SMBPASSWD(8)                                                      SMBPASSWD(8)

NAME

       smbpasswd - change a user's SMB password

SYNOPSIS

       smbpasswd [-a] [-c <config file>] [-x] [-d] [-e] [-D debuglevel] [-n]
        [-r <remote machine>] [-R <name resolve order>] [-m]
        [-U username[%password]] [-h] [-s] [-w pass] [-W] [-i] [-L] [username]

DESCRIPTION

       This tool is part of the samba(7) suite.

       The smbpasswd program has several different functions, depending on
       whether it is run by the root user or not. When run as a normal user it
       allows the user to change the password used for their SMB sessions on
       any machines that store SMB passwords.

       By default (when run with no arguments) it will attempt to change the
       current user's SMB password on the local machine. This is similar to
       the way the passwd(1) program works. smbpasswd differs from the passwd
       program, however, in that it is not setuid root but works in a
       client-server mode and communicates with a locally running smbd(8).
       As a consequence, in order for this to succeed the smbd daemon must be
       running on the local machine. On a UNIX machine the encrypted SMB
       passwords are usually stored in the smbpasswd(5) file.

       When run by an ordinary user with no options, smbpasswd will prompt
       them for their old SMB password and then ask them for their new
       password twice, to ensure that the new password was typed correctly.
       No passwords will be echoed on the screen whilst being typed. If you
       have a blank SMB password (specified by the string "NO PASSWORD" in
       the smbpasswd file) then just press the <Enter> key when asked for
       your old password.

       smbpasswd can also be used by a normal user to change their SMB
       password on remote machines, such as Windows NT Primary Domain
       Controllers. See the -r and -U options below.

       When run by root, smbpasswd allows new users to be added to and
       deleted from the smbpasswd file, and allows the attributes of a user
       in this file to be changed. When run by root, smbpasswd accesses the
       local smbpasswd file directly, thus enabling changes to be made even
       if smbd is not running.

OPTIONS

       -a
          This option specifies that the username following should be added
          to the local smbpasswd file, with the new password typed (type
          <Enter> for the old password). This option is ignored if the
          username following already exists in the smbpasswd file and it is
          treated like a regular change password command. Note that the
          default passdb backends require the user to already exist in the
          system password file (usually /etc/passwd), else the request to add
          the user will fail.

          This option is only available when running smbpasswd as root.

       -c
          This option can be used to specify the path and file name of the
          smb.conf configuration file when it is important to use other than
          the default file and / or location.

       -x
          This option specifies that the username following should be deleted
          from the local smbpasswd file.

          This option is only available when running smbpasswd as root.

       -d
          This option specifies that the username following should be
          disabled in the local smbpasswd file. This is done by writing a 'D'
          flag into the account control space in the smbpasswd file. Once
          this is done all attempts to authenticate via SMB using this
          username will fail.

          If the smbpasswd file is in the 'old' format (pre-Samba 2.0 format)
          there is no space in the user's password entry to write this
          information and the command will FAIL. See smbpasswd(5) for details
          on the 'old' and new password file formats.

          This option is only available when running smbpasswd as root.

       -e
          This option specifies that the username following should be enabled
          in the local smbpasswd file, if the account was previously
          disabled. If the account was not disabled this option has no
          effect. Once the account is enabled then the user will be able to
          authenticate via SMB once again.

          If the smbpasswd file is in the 'old' format, then smbpasswd will
          FAIL to enable the account. See smbpasswd(5) for details on the
          'old' and new password file formats.

          This option is only available when running smbpasswd as root.

       -D debuglevel
          debuglevel is an integer from 0 to 10. The default value if this
          parameter is not specified is zero.

          The higher this value, the more detail will be logged to the log
          files about the activities of smbpasswd. At level 0, only critical
          errors and serious warnings will be logged.

          Levels above 1 will generate considerable amounts of log data, and
          should only be used when investigating a problem. Levels above 3
          are designed for use only by developers and generate HUGE amounts
          of log data, most of which is extremely cryptic.

       -n
          This option specifies that the username following should have their
          password set to null (i.e. a blank password) in the local smbpasswd
          file. This is done by writing the string "NO PASSWORD" as the first
          part of the first password stored in the smbpasswd file.

          Note that to allow users to log on to a Samba server once the
          password has been set to "NO PASSWORD" in the smbpasswd file, the
          administrator must set the following parameter in the [global]
          section of the smb.conf file:

          null passwords = yes

          This option is only available when running smbpasswd as root.

       -r remote machine name
          This option allows a user to specify what machine they wish to
          change their password on. Without this parameter smbpasswd defaults
          to the local host. The remote machine name is the NetBIOS name of
          the SMB/CIFS server to contact to attempt the password change. This
          name is resolved into an IP address using the standard name
          resolution mechanism in all programs of the Samba suite. See the -R
          name resolve order parameter for details on changing this resolving
          mechanism.

          The username whose password is changed is that of the current UNIX
          logged on user. See the -U username parameter for details on
          changing the password for a different username.

          Note that if changing a Windows NT Domain password the remote
          machine specified must be the Primary Domain Controller for the
          domain (Backup Domain Controllers only have a read-only copy of the
          user account database and will not allow the password change).

          Note that Windows 95/98 do not have a real password database so it
          is not possible to change passwords specifying a Win95/98 machine
          as remote machine target.

       -R name resolve order
          This option allows the user of smbpasswd to determine what name
          resolution services to use when looking up the NetBIOS name of the
          host being connected to.

          The options are: "lmhosts", "host", "wins" and "bcast". They cause
          names to be resolved as follows:

             ·  lmhosts: Look up an IP address in the Samba lmhosts file. If
                the line in lmhosts has no name type attached to the NetBIOS
                name (see lmhosts(5) for details) then any name type matches
                for lookup.

             ·  host: Do a standard host name to IP address resolution, using
                the system /etc/hosts, NIS, or DNS lookups. This method of
                name resolution is operating system dependent (for instance,
                on IRIX or Solaris this may be controlled by the
                /etc/nsswitch.conf file). Note that this method is only used
                if the NetBIOS name type being queried is the 0x20 (server)
                name type, otherwise it is ignored.

             ·  wins: Query a name with the IP address listed in the wins
                server parameter. If no WINS server has been specified this
                method will be ignored.

             ·  bcast: Do a broadcast on each of the known local interfaces
                listed in the interfaces parameter. This is the least
                reliable of the name resolution methods as it depends on the
                target host being on a locally connected subnet.

             The default order is lmhosts, host, wins, bcast and without this
             parameter or any entry in the smb.conf(5) file the name
             resolution methods will be attempted in this order.

       -m
          This option tells smbpasswd that the account being changed is a
          MACHINE account. Currently this is used when Samba is being used as
          an NT Primary Domain Controller.

          This option is only available when running smbpasswd as root.

       -U username
          This option may only be used in conjunction with the -r option.
          When changing a password on a remote machine it allows the user to
          specify the user name on that machine whose password will be
          changed. It is present to allow users who have different user names
          on different systems to change these passwords.

       -h
          This option prints the help string for smbpasswd, selecting the
          correct one for running as root or as an ordinary user.

       -s
          This option causes smbpasswd to be silent (i.e. not issue prompts)
          and to read its old and new passwords from standard input, rather
          than from /dev/tty (like the passwd(1) program does). This option
          is to aid people writing scripts to drive smbpasswd.

       -w password
          This parameter is only available if Samba has been compiled with
          LDAP support. The -w switch is used to specify the password to be
          used with the ldap admin dn. Note that the password is stored in
          the secrets.tdb and is keyed off of the admin's DN. This means that
          if the value of ldap admin dn ever changes, the password will need
          to be manually updated as well.

       -W
          NOTE: This option is the same as "-w" except that the password
          should be entered using stdin.

          This parameter is only available if Samba has been compiled with
          LDAP support. The -W switch is used to specify the password to be
          used with the ldap admin dn. Note that the password is stored in
          the secrets.tdb and is keyed off of the admin's DN. This means that
          if the value of ldap admin dn ever changes, the password will need
          to be manually updated as well.

       -i
          This option tells smbpasswd that the account being changed is an
          interdomain trust account. Currently this is used when Samba is
          being used as an NT Primary Domain Controller. The account contains
          the info about another trusted domain.

          This option is only available when running smbpasswd as root.

       -L
          Run in local mode.

       username
          This specifies the username for all of the root only options to
          operate on. Only root can specify this parameter as only root has
          the permission needed to modify attributes directly in the local
          smbpasswd file.
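
       The account states written by -d and -n can be checked directly from
       the files. The shell functions below are an added example, not part of
       the Samba suite; they assume the colon-separated layout and the N
       (no password) flag documented in smbpasswd(5), and the function names,
       status labels and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Assumed layout, from smbpasswd(5): name:uid:LANMAN-hash:NT-hash:[flags]:LCT-time:

# Succeeds if [global] in smb.conf ($1) sets "null passwords" to a true value.
null_passwords_on() {
    awk -F= '
        /^[ \t]*\[/ { sect = tolower($0); gsub(/[ \t]/, "", sect); next }
        sect == "[global]" {
            # parameter names ignore case and embedded whitespace
            key = tolower($1); gsub(/[ \t]/, "", key)
            val = tolower($2); gsub(/[ \t]/, "", val)
            if (key == "nullpasswords") on = (val ~ /^(yes|true|1)$/)
        }
        END { exit (on ? 0 : 1) }' "$1"
}

# audit_smbpasswd SMBPASSWD_FILE SMB_CONF: prints one "user STATUS" line per entry.
audit_smbpasswd() {
    nullok=0
    if null_passwords_on "$2"; then nullok=1; fi
    awk -F: -v nullok="$nullok" '
        /^#/ || NF == 0 { next }            # comments and blank lines
        $5 !~ /^\[.*\]$/ {                  # pre-2.0 layout: no flags field,
            print $1, "OLD-FORMAT"; next    # so -d and -e cannot work on it
        }
        {
            disabled = ($5 ~ /D/)           # D flag, as written by -d
            blank = (index($3, "NO PASSWORD") == 1 || $5 ~ /N/)
            if (disabled)             status = "DISABLED"
            else if (blank && nullok) status = "BLANK-LOGIN-POSSIBLE"
            else if (blank)           status = "BLANK-BLOCKED"
            else                      status = "OK"
            print $1, status
        }' "$1"
}

# Constructed sample data (placeholder hashes), written to a temporary directory.
demo() {
    d=$(mktemp -d)
    h=0123456789ABCDEF0123456789ABCDEF; n='NO PASSWORDXXXXXXXXXXXXXXXXXXXXX'
    printf '%s\n' "alice:1001:$h:$h:[U          ]:LCT-00000000:" \
        "bob:1002:$n:$n:[NU         ]:LCT-00000000:" \
        "carol:1003:$h:$h:[DU         ]:LCT-00000000:" \
        "dave:1004:$h:$h:Dave:/home/dave:/bin/sh" > "$d/smbpasswd"
    printf '[global]\n  Null Passwords = Yes\n' > "$d/smb.conf"
    audit_smbpasswd "$d/smbpasswd" "$d/smb.conf"
    rm -rf "$d"
}
demo
```
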

NOTES

       Since smbpasswd works in client-server mode, communicating with a
       local smbd, when run by a non-root user, the smbd daemon must be
       running for this to work. A common problem is to add a restriction to
       the hosts that may access the smbd running on the local machine by
       specifying either an allow hosts or deny hosts entry in the
       smb.conf(5) file and neglecting to allow "localhost" access to the
       smbd.

       In addition, the smbpasswd command is only useful if Samba has been
       set up to use encrypted passwords.

VERSION

       This man page is correct for version 3.0 of the Samba suite.

SEE ALSO

       smbpasswd(5), Samba(7).

AUTHOR

       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

       The original Samba man pages were written by Karl Auer. The man page
       sources were converted to YODL format (another excellent piece of Open
       Source software, available at ftp://ftp.icce.rug.nl/pub/unix/) and
       updated for the Samba 2.0 release by Jeremy Allison. The conversion to
       DocBook for Samba 2.2 was done by Gerald Carter. The conversion to
       DocBook XML 4.2 for Samba 3.0 was done by Alexander Bokovoy.