+.TH "rpcclient " "1" "23 Oct 1998" "Samba" "SAMBA"
+rpcclient \- utility to manage MSRPC resources on servers
+-S servername
+[-U [username][%][password]]
+[-W domain]
+[-l log basename]
+[-d debuglevel]
+[-O socket options]
+[-i scope]
+[-n NetBIOS name]
+[-I dest IP]
+[-t terminal code]
+[-c command string]
+[-B IP addr]
+[-s smb\&.conf]
+[-m max protocol]
+This program is part of the \fBSamba\fP suite\&.
+\fBrpcclient\fP is a client that can \'talk\' to an SMB/CIFS MSRPC server\&.
+Operations include things like managing a SAM Database (users, groups
+and aliases) in the same way as the Windows NT programs
+\fBUser Manager for Domains\fP and \fBServer Manager for Domains\fP;
+managing a remote registry in the same way as the Windows NT programs
+\fBREGEDT32\&.EXE\fP and \fBREGEDIT\&.EXE\fP; viewing a remote event log (same
+as \fBEVENTVWR\&.EXE\fP) etc\&.
+Typical usage is like this:
+\f(CWrpcclient -I 192\&.168\&.32\&.1 -S "*SMBSERVER" -U fred%secret -l log\fP
+.IP "\fBservername\fP"
+servername is the name of the server you want
+to use on the server\&. This should be the NetBIOS name of the SMB/CIFS
+server, which can be \fB*SMBSERVER\fP on Windows NT 4\&.0 or Samba Servers\&.
+Note that the server name required is NOT necessarily the IP (DNS)
+host name of the server! The name required is a NetBIOS server name,
+which may or may not be the same as the IP hostname of the machine
+running the server\&. Also, remember that having a period in a NetBIOS
+name (such as an IP hostname) may cause connectivity problems on your
+network: NT tends to strip NetBIOS names from the leading period
+The server name is looked up according to either the
+\fB-R\fP parameter to \fBrpcclient\fP or using the
+\fBname resolve order\fP
+parameter in the smb\&.conf file, allowing an administrator to change
+the order and methods by which server names are looked up\&.
+.IP "\fBpassword\fP"
+password is the password required to access the
+specified service on the specified server\&. If this parameter is
+supplied, the \fB-N\fP option (suppress password prompt) is assumed\&.
+There is no default password\&. If no password is supplied on the
+command line (either by using this parameter or adding a password to
+the \fB-U\fP option (see below)) and the \fB-N\fP option is not specified,
+the client will prompt for a password, even if the desired service
+does not require one\&. (If no password is required, simply press ENTER
+to provide a null password\&.)
+Note: Some servers (including OS/2 and Windows for Workgroups) insist
+on an uppercase password\&. Lowercase or mixed case passwords may be
+rejected by these servers\&.
+Be cautious about including passwords in scripts\&.
+.IP "\fB-s smb\&.conf\fP"
+This parameter specifies the pathname to the
+Samba configuration file, smb\&.conf\&. This file controls all aspects of
+the Samba setup on the machine and rpcclient also needs to read this
+.IP "\fB-B IP addr\fP"
+The IP address to use when sending a broadcast packet\&.
+.IP "\fB-O socket options\fP"
+TCP socket options to set on the client
+socket\&. See the socket options
+parameter in the \fBsmb\&.conf (5)\fP manpage for
+the list of valid options\&.
+.IP "\fB-R name resolve order\fP"
+This option allows the user of
+rpcclient to determine what name resolution services to use when
+looking up the NetBIOS name of the host being connected to\&.
+The options are :"lmhosts", "host", "wins" and "bcast"\&. They cause
+names to be resolved as follows :
+.IP o
+\fBlmhosts\fP : Lookup an IP address in the Samba lmhosts file\&.
+The lmhosts file is stored in the same directory as the
+\fBsmb\&.conf\fP file\&.
+.IP o
+\fBhost\fP : Do a standard host name to IP address resolution,
+using the system /etc/hosts, NIS, or DNS lookups\&. This method of name
+resolution is operating system depended for instance on IRIX or
+Solaris this may be controlled by the \fI/etc/nsswitch\&.conf\fP file)\&.
+.IP o
+\fBwins\fP : Query a name with the IP address listed in the \fBwins
+server\fP parameter in the smb\&.conf file\&. If
+no WINS server has been specified this method will be ignored\&.
+.IP o
+\fBbcast\fP : Do a broadcast on each of the known local interfaces
+listed in the \fBinterfaces\fP parameter
+in the smb\&.conf file\&. This is the least reliable of the name resolution
+methods as it depends on the target host being on a locally connected
+subnet\&. To specify a particular broadcast address the \fB-B\fP option
+may be used\&.
+If this parameter is not set then the name resolve order defined
+in the \fBsmb\&.conf\fP file parameter
+(\fBname resolve order\fP)
+will be used\&.
+The default order is lmhosts, host, wins, bcast and without this
+parameter or any entry in the \fB"name resolve
+order"\fP parameter of the
+\fBsmb\&.conf\fP file the name resolution methods
+will be attempted in this order\&.
+.IP "\fB-i scope\fP"
+This specifies a NetBIOS scope that rpcclient will use
+to communicate with when generating NetBIOS names\&. For details on the
+use of NetBIOS scopes, see rfc1001\&.txt and rfc1002\&.txt\&. NetBIOS scopes
+are \fIvery\fP rarely used, only set this parameter if you are the
+system administrator in charge of all the NetBIOS systems you
+communicate with\&.
+.IP "\fB-N\fP"
+If specified, this parameter suppresses the normal
+password prompt from the client to the user\&. This is useful when
+accessing a service that does not require a password\&.
+Unless a password is specified on the command line or this parameter
+is specified, the client will request a password\&.
+.IP "\fB-n NetBIOS name\fP"
+By default, the client will use the local
+machine\'s hostname (in uppercase) as its NetBIOS name\&. This parameter
+allows you to override the host name and use whatever NetBIOS name you
+.IP "\fB-d debuglevel\fP"
+debuglevel is an integer from 0 to 10, or the
+letter \'A\'\&.
+The default value if this parameter is not specified is zero\&.
+The higher this value, the more detail will be logged to the log files
+about the activities of the client\&. At level 0, only critical errors
+and serious warnings will be logged\&. Level 1 is a reasonable level for
+day to day running - it generates a small amount of information about
+operations carried out\&.
+Levels above 1 will generate considerable amounts of log data, and
+should only be used when investigating a problem\&. Levels above 3 are
+designed for use only by developers and generate HUGE amounts of log
+data, most of which is extremely cryptic\&. If debuglevel is set to the
+letter \'A\', then \fIall\fP debug messages will be printed\&. This setting
+is for developers only (and people who \fIreally\fP want to know how the
+code works internally)\&.
+Note that specifying this parameter here will override the \fBlog
+level\fP parameter in the \fBsmb\&.conf
+(5)\fP file\&.
+.IP "\fB-p port\fP"
+This number is the TCP port number that will be used
+when making connections to the server\&. The standard (well-known) TCP
+port number for an SMB/CIFS server is 139, which is the default\&.
+.IP "\fB-l logfilename\fP"
+If specified, logfilename specifies a base
+filename into which operational data from the running client will be
+The default base name is specified at compile time\&.
+The base name is used to generate actual log file names\&. For example,
+if the name specified was "log", the debug file would be
+The log file generated is never removed by the client\&.
+.IP "\fB-h\fP"
+Print the usage message for the client\&.
+.IP "\fB-I IP address\fP"
+IP address is the address of the server to
+connect to\&. It should be specified in standard "a\&.b\&.c\&.d" notation\&.
+Normally the client would attempt to locate a named SMB/CIFS server by
+looking it up via the NetBIOS name resolution mechanism described
+above in the \fBname resolve order\fP parameter
+above\&. Using this parameter will force the client to assume that the
+server is on the machine with the specified IP address and the NetBIOS
+name component of the resource being connected to will be ignored\&.
+There is no default for this parameter\&. If not supplied, it will be
+determined automatically by the client as described above\&.
+.IP "\fB-E\fP"
+This parameter causes the client to write messages to the
+standard error stream (stderr) rather than to the standard output
+By default, the client writes messages to standard output - typically
+the user\'s tty\&.
+Note that by default, debug information is always sent to stderr\&.
+Debug information can instead be sent to a file, using the
+-l log basename option\&.
+.IP "\fB-U username\fP"
+This specifies the user name that will be used by
+the client to make a connection, assuming your server is not a downlevel
+server that is running a protocol level that uses passwords on shares,
+not on usernames\&.
+Some servers are fussy about the case of this name, and some insist
+that it must be a valid NetBIOS name\&.
+If no username is supplied, it will default to an uppercase version of
+the environment variable \f(CWUSER\fP or \f(CWLOGNAME\fP in that order\&. If no
+username is supplied and neither environment variable exists the
+username "GUEST" will be used\&.
+If the \f(CWUSER\fP environment variable contains a \'%\' character,
+everything after that will be treated as a password\&. This allows you
+to set the environment variable to be \f(CWUSER=username%password\fP so
+that a password is not passed on the command line (where it may be
+seen by the ps command)\&.
+If the service you are connecting to requires a password, it can be
+supplied using the \fB-U\fP option, by appending a percent symbol ("%")
+then the password to username\&. For example, to attach to a service as
+user \f(CW"fred"\fP with password \f(CW"secret"\fP, you would specify\&.
+\f(CW-U fred%secret\fP
+on the command line\&. Note that there are no spaces around the percent
+If you specify the password as part of username then the \fB-N\fP option
+(suppress password prompt) is assumed\&.
+If you specify the password as a parameter \fIAND\fP as part of username
+then the password as part of username will take precedence\&. Putting
+nothing before or nothing after the percent symbol will cause an empty
+username or an empty password to be used, respectively\&.
+The password may also be specified by setting up an environment
+variable called \f(CWPASSWORD\fP that contains the users password\&. Note
+that this may be very insecure on some systems but on others allows
+users to script rpcclient commands without having a password appear in
+the command line of a process listing\&.
+Note: Some servers (including OS/2 and Windows for Workgroups) insist
+on an uppercase password\&. Lowercase or mixed case passwords may be
+rejected by these servers\&.
+Be cautious about including passwords in scripts or in the
+\f(CWPASSWORD\fP environment variable\&. Also, on many systems the command
+line of a running process may be seen via the \f(CWps\fP command to be
+safe always allow rpcclient to prompt for a password and type it in
+.IP "\fB-t terminal code\fP"
+This option tells rpcclient how to interpret
+filenames coming from the remote server\&. Usually Asian language
+multibyte UNIX implementations use different character sets than
+SMB/CIFS servers (\fIEUC\fP instead of \fISJIS\fP for example)\&. Setting
+this parameter will let rpcclient convert between the UNIX filenames
+and the SMB filenames correctly\&. This option has not been seriously
+tested and may have some problems\&.
+The terminal codes include \f(CWsjis\fP, \f(CWeuc\fP, \f(CWjis7\fP, \f(CWjis8\fP,
+\f(CWjunet\fP, \f(CWhex\fP, \f(CWcap\fP\&. This is not a complete list, check the
+Samba source code for the complete list\&.
+.IP "\fB-m max protocol level\fP"
+With the new code in Samba2\&.0,
+\fBrpcclient\fP always attempts to connect at the maximum
+protocols level the server supports\&. This parameter is
+preserved for backwards compatibility, but any string
+following the \fB-m\fP will be ignored\&.
+.IP "\fB-W Domain\fP"
+Override the default Domain, which is the remote server\'s
+Domain\&. This option may be needed to connect to some servers\&. It is also
+possible to specify the remote server name as the Domain, which will
+force the username and password to be authenticated against the remote
+server\'s local SAM instead of the Domain SAM\&.
+.IP "\fB-c command string\fP"
+command string is a semicolon separated
+list of commands to be executed instead of prompting from stdin\&.
+\fB-N\fP is implied by \fB-c\fP\&.
+This is particularly useful in scripts, e\&.g\&. \f(CW-c \'lsaquery; enumusers -u\'\fP\&.
+Once the client is running, the user is presented with a prompt :
+The prompt indicates that the client is ready and waiting to carry out
+a user command\&. Each command is a single word, optionally followed by
+parameters specific to that command\&. Command and parameters are
+space-delimited unless these notes specifically state otherwise\&. All
+commands are case-insensitive\&. Parameters to commands may or may not
+be case sensitive, depending on the command\&.
+You can specify names (e\&.g registry keys; user or group names;
+service names) which have spaces in them by quoting the
+name with double quotes, for example "dRMON SmartAgent"\&.
+Parameters shown in square brackets (e\&.g\&., "[parameter]") are
+optional\&. If not given, the command will use suitable
+defaults\&. Parameters shown in angle brackets (e\&.g\&., "<parameter>") are
+Note that all commands operating on the server are actually performed
+by issuing a request to the server\&. Thus the behavior may vary from
+server to server, depending on how the server was implemented\&.
+The commands available are listed in groups relating to different services:
+.IP "Misccellaneous"
+.IP "\fB? [command]\fP"
+If "command" is specified,
+the \fB?\fP command will display a brief informative message about the
+specified command\&. If no command is specified, a list of available
+commands will be displayed\&.
+.IP "\fB! [shell command]\fP"
+If "shell command"
+is specified, the \fB!\fP command will execute a shell locally and run
+the specified shell command\&. If no command is specified, a local shell
+will be run\&.
+.IP "\fBexit\fP"
+Terminate the connection with the server and
+exit from the program\&.
+.IP "\fBhelp [command]\fP"
+See the \fB?\fP
+command above\&.
+.IP "\fBquit\fP"
+See the \fBexit\fP command\&.
+.IP "Event Log"
+.IP "\fBeventlog\fP"
+list the events
+.IP "Service Control"
+It is possible to use command-line completion (if you have
+the GNU readline library) for Service names, by pressing the
+tab key\&.
+.IP "\fBsvcenum\fP"
+[-i] Lists Services Manager
+.IP "\fBsvcinfo\fP"
+<service> Service Information
+.IP "\fBsvcstart\fP"
+<service> [arg 0] [arg 1] \&.\&.\&. Start Service
+.IP "\fBsvcstop\fP"
+<service> Stop Service
+.IP "Scheduler"
+.IP "\fBat\fP"
+Scheduler control (at /? for syntax)
+.IP "Registry"
+It is possible to use command-line completion (if you have
+the GNU readline library) for registry key and value names,
+by pressing the tab key\&.
+.IP "\fBregenum\fP"
+<keyname> Registry Enumeration (keys, values)
+.IP "\fBregdeletekey\fP"
+<keyname> Registry Key Delete
+.IP "\fBregcreatekey\fP"
+<keyname> [keyclass] Registry Key Create
+.IP "\fBshutdown\fP"
+[-m message] [-t timeout] [-r or --reboot] Server Shutdown
+.IP "\fBregqueryval\fP"
+<valname> Registry Value Query
+.IP "\fBregquerykey\fP"
+<keyname> Registry Key Query
+.IP "\fBregdeleteval\fP"
+<valname> Registry Value Delete
+.IP "\fBregcreateval\fP"
+<valname> <valtype> <value> Registry Key Create
+.IP "\fBreggetsec\fP"
+<keyname> Registry Key Security
+.IP "\fBregtestsec\fP"
+<keyname> Test Registry Key Security
+.IP "Printing"
+It is possible to use command-line completion (if you have
+the GNU readline library) for Printer and job names, by
+pressing the tab key\&.
+.IP "\fBspoolenum\fP"
+Enumerate Printers
+.IP "\fBspooljobs\fP"
+<printer name> Enumerate Printer Jobs
+.IP "\fBspoolopen\fP"
+<printer name> Spool Printer Open Test
+.IP "Server"
+.IP "\fBtime\fP"
+Display remote time
+.IP "\fBbrsinfo\fP"
+Browser Query Info
+.IP "\fBwksinfo\fP"
+Workstation Query Info
+.IP "\fBsrvinfo\fP"
+Server Query Info
+.IP "\fBsrvsessions\fP"
+List sessions on a server
+.IP "\fBsrvshares\fP"
+List shares on a server
+.IP "\fBsrvtransports\fP"
+List transports on a server
+.IP "\fBsrvconnections\fP"
+List connections on a server
+.IP "\fBsrvfiles\fP"
+List files on a server
+.IP "Local Security Authority"
+.IP "\fBlsaquery\fP"
+Query Info Policy (domain member or server)
+.IP "\fBlsaenumdomains\fP"
+Enumerate Trusted Domains
+.IP "\fBlookupsids\fP"
+Resolve names from SIDs
+.IP "\fBlookupnames\fP"
+Resolve SIDs from names
+.IP "\fBquerysecret\fP"
+LSA Query Secret (developer use)
+.IP "\fBntlogin\fP"
+[username] [password] NT Domain login test
+.IP "\fBdomtrust\fP"
+<domain> NT Inter-Domain test
+.IP "\fBsamsync\fP"
+SAM Synchronization Test (experimental)
+.IP "SAM Database"
+It is possible to use command-line completion (if you have
+the GNU readline library) for user, group, alias and domain
+names, by pressing the tab key\&.
+.IP "\fBlookupdomain\fP"
+Obtain SID for a local domain
+.IP "\fBenumusers\fP"
+SAM User Database Query (experimental!)
+.IP "\fBaddgroupmem\fP"
+<group rid> [user] [user] \&.\&.\&. SAM Add Domain Group Member
+.IP "\fBaddaliasmem\fP"
+<alias rid> [member sid1] [member sid2] \&.\&.\&. SAM Add Domain Alias Member
+.IP "\fBdelgroupmem\fP"
+<group rid> [user] [user] \&.\&.\&. SAM Delete Domain Group Member
+.IP "\fBdelaliasmem\fP"
+<alias rid> [member sid1] [member sid2] \&.\&.\&. SAM Delete Domain Alias Member
+.IP "\fBcreategroup\fP"
+SAM Create Domain Group
+.IP "\fBcreatealias\fP"
+SAM Create Domain Alias
+.IP "\fBcreateuser\fP"
+<username> SAM Create Domain User
+.IP "\fBdelgroup\fP"
+SAM Delete Domain Group
+.IP "\fBdelalias\fP"
+SAM Delete Domain Alias
+.IP "\fBntpass\fP"
+NT SAM Password Change
+.IP "\fBsamuserset2\fP"
+<username> [-s acb_bits] SAM User Set Info 2 (experimental!)
+.IP "\fBsamuserset\fP"
+<username> [-p password] SAM User Set Info (experimental!)
+.IP "\fBsamuser\fP"
+<username> SAM User Query (experimental!)
+.IP "\fBsamgroup\fP"
+<groupname> SAM Group Query (experimental!)
+.IP "\fBsamalias\fP"
+<aliasname> SAM Alias Query
+.IP "\fBsamaliasmem\fP"
+<aliasname> SAM Alias Members
+.IP "\fBsamgroupmem\fP"
+SAM Group Members
+.IP "\fBsamtest\fP"
+SAM User Encrypted RPC test (experimental!)
+.IP "\fBenumaliases\fP"
+SAM Aliases Database Query (experimental!)
+.IP "\fBenumdomains\fP"
+SAM Domains Database Query (experimental!)
+.IP "\fBenumgroups\fP"
+SAM Group Database Query (experimental!)
+.IP "\fBdominfo\fP"
+SAM Query Domain Info
+.IP "\fBdispinfo\fP"
+SAM Query Display Info
+Some servers are fussy about the case of supplied usernames,
+passwords, share names (AKA service names) and machine names\&. If you
+fail to connect try giving all parameters in uppercase\&.
+It is often necessary to use the \fB-n\fP option when connecting
+to some types of servers\&. For example OS/2 LanManager insists on a valid
+NetBIOS name being used, so you need to supply a valid name that would
+be known to the server\&.
+rpcclient only works on servers that support MSRPC over SMB\&. This includes
+all versions of Windows NT, including the ports to Unix such as AS/U and
+AFPS\&. Support for MSRPC over SMB in other servers is currently rare and
+patchy, for example Samba 2\&.0 only supports a limited set of MSRPC commands,
+and some of those are not supported very well\&.
+The variable \fBUSER\fP may contain the username of the person using the
+client\&. This information is used only if the protocol level is high
+enough to support session-level passwords\&.
+The variable \fBPASSWORD\fP may contain the password of the person using
+the client\&. This information is used only if the protocol level is
+high enough to support session-level passwords\&.
+The location of the client program is a matter for individual system
+administrators\&. The following are thus suggestions only\&.
+It is recommended that the rpcclient software be installed in the
+/usr/local/samba/bin or /usr/samba/bin directory, this directory
+readable by all, writeable only by root\&. The client program itself
+should be executable by all\&. The client should \fINOT\fP be setuid or
+The client log files should be put in a directory readable and
+writeable only by the user\&.
+To test the client, you will need to know the name of a running
+SMB/CIFS server\&. It is possible to run \fBsmbd (8)\fP
+an ordinary user - running that server as a daemon on a
+user-accessible port (typically any port number over 1024) would
+provide a suitable test server\&.
+Most diagnostics issued by the client are logged in a specified log
+file\&. The log file name is specified at compile time, but may be
+overridden on the command line\&.
+The number and nature of diagnostics available depends on the debug
+level used by the client\&. If you have problems, set the debug level to
+3 and peruse the log files\&.
+This man page is correct for version 2\&.0 of the Samba suite\&.
+The MSPRC over SMB code has been developed from examining Network traces\&.
+No documentation is available from the original creators (Microsoft) on
+how MSRPC over SMB works, or how the individual MSRPC services work\&.
+Microsoft\'s implementation of these services has been demonstrated (and
+reported) to be\&.\&.\&. a bit flakey in places\&.
+The development of Samba\'s implementation of these services is \fIalso\fP
+a bit rough, and as more of the services are understood, it can even result
+in versions of \fBsmbd (8)\fP and rpcclient that are
+incompatible for some commands or services\&. Additionally, the developers
+are sending reports to Microsoft, and problems found by or reported to
+Microsoft are fixed in Service Packs, which may also result in
+It is therefore not guaranteed that the execution of an rpcclient command will
+work\&. It is also not guaranteed that the target server will continue to
+operate, i\&.e the execution of an MSRPC command may cause a remote service to
+fail, or even cause the remote server to fail\&. Usual rules apply, of course:
+the developers bear absolutely no responsibility for the use, misuse, or
+lack of use of rpcclient, by any person or persons, whether legal,
+illegal, accidental, deliberate, intentional, malicious, curious, etc\&.
+.IP "Command Completion"
+Command-completion (available if you have the GNU readline library) used on
+certain commands may not operate correctly if the word being completed (such as a registry key) contains a space\&. Typically, the name will be completed, but
+you will have to go back and put quotes round it, yourself\&.
+.IP "SAM Database command-completion"
+Command-completion (available if you have the GNU readline library) of user,
+group and alias names does not work on remote Domains, which would normally
+be specified like this:
+The only names that can be completed in this fashion are the local names
+in the SAM database of the target server\&.
+The original Samba software and related utilities were created by
+Andrew Tridgell \fIsamba-bugs@samba\&.org\fP\&. Samba is now developed
+by the Samba Team as an Open Source project similar to the way the
+Linux kernel is developed\&.
+The original Samba man pages were written by Karl Auer\&. The man page
+sources were converted to YODL format (another excellent piece of Open
+Source software, available at
+and updated for the Samba2\&.0 release by Jeremy Allison\&. This man page
+was developed cut-and-paste style from the smbclient man page, by
+Luke Kenneth Casson Leighton\&.
+See \fBsamba (7)\fP to find out how to get a full
+list of contributors and details on how to submit bug reports,
+comments etc\&.