.IP -.IP o -\fBlmhosts\fP : Lookup an IP address in the Samba lmhosts file\&. -.IP -.IP o -\fBhost\fP : Do a standard host name to IP address resolution, -using the system /etc/hosts, NIS, or DNS lookups\&. This method of name -resolution is operating system dependent\&. For instance on IRIX or -Solaris, this may be controlled by the \fI/etc/nsswitch\&.conf\fP file)\&. -.IP -.IP o -\fBwins\fP : Query a name with the IP address listed in the -\fBwins server\fP parameter in the -\fBsmb\&.conf file\fP\&. If -no WINS server has been specified this method will be ignored\&. -.IP -.IP o -\fBbcast\fP : Do a broadcast on each of the known local interfaces -listed in the \fBinterfaces\fP parameter -in the smb\&.conf file\&. This is the least reliable of the name resolution -methods as it depends on the target host being on a locally connected -subnet\&. -.IP -.IP -If this parameter is not set then the name resolve order defined -in the \fBsmb\&.conf\fP file parameter -\fBname resolve order\fP -will be used\&. -.IP -The default order is lmhosts, host, wins, bcast and without this -parameter or any entry in the \fBsmb\&.conf\fP -file the name resolution methods will be attempted in this order\&. -.IP -.IP "\fB-m\fP" -This option tells \fBsmbpasswd\fP that the account being -changed is a \fIMACHINE\fP account\&. Currently this is used when Samba is -being used as an NT Primary Domain Controller\&. PDC support is not a -supported feature in Samba2\&.0 but will become supported in a later -release\&. If you wish to know more about using Samba as an NT PDC then -please subscribe to the mailing list -samba-ntdom@samba\&.org\&. -.IP -This option is only available when running \fBsmbpasswd\fP as root\&. -.IP -.IP "\fB-j DOMAIN\fP" -This option is used to add a Samba server into a -Windows NT Domain, as a Domain member capable of authenticating user -accounts to any Domain Controller in the same way as a Windows NT -Server\&. 
See the \fBsecurity=domain\fP -option in the \fBsmb\&.conf (5)\fP man page\&. -.IP -In order to be used in this way, the Administrator for the Windows -NT Domain must have used the program \fI"Server Manager for Domains"\fP -to add the primary NetBIOS name of -the Samba server as a member of the Domain\&. -.IP -After this has been done, to join the Domain invoke \fBsmbpasswd\fP with -this parameter\&. \fBsmbpasswd\fP will then look up the Primary Domain -Controller for the Domain (found in the -\fBsmb\&.conf\fP file in the parameter -\fBpassword server\fP and change -the machine account password used to create the secure Domain -communication\&. This password is then stored by \fBsmbpasswd\fP in a -file, read only by root, called \f(CW<Domain>\&.<Machine>\&.mac\fP where -\f(CW<Domain>\fP is the name of the Domain we are joining and \f(CW<Machine>\fP -is the primary NetBIOS name of the machine we are running on\&. -.IP -Once this operation has been performed the -\fBsmb\&.conf\fP file may be updated to set the -\fBsecurity=domain\fP option and all -future logins to the Samba server will be authenticated to the Windows -NT PDC\&. -.IP -Note that even though the authentication is being done to the PDC all -users accessing the Samba server must still have a valid UNIX account -on that machine\&. -.IP -This option is only available when running \fBsmbpasswd\fP as root\&. -.IP -.IP "\fB-U username\fP" -This option may only be used in -conjunction with the \fB-r\fP -option\&. When changing a password on a remote machine it allows the -user to specify the user name on that machine whose password will be -changed\&. It is present to allow users who have different user names on -different systems to change these passwords\&. -.IP -.IP "\fB-h\fP" -This option prints the help string for \fBsmbpasswd\fP, -selecting the correct one for running as root or as an ordinary user\&. -.IP -.IP "\fB-s\fP" -This option causes \fBsmbpasswd\fP to be silent (i\&.e\&. 
not -issue prompts) and to read it\'s old and new passwords from standard -input, rather than from \f(CW/dev/tty\fP (like the \fBpasswd (1)\fP program -does)\&. This option is to aid people writing scripts to drive \fBsmbpasswd\fP -.IP -.IP "\fBusername\fP" -This specifies the username for all of the \fIroot -only\fP options to operate on\&. Only root can specify this parameter as -only root has the permission needed to modify attributes directly -in the local \fBsmbpasswd\fP file\&. -.IP -.SH "NOTES" -.IP -Since \fBsmbpasswd\fP works in client-server mode communicating with a -local \fBsmbd\fP for a non-root user then the \fBsmbd\fP -daemon must be running for this to work\&. A common problem is to add a -restriction to the hosts that may access the \fBsmbd\fP running on the -local machine by specifying a \fB"allow -hosts"\fP or \fB"deny -hosts"\fP entry in the -\fBsmb\&.conf\fP file and neglecting to allow -\fI"localhost"\fP access to the \fBsmbd\fP\&. -.IP -In addition, the \fBsmbpasswd\fP command is only useful if \fBSamba\fP has -been set up to use encrypted passwords\&. See the file \fBENCRYPTION\&.txt\fP -in the docs directory for details on how to do this\&. -.IP -.SH "VERSION" -.IP -This man page is correct for version 2\&.0 of the Samba suite\&. -.IP -.SH "AUTHOR" -.IP -The original Samba software and related utilities were created by -Andrew Tridgell samba@samba\&.org\&. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed\&. -.IP -The original Samba man pages were written by Karl Auer\&. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -\fBftp://ftp\&.icce\&.rug\&.nl/pub/unix/\fP) -and updated for the Samba2\&.0 release by Jeremy Allison\&. -samba@samba\&.org\&. -.IP -See \fBsamba (7)\fP to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc\&. 
+.SH SYNOPSIS +.sp +\fBsmbpasswd\fR [ \fB-a\fR ] [ \fB-x\fR ] [ \fB-d\fR ] [ \fB-e\fR ] [ \fB-D debuglevel\fR ] [ \fB-n\fR ] [ \fB-r <remote machine>\fR ] [ \fB-R <name resolve order>\fR ] [ \fB-m\fR ] [ \fB-j DOMAIN\fR ] [ \fB-U username\fR ] [ \fB-h\fR ] [ \fB-s\fR ] [ \fBusername\fR ] +.SH "DESCRIPTION" +.PP +This tool is part of the Samba <URL:samba.7.html> suite. +.PP +The smbpasswd program has several different +functions, depending on whether it is run by the \fBroot\fR +user or not. When run as a normal user it allows the user to change +the password used for their SMB sessions on any machines that store +SMB passwords. +.PP +By default (when run with no arguments) it will attempt to +change the current users SMB password on the local machine. This is +similar to the way the \fBpasswd(1)\fR program works. +\fBsmbpasswd\fR differs from how the passwd program works +however in that it is not \fBsetuid root\fR but works in +a client-server mode and communicates with a locally running +\fBsmbd(8)\fR. As a consequence in order for this to +succeed the smbd daemon must be running on the local machine. On a +UNIX machine the encrypted SMB passwords are usually stored in +the \fIsmbpasswd(5)\fR file. +.PP +When run by an ordinary user with no options. smbpasswd +will prompt them for their old smb password and then ask them +for their new password twice, to ensure that the new password +was typed correctly. No passwords will be echoed on the screen +whilst being typed. If you have a blank smb password (specified by +the string "NO PASSWORD" in the smbpasswd file) then just press +the <Enter> key when asked for your old password. +.PP +smbpasswd can also be used by a normal user to change their +SMB password on remote machines, such as Windows NT Primary Domain +Controllers. See the (-r) and -U options below. 
+.PP +When run by root, smbpasswd allows new users to be added +and deleted in the smbpasswd file, as well as allows changes to +the attributes of the user in this file to be made. When run by root, +\fBsmbpasswd\fR accesses the local smbpasswd file +directly, thus enabling changes to be made even if smbd is not +running. +.SH "OPTIONS" +.TP +\fB-a\fR +This option specifies that the username +following should be added to the local smbpasswd file, with the +new password typed (type <Enter> for the old password). This +option is ignored if the username following already exists in +the smbpasswd file and it is treated like a regular change +password command. Note that the user to be added must already exist +in the system password file (usually \fI/etc/passwd\fR) +else the request to add the user will fail. + +This option is only available when running smbpasswd +as root. +.TP +\fB-x\fR +This option specifies that the username +following should be deleted from the local smbpasswd file. + +This option is only available when running smbpasswd as +root. +.TP +\fB-d\fR +This option specifies that the username following +should be disabled in the local smbpasswd +file. This is done by writing a 'D' flag +into the account control space in the smbpasswd file. Once this +is done all attempts to authenticate via SMB using this username +will fail. + +If the smbpasswd file is in the 'old' format (pre-Samba 2.0 +format) there is no space in the users password entry to write +this information and so the user is disabled by writing 'X' characters +into the password space in the smbpasswd file. See \fBsmbpasswd(5) +\fRfor details on the 'old' and new password file formats. + +This option is only available when running smbpasswd as +root. +.TP +\fB-e\fR +This option specifies that the username following +should be enabled in the local smbpasswd file, +if the account was previously disabled. If the account was not +disabled this option has no effect. 
Once the account is enabled then +the user will be able to authenticate via SMB once again. + +If the smbpasswd file is in the 'old' format, then \fB smbpasswd\fR will prompt for a new password for this user, +otherwise the account will be enabled by removing the 'D' +flag from account control space in the \fI smbpasswd\fR file. See \fBsmbpasswd (5)\fR for +details on the 'old' and new password file formats. + +This option is only available when running smbpasswd as root. +.TP +\fB-D debuglevel\fR +\fIdebuglevel\fR is an integer +from 0 to 10. The default value if this parameter is not specified +is zero. + +The higher this value, the more detail will be logged to the +log files about the activities of smbpasswd. At level 0, only +critical errors and serious warnings will be logged. + +Levels above 1 will generate considerable amounts of log +data, and should only be used when investigating a problem. Levels +above 3 are designed for use only by developers and generate +HUGE amounts of log data, most of which is extremely cryptic. +.TP +\fB-n\fR +This option specifies that the username following +should have their password set to null (i.e. a blank password) in +the local smbpasswd file. This is done by writing the string "NO +PASSWORD" as the first part of the first password stored in the +smbpasswd file. + +Note that to allow users to logon to a Samba server once +the password has been set to "NO PASSWORD" in the smbpasswd +file the administrator must set the following parameter in the [global] +section of the \fIsmb.conf\fR file : + +\fBnull passwords = yes\fR + +This option is only available when running smbpasswd as +root. +.TP +\fB-r remote machine name\fR +This option allows a user to specify what machine +they wish to change their password on. Without this parameter +smbpasswd defaults to the local host. The \fIremote +machine name\fR is the NetBIOS name of the SMB/CIFS +server to contact to attempt the password change. 
This name is +resolved into an IP address using the standard name resolution +mechanism in all programs of the Samba suite. See the \fI-R +name resolve order\fR parameter for details on changing +this resolving mechanism. + +The username whose password is changed is that of the +current UNIX logged on user. See the \fI-U username\fR +parameter for details on changing the password for a different +username. + +Note that if changing a Windows NT Domain password the +remote machine specified must be the Primary Domain Controller for +the domain (Backup Domain Controllers only have a read-only +copy of the user account database and will not allow the password +change). + +\fBNote\fR that Windows 95/98 do not have +a real password database so it is not possible to change passwords +specifying a Win95/98 machine as remote machine target. +.TP +\fB-R name resolve order\fR +This option allows the user of smbclient to determine +what name resolution services to use when looking up the NetBIOS +name of the host being connected to. + +The options are :"lmhosts", "host", "wins" and "bcast". They cause +names to be resolved as follows : +.RS +.TP 0.2i +\(bu +lmhosts : Lookup an IP +address in the Samba lmhosts file. If the line in lmhosts has +no name type attached to the NetBIOS name (see the lmhosts(5) <URL:lmhosts.5.html> for details) then +any name type matches for lookup. +.TP 0.2i +\(bu +host : Do a standard host +name to IP address resolution, using the system \fI/etc/hosts +\fR, NIS, or DNS lookups. This method of name resolution +is operating system depended for instance on IRIX or Solaris this +may be controlled by the \fI/etc/nsswitch.conf\fR +file). Note that this method is only used if the NetBIOS name +type being queried is the 0x20 (server) name type, otherwise +it is ignored. +.TP 0.2i +\(bu +wins : Query a name with +the IP address listed in the \fIwins server\fR +parameter. If no WINS server has been specified this method +will be ignored. 
+.TP 0.2i +\(bu +bcast : Do a broadcast on +each of the known local interfaces listed in the +\fIinterfaces\fR parameter. This is the least +reliable of the name resolution methods as it depends on the +target host being on a locally connected subnet. +.RE +.PP +The default order is \fBlmhosts, host, wins, bcast\fR +and without this parameter or any entry in the +\fIsmb.conf\fR file the name resolution methods will +be attempted in this order. +.PP +.TP +\fB-m\fR +This option tells smbpasswd that the account +being changed is a MACHINE account. Currently this is used +when Samba is being used as an NT Primary Domain Controller. + +This option is only available when running smbpasswd as root. +.TP +\fB-j DOMAIN\fR +This option is used to add a Samba server +into a Windows NT Domain, as a Domain member capable of authenticating +user accounts to any Domain Controller in the same way as a Windows +NT Server. See the \fBsecurity = domain\fR option in +the \fIsmb.conf(5)\fR man page. + +In order to be used in this way, the Administrator for +the Windows NT Domain must have used the program "Server Manager +for Domains" to add the primary NetBIOS name of the Samba server +as a member of the Domain. + +After this has been done, to join the Domain invoke \fB smbpasswd\fR with this parameter. smbpasswd will then +look up the Primary Domain Controller for the Domain (found in +the \fIsmb.conf\fR file in the parameter +\fIpassword server\fR and change the machine account +password used to create the secure Domain communication. This +password is then stored by smbpasswd in a TDB, writeable only by root, +called \fIsecrets.tdb\fR + +Once this operation has been performed the \fI smb.conf\fR file may be updated to set the \fB security = domain\fR option and all future logins +to the Samba server will be authenticated to the Windows NT +PDC. 
+ +Note that even though the authentication is being +done to the PDC all users accessing the Samba server must still +have a valid UNIX account on that machine. + +This option is only available when running smbpasswd as root. +.TP +\fB-U username\fR +This option may only be used in conjunction +with the \fI-r\fR option. When changing +a password on a remote machine it allows the user to specify +the user name on that machine whose password will be changed. It +is present to allow users who have different user names on +different systems to change these passwords. +.TP +\fB-h\fR +This option prints the help string for \fB smbpasswd\fR, selecting the correct one for running as root +or as an ordinary user. +.TP +\fB-s\fR +This option causes smbpasswd to be silent (i.e. +not issue prompts) and to read it's old and new passwords from +standard input, rather than from \fI/dev/tty\fR +(like the \fBpasswd(1)\fR program does). This option +is to aid people writing scripts to drive smbpasswd +.TP +\fBusername\fR +This specifies the username for all of the +\fBroot only\fR options to operate on. Only root +can specify this parameter as only root has the permission needed +to modify attributes directly in the local smbpasswd file. +.SH "NOTES" +.PP +Since \fBsmbpasswd\fR works in client-server +mode communicating with a local smbd for a non-root user then +the smbd daemon must be running for this to work. A common problem +is to add a restriction to the hosts that may access the \fB smbd\fR running on the local machine by specifying a +\fIallow hosts\fR or \fIdeny hosts\fR +entry in the \fIsmb.conf\fR file and neglecting to +allow "localhost" access to the smbd. +.PP +In addition, the smbpasswd command is only useful if Samba +has been set up to use encrypted passwords. See the file +\fIENCRYPTION.txt\fR in the docs directory for details +on how to do this. +.SH "VERSION" +.PP +This man page is correct for version 2.2 of +the Samba suite. 
+.SH "SEE ALSO" +.PP +\fIsmbpasswd(5)\fR <URL:smbpasswd.5.html>, +samba(7) <URL:samba.7.html> +.SH "AUTHOR" +.PP +The original Samba software and related utilities +were created by Andrew Tridgell. Samba is now developed +by the Samba Team as an Open Source project similar +to the way the Linux kernel is developed. +.PP +The original Samba man pages were written by Karl Auer. +The man page sources were converted to YODL format (another +excellent piece of Open Source software, available at +ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the Samba 2.0 +release by Jeremy Allison. The conversion to DocBook for +Samba 2.2 was done by Gerald Carter |
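Review bot: The DocBook conversion leaks HTML link targets into the roff output of the added smbpasswd page: "Samba <URL:samba.7.html> suite" in DESCRIPTION, "lmhosts(5) <URL:lmhosts.5.html>" under -R, and both SEE ALSO entries carry relative .html names that mean nothing to someone reading the page with man. Suggest suppressing URL rendering for cross-references in the man output, since plain "samba(7)" is enough. The same pass puts a space inside several font escapes ("\fB smbpasswd\fR", "\fI smb.conf\fR", "\fB security = domain\fR"), which prints as a doubled space, and under -d it breaks the line before the closing escape ("\fBsmbpasswd(5)" then "\fRfor details"), so the reset runs straight into the next word.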
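Review bot: In the added -R name resolve order entry, "This option allows the user of smbclient" names the wrong program. The wording is carried over from the removed text, but this is the smbpasswd page and it should read "the user of smbpasswd". In the same entry the host bullet has a closing parenthesis with no opener and "operating system depended"; something like "operating system dependent; for instance on IRIX or Solaris this may be controlled by the /etc/nsswitch.conf file." reads cleanly. The rewrite also drops the removed paragraph saying that the smb.conf name resolve order parameter is used when -R is not given, leaving only the default-order sentence; it is worth restoring because it tells the reader which setting takes precedence.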
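Review bot: In the added -j DOMAIN entry, the storage description changes from a file "read only by root" to a TDB "writeable only by root", which no longer tells the administrator whether non-root users can read secrets.tdb. This file holds the machine account password used for the secure channel to the domain controller, so the page should state the read restriction explicitly if the code enforces one. Also in this paragraph, the parenthesis opened at "(found in the smb.conf file" is never closed (inherited from the old text), and the sentence ending "called \fIsecrets.tdb\fR" has no full stop.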