path: root/docs/htmldocs/smbpasswd.8.html
Diffstat (limited to 'docs/htmldocs/smbpasswd.8.html')
-rw-r--r-- docs/htmldocs/smbpasswd.8.html 582
1 files changed, 382 insertions, 200 deletions
diff --git a/docs/htmldocs/smbpasswd.8.html b/docs/htmldocs/smbpasswd.8.html
index a8b39b37e57..7c0699c535b 100644
--- a/docs/htmldocs/smbpasswd.8.html
+++ b/docs/htmldocs/smbpasswd.8.html
@@ -33,15 +33,24 @@ NAME="AEN8"
><H2
>Synopsis</H2
><P
+>When run by root:</P
+><P
+><B
+CLASS="COMMAND"
+>smbpasswd</B
+> [options] [username] [password]</P
+><P
+>otherwise:</P
+><P
><B
CLASS="COMMAND"
>smbpasswd</B
-> [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r &#60;remote machine&#62;] [-R &#60;name resolve order&#62;] [-m] [-j DOMAIN] [-U username[%password]] [-h] [-s] [-w pass] [username]</P
+> [options] [password]</P
></DIV
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN26"
+NAME="AEN20"
></A
><H2
>DESCRIPTION</H2
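Review bot: The new Synopsis collapses every switch into "[options]", so a reader can no longer see from the Synopsis which switches exist or which are root-only; that is now stated only in the NOTE entry inside OPTIONS. Consider keeping a flag list in each of the two forms (root and non-root), as the removed line did.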
@@ -110,7 +119,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN42"
+NAME="AEN36"
></A
><H2
>OPTIONS</H2
@@ -120,35 +129,235 @@ NAME="AEN42"
CLASS="VARIABLELIST"
><DL
><DT
->-a</DT
+>-L</DT
><DD
><P
->This option specifies that the username
- following should be added to the local smbpasswd file, with the
- new password typed (type &#60;Enter&#62; for the old password). This
- option is ignored if the username following already exists in
- the smbpasswd file and it is treated like a regular change
- password command. Note that the default passdb backends require
- the user to already exist in the system password file (usually
- <TT
+>Run the smbpasswd command in local mode. This
+ allows a non-root user to specify the root-only options. This
+ is used mostly in test environments where a non-root user needs
+ to make changes to the local <TT
CLASS="FILENAME"
->/etc/passwd</TT
->), else the request to add the
- user will fail. </P
+>smbpasswd</TT
+> file.
+ The <TT
+CLASS="FILENAME"
+>smbpasswd</TT
+> file must have read/write
+ permissions for the user running the command.</P
+></DD
+><DT
+>-h</DT
+><DD
><P
->This option is only available when running smbpasswd
- as root. </P
+>This option prints the help string for
+ <B
+CLASS="COMMAND"
+>smbpasswd</B
+>. </P
></DD
><DT
->-x</DT
+>-c smb.conf file</DT
><DD
><P
->This option specifies that the username
- following should be deleted from the local smbpasswd file.
+>This option specifies that the configuration
+ file specified should be used instead of the default value
+ specified at compile time. </P
+></DD
+><DT
+>-D debuglevel</DT
+><DD
+><P
+><TT
+CLASS="REPLACEABLE"
+><I
+>debuglevel</I
+></TT
+> is an integer
+ from 0 to 10. The default value if this parameter is not specified
+ is zero. </P
+><P
+>The higher this value, the more detail will be logged to the
+ log files about the activities of smbpasswd. At level 0, only
+ critical errors and serious warnings will be logged. </P
+><P
+>Levels above 1 will generate considerable amounts of log
+ data, and should only be used when investigating a problem. Levels
+ above 3 are designed for use only by developers and generate
+ HUGE amounts of log data, most of which is extremely cryptic.
+ </P
+></DD
+><DT
+>-r remote machine name</DT
+><DD
+><P
+>This option allows a user to specify what machine
+ they wish to change their password on. Without this parameter
+ smbpasswd defaults to the local host. The <TT
+CLASS="REPLACEABLE"
+><I
+>remote
+ machine name</I
+></TT
+> is the NetBIOS name of the SMB/CIFS
+ server to contact to attempt the password change. This name is
+ resolved into an IP address using the standard name resolution
+ mechanism in all programs of the Samba suite. See the <TT
+CLASS="PARAMETER"
+><I
+>-R
+ name resolve order</I
+></TT
+> parameter for details on changing
+ this resolving mechanism. </P
+><P
+>The username whose password is changed is that of the
+ current UNIX logged on user. See the <TT
+CLASS="PARAMETER"
+><I
+>-U username</I
+></TT
+>
+ parameter for details on changing the password for a different
+ username. </P
+><P
+>Note that if changing a Windows NT Domain password the
+ remote machine specified must be the Primary Domain Controller for
+ the domain (Backup Domain Controllers only have a read-only
+ copy of the user account database and will not allow the password
+ change).</P
+><P
+><EM
+>Note</EM
+> that Windows 95/98 do not have
+ a real password database so it is not possible to change passwords
+ specifying a Win95/98 machine as remote machine target. </P
+></DD
+><DT
+>-s</DT
+><DD
+><P
+>This option causes smbpasswd to be silent (i.e.
+ not issue prompts) and to read its old and new passwords from
+ standard input, rather than from <TT
+CLASS="FILENAME"
+>/dev/tty</TT
+>
+ (like the <B
+CLASS="COMMAND"
+>passwd(1)</B
+> program does). This option
+ is to aid people writing scripts to drive smbpasswd</P
+></DD
+><DT
+>-S</DT
+><DD
+><P
+>This option causes <B
+CLASS="COMMAND"
+>smbpasswd</B
+>
+ to query a domain controller of the domain specified
+ by the <A
+HREF="smb.conf.5.html#WORKGROUP"
+TARGET="_top"
+>workgroup</A
+>
+ parameter in <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> and store the
+ domain SID in the <TT
+CLASS="FILENAME"
+>secrets.tdb</TT
+> file
+ as its own machine SID. This is only useful when configuring
+ a Samba PDC and Samba BDC, or when migrating from a Windows PDC
+ to a Samba PDC. </P
+><P
+>The <TT
+CLASS="PARAMETER"
+><I
+>-r</I
+></TT
+> options can be used
+ as well to indicate a specific domain controller which should
+ be contacted. In this case, the domain SID obtained is the
+ one for the domain to which the remote machine belongs.
</P
+></DD
+><DT
+>-t</DT
+><DD
><P
->This option is only available when running smbpasswd as
- root.</P
+>This option is used to force smbpasswd to
+ change the current password assigned to the machine trust account
+ when operating in domain security mode. This is really meant to
+ be used on systems that only run <A
+HREF="winbindd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>winbindd</B
+></A
+>.
+ Under server installations, <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd</B
+></A
+>
+ handle the password updates automatically.</P
+></DD
+><DT
+>-U username[%pass]</DT
+><DD
+><P
+>This option may only be used in conjunction
+ with the <TT
+CLASS="PARAMETER"
+><I
+>-r</I
+></TT
+> option. When changing
+ a password on a remote machine it allows the user to specify
+ the user name on that machine whose password will be changed. It
+ is present to allow users who have different user names on
+ different systems to change these passwords. The optional
+ %pass may be used to specify to old password.</P
+><P
+>In particular, this parameter specifies the username
+ used to create the machine account when invoked with -j</P
+></DD
+><DT
+><B
+CLASS="COMMAND"
+>NOTE:</B
+></DT
+><DD
+><P
+><B
+CLASS="COMMAND"
+>The following options are available only when the smbpasswd command is
+run as root or in local mode.</B
+></P
+></DD
+><DT
+>-a</DT
+><DD
+><P
+>This option specifies that the username
+ following should be added to the local smbpasswd file, with the
+ new password typed. This
+ option is ignored if the username specified already exists in
+ the smbpasswd file and it is treated like a regular change
+ password command. Note that the user to be added must already exist
+ in the system password file (usually <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+>)
+ else the request to add the user will fail. </P
></DD
><DT
>-d</DT
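Review bot: The -L entry says the smbpasswd file "must have read/write permissions for the user running the command" but does not mention that this file holds the users' password hashes, so opening it to a non-root user exposes them. Suggest adding a sentence that limits -L to test setups with a throwaway smbpasswd file. Two wording fixes in the same hunk: "specify to old password" under -U should read "specify the old password", and "smbd handle the password updates" under -t should be "smbd handles".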
@@ -169,15 +378,13 @@ CLASS="CONSTANT"
><P
>If the smbpasswd file is in the 'old' format (pre-Samba 2.0
format) there is no space in the user's password entry to write
- this information and the command will FAIL. See <B
+ this information and so the user is disabled by writing 'X' characters
+ into the password space in the smbpasswd file. See <B
CLASS="COMMAND"
>smbpasswd(5)
</B
> for details on the 'old' and new password file formats.
</P
-><P
->This option is only available when running smbpasswd as
- root.</P
></DD
><DT
>-e</DT
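Review bot: The new -d wording for 'old' format files says the user is disabled "by writing 'X' characters into the password space", which overwrites the stored password, but the entry does not say so. Suggest stating that the existing password is lost and that re-enabling the account with -e means setting a new one. Dropping the root-only paragraph is fine given the NOTE entry added earlier in OPTIONS.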
@@ -195,38 +402,27 @@ CLASS="CONSTANT"
>If the smbpasswd file is in the 'old' format, then <B
CLASS="COMMAND"
> smbpasswd</B
-> will FAIL to enable the account.
- See <B
+> will prompt for a new password for this user,
+ otherwise the account will be enabled by removing the <TT
+CLASS="CONSTANT"
+>'D'
+ </TT
+> flag from account control space in the <TT
+CLASS="FILENAME"
+> smbpasswd</TT
+> file. See <B
CLASS="COMMAND"
>smbpasswd (5)</B
> for
details on the 'old' and new password file formats. </P
-><P
->This option is only available when running smbpasswd as root.
- </P
></DD
><DT
->-D debuglevel</DT
+>-m</DT
><DD
><P
-><TT
-CLASS="REPLACEABLE"
-><I
->debuglevel</I
-></TT
-> is an integer
- from 0 to 10. The default value if this parameter is not specified
- is zero. </P
-><P
->The higher this value, the more detail will be logged to the
- log files about the activities of smbpasswd. At level 0, only
- critical errors and serious warnings will be logged. </P
-><P
->Levels above 1 will generate considerable amounts of log
- data, and should only be used when investigating a problem. Levels
- above 3 are designed for use only by developers and generate
- HUGE amounts of log data, most of which is extremely cryptic.
- </P
+>This option tells smbpasswd that the account
+ being changed is a MACHINE account. Currently this is used
+ when Samba is being used as an NT Primary Domain Controller.</P
></DD
><DT
>-n</DT
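Review bot: In the -e text, "will prompt for a new password for this user, otherwise the account will be enabled by removing the 'D' flag" joins the old-format and new-format cases with a comma and is easy to misread. Split it into two sentences, one per file format. The 'D' and smbpasswd values also carry stray whitespace inside their TT elements.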
@@ -250,55 +446,127 @@ CLASS="FILENAME"
CLASS="COMMAND"
>null passwords = yes</B
></P
-><P
->This option is only available when running smbpasswd as
- root.</P
></DD
><DT
->-r remote machine name</DT
+>-w password</DT
><DD
><P
->This option allows a user to specify what machine
- they wish to change their password on. Without this parameter
- smbpasswd defaults to the local host. The <TT
-CLASS="REPLACEABLE"
+>This parameter is only available is Samba
+ has been configured to use the experimental
+ <B
+CLASS="COMMAND"
+>--with-ldapsam</B
+> option. The <TT
+CLASS="PARAMETER"
><I
->remote
- machine name</I
+>-w</I
></TT
-> is the NetBIOS name of the SMB/CIFS
- server to contact to attempt the password change. This name is
- resolved into an IP address using the standard name resolution
- mechanism in all programs of the Samba suite. See the <TT
+>
+ switch is used to specify the password to be used with the
+ <A
+HREF="smb.conf.5.html#LDAPADMINDN"
+TARGET="_top"
+><TT
CLASS="PARAMETER"
><I
->-R
- name resolve order</I
+>ldap admin
+ dn</I
></TT
-> parameter for details on changing
- this resolving mechanism. </P
+></A
+>. Note that the password is stored in
+ the <TT
+CLASS="FILENAME"
+>private/secrets.tdb</TT
+> and is keyed off
+ of the admin's DN. This means that if the value of <TT
+CLASS="PARAMETER"
+><I
+>ldap
+ admin dn</I
+></TT
+> ever changes, the password will need to be
+ manually updated as well.
+ </P
+></DD
+><DT
+>-x</DT
+><DD
><P
->The username whose password is changed is that of the
- current UNIX logged on user. See the <TT
+>This option specifies that the username
+ following should be deleted from the local smbpasswd file.
+ </P
+></DD
+><DT
+>-j DOMAIN</DT
+><DD
+><P
+>This option is used to add a Samba server
+ into a Windows NT Domain, as a Domain member capable of authenticating
+ user accounts to any Domain Controller in the same way as a Windows
+ NT Server. See the <B
+CLASS="COMMAND"
+>security = domain</B
+> option in
+ the <TT
+CLASS="FILENAME"
+>smb.conf(5)</TT
+> man page. </P
+><P
+>This command can work both with and without the -U parameter. </P
+><P
+>When invoked with -U, that username (and optional password) are
+ used to contact the PDC (which must be specified with -r) to both
+ create a machine account, and to set a password on it.</P
+><P
+>Alternately, if -U is omitted, Samba will contact its PDC
+ and attempt to change the password on a pre-existing account. </P
+><P
+>In order to be used in this way, the Administrator for
+ the Windows NT Domain must have used the program "Server Manager
+ for Domains" to add the primary NetBIOS name of the Samba server
+ as a member of the Domain. </P
+><P
+>After this has been done, to join the Domain invoke <B
+CLASS="COMMAND"
+> smbpasswd</B
+> with this parameter. smbpasswd will then
+ look up the Primary Domain Controller for the Domain (found in
+ the <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file in the parameter
+ <TT
CLASS="PARAMETER"
><I
->-U username</I
+>password server</I
></TT
->
- parameter for details on changing the password for a different
- username. </P
+> and change the machine account
+ password used to create the secure Domain communication. </P
><P
->Note that if changing a Windows NT Domain password the
- remote machine specified must be the Primary Domain Controller for
- the domain (Backup Domain Controllers only have a read-only
- copy of the user account database and will not allow the password
- change).</P
+>Either way, this password is then stored by smbpasswd in a TDB,
+ writeable only by root, called <TT
+CLASS="FILENAME"
+>secrets.tdb</TT
+> </P
><P
-><EM
->Note</EM
-> that Windows 95/98 do not have
- a real password database so it is not possible to change passwords
- specifying a Win95/98 machine as remote machine target. </P
+>Once this operation has been performed the <TT
+CLASS="FILENAME"
+> smb.conf</TT
+> file may be updated to set the <B
+CLASS="COMMAND"
+> security = domain</B
+> option and all future logins
+ to the Samba server will be authenticated to the Windows NT
+ PDC. </P
+><P
+>Note that even though the authentication is being
+ done to the PDC all users accessing the Samba server must still
+ have a valid UNIX account on that machine.
+ The <B
+CLASS="COMMAND"
+>winbindd(8)</B
+> daemon can be used
+ to create UNIX accounts for NT users.</P
></DD
><DT
>-R name resolve order</DT
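Review bot: The -w entry documents passing the ldap admin dn password as a command-line argument without mentioning that arguments are visible to other local users in the process list and are kept in shell history; add that caveat to the entry. Two text fixes in the same hunk: "only available is Samba" should be "only available if Samba", and the parenthesis opened at "(found in the smb.conf file" in the -j entry is never closed.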
@@ -319,13 +587,13 @@ CLASS="PARAMETER"
CLASS="CONSTANT"
>lmhosts</TT
> : Lookup an IP
- address in the Samba lmhosts file. If the line in lmhosts has
- no name type attached to the NetBIOS name (see the <A
+ address in the Samba lmhosts file. If the line in lmhosts has
+ no name type attached to the NetBIOS name (see the <A
HREF="lmhosts.5.html"
TARGET="_top"
>lmhosts(5)</A
> for details) then
- any name type matches for lookup.</P
+ any name type matches for lookup.</P
></LI
><LI
><P
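Review bot: The removed and added lines in the lmhosts item read identically, so this is a whitespace-only re-indent, and the wins and bcast items further down get the same treatment. Consider moving the re-indentation into a separate commit so the content changes in this patch are easier to review.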
@@ -333,19 +601,19 @@ TARGET="_top"
CLASS="CONSTANT"
>host</TT
> : Do a standard host
- name to IP address resolution, using the system <TT
+ name to IP address resolution, using the system <TT
CLASS="FILENAME"
>/etc/hosts
- </TT
+ </TT
>, NIS, or DNS lookups. This method of name resolution
- is operating system depended for instance on IRIX or Solaris this
- may be controlled by the <TT
+ is operating system dependent. For instance, on IRIX or Solaris this
+ may be controlled by the <TT
CLASS="FILENAME"
>/etc/nsswitch.conf</TT
>
- file). Note that this method is only used if the NetBIOS name
- type being queried is the 0x20 (server) name type, otherwise
- it is ignored.</P
+ file). Note that this method is only used if the NetBIOS name
+ type being queried is the 0x20 (server) name type, otherwise
+ it is ignored.</P
></LI
><LI
><P
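Review bot: The rewrite to "operating system dependent. For instance, on IRIX or Solaris" fixes the grammar but leaves an unmatched closing parenthesis in "file). Note that this method", which now sits after a sentence break. Drop the ")" or restore an opening parenthesis before "For instance".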
@@ -353,14 +621,14 @@ CLASS="FILENAME"
CLASS="CONSTANT"
>wins</TT
> : Query a name with
- the IP address listed in the <TT
+ the IP address listed in the <TT
CLASS="PARAMETER"
><I
>wins server</I
></TT
>
- parameter. If no WINS server has been specified this method
- will be ignored.</P
+ parameter. If no WINS server has been specified this method
+ will be ignored.</P
></LI
><LI
><P
@@ -368,15 +636,15 @@ CLASS="PARAMETER"
CLASS="CONSTANT"
>bcast</TT
> : Do a broadcast on
- each of the known local interfaces listed in the
- <TT
+ each of the known local interfaces listed in the
+ <TT
CLASS="PARAMETER"
><I
>interfaces</I
></TT
> parameter. This is the least
- reliable of the name resolution methods as it depends on the
- target host being on a locally connected subnet.</P
+ reliable of the name resolution methods as it depends on the
+ target host being on a locally connected subnet.</P
></LI
></UL
><P
@@ -392,100 +660,6 @@ CLASS="FILENAME"
be attempted in this order. </P
></DD
><DT
->-m</DT
-><DD
-><P
->This option tells smbpasswd that the account
- being changed is a MACHINE account. Currently this is used
- when Samba is being used as an NT Primary Domain Controller.</P
-><P
->This option is only available when running smbpasswd as root.
- </P
-></DD
-><DT
->-U username</DT
-><DD
-><P
->This option may only be used in conjunction
- with the <TT
-CLASS="PARAMETER"
-><I
->-r</I
-></TT
-> option. When changing
- a password on a remote machine it allows the user to specify
- the user name on that machine whose password will be changed. It
- is present to allow users who have different user names on
- different systems to change these passwords. </P
-></DD
-><DT
->-h</DT
-><DD
-><P
->This option prints the help string for <B
-CLASS="COMMAND"
-> smbpasswd</B
->, selecting the correct one for running as root
- or as an ordinary user. </P
-></DD
-><DT
->-s</DT
-><DD
-><P
->This option causes smbpasswd to be silent (i.e.
- not issue prompts) and to read its old and new passwords from
- standard input, rather than from <TT
-CLASS="FILENAME"
->/dev/tty</TT
->
- (like the <B
-CLASS="COMMAND"
->passwd(1)</B
-> program does). This option
- is to aid people writing scripts to drive smbpasswd</P
-></DD
-><DT
->-w password</DT
-><DD
-><P
->This parameter is only available is Samba
- has been configured to use the experiemental
- <B
-CLASS="COMMAND"
->--with-ldapsam</B
-> option. The <TT
-CLASS="PARAMETER"
-><I
->-w</I
-></TT
->
- switch is used to specify the password to be used with the
- <A
-HREF="smb.conf.5.html#LDAPADMINDN"
-TARGET="_top"
-><TT
-CLASS="PARAMETER"
-><I
->ldap admin
- dn</I
-></TT
-></A
->. Note that the password is stored in
- the <TT
-CLASS="FILENAME"
->private/secrets.tdb</TT
-> and is keyed off
- of the admin's DN. This means that if the value of <TT
-CLASS="PARAMETER"
-><I
->ldap
- admin dn</I
-></TT
-> ever changes, the password will beed to be
- manually updated as well.
- </P
-></DD
-><DT
>username</DT
><DD
><P
@@ -497,13 +671,21 @@ CLASS="PARAMETER"
to modify attributes directly in the local smbpasswd file.
</P
></DD
+><DT
+>password</DT
+><DD
+><P
+>This specifies the new password. If this parameter
+ is specified you will not be prompted for the new password.
+ </P
+></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN163"
+NAME="AEN213"
></A
><H2
>NOTES</H2
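Review bot: The new password entry says "you will not be prompted for the new password" but omits that a password given as an argument is visible to other local users in the process list and is saved in shell history. Suggest adding that caveat and pointing script authors at -s, which reads the passwords from standard input.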
@@ -546,18 +728,18 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN173"
+NAME="AEN223"
></A
><H2
>VERSION</H2
><P
->This man page is correct for version 3.0 of
+>This man page is correct for version 2.2 of
the Samba suite.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN176"
+NAME="AEN226"
></A
><H2
>SEE ALSO</H2
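Review bot: The VERSION paragraph goes from "version 3.0" to "version 2.2" in a change that otherwise adds option entries (-L, -c, -S, -t). Confirm the downgrade is intended, for example as a sync from the 2.2 branch; if not, keep 3.0.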
@@ -580,7 +762,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN182"
+NAME="AEN232"
></A
><H2
>AUTHOR</H2