| blob | 9b517006c3c38424048099aa61aacfdffe4b14e1 |
1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <refentry id="wbinfo.1">
5 <refmeta>
6 <refentrytitle>wbinfo</refentrytitle>
7 <manvolnum>1</manvolnum>
8 <refmiscinfo class="source">Samba</refmiscinfo>
9 <refmiscinfo class="manual">User Commands</refmiscinfo>
10 <refmiscinfo class="version">&doc.version;</refmiscinfo>
11 </refmeta>
14 <refnamediv>
15 <refname>wbinfo</refname>
16 <refpurpose>Query information from winbind daemon</refpurpose>
17 </refnamediv>
19 <refsynopsisdiv>
20 <cmdsynopsis>
21 <command>wbinfo</command>
22 <arg choice="opt">-a user%password</arg>
23 <arg choice="opt">--all-domains</arg>
24 <arg choice="opt">--allocate-gid</arg>
25 <arg choice="opt">--allocate-uid</arg>
26 <arg choice="opt">-c</arg>
27 <arg choice="opt">--ccache-save</arg>
28 <arg choice="opt">--change-user-password</arg>
29 <arg choice="opt">-D domain</arg>
30 <arg choice="opt">--dc-info domain</arg>
31 <arg choice="opt">--domain domain</arg>
32 <arg choice="opt">--dsgetdcname domain</arg>
33 <arg choice="opt">-g</arg>
34 <arg choice="opt">--getdcname domain</arg>
35 <arg choice="opt">--get-auth-user</arg>
36 <arg choice="opt">-G gid</arg>
37 <arg choice="opt">--gid-info gid</arg>
38 <arg choice="opt">--group-info group</arg>
39 <arg choice="opt">--help|-?</arg>
40 <arg choice="opt">-i user</arg>
41 <arg choice="opt">-I ip</arg>
42 <arg choice="opt">-K user%password</arg>
43 <arg choice="opt">--krb5ccname cctype</arg>
44 <arg choice="opt">--lanman</arg>
45 <arg choice="opt">--logoff</arg>
46 <arg choice="opt">--logoff-uid uid</arg>
47 <arg choice="opt">--logoff-user username</arg>
48 <arg choice="opt">--lookup-sids</arg>
49 <arg choice="opt">-m</arg>
50 <arg choice="opt">-n name</arg>
51 <arg choice="opt">-N netbios-name</arg>
52 <arg choice="opt">--ntlmv1</arg>
53 <arg choice="opt">--ntlmv2</arg>
54 <arg choice="opt">--online-status</arg>
55 <arg choice="opt">--own-domain</arg>
56 <arg choice="opt">-p</arg>
57 <arg choice="opt">-P|--ping-dc</arg>
58 <arg choice="opt">--pam-logon user%password</arg>
59 <arg choice="opt">-r user</arg>
60 <arg choice="opt">-R|--lookup-rids</arg>
61 <arg choice="opt">--remove-gid-mapping gid,sid</arg>
62 <arg choice="opt">--remove-uid-mapping uid,sid</arg>
63 <arg choice="opt">-s sid</arg>
64 <arg choice="opt">--separator</arg>
65 <arg choice="opt">--sequence</arg>
66 <arg choice="opt">--set-auth-user user%password</arg>
67 <arg choice="opt">--set-gid-mapping gid,sid</arg>
68 <arg choice="opt">--set-uid-mapping uid,sid</arg>
69 <arg choice="opt">-S sid</arg>
70 <arg choice="opt">--sid-aliases sid</arg>
71 <arg choice="opt">--sid-to-fullname sid</arg>
72 <arg choice="opt">--sids-to-unix-ids sidlist</arg>
73 <arg choice="opt">-t</arg>
74 <arg choice="opt">-u</arg>
75 <arg choice="opt">--uid-info uid</arg>
76 <arg choice="opt">--usage</arg>
77 <arg choice="opt">--user-domgroups sid</arg>
78 <arg choice="opt">--user-sidinfo sid</arg>
79 <arg choice="opt">--user-sids sid</arg>
80 <arg choice="opt">-U uid</arg>
81 <arg choice="opt">-V</arg>
82 <arg choice="opt">--verbose</arg>
83 <arg choice="opt">-Y sid</arg>
85 </cmdsynopsis>
86 </refsynopsisdiv>
88 <refsect1>
89 <title>DESCRIPTION</title>
91 <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
92 <manvolnum>7</manvolnum></citerefentry> suite.</para>
94 <para>The <command>wbinfo</command> program queries and returns information
95 created and used by the <citerefentry><refentrytitle>winbindd</refentrytitle>
96 <manvolnum>8</manvolnum></citerefentry> daemon. </para>
98 <para>The <citerefentry><refentrytitle>winbindd</refentrytitle>
99 <manvolnum>8</manvolnum></citerefentry> daemon must be configured
100 and running for the <command>wbinfo</command> program to be able
101 to return information.</para>
102 </refsect1>
104 <refsect1>
105 <title>OPTIONS</title>
107 <variablelist>
108 <varlistentry>
109 <term>-a|--authenticate <replaceable>username%password</replaceable></term>
110 <listitem><para>Attempt to authenticate a user via <citerefentry>
111 <refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
112 This checks both authentication methods and reports its results.
113 </para><note><para>Do not be tempted to use this
114 functionality for authentication in third-party
115 applications. Instead use <citerefentry><refentrytitle>ntlm_auth</refentrytitle>
116 <manvolnum>1</manvolnum></citerefentry>.</para></note></listitem>
117 </varlistentry>
119 <varlistentry>
120 <term>--allocate-gid</term>
121 <listitem><para>Get a new GID out of idmap
122 </para></listitem>
123 </varlistentry>
125 <varlistentry>
126 <term>--allocate-uid</term>
127 <listitem><para>Get a new UID out of idmap
128 </para></listitem>
129 </varlistentry>
131 <varlistentry>
132 <term>--all-domains</term>
133 <listitem><para>List all domains (trusted and
134 own domain).
135 </para></listitem>
136 </varlistentry>
138 <varlistentry>
139 <term>-c|--change-secret</term>
140 <listitem><para>Change the trust account password. May be used
141 in conjunction with <option>domain</option> in order to change
142 interdomain trust account passwords.
143 </para></listitem>
144 </varlistentry>
146 <varlistentry>
147 <term>--change-secret-at <replaceable>domain-controller</replaceable></term>
148 <listitem><para>Change the trust account password at a specific
149 domain controller. Fails if the specified domain controller
150 cannot be contacted.
151 </para></listitem>
152 </varlistentry>
154 <varlistentry>
155 <term>--ccache-save <replaceable>username%password</replaceable></term>
156 <listitem><para>Store user and password for ccache.
157 </para></listitem>
158 </varlistentry>
160 <varlistentry>
161 <term>--change-user-password <replaceable>username</replaceable></term>
162 <listitem><para>Change the password of a user. The old and new password will be prompted.
163 </para></listitem>
164 </varlistentry>
166 <varlistentry>
167 <term>--dc-info <replaceable>domain</replaceable></term>
168 <listitem><para>Displays information about the current domain controller for a domain.
169 </para></listitem>
170 </varlistentry>
172 <varlistentry>
173 <term>--domain <replaceable>name</replaceable></term>
174 <listitem><para>This parameter sets the domain on which any specified
175 operations will performed. If special domain name '.' is used to represent
176 the current domain to which <citerefentry><refentrytitle>winbindd</refentrytitle>
177 <manvolnum>8</manvolnum></citerefentry> belongs. A '*' as the domain name
178 means to enumerate over all domains (NOTE: This can take a long time and use
179 a lot of memory).
180 </para></listitem>
181 </varlistentry>
183 <varlistentry>
184 <term>-D|--domain-info <replaceable>domain</replaceable></term>
185 <listitem><para>Show most of the info we have about the
186 specified domain.
187 </para></listitem>
188 </varlistentry>
190 <varlistentry>
191 <term>--dsgetdcname <replaceable>domain</replaceable></term>
192 <listitem><para>Find a DC for a domain.
193 </para></listitem>
194 </varlistentry>
196 <varlistentry>
197 <term>--gid-info <replaceable>gid</replaceable></term>
198 <listitem><para>Get group info from gid.
199 </para></listitem>
200 </varlistentry>
202 <varlistentry>
203 <term>--group-info <replaceable>group</replaceable></term>
204 <listitem><para>Get group info from group name.
205 </para></listitem>
206 </varlistentry>
208 <varlistentry>
209 <term>-g|--domain-groups</term>
210 <listitem><para>This option will list all groups available
211 in the Windows NT domain for which the <citerefentry><refentrytitle>samba</refentrytitle>
212 <manvolnum>7</manvolnum></citerefentry> daemon is operating in. Groups in all trusted domains
213 can be listed with the --domain='*' option. Note that this operation does not assign
214 group ids to any groups that have not already been
215 seen by <citerefentry><refentrytitle>winbindd</refentrytitle>
216 <manvolnum>8</manvolnum></citerefentry>. </para></listitem>
217 </varlistentry>
219 <varlistentry>
220 <term>--get-auth-user</term>
221 <listitem><para>Print username and password used by <citerefentry>
222 <refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
223 during session setup to a domain controller. Username
224 and password can be set using <option>--set-auth-user</option>.
225 Only available for root.</para></listitem>
226 </varlistentry>
228 <varlistentry>
229 <term>--getdcname <replaceable>domain</replaceable></term>
230 <listitem><para>Get the DC name for the specified domain.
231 </para></listitem>
232 </varlistentry>
234 <varlistentry>
235 <term>-G|--gid-to-sid <replaceable>gid</replaceable></term>
236 <listitem><para>Try to convert a UNIX group id to a Windows
237 NT SID. If the gid specified does not refer to one within
238 the idmap gid range then the operation will fail. </para></listitem>
239 </varlistentry>
241 <varlistentry>
242 <term>-?</term>
243 <listitem><para>Print brief help overview.
244 </para></listitem>
245 </varlistentry>
247 <varlistentry>
248 <term>-i|--user-info <replaceable>user</replaceable></term>
249 <listitem><para>Get user info.
250 </para></listitem>
251 </varlistentry>
253 <varlistentry>
254 <term>-I|--WINS-by-ip <replaceable>ip</replaceable></term>
255 <listitem><para>The <parameter>-I</parameter> option
256 queries <citerefentry><refentrytitle>winbindd</refentrytitle>
257 <manvolnum>8</manvolnum></citerefentry> to send a node status
258 request to get the NetBIOS name associated with the IP address
259 specified by the <parameter>ip</parameter> parameter.
260 </para></listitem>
261 </varlistentry>
263 <varlistentry>
264 <term>-K|--krb5auth <replaceable>username%password</replaceable></term>
265 <listitem><para>Attempt to authenticate a user via Kerberos.
266 </para></listitem>
267 </varlistentry>
269 <varlistentry>
270 <term>--krb5ccname <replaceable>KRB5CCNAME</replaceable></term>
271 <listitem><para>Allows one to request a specific kerberos credential
272 cache type used for authentication.
273 </para></listitem>
274 </varlistentry>
276 <varlistentry>
277 <term>--lanman</term>
278 <listitem><para>Use lanman cryptography for user authentication.
279 </para></listitem>
280 </varlistentry>
282 <varlistentry>
283 <term>--logoff</term>
284 <listitem><para>Logoff a user.
285 </para></listitem>
286 </varlistentry>
288 <varlistentry>
289 <term>--logoff-uid <replaceable>UID</replaceable></term>
290 <listitem><para>Define user uid used during logoff request.
291 </para></listitem>
292 </varlistentry>
294 <varlistentry>
295 <term>--logoff-user <replaceable>USERNAME</replaceable></term>
296 <listitem><para>Define username used during logoff request.
297 </para></listitem>
298 </varlistentry>
300 <varlistentry>
301 <term>--lookup-sids <replaceable>SID1,SID2...</replaceable></term>
302 <listitem><para>Looks up SIDs. SIDs must be specified as ASCII strings in the traditional Microsoft
303 format. For example, S-1-5-21-1455342024-3071081365-2475485837-500.
304 </para></listitem>
305 </varlistentry>
307 <varlistentry>
308 <term>-m|--trusted-domains</term>
309 <listitem><para>Produce a list of domains trusted by the
310 Windows NT server <citerefentry><refentrytitle>winbindd</refentrytitle>
311 <manvolnum>8</manvolnum></citerefentry> contacts
312 when resolving names. This list does not include the Windows
313 NT domain the server is a Primary Domain Controller for.
314 </para></listitem>
315 </varlistentry>
317 <varlistentry>
318 <term>-n|--name-to-sid <replaceable>name</replaceable></term>
319 <listitem><para>The <parameter>-n</parameter> option
320 queries <citerefentry><refentrytitle>winbindd</refentrytitle>
321 <manvolnum>8</manvolnum></citerefentry> for the SID
322 associated with the name specified. Domain names can be specified
323 before the user name by using the winbind separator character.
324 For example CWDOM1/Administrator refers to the Administrator
325 user in the domain CWDOM1. If no domain is specified then the
326 domain used is the one specified in the <citerefentry><refentrytitle>smb.conf</refentrytitle>
327 <manvolnum>5</manvolnum></citerefentry> <parameter>workgroup
328 </parameter> parameter. </para></listitem>
329 </varlistentry>
331 <varlistentry>
332 <term>-N|--WINS-by-name <replaceable>name</replaceable></term>
333 <listitem><para>The <parameter>-N</parameter> option
334 queries <citerefentry><refentrytitle>winbindd</refentrytitle>
335 <manvolnum>8</manvolnum></citerefentry> to query the WINS
336 server for the IP address associated with the NetBIOS name
337 specified by the <parameter>name</parameter> parameter.
338 </para></listitem>
339 </varlistentry>
341 <varlistentry>
342 <term>--ntlmv1</term>
343 <listitem><para>Use NTLMv1 cryptography for user authentication.
344 </para></listitem>
345 </varlistentry>
347 <varlistentry>
348 <term>--ntlmv2</term>
349 <listitem><para>Use NTLMv2 cryptography for user
350 authentication. NTLMv2 is the default method, this
351 option is only maintained for compatibility.
352 </para></listitem>
353 </varlistentry>
355 <varlistentry>
356 <term>--online-status <replaceable>domain</replaceable></term>
357 <listitem><para>Display whether winbind currently maintains an
358 active connection or not. An optional domain
359 argument limits the output to the online status
360 of a given domain.
361 </para></listitem>
362 </varlistentry>
364 <varlistentry>
365 <term>--own-domain</term>
366 <listitem><para>List own domain.
367 </para></listitem>
368 </varlistentry>
370 <varlistentry>
371 <term>--pam-logon <replaceable>username%password</replaceable></term>
372 <listitem><para>Attempt to authenticate a user in the same way
373 pam_winbind would do.
374 </para></listitem>
375 </varlistentry>
377 <varlistentry>
378 <term>-p|--ping</term>
379 <listitem><para>Check whether <citerefentry><refentrytitle>winbindd</refentrytitle>
380 <manvolnum>8</manvolnum></citerefentry> is still alive.
381 Prints out either 'succeeded' or 'failed'.
382 </para></listitem>
383 </varlistentry>
385 <varlistentry>
386 <term>-P|--ping-dc</term>
387 <listitem><para>Issue a no-effect command to our DC. This
388 checks if our secure channel connection to our domain
389 controller is still alive. It has much less impact than
390 wbinfo -t.
391 </para></listitem>
392 </varlistentry>
394 <varlistentry>
395 <term>-r|--user-groups <replaceable>username</replaceable></term>
396 <listitem>
397 <para>
398 Try to obtain the list of UNIX group ids to which the
399 user belongs. This only works for users defined on a
400 Domain Controller.
401 </para>
403 <para>There are two scenaries:</para>
404 <orderedlist>
405 <listitem>
406 <para>
407 User authenticated: When the user has been
408 authenticated, the access token for the user is
409 cached. The correct group memberships are then
410 returned from the cached user token (which can
411 be outdated).
412 </para>
413 </listitem>
415 <listitem>
416 <para>
417 User *NOT* authenticated: The information is
418 queries from the domain controller using the
419 machine account credentials which have limited
420 permissions. The result is normally incomplete
421 and can be also incorrect.
422 </para></listitem>
423 </orderedlist>
424 </listitem>
425 </varlistentry>
427 <varlistentry>
428 <term>-R|--lookup-rids <replaceable>rid1, rid2, rid3...</replaceable></term>
429 <listitem><para>Converts RIDs to names. Uses a comma separated
430 list of rids.
431 </para></listitem>
432 </varlistentry>
434 <varlistentry>
435 <term>--remove-gid-mapping <replaceable>GID,SID</replaceable></term>
436 <listitem><para>Removes an existing GID to SID mapping from the database.
437 </para></listitem>
438 </varlistentry>
440 <varlistentry>
441 <term>--remove-uid-mapping <replaceable>UID,SID</replaceable></term>
442 <listitem><para>Removes an existing UID to SID mapping from the database.
443 </para></listitem>
444 </varlistentry>
446 <varlistentry>
447 <term>-s|--sid-to-name <replaceable>sid</replaceable></term>
448 <listitem><para>Use <parameter>-s</parameter> to resolve
449 a SID to a name. This is the inverse of the <parameter>-n
450 </parameter> option above. SIDs must be specified as ASCII strings
451 in the traditional Microsoft format. For example,
452 S-1-5-21-1455342024-3071081365-2475485837-500. </para></listitem>
453 </varlistentry>
455 <varlistentry>
456 <term>--separator</term>
457 <listitem><para>Get the active winbind separator.
458 </para></listitem>
459 </varlistentry>
461 <varlistentry>
462 <term>--sequence</term>
463 <listitem><para>This command has been deprecated. Please use
464 the --online-status option instead.
465 </para></listitem>
466 </varlistentry>
468 <varlistentry>
469 <term>--set-auth-user <replaceable>username%password</replaceable></term>
470 <listitem><para>Store username and password used by <citerefentry>
471 <refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum>
472 </citerefentry> during session setup to a domain controller. This enables
473 winbindd to operate in a Windows 2000 domain with Restrict
474 Anonymous turned on (a.k.a. Permissions compatible with
475 Windows 2000 servers only).
476 </para></listitem>
477 </varlistentry>
479 <varlistentry>
480 <term>--set-gid-mapping <replaceable>GID,SID</replaceable></term>
481 <listitem><para>Create a GID to SID mapping in the database.
482 </para></listitem>
483 </varlistentry>
485 <varlistentry>
486 <term>--set-uid-mapping <replaceable>UID,SID</replaceable></term>
487 <listitem><para>Create a UID to SID mapping in the database.
488 </para></listitem>
489 </varlistentry>
491 <varlistentry>
492 <term>-S|--sid-to-uid <replaceable>sid</replaceable></term>
493 <listitem><para>Convert a SID to a UNIX user id. If the SID
494 does not correspond to a UNIX user mapped by <citerefentry>
495 <refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum>
496 </citerefentry> then the operation will fail. </para></listitem>
497 </varlistentry>
499 <varlistentry>
500 <term>--sid-aliases <replaceable>sid</replaceable></term>
501 <listitem><para>Get SID aliases for a given SID.
502 </para></listitem>
503 </varlistentry>
505 <varlistentry>
506 <term>--sid-to-fullname <replaceable>sid</replaceable></term>
507 <listitem><para>Converts a SID to a full username
508 (DOMAIN\username).
509 </para></listitem>
510 </varlistentry>
512 <varlistentry>
513 <term>--sids-to-unix-ids <replaceable>sid1,sid2,sid3...</replaceable></term>
514 <listitem><para>Resolve SIDs to Unix IDs.
515 SIDs must be specified as ASCII strings
516 in the traditional Microsoft format. For example,
517 S-1-5-21-1455342024-3071081365-2475485837-500. </para></listitem>
518 </varlistentry>
520 <varlistentry>
521 <term>-t|--check-secret</term>
522 <listitem><para>Verify that the workstation trust account
523 created when the Samba server is added to the Windows NT
524 domain is working. May be used in conjunction with
525 <option>domain</option> in order to verify interdomain
526 trust accounts.</para></listitem>
527 </varlistentry>
529 <varlistentry>
530 <term>-u|--domain-users</term>
531 <listitem><para>This option will list all users available
532 in the Windows NT domain for which the <citerefentry><refentrytitle>winbindd</refentrytitle>
533 <manvolnum>8</manvolnum></citerefentry> daemon is operating in. Users in all trusted domains
534 can be listed with the --domain='*' option. Note that this operation does not assign
535 user ids to any users that have not already been seen by <citerefentry>
536 <refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
537 .</para></listitem>
538 </varlistentry>
540 <varlistentry>
541 <term>--uid-info <replaceable>uid</replaceable></term>
542 <listitem><para>Get user info for the user connected to
543 user id UID.</para></listitem>
544 </varlistentry>
546 <varlistentry>
547 <term>--usage</term>
548 <listitem><para>Print brief help overview.
549 </para></listitem>
550 </varlistentry>
552 <varlistentry>
553 <term>--user-domgroups <replaceable>sid</replaceable></term>
554 <listitem><para>Get user domain groups.
555 </para></listitem>
556 </varlistentry>
558 <varlistentry>
559 <term>--user-sidinfo <replaceable>sid</replaceable></term>
560 <listitem><para>Get user info by sid.
561 </para></listitem>
562 </varlistentry>
565 <varlistentry>
566 <term>--user-sids <replaceable>sid</replaceable></term>
567 <listitem><para>Get user group SIDs for user.
568 </para></listitem>
569 </varlistentry>
571 <varlistentry>
572 <term>-U|--uid-to-sid <replaceable>uid</replaceable></term>
573 <listitem><para>Try to convert a UNIX user id to a Windows NT
574 SID. If the uid specified does not refer to one within
575 the idmap range then the operation will fail. </para></listitem>
576 </varlistentry>
578 <varlistentry>
579 <term>--verbose</term>
580 <listitem><para>
581 Print additional information about the query results.
582 </para></listitem>
583 </varlistentry>
585 <varlistentry>
586 <term>-Y|--sid-to-gid <replaceable>sid</replaceable></term>
587 <listitem><para>Convert a SID to a UNIX group id. If the SID
588 does not correspond to a UNIX group mapped by <citerefentry>
589 <refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum></citerefentry> then
590 the operation will fail. </para></listitem>
591 </varlistentry>
593 &cmdline.version;
594 &popt.autohelp;
596 </variablelist>
597 </refsect1>
600 <refsect1>
601 <title>EXIT STATUS</title>
603 <para>The wbinfo program returns 0 if the operation
604 succeeded, or 1 if the operation failed. If the <citerefentry>
605 <refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum>
606 </citerefentry> daemon is not working <command>wbinfo</command> will always return
607 failure. </para>
608 </refsect1>
611 <refsect1>
612 <title>VERSION</title>
614 <para>This man page is part of version &doc.version; of
615 the Samba suite.</para>
616 </refsect1>
618 <refsect1>
619 <title>SEE ALSO</title>
620 <para><citerefentry><refentrytitle>winbindd</refentrytitle>
621 <manvolnum>8</manvolnum></citerefentry> and <citerefentry><refentrytitle>ntlm_auth</refentrytitle>
622 <manvolnum>1</manvolnum></citerefentry></para>
623 </refsect1>
625 <refsect1>
626 <title>AUTHOR</title>
628 <para>The original Samba software and related utilities
629 were created by Andrew Tridgell. Samba is now developed
630 by the Samba Team as an Open Source project similar
631 to the way the Linux kernel is developed.</para>
633 <para><command>wbinfo</command> and <command>winbindd</command>
634 were written by Tim Potter.</para>
636 <para>The conversion to DocBook for Samba 2.2 was done
637 by Gerald Carter. The conversion to DocBook XML 4.2 for Samba
638 3.0 was done by Alexander Bokovoy.</para>
639 </refsect1>
641 </refentry>