1 .\" This manpage has been automatically generated by docbook2man-spec
2 .\" from a DocBook document. docbook2man-spec can be found at:
3 .\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
4 .\" Please send any bug reports, improvements, comments, patches,
5 .\" etc. to Steve Cheng <steve@ggi-project.org>.
6 .TH "SMBPASSWD" "8" "28 January 2002" "" ""
8 smbpasswd \- change a user's SMB password
11 \fBsmbpasswd\fR [ \fB-a\fR ] [ \fB-x\fR ] [ \fB-d\fR ] [ \fB-e\fR ] [ \fB-D debuglevel\fR ] [ \fB-n\fR ] [ \fB-r <remote machine>\fR ] [ \fB-R <name resolve order>\fR ] [ \fB-m\fR ] [ \fB-j DOMAIN\fR ] [ \fB-U username[%password]\fR ] [ \fB-h\fR ] [ \fB-s\fR ] [ \fB-w pass\fR ] [ \fBusername\fR ]
14 This tool is part of the Sambasuite.
16 The smbpasswd program has several different
17 functions, depending on whether it is run by the \fBroot\fR
18 user or not. When run as a normal user it allows the user to change
19 the password used for their SMB sessions on any machines that store
22 By default (when run with no arguments) it will attempt to
23 change the current user's SMB password on the local machine. This is
24 similar to the way the \fBpasswd(1)\fR program works.
25 \fBsmbpasswd\fR differs from how the passwd program works
26 however in that it is not \fBsetuid root\fR but works in
27 a client-server mode and communicates with a locally running
28 \fBsmbd(8)\fR. As a consequence in order for this to
29 succeed the smbd daemon must be running on the local machine. On a
30 UNIX machine the encrypted SMB passwords are usually stored in
31 the \fIsmbpasswd(5)\fR file.
33 When run by an ordinary user with no options. smbpasswd
34 will prompt them for their old SMB password and then ask them
35 for their new password twice, to ensure that the new password
36 was typed correctly. No passwords will be echoed on the screen
37 whilst being typed. If you have a blank SMB password (specified by
38 the string "NO PASSWORD" in the smbpasswd file) then just press
39 the <Enter> key when asked for your old password.
41 smbpasswd can also be used by a normal user to change their
42 SMB password on remote machines, such as Windows NT Primary Domain
43 Controllers. See the (-r) and -U options below.
45 When run by root, smbpasswd allows new users to be added
46 and deleted in the smbpasswd file, as well as allows changes to
47 the attributes of the user in this file to be made. When run by root,
48 \fBsmbpasswd\fR accesses the local smbpasswd file
49 directly, thus enabling changes to be made even if smbd is not
54 This option specifies that the username
55 following should be added to the local smbpasswd file, with the
56 new password typed (type <Enter> for the old password). This
57 option is ignored if the username following already exists in
58 the smbpasswd file and it is treated like a regular change
59 password command. Note that the default passdb backends require
60 the user to already exist in the system password file (usually
61 \fI/etc/passwd\fR), else the request to add the
64 This option is only available when running smbpasswd
68 This option specifies that the username
69 following should be deleted from the local smbpasswd file.
71 This option is only available when running smbpasswd as
75 This option specifies that the username following
76 should be disabled in the local smbpasswd
77 file. This is done by writing a 'D' flag
78 into the account control space in the smbpasswd file. Once this
79 is done all attempts to authenticate via SMB using this username
82 If the smbpasswd file is in the 'old' format (pre-Samba 2.0
83 format) there is no space in the user's password entry to write
84 this information and the command will FAIL. See \fBsmbpasswd(5)
85 \fRfor details on the 'old' and new password file formats.
87 This option is only available when running smbpasswd as
91 This option specifies that the username following
92 should be enabled in the local smbpasswd file,
93 if the account was previously disabled. If the account was not
94 disabled this option has no effect. Once the account is enabled then
95 the user will be able to authenticate via SMB once again.
97 If the smbpasswd file is in the 'old' format, then \fB smbpasswd\fR will FAIL to enable the account.
98 See \fBsmbpasswd (5)\fR for
99 details on the 'old' and new password file formats.
101 This option is only available when running smbpasswd as root.
104 \fIdebuglevel\fR is an integer
105 from 0 to 10. The default value if this parameter is not specified
108 The higher this value, the more detail will be logged to the
109 log files about the activities of smbpasswd. At level 0, only
110 critical errors and serious warnings will be logged.
112 Levels above 1 will generate considerable amounts of log
113 data, and should only be used when investigating a problem. Levels
114 above 3 are designed for use only by developers and generate
115 HUGE amounts of log data, most of which is extremely cryptic.
118 This option specifies that the username following
119 should have their password set to null (i.e. a blank password) in
120 the local smbpasswd file. This is done by writing the string "NO
121 PASSWORD" as the first part of the first password stored in the
124 Note that to allow users to logon to a Samba server once
125 the password has been set to "NO PASSWORD" in the smbpasswd
126 file the administrator must set the following parameter in the [global]
127 section of the \fIsmb.conf\fR file :
129 \fBnull passwords = yes\fR
131 This option is only available when running smbpasswd as
134 \fB-r remote machine name\fR
135 This option allows a user to specify what machine
136 they wish to change their password on. Without this parameter
137 smbpasswd defaults to the local host. The \fIremote
138 machine name\fR is the NetBIOS name of the SMB/CIFS
139 server to contact to attempt the password change. This name is
140 resolved into an IP address using the standard name resolution
141 mechanism in all programs of the Samba suite. See the \fI-R
142 name resolve order\fR parameter for details on changing
143 this resolving mechanism.
145 The username whose password is changed is that of the
146 current UNIX logged on user. See the \fI-U username\fR
147 parameter for details on changing the password for a different
150 Note that if changing a Windows NT Domain password the
151 remote machine specified must be the Primary Domain Controller for
152 the domain (Backup Domain Controllers only have a read-only
153 copy of the user account database and will not allow the password
156 \fBNote\fR that Windows 95/98 do not have
157 a real password database so it is not possible to change passwords
158 specifying a Win95/98 machine as remote machine target.
160 \fB-R name resolve order\fR
161 This option allows the user of smbpasswd to determine
162 what name resolution services to use when looking up the NetBIOS
163 name of the host being connected to.
165 The options are :"lmhosts", "host", "wins" and "bcast". They cause
166 names to be resolved as follows :
170 lmhosts : Lookup an IP
171 address in the Samba lmhosts file. If the line in lmhosts has
172 no name type attached to the NetBIOS name (see the lmhosts(5)for details) then
173 any name type matches for lookup.
176 host : Do a standard host
177 name to IP address resolution, using the system \fI/etc/hosts
178 \fR, NIS, or DNS lookups. This method of name resolution
179 is operating system depended for instance on IRIX or Solaris this
180 may be controlled by the \fI/etc/nsswitch.conf\fR
181 file). Note that this method is only used if the NetBIOS name
182 type being queried is the 0x20 (server) name type, otherwise
186 wins : Query a name with
187 the IP address listed in the \fIwins server\fR
188 parameter. If no WINS server has been specified this method
192 bcast : Do a broadcast on
193 each of the known local interfaces listed in the
194 \fIinterfaces\fR parameter. This is the least
195 reliable of the name resolution methods as it depends on the
196 target host being on a locally connected subnet.
199 The default order is \fBlmhosts, host, wins, bcast\fR
200 and without this parameter or any entry in the
201 \fIsmb.conf\fR file the name resolution methods will
202 be attempted in this order.
206 This option tells smbpasswd that the account
207 being changed is a MACHINE account. Currently this is used
208 when Samba is being used as an NT Primary Domain Controller.
210 This option is only available when running smbpasswd as root.
213 This option may only be used in conjunction
214 with the \fI-r\fR option. When changing
215 a password on a remote machine it allows the user to specify
216 the user name on that machine whose password will be changed. It
217 is present to allow users who have different user names on
218 different systems to change these passwords.
221 This option prints the help string for \fB smbpasswd\fR, selecting the correct one for running as root
222 or as an ordinary user.
225 This option causes smbpasswd to be silent (i.e.
226 not issue prompts) and to read its old and new passwords from
227 standard input, rather than from \fI/dev/tty\fR
228 (like the \fBpasswd(1)\fR program does). This option
229 is to aid people writing scripts to drive smbpasswd
232 This parameter is only available is Samba
233 has been configured to use the experiemental
234 \fB--with-ldapsam\fR option. The \fI-w\fR
235 switch is used to specify the password to be used with the
237 dn\fR. Note that the password is stored in
238 the \fIprivate/secrets.tdb\fR and is keyed off
239 of the admin's DN. This means that if the value of \fIldap
240 admin dn\fR ever changes, the password will beed to be
241 manually updated as well.
244 This specifies the username for all of the
245 \fBroot only\fR options to operate on. Only root
246 can specify this parameter as only root has the permission needed
247 to modify attributes directly in the local smbpasswd file.
250 Since \fBsmbpasswd\fR works in client-server
251 mode communicating with a local smbd for a non-root user then
252 the smbd daemon must be running for this to work. A common problem
253 is to add a restriction to the hosts that may access the \fB smbd\fR running on the local machine by specifying a
254 \fIallow hosts\fR or \fIdeny hosts\fR
255 entry in the \fIsmb.conf\fR file and neglecting to
256 allow "localhost" access to the smbd.
258 In addition, the smbpasswd command is only useful if Samba
259 has been set up to use encrypted passwords. See the file
260 \fIENCRYPTION.txt\fR in the docs directory for details
264 This man page is correct for version 3.0 of
272 The original Samba software and related utilities
273 were created by Andrew Tridgell. Samba is now developed
274 by the Samba Team as an Open Source project similar
275 to the way the Linux kernel is developed.
277 The original Samba man pages were written by Karl Auer.
278 The man page sources were converted to YODL format (another
279 excellent piece of Open Source software, available at
280 ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the Samba 2.0
281 release by Jeremy Allison. The conversion to DocBook for
282 Samba 2.2 was done by Gerald Carter