     SMBPASSWD(8)    UNIX System V (01 February	2003)	  SMBPASSWD(8)

     NAME
	  smbpasswd - change a user's SMB password

     SYNOPSIS
	  When run by root:

	  smbpasswd [ options ] [ username ] [ password ]

	  otherwise:

	  smbpasswd [ options ] [ password ]

     DESCRIPTION
	  This tool is part of the Samba suite.

	  The smbpasswd	program	has several different functions,
	  depending on whether it is run by the	root user or not. When
	  run as a normal user it allows the user to change the
	  password used	for their SMB sessions on any machines that
	  store	SMB passwords.

	  By default (when run with no arguments) it will attempt to
	  change the current user's SMB	password on the	local machine.
	  This is similar to the way the passwd(1) program works.
	  smbpasswd differs from how the passwd	program	works however
	  in that it is	not setuid root	but works in a client-server
	  mode and communicates	with a locally running smbd(8).	As a
	  consequence in order for this	to succeed the smbd daemon
	  must be running on the local machine.	On a UNIX machine the
	  encrypted SMB	passwords are usually stored in	the
	  smbpasswd(5) file.

	  When run by an ordinary user with no options, smbpasswd will
	  prompt them for their	old SMB	password and then ask them for
	  their	new password twice, to ensure that the new password
	  was typed correctly. No passwords will be echoed on the
	  screen whilst	being typed. If	you have a blank SMB password
	  (specified by	the string "NO PASSWORD" in the	smbpasswd
	  file)	then just press	the <Enter> key	when asked for your
	  old password.

	  smbpasswd can	also be	used by	a normal user to change	their
	  SMB password on remote machines, such	as Windows NT Primary
	  Domain Controllers. See the -r and -U options below.

	  When run by root, smbpasswd allows new users to be added to
	  and deleted from the smbpasswd file, and allows the
	  attributes of a user in this file to be changed. When run
	  by root, smbpasswd accesses the local smbpasswd file
	  directly, thus enabling changes to be made even if smbd is
	  not running.

     Page 1					     (printed 2/13/04)

	  smbpasswd can	also be	used to	retrieve the SIDs related to
	  previous incarnations	of this	server on the same machine, as
	  well as set the SID of this domain. This is needed in	those
	  cases	when the admin changes the NetBIOS or DNS name of the
	  server without realizing that	doing so will change the SID
	  of the server	as well. See the -W and	-X options below.

     OPTIONS
	  -L   Run the smbpasswd command in local mode.	This allows a
	       non-root	user to	specify	the root-only options. This is
	       used mostly in test environments	where a	non-root user
	       needs to	make changes to	the local smbpasswd file.  The
	       smbpasswd file must have	read/write permissions for the
	       user running the	command.

	  -h   This option prints the help string for smbpasswd.

	  -c smb.conf file
	       This option specifies that the configuration file
	       specified should	be used	instead	of the default value
	       specified at compile time.

	  -D debuglevel
	       debuglevel is an	integer	from 0 to 10. The default
	       value if	this parameter is not specified	is zero.

	       The higher this value, the more detail will be logged
	       to the log files	about the activities of	smbpasswd. At
	       level 0,	only critical errors and serious warnings will
	       be logged.

	       Levels above 1 will generate considerable amounts of
	       log data, and should only be used when investigating a
	       problem.	Levels above 3 are designed for	use only by
	       developers and generate HUGE amounts of log data, most
	       of which	is extremely cryptic.

	  -r remote machine name
	       This option allows a user to specify what machine they
	       wish to change their password on. Without this
	       parameter smbpasswd defaults to the local host. The
	       remote machine name is the NetBIOS name of the SMB/CIFS
	       server to contact to attempt the	password change. This
	       name is resolved	into an	IP address using the standard
	       name resolution mechanism in all	programs of the	Samba
	       suite. See the -R name resolve order parameter for
	       details on changing this	resolving mechanism.

	       The username whose password is changed is that of the
	       current UNIX logged on user. See	the -U username
	       parameter for details on	changing the password for a
	       different username.

	       Note that if changing a Windows NT Domain password the
	       remote machine specified	must be	the Primary Domain
	       Controller for the domain (Backup Domain	Controllers
	       only have a read-only copy of the user account database
	       and will	not allow the password change).

	       Note that Windows 95/98 do not have a real password
	       database	so it is not possible to change	passwords
	       specifying a Win95/98 machine as	remote machine target.

	  -s   This option causes smbpasswd to be silent (i.e. not
	       issue prompts) and to read its old and new passwords
	       from standard input, rather than	from /dev/tty (like
	       the passwd(1) program does). This option	is to aid
	       people writing scripts to drive smbpasswd.

	  -S   This option causes smbpasswd to query a domain
	       controller of the domain	specified by the workgroup
	       parameter in smb.conf and store the domain SID in the
	       secrets.tdb file	as its own machine SID.	This is	only
	       useful when configuring a Samba PDC and Samba BDC, or
	       when migrating from a Windows PDC to a Samba PDC.

	       The -r option can be used as well to indicate a
	       specific	domain controller which	should be contacted.
	       In this case, the domain	SID obtained is	the one	for
	       the domain to which the remote machine belongs.

	  -t   This option is used to force smbpasswd to change	the
	       current password	assigned to the	machine	trust account
	       when operating in domain	security mode. This is really
	       meant to be used on systems that only run winbindd.
	       Under server installations, smbd handles the password
	       updates automatically.

	  -U username[%pass]
	       This option may only be used in conjunction with	the -r
	       option. When changing a password	on a remote machine it
	       allows the user to specify the user name	on that
	       machine whose password will be changed. It is present
	       to allow	users who have different user names on
	       different systems to change these passwords. The
	       optional %pass may be used to specify the old password.

	       In particular, this parameter specifies the username
	       used to create the machine account when invoked with -j.

	  -W S-1-5-21-x-y-z
	       This option forces the SID S-1-5-21-x-y-z to be the
	       server and domain SID for the current Samba server. It
	       does this by updating the appropriate keys in the
	       secrets file.

	  -X server|domain
	       This option allows the admin to retrieve	the SID
	       associated with a former	servername or domain name that
	       this Samba server might have used. It does this by
	       retrieving the appropriate entry	from the secrets file.

	       The following options are available only	when the
	       smbpasswd command is run	as root	or in local mode.

	  -a   This option specifies that the username following
	       should be added to the local smbpasswd file, with the
	       new password typed. This	option is ignored if the
	       username	specified already exists in the	smbpasswd file
	       and it is treated like a	regular	change password
	       command.	Note that the user to be added must already
	       exist in	the system password file (usually /etc/passwd)
	       else the	request	to add the user	will fail.

	  -d   This option specifies that the username following
	       should be disabled in the local smbpasswd file. This is
	       done by writing a 'D' flag into the account control
	       space in	the smbpasswd file. Once this is done all
	       attempts	to authenticate	via SMB	using this username
	       will fail.

	       If the smbpasswd	file is	in the 'old' format (pre-Samba
	       2.0 format) there is no space in	the user's password
	       entry to	write this information and so the user is
	       disabled	by writing 'X' characters into the password
	       space in	the smbpasswd file. See	smbpasswd(5) for
	       details on the 'old' and	new password file formats.

	  -e   This option specifies that the username following
	       should be enabled in the	local smbpasswd	file, if the
	       account was previously disabled.	If the account was not
	       disabled	this option has	no effect. Once	the account is
	       enabled then the	user will be able to authenticate via
	       SMB once	again.

	       If the smbpasswd	file is	in the 'old' format, then
	       smbpasswd will prompt for a new password	for this user,
	       otherwise the account will be enabled by	removing the
	       'D' flag from account control space in the smbpasswd
	       file. See smbpasswd(5) for details on the 'old' and
	       new password file formats.

	  -m   This option tells smbpasswd that	the account being
	       changed is a MACHINE account. Currently this is used
	       when Samba is being used	as an NT Primary Domain

	  -n   This option specifies that the username following
	       should have their password set to null (i.e. a blank
	       password) in the	local smbpasswd	file. This is done by
	       writing the string "NO PASSWORD"	as the first part of
	       the first password stored in the	smbpasswd file.

	       Note that to allow users	to logon to a Samba server
	       once the	password has been set to "NO PASSWORD" in the
	       smbpasswd file the administrator	must set the following
	       parameter in the [global] section of the smb.conf file:

	       null passwords =	yes

	  -w password
	       This parameter is only available if Samba has been
	       configured to use the experimental --with-ldapsam
	       option. The -w switch is used to specify the password
	       to be used with the ldap admin dn. Note that the
	       password	is stored in the private/secrets.tdb and is
	       keyed off of the	admin's	DN. This means that if the
	       value of	ldap admin dn ever changes, the	password will
	       need to be manually updated as well.

	  -x   This option specifies that the username following
	       should be deleted from the local	smbpasswd file.

	  -j DOMAIN
	       This option is used to add a Samba server into a
	       Windows NT Domain, as a Domain member capable of
	       authenticating user accounts to any Domain Controller
	       in the same way as a Windows NT Server. See the
	       security	= domain option	in the smb.conf(5) man page.

	       This command can	work both with and without the -U

	       When invoked with -U, that username (and	optional
	       password) are used to contact the PDC (which must be
	       specified with -r) to both create a machine account,
	       and to set a password on	it.

	       Alternately, if -U is omitted, Samba will contact its
	       PDC and attempt to change the password on a preexisting

	       In order	to be used in this way,	the Administrator for
	       the Windows NT Domain must have used the	program
	       "Server Manager for Domains" to add the primary NetBIOS
	       name of the Samba server	as a member of the Domain.

	       After this has been done, to join the Domain invoke
	       smbpasswd with this parameter. smbpasswd will then look
	       up the Primary Domain Controller for the Domain (found
	       in the smb.conf file in the parameter password server)
	       and change the machine account password used to create
	       the secure Domain communication.

	       Either way, this password is then stored by smbpasswd
	       in a TDB, writeable only by root, called secrets.tdb.

	       Once this operation has been performed the smb.conf
	       file may be updated to set the security = domain
	       option and all future logins to the Samba server	will
	       be authenticated	to the Windows NT PDC.

	       Note that even though the authentication	is being done
	       to the PDC all users accessing the Samba	server must
	       still have a valid UNIX account on that machine.	The
	       winbindd(8) daemon can be used to create	UNIX accounts
	       for NT users.

	  -R name resolve order
	       This option allows the user of smbpasswd	to determine
	       what name resolution services to	use when looking up
	       the NetBIOS name	of the host being connected to.

	       The options are: "lmhosts", "host", "wins" and "bcast".
	       They cause names to be resolved as follows:

	       o lmhosts : Lookup an IP	address	in the Samba lmhosts
		 file. If the line in lmhosts has no name type
		 attached to the NetBIOS name (see the lmhosts(5) for
		 details) then any name	type matches for lookup.

	       o host : Do a standard host name to IP address
		 resolution, using the system /etc/hosts, NIS, or DNS
		 lookups. This method of name resolution is operating
		 system dependent. For instance, on IRIX or Solaris
		 this may be controlled by the /etc/nsswitch.conf
		 file. Note that this method is only used if the
		 NetBIOS name type being queried is the 0x20 (server)
		 name type, otherwise it is ignored.

	       o wins :	Query a	name with the IP address listed	in the
		 wins server parameter.	If no WINS server has been
		 specified this	method will be ignored.

	       o bcast : Do a broadcast	on each	of the known local
		 interfaces listed in the interfaces parameter.	This
		 is the	least reliable of the name resolution methods
		 as it depends on the target host being	on a locally
		 connected subnet.

	       The default order is lmhosts, host, wins, bcast and
	       without this parameter or any entry in the smb.conf
	       file the name resolution methods will be attempted in
	       this order.

	  username
	       This specifies the username for all of the root only
	       options to operate on. Only root can specify this
	       parameter as only root has the permission needed to
	       modify attributes directly in the local smbpasswd file.

	  password
	       This specifies the new password. If this parameter is
	       specified you will not be prompted for the new
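
The account states that the -d, -e and -n options write into the smbpasswd file can be audited offline. The following Python is an added example, not part of the Samba documentation; the colon-separated field layout and the N account flag are assumed from smbpasswd(5) rather than taken from this page, and the sample entries are constructed.

```python
# Added example. Field layout assumed from smbpasswd(5):
#   name:uid:LANMAN hash:NT hash:[account flags]:LCT-time:
NULL = "NO PASSWORD".ljust(32, "X")  # hash field as written by -n
XED = "X" * 32                       # old-format entry disabled by -d
H = "0123456789ABCDEF" * 2           # constructed placeholder hash
SAMPLE = "\n".join([                 # constructed entries, not real accounts
    f"alice:1001:{H}:{H}:[U          ]:LCT-3E3C2F00:",
    f"bob:1002:{NULL}:{NULL}:[NU         ]:LCT-3E3C2F00:",
    f"carol:1003:{H}:{H}:[DU         ]:LCT-3E3C2F00:",
    f"dave:1004:{XED}:{XED}:Dave:/home/dave:/bin/sh",
    f"erin:1005:{NULL}:{NULL}:Erin:/home/erin:/bin/sh",
])

def classify(line):
    """Return (user, findings) for one entry, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 4:
        return fields[0], {"malformed"}
    user, lanman = fields[0], fields[2]
    acct = fields[4] if len(fields) > 4 else ""
    findings = set()
    if acct.startswith("["):
        flags = set(acct) - set("[] ")
        if "D" in flags:              # 'D' flag written by -d, removed by -e
            findings.add("disabled")
        if "N" in flags:              # no-password flag per smbpasswd(5)
            findings.add("null-password")
    else:
        findings.add("old-format")    # pre-2.0 entry: no account control field
        if lanman.startswith("X"):    # -d overwrites the password with 'X'
            findings.add("disabled")
    if lanman.startswith("NO PASSWORD"):
        findings.add("null-password")
    return user, findings

def audit(text, null_passwords=False):
    """Map user -> sorted findings; null_passwords mirrors the smb.conf setting."""
    report = {}
    for line in text.splitlines():
        entry = classify(line)
        if entry is None:
            continue
        user, findings = entry
        if null_passwords and "null-password" in findings and "disabled" not in findings:
            findings.add("passwordless-logon-possible")
        if findings:
            report[user] = sorted(findings)
    return report

if __name__ == "__main__":
    for user, findings in audit(SAMPLE, null_passwords=True).items():
        print(f"{user}: {', '.join(findings)}")
```

Pass null_passwords=True only when the [global] section of smb.conf sets null passwords = yes; accounts reported as passwordless-logon-possible are the ones to review first.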

     NOTES
	  Since smbpasswd works in client-server mode, communicating
	  with a local smbd, when run by a non-root user, the smbd
	  daemon must be running for this to work. A common problem is
	  to add a restriction to the hosts that may access the smbd
	  running on the local machine by specifying an allow hosts or
	  deny hosts entry in the smb.conf file and neglecting to
	  allow "localhost" access to the smbd.

	  In addition, the smbpasswd command is	only useful if Samba
	  has been set up to use encrypted passwords. See the file
	  ENCRYPTION.txt in the	docs directory for details on how to
	  do this.

     VERSION
	  This man page is correct for version 2.2 of the Samba suite.

     SEE ALSO
	  smbpasswd(5) samba(7)

     AUTHOR
	  The original Samba software and related utilities were
	  created by Andrew Tridgell. Samba is now developed by	the
	  Samba	Team as	an Open	Source project similar to the way the
	  Linux	kernel is developed.

	  The original Samba man pages were written by Karl Auer. The
	  man page sources were	converted to YODL format (another
	  excellent piece of Open Source software, available at
	  <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the
	  Samba	2.0 release by Jeremy Allison. The conversion to
	  DocBook for Samba 2.2 was done by Gerald Carter.
