1<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smbpasswd</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smbpasswd.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smbpasswd — change a user's SMB password</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">smbpasswd</code> [-a] [-c <config file>] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-U username[%password]] [-h] [-s] [-w pass] [-W] [-i] [-L] [username]</p></div></div><div class="refsect1" lang="en"><a name="id259391"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The smbpasswd program has several different 2 functions, depending on whether it is run by the <span class="emphasis"><em>root</em></span> user 3 or not. When run as a normal user it allows the user to change 4 the password used for their SMB sessions on any machines that store 5 SMB passwords. </p><p>By default (when run with no arguments) it will attempt to 6 change the current user's SMB password on the local machine. This is 7 similar to the way the <code class="literal">passwd(1)</code> program works. <code class="literal"> 8 smbpasswd</code> differs from how the passwd program works 9 however in that it is not <span class="emphasis"><em>setuid root</em></span> but works in 10 a client-server mode and communicates with a 11 locally running <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>. As a consequence in order for this to 12 succeed the smbd daemon must be running on the local machine. On a 13 UNIX machine the encrypted SMB passwords are usually stored in 14 the <a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a> file. </p><p>When run by an ordinary user with no options, smbpasswd 15 will prompt them for their old SMB password and then ask them 16 for their new password twice, to ensure that the new password 17 was typed correctly. No passwords will be echoed on the screen 18 whilst being typed. If you have a blank SMB password (specified by 19 the string "NO PASSWORD" in the smbpasswd file) then just press 20 the <Enter> key when asked for your old password. </p><p>smbpasswd can also be used by a normal user to change their 21 SMB password on remote machines, such as Windows NT Primary Domain 22 Controllers. See the (<em class="parameter"><code>-r</code></em>) and <em class="parameter"><code>-U</code></em> options 23 below. </p><p>When run by root, smbpasswd allows new users to be added 24 and deleted in the smbpasswd file, as well as allows changes to 25 the attributes of the user in this file to be made. When run by root, <code class="literal"> 26 smbpasswd</code> accesses the local smbpasswd file 27 directly, thus enabling changes to be made even if smbd is not 28 running. </p></div><div class="refsect1" lang="en"><a name="id260409"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">-a</span></dt><dd><p> 29 This option specifies that the username following should be added to the local smbpasswd file, with the new 30 password typed (type <Enter> for the old password). This option is ignored if the username following 31 already exists in the smbpasswd file and it is treated like a regular change password command. Note that the 32 default passdb backends require the user to already exist in the system password file (usually 33 <code class="filename">/etc/passwd</code>), else the request to add the user will fail. 34 </p><p>This option is only available when running smbpasswd 35 as root. </p></dd><dt><span class="term">-c</span></dt><dd><p> 36 This option can be used to specify the path and file name of the <code class="filename">smb.conf</code> configuration file when it 37 is important to use other than the default file and / or location. 38 </p></dd><dt><span class="term">-x</span></dt><dd><p> 39 This option specifies that the username following should be deleted from the local smbpasswd file. 40 </p><p> 41 This option is only available when running smbpasswd as root. 42 </p></dd><dt><span class="term">-d</span></dt><dd><p>This option specifies that the username following 43 should be <code class="constant">disabled</code> in the local smbpasswd 44 file. This is done by writing a <code class="constant">'D'</code> flag 45 into the account control space in the smbpasswd file. Once this 46 is done all attempts to authenticate via SMB using this username 47 will fail. </p><p>If the smbpasswd file is in the 'old' format (pre-Samba 2.0 48 format) there is no space in the user's password entry to write 49 this information and the command will FAIL. See <a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a> for details on the 'old' and new password file formats. 50 </p><p>This option is only available when running smbpasswd as 51 root.</p></dd><dt><span class="term">-e</span></dt><dd><p>This option specifies that the username following 52 should be <code class="constant">enabled</code> in the local smbpasswd file, 53 if the account was previously disabled. If the account was not 54 disabled this option has no effect. Once the account is enabled then 55 the user will be able to authenticate via SMB once again. </p><p>If the smbpasswd file is in the 'old' format, then <code class="literal"> 56 smbpasswd</code> will FAIL to enable the account. 57 See <a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a> for 58 details on the 'old' and new password file formats. </p><p>This option is only available when running smbpasswd as root. 59 </p></dd><dt><span class="term">-D debuglevel</span></dt><dd><p><em class="replaceable"><code>debuglevel</code></em> is an integer 60 from 0 to 10. The default value if this parameter is not specified 61 is zero. </p><p>The higher this value, the more detail will be logged to the 62 log files about the activities of smbpasswd. At level 0, only 63 critical errors and serious warnings will be logged. </p><p>Levels above 1 will generate considerable amounts of log 64 data, and should only be used when investigating a problem. Levels 65 above 3 are designed for use only by developers and generate 66 HUGE amounts of log data, most of which is extremely cryptic. 67 </p></dd><dt><span class="term">-n</span></dt><dd><p>This option specifies that the username following 68 should have their password set to null (i.e. a blank password) in 69 the local smbpasswd file. This is done by writing the string "NO 70 PASSWORD" as the first part of the first password stored in the 71 smbpasswd file. </p><p>Note that to allow users to logon to a Samba server once 72 the password has been set to "NO PASSWORD" in the smbpasswd 73 file the administrator must set the following parameter in the [global] 74 section of the <code class="filename">smb.conf</code> file : </p><p><code class="literal">null passwords = yes</code></p><p>This option is only available when running smbpasswd as 75 root.</p></dd><dt><span class="term">-r remote machine name</span></dt><dd><p>This option allows a user to specify what machine 76 they wish to change their password on. Without this parameter 77 smbpasswd defaults to the local host. The <em class="replaceable"><code>remote 78 machine name</code></em> is the NetBIOS name of the SMB/CIFS 79 server to contact to attempt the password change. This name is 80 resolved into an IP address using the standard name resolution 81 mechanism in all programs of the Samba suite. See the <em class="parameter"><code>-R 82 name resolve order</code></em> parameter for details on changing 83 this resolving mechanism. </p><p>The username whose password is changed is that of the 84 current UNIX logged on user. See the <em class="parameter"><code>-U username</code></em> 85 parameter for details on changing the password for a different 86 username. </p><p>Note that if changing a Windows NT Domain password the 87 remote machine specified must be the Primary Domain Controller for 88 the domain (Backup Domain Controllers only have a read-only 89 copy of the user account database and will not allow the password 90 change).</p><p><span class="emphasis"><em>Note</em></span> that Windows 95/98 do not have 91 a real password database so it is not possible to change passwords 92 specifying a Win95/98 machine as remote machine target. </p></dd><dt><span class="term">-R name resolve order</span></dt><dd><p>This option allows the user of smbpasswd to determine 93 what name resolution services to use when looking up the NetBIOS 94 name of the host being connected to. </p><p>The options are :"lmhosts", "host", "wins" and "bcast". They 95 cause names to be resolved as follows: </p><div class="itemizedlist"><ul type="disc"><li><p><code class="constant">lmhosts</code>: Lookup an IP 96 address in the Samba lmhosts file. If the line in lmhosts has 97 no name type attached to the NetBIOS name (see the <a href="lmhosts.5.html"><span class="citerefentry"><span class="refentrytitle">lmhosts</span>(5)</span></a> for details) then 98 any name type matches for lookup.</p></li><li><p><code class="constant">host</code>: Do a standard host 99 name to IP address resolution, using the system <code class="filename">/etc/hosts 100 </code>, NIS, or DNS lookups. This method of name resolution 101 is operating system depended for instance on IRIX or Solaris this 102 may be controlled by the <code class="filename">/etc/nsswitch.conf</code> 103 file). Note that this method is only used if the NetBIOS name 104 type being queried is the 0x20 (server) name type, otherwise 105 it is ignored.</p></li><li><p><code class="constant">wins</code>: Query a name with 106 the IP address listed in the <em class="parameter"><code>wins server</code></em> 107 parameter. If no WINS server has been specified this method 108 will be ignored.</p></li><li><p><code class="constant">bcast</code>: Do a broadcast on 109 each of the known local interfaces listed in the 110 <em class="parameter"><code>interfaces</code></em> parameter. This is the least 111 reliable of the name resolution methods as it depends on the 112 target host being on a locally connected subnet.</p></li></ul></div><p>The default order is <code class="literal">lmhosts, host, wins, bcast</code> 113 and without this parameter or any entry in the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file the name resolution methods will 114 be attempted in this order. </p></dd><dt><span class="term">-m</span></dt><dd><p>This option tells smbpasswd that the account 115 being changed is a MACHINE account. Currently this is used 116 when Samba is being used as an NT Primary Domain Controller.</p><p>This option is only available when running smbpasswd as root. 117 </p></dd><dt><span class="term">-U username</span></dt><dd><p>This option may only be used in conjunction 118 with the <em class="parameter"><code>-r</code></em> option. When changing 119 a password on a remote machine it allows the user to specify 120 the user name on that machine whose password will be changed. It 121 is present to allow users who have different user names on 122 different systems to change these passwords. </p></dd><dt><span class="term">-h</span></dt><dd><p>This option prints the help string for <code class="literal"> 123 smbpasswd</code>, selecting the correct one for running as root 124 or as an ordinary user. </p></dd><dt><span class="term">-s</span></dt><dd><p>This option causes smbpasswd to be silent (i.e. 125 not issue prompts) and to read its old and new passwords from 126 standard input, rather than from <code class="filename">/dev/tty</code> 127 (like the <code class="literal">passwd(1)</code> program does). This option 128 is to aid people writing scripts to drive smbpasswd</p></dd><dt><span class="term">-w password</span></dt><dd><p>This parameter is only available if Samba 129 has been compiled with LDAP support. The <em class="parameter"><code>-w</code></em> 130 switch is used to specify the password to be used with the 131 <a class="indexterm" name="id300725"></a>ldap admin dn. Note that the password is stored in 132 the <code class="filename">secrets.tdb</code> and is keyed off 133 of the admin's DN. This means that if the value of <em class="parameter"><code>ldap 134 admin dn</code></em> ever changes, the password will need to be 135 manually updated as well. 136 </p></dd><dt><span class="term">-W</span></dt><dd><p><code class="literal">NOTE: </code> This option is same as "-w" 137 except that the password should be entered using stdin. 138 </p><p>This parameter is only available if Samba 139 has been compiled with LDAP support. The <em class="parameter"><code>-W</code></em> 140 switch is used to specify the password to be used with the 141 <a class="indexterm" name="id300773"></a>ldap admin dn. Note that the password is stored in 142 the <code class="filename">secrets.tdb</code> and is keyed off 143 of the admin's DN. This means that if the value of <em class="parameter"><code>ldap 144 admin dn</code></em> ever changes, the password will need to be 145 manually updated as well. 146 </p></dd><dt><span class="term">-i</span></dt><dd><p>This option tells smbpasswd that the account 147 being changed is an interdomain trust account. Currently this is used 148 when Samba is being used as an NT Primary Domain Controller. 149 The account contains the info about another trusted domain.</p><p>This option is only available when running smbpasswd as root. 150 </p></dd><dt><span class="term">-L</span></dt><dd><p>Run in local mode.</p></dd><dt><span class="term">username</span></dt><dd><p>This specifies the username for all of the 151 <span class="emphasis"><em>root only</em></span> options to operate on. Only root 152 can specify this parameter as only root has the permission needed 153 to modify attributes directly in the local smbpasswd file. 154 </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id300843"></a><h2>NOTES</h2><p>Since <code class="literal">smbpasswd</code> works in client-server 155 mode communicating with a local smbd for a non-root user then 156 the smbd daemon must be running for this to work. A common problem 157 is to add a restriction to the hosts that may access the <code class="literal"> 158 smbd</code> running on the local machine by specifying either <em class="parameter"><code>allow 159 hosts</code></em> or <em class="parameter"><code>deny hosts</code></em> entry in 160 the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file and neglecting to 161 allow "localhost" access to the smbd. </p><p>In addition, the smbpasswd command is only useful if Samba 162 has been set up to use encrypted passwords. </p></div><div class="refsect1" lang="en"><a name="id300892"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id300902"></a><h2>SEE ALSO</h2><p><a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a>, <a href="Samba.7.html"><span class="citerefentry"><span class="refentrytitle">Samba</span>(7)</span></a>.</p></div><div class="refsect1" lang="en"><a name="id300927"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities 163 were created by Andrew Tridgell. Samba is now developed 164 by the Samba Team as an Open Source project similar 165 to the way the Linux kernel is developed.</p><p>The original Samba man pages were written by Karl Auer. 166 The man page sources were converted to YODL format (another 167 excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top"> 168 ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0 169 release by Jeremy Allison. The conversion to DocBook for 170 Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 171 for Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html> 172