Section A.3. Samba Client Programs

A.3. Samba Client Programs

This section lists the command-line options and subcommands provided by each nondaemon program in the Samba distribution.

A.3.1. Common Options

Many Samba commands share groups of command-line parameters. The common options fall into three categories:

A.3.1.1. General options

-?|--help

Print usage information for the command.

--usage

Print a brief command usage description.

-d|--debuglevel debug_level

Set the debug (sometimes called logging) level. The level normally ranges from 0 to 10. Specifying the value on the command line overrides the value specified in the smb.conf file. Debug level 0 logs only the most important messages; level 1 is normal; levels 3 and above are primarily for debugging Samba and can slow the tool considerably.

-l|--log-basename log_directory

Send the log messages to somewhere other than the location compiled into the executable or specified in the smb.conf file. If the directory does not exist, Samba's compiled-in default will be used.

-s|--configfile configuration_file

The location of the Samba configuration file, overriding any compile time default location.

-V|--version

Print the program's version information.

A.3.1.2. Authentication options

-A|--authentication-file filename

Specify a file containing the user credentials to be used for the connection request rather than passing the information as command-line parameters. Parameters in the file can be one of three keywords: username, password, or domain. Each keyword is followed by an equal sign (=) and the option's value. The format of the file is as follows:

 username = value password = value domain   = value 

Parameters defined in the authentication file take precedence over their command-line counterparts. The permissions on the file should be very restrictive (0600, for example) to prevent access by unwanted users. You can find examples of authentication files in Chapter 11.

-k|--kerberos

Enable Kerberos 5 authentication when connecting to the remote server. This requires that you have previously obtained a TGT using the kinit command. When you enable Kerberos authentication, the -U and -A options will be ignored. More information about Kerberos can be found in Chapter 10.

-N|--no-pass

Request an anonymous connection.

-P|--machine-pass

Use the machine's trust account when connecting to remote servers.

-S|--signing=[on,off,required]

Specify the SMB signing policy to use when connecting to a remote server. The keyword on enables negotiation of SMB signing, and required makes the capability mandatory. To disable client support entirely, even if SMB signing is supported by the server, set the parameter to off.

-U|--user name

Specify the user name to use in the authentication request when connecting to a remote server. You can append the user's password to the login name by specifying a percent sign (%) and then the passphrase.

A.3.1.3. Connection options

-i|--scope netbios_scope

The NetBIOS scope value to be used when communicating with other NetBIOS hosts. You should never use this option unless absolutely required by the remote server.

-n|--netbiosname name

The calling name to be used in the NetBIOS session request. This is not needed for most network environments.

-O|--socket-options option_list

Define a list of socket options to be used in the client connection. The range of options will vary from system to system and is described fully in the manpage for the setsockopt( ) function call. This parameter is normally useful when testing performance and running benchmarks.

-W|--workgroup name

The list client's workgroup (or domain) name. This is useful when you need to specify a user's domain as part of the authentication requests.

The eventlogadm command is used to manage Samba's EventLog tdb files and related settings. Its primary use is to write new EventLog entries. Unlike other Samba command-line tools, eventlogadm does not share any of the common options. Eventlogs are covered in Chapter 9.

Command synopsis

 eventlogadm [options] 

Options

-d

Enable the tool's debug output.

-h

Print command-line usage.

-o write EventLogName

Write a a log entry to the file EventLogName.tdb in Samba's lock directory. The logfile name must be listed in the eventlog list parameter in smb.conf.

-o addsource EventLogName SourceName MessageFileDLL

The Windows message file DLL location that will be downloaded by Windows clients when viewing Eventlog records.

This Perl script reports information about systems on the subnet that respond to SMB name-query requests. The report includes the IP address, NetBIOS name, workgroup/domain, and operating system of each system.

The output from findsmb looks like this:

 $ ./findsmb                                 *=DMB                                 +=LMB IP ADDR         NAME     WORKGROUP/OS/VERSION --------------------------------------------------------------------- 192.168.1.46    FIR       [VALE] [Unix] [Samba 3.0.20b] 192.168.1.47    OAK      +[COLOR] [Unix] [Samba 3.0.14a] 192.168.1.74    MAPLE    *[VALE] [Unix] [Samba 3.0.22] 192.168.1.101   SPUD     *[AD] [Windows 5.0] [Windows 2000 LAN Manager] 

The system with an asterisk (*) in front of its workgroup name is the domain master browser for the workgroup/domain, and the system with a plus sign (+) preceding its workgroup name is the local master browser.

Command synopsis

 findsmb [options] 

Options

-B

Specify the broadcast address when calling nmblookup to resolve master browsers and server names. If no subnet broadcast address is supplied, findsmb will look on the local subnet.

-d|-D

Enable debug messages in the findsmb code.

-r

Enable the root-only flag when calling nmblookup. This is useful when locating Windows 95 hosts on the network.

The net command is a program with a syntax similar to the MS-DOS/Windows command of the same name. It is used for performing various administrative functions related to Windows networking, which can be executed either locally or on a remote system.

This utility has the same general, authentication, and connection command-line options as many Samba tools.

Command synopsis

 net [method] function [target_options] [misc_options] 

The function argument is made up of one or more space-separated words. In Windows terminology, it is sometimes referred to as a function with options.

By default, the action is performed on the local system. The target_options argument can be used to specify a remote system (either by hostname or IP address), a domain, or a workgroup.

Depending on the function, the method argument can be optional, required, or disallowed. It specifies one of three methods for performing the operation specified by the rest of the command. It can be ads (Active Directory), rpc (Microsoft's DCE/ RPC), or rap (Microsoft's original SMB remote procedure call). To determine which methods (if any) can be used with a function, the net help ads, net help rap, and net help rpc commands can be used to list the functions for each method.

Chapter 11 contains more information on the net command as well as examples.

Target options

-S|--server hostname

Specify the remote system using a hostname or NetBIOS name.

-I|--ipaddress ip_address

Specify the remote system using its IP address.

-w|--workgroup workgroup

Specify the name of the target domain or workgroup.

Miscellaneous options

-d|--debuglevel level

Define Samba's log for displaying information debug messages.

-l|--long

Long listing mode. This is provided for functions that print informational listings.

-n|--myname name

The NetBIOS name for the client.

-p|--port port

The port number to use when connecting to the server.

-P|--machine-pass

Use the machine's trust account when connecting to remote servers.

-s|--configfile configuration_file

The location of the Samba configuration file, overriding any compile time default location.

-U|--user name

The user name to use in the authentication request when connecting to a remote server. You can append the user's password to the login name by specifying a percent sign (%) and then the passphrase.

-V|--version

Print the Samba's version information.

-W|--workgroup name

The list client's workgroup (or domain) name. This is useful when you need to specify a user's domain as part of the authentication requests.

RAP functions

domain

Enumerate the list of known browsing domains and browse masters.

file [user|close|info]

Enumerate all open files or ones opened by a specific user. You can also request the server to close a given file.

group [add|delete]

The basic form of the group command allows you enumerate groups on the server as well as create new ones or remove existing ones.

groupmember

Manage group membership.

password username old_password new_password

Send a user password change request for username.

printq [list|delete]

Enumerate jobs in a print queue or remove specific jobs.

server

Enumerate hosts in the server's workgroup.

session [close|info]

Enumerate open sessions on the server. You may also request additional information regarding a specific session or request that the server close the active session.

share

Enumerate shares on the server similar to the smbclient -L command.

user [add|delete|rename|info]

Basic user management functions such as enumerating, creating, removing, and renaming accounts.

validate username password

Authenticate a username/password pair against the server's list of accounts.

RPC functions

abortshutdown

Abort the shutdown of a remote server.

changetrustpw

Change the machine's trust account password.

file [user|close]

Enumerate all open files or ones opened by a specific user. You can also request the server to close a given file.

getsid

Retrieve the domain SID from the remote server specified using the --server option and store the result in secrets.tdb. This is often used as part of the net rpc vampire process.

group [add|delete|members|addmem|delmem]

The basic form of the group command allows you enumerate groups on the server as well as create new ones or remove existing ones. The membership-related subcommands can be used to list or modify the collection of users belonging to a group.

info

Print information about the remote server and its domain.

join

Join a Windows or Samba domain for use with security = domain configurations. If the -U username%password option is included, the specified username and password will be used as the administrative account required for authenticating with the PDC. If the -U option is not included, this function can be used only to join the computer to the domain after the computer account has been created using the Server Manager.

password username new_password

Set the password for a user account. You must specify an account with administrative rights using the --user option in order to force the password change.

printer [list|driver|publish|migrate]

Enumerate printers or drivers installed on the server. If the remote host is joined to an AD domain, you can also have the server publish the printer's information in the directory service. The final option allows you to migrate printers, drivers, or settings from the remote server to the local Samba host.

registry [enumerate|save|dump]

Simple interface for viewing remote registry files as well as saving them to a local file. This is an experimental feature currently.

rights [list|grant|revoke]

Manage the user privilege assignments on a server. You can enumerate the available rights and assignments. The grant and revoke subcommands allow you to add and remove assignments respectively. Chapter 5 discusses user rights in detail.

service [list|stop|start|pause|resume|status]

Manage a server's collection of services. This includes listing installed services and their current state as well as toggling the state of running, paused. or stopped services. Chapter 9 covers the steps to setup service control on Samba hosts.

share [add|delete|allowedusers|migrate]

Manage file shares on the server. This includes listing active shares as well as creating new ones and unsharing existing ones. You can also migrate shares and files from the remote server to the local Samba host. Share management is discussed in Chapters 9 and 11.

shutdown

Shut down a server. This function accepts the -r, -f, -t, and -c miscellaneous options. The -r option (which can also be specified as --reboot) requests that the system reboot after shutting down. The -f option (which can also be specified as --force) forces a shutdown. The -t timeout option (which can also be specified as --timeout=number) specifies the number of seconds to wait before shutting down, and the -c comment option (which can also be specified as --comment= string) can be used to specify a message to the client user. On Windows, the comment appears in the Message area in the System Shutdown dialog box.

testjoin

Validate the local host's machine trust account password in the domain.

trustdom [list|add|del|establish|revoke]

Manage domain trust relationships on a Samba domain controller. Chapter 9 discusses the configuration details for establishing domain trusts.

user [add|delete|rename]

Basic user management functions such as enumerating, creating, removing, and renaming accounts.

vampire

Migrate user, group, and computer accounts from a Windows NT Primary Domain Controller onto a Samba PDC. Successfully running this command requires a large amount of prior server configuration. Chapter 9 covers the complete steps for migrating from a Windows domain to Samba.

ADS functions

changetrustpw

Change the machine's trust account password.

group [add|delete]

Enumerate groups on the server, as well as create new ones or remove existing ones.

info

Print information about the Active Directory server.

join

Join the local system to the Active Directory realm. This function must be used if your server is configured to make use of security = ads and Kerberos authentication.

keytab [create|add|flush]

Manage a local Kerberos keytab file based on Samba's machine trust account password and domain membership. This incldues creating an initial keytab file from the information stored in secrets.tdb as well as adding new service principal names to the machine's account in AD. Chapter 10 explains how to use keytab files with Samba member servers in an AD environment.

leave

Remove the local system from the Active Directory realm. Newer versions of net will disable the account rather than removing it.

lookup

Send a CLDAP request to an AD domain controller and display the query results.

password username@ REALM

Change the Active Directory password for the user specified by username@REALM. The administrative account authentication information is specified with the -U option. The Active Directory realm must be supplied in all uppercase.

printer [search|info|publish|remove]

Manage printer information stored in AD. This does not affect printers or print shares, but only the information about the printer stored in the directory services.

search expr attrib

Perform a raw Active Directory search, using the standard LDAP search expression and attributes specified by the expr and attrib arguments, respectively.

status

Print details about the Active Directory computer account of the system.

testjoin

Validate the local host machine's trust account password in the domain.

user [add|delete|rename]

Basic user management functions such as enumerating, creating, removing, and renaming accounts.

Miscellaneous functions

cache [add|set|del|flush|get|search|list]

A simple database management tool for Samba's gencache.tdb. This can be helpful, for example, when tracking down name resolution errors caused by incorrect cached information.

getlocalsid [ name]

Print the machine's local SID stored in secrets.tdb. You may supply an optional domain name, in which case the SID for that name will be displayed instead.

groupmap [add|modify|delete]

Manage Samba's group mapping table. You can establish new mapping records and update or remove existing ones. Samba's group mapping feature is discussed in Chapter 5.

help [ command]

Print the help text for a specific command. Not all commands have help text available.

idmap [dump|restore]

Backup the idmap table to a text file or restore the table from a previous backup. The dump subcommand prints the table contexts to standard output.

lookup [host|ldap|kdc|master]

Perform basic name resolution queries for determining the address of hostnames, directory servers, Kerberos KDCs, and local master browsers.

time [set|system|zone]

Display the system timein Unix date command formaton the target system. You can use the set and system subcommands to update the local host's clock.

setlocalsid

Define the SID to store for the local machine in secrets.tdb.

The nmblookup program is a client program that allows command-line access to NetBIOS name service for resolving NetBIOS computer names into IP addresses. The program works by broadcasting its queries on the local subnet until a machine with the specified name responds. You can think of it as a Windows analog of nslookup or dig. This is useful for looking up regular computer names, as well as special-purpose names, such as _ _MSBROWSE_ _. If you wish to query for a particular type of NetBIOS name, add the NetBIOS type to the end of the name, using the format netbios_name#dd, where dd is the hexidecimal representation of the resource byte.

Command synopsis

 nmblookup [options] netbios_name [netbios_name] 

The nmblookup tool supports both the general and the connection option sets described in the beginning of this section.

Options

-A|--lookup-by-ip

Interpret netbios_name as an IP address and does a node status query on it.

-B|--broadcast broadcast_address

Send the query to the given broadcast address. The default is to send broadcast queries using all detected network interfaces.

-f|--flags

Print the NetBIOS flags in the packet headers.

-M|--master-browser

Search for a local master browser by looking up netbios_name<1d>. If netbios_name is specified as a dash (-), a lookup is done on the special name _ _ MSBROWSE_ _.

-R|--recursion

Set the "recursion desired" bit in the packet. This causes the system that responds to try a WINS lookup and return the address and any other information the WINS server has saved.

-r|--root-port

Use the root port of 137. This option exists as a bug workaround for Windows 95. This option might require the user to be superuser.

-S|--status

Perform a node status query once the name query has returned an IP address. This returns all the resource types that the system knows about, including their numeric attributes.

-T|--translate

Translate IP addresses into resolved names.

-U|--unicast unicast_address

Perform a unicast query to the specified address. Used with -R to query WINS servers.

The ntlm_auth tool similar to a command-line version of the pam_winbind library and is provided for Unix daemons that require support for the NTLM challenge/response authentication. The most popular use of a ntlm_auth is in combination with the Squid Web Proxy server, although the tool has also been used in conjunction with PPP services, Apache authentication modules, and RADIUS servers, to name a few examples.

Command synopsis

 ntlm_auth [options] 

The ntlm_auth commands supports the general option set used by many Samba client tools and discussed earlier in this appendix.

Options

--challenge hex_string

The NTLMSSP challenge, as a hexadecimal-encoded string.

--diagnostics

Print additional information in order to help debug failures in the authentication process.

--domain name

The user's domain name to use during authentication.

--helper-protocol protocol_version

Use the standard input helper protocol_version. The list of currently valid protocol names is:

gss-spnego

gss-spnego-client

ntlm-server-1

ntlmssp-client-1

squid-2.4-basic

squid-2.5-basic

squid-2.5-ntlmssp

--lm-response hex_string

The LanManager response string as a hexadecimal encoded string.

--nt-response hex_string

The NT response string, as a hexadecimal encoded string.

--password passphrase

The user's clear-text password to use in the authentication request.

--request-lm-key

Request that the LanManager session key be displayed on standard output.

--request-nt-key

Request that the NT session key be displayed on standard output.

--require-membership-of SID

Verify that the user is a member of the domain group specified by the SID.

--username name

The user's login name to use in the authentication request.

--workstation name

The user's workstation name to use in the authentication request.

This program can be used to manage accounts that are held in a passdb module. Because this tool uses the passdb storage mechanisms directly and not MS-RPC, you must be the superuser to operate this tool.

Command synopsis

 pdbedit [options] username 

The pdbedit utility supports the general option set common to many Samba client tools.

Options

-a|--create

Add the username to the SAM database. The command issues a prompt for the user's password.

-b|--backend pwdb_name

Specifiy the passdb backend name to use for the current operation, in place of the value define in smb.conf.

-C|--value integer

The value of an account policy. Refer to the --account-policy option for details on available policy names.

-c|--account-control flags

Define the account control flags for a user. The flags value must be a collection of one or more of the following types: N, D, H, L, or X. The account control flags must be enclosed using square brackets ([]). Discussions regarding the meaning of flags can be found in Chapter 5.

-D|--drive drive_letter

Set the Windows drive letter to which to map the user's home directory. The drive letter should be specified as a letter followed by a colone.g., H:.

-e|--export pwdb_backend

Export the user account database to another passdb format, written to the specified location. Used for migrating from one type of account database to another. The pwdb_backend argument is specified in the format of a valid passdb backend name, followed by a colon, then the location of the database. For example, to export the existing account database to an smbpasswd database in the file /etc/samba/smbpw, pwdb_backend would be specified as smbpasswd:/etc/samba/smbpw.

-f|--fullname full_name

Set the full name of the user specified with the -u option.

-h|--homedir unc

Set the home directory path (as a UNC) for the user specified with the -u option.

-I|--domain name

Set the user's domain.

-i|--import pwdb_backend

A password database backend from which to retrieve account information, overriding the one specified by the passdb backend parameter in the Samba configuration file. This, along with the --export option, is useful for migrating user accounts from one type of account database to another. See the --export option regarding how to specify the pwdb_backend argument.

-L|--list

List the user accounts in the database. See also the --verbose option.

-m|--machine

Indicate that the account is a computer account rather than a user account. Used only with the -a option when creating the account.

-N|--account-desc string

Set the user's account description string.

-P|--account-policy policy_name

Define the policy to be modified by the --value parameter. Because the policy names contain whitespace, be sure to enclose the string in quotes. Valid policy names are as follows:

bad lockout attempt

disconnect time

lockout duration

maximum password age

min password length

minimum password age

password history

refuse machine password change

reset count minutes

user must logon to change password

-p|--profile UNC_path

Set the directory in which the user's profile is kept. The directory is specified as a UNC.

-r|--modify

Update an existing user rather than creating a new user.

-S|--script UNC_path

The UNC of the user's logon script.

-t|--password-from-stdin passphrase

Sets the user's password from standard input rather than prompting.

-U|--user-sid SID

Explicitly define the user's SID.

-u|--user username

The username of the account to add (with the -a option), delete (with the -x option), or modify.

-v|--verbose

Use verbose mode when listing accounts with the --list option. The account fields will be printed.

-w|--smbpasswd-style

Use the smbpasswd listing mode, for use with the --list option, which prints information in the same format as it would appear in an smbpasswd file.

-x|--delete

Delete the user (specified with the -u option) from the account database.

-Z|--logon-hours-reset

Reset a user's login hours acccount restrictions.

-z|--bad-password-count-reset

Reset a user's bad password count to 0. Frequently, you will need to unlock the account as well, unless the time specified by the "lockout duration" policy has elapsed.

The profiles program is a small utility for changing the SID in registry ACLs such as those found in user roaming profiles (NTUSER.DAT). This is useful when migrating user profiles from one domain to another.

Command synopsis

 profiles [options] filename 

The profiles command supports the general option set common to many Samba client tools.

Options

-c|--change-sid SID

The original SID that should be modified in access control entries.

-n|--new-sid SID

The new SID that should replace any occurrences of the --change-sid value.

This program provides a way of remotely modifying Windows ACLs on files and directories stored on an SMB/CIFS share.

Command synopsis

 smbcacls //server/share filename [options] 

The smbcacls tool supports the standard general and authentication options described earlier in this appendix.

Options

-a|--add ACLs

Add one or more ACLs to the file or directory. Any ACLs already existing for the file or directory are unchanged.

-C|--chown username

Change the owner of the file or directory. This is a shortcut for -M OWNER:username. The username argument can be given as a username or as the string format of a SID.

-D|--delete ACLS

Delete the specified ACLs.

-G groupname

Change the group of the file or directory. This is a shortcut for -M GROUP:groupname. The groupname argument can be given as a group name or as the string format of a SID.

-M acls

Modify the mask of the ACLs specified. Refer to the following section, "Specifying ACLs" for details.

--numeric

Don't resolve SIDs or access masks to their corresponding string representations.

-S|--set ACLS

Set the specified ACLs, deleting any ACLs previously set on the file or directory. The ACLs must contain at least a revision, type, owner, and group.

-t|--test-args

Validate the command-line arguments, but do not actually perform the requested modifications.

Specifying ACLs

In the previous options, the same format is always used when specifying ACLs. An ACL is made up of one or more Access Control Entries (ACEs), separated by either commas or escaped newlines. An ACE can be one of the following:

REVISION:revision_number

OWNER:username_or_SID

GROUP:group_name_or_SID

ACL:name_or_SID:type/flags/mask

The revision_number should always be 1. The OWNER and GROUP entries can be used to set the owner and group for the file or directory. The names can be the textual ones or the string representation of the SIDs.

The ACL entry specifies what access rights to apply to the file or directory. The name_or_SID field specifies to which user or group the permissions apply and can be supplied either as a textual name or a SID. An ACE can be used to either allow or deny access. The type field is set to 1 to specify a permission to be allowed or 0 for specifying a permission to deny. The mask field is the name of the permission and is one of the following:

R

Read access.

W

Write access.

X

Execute permission.

D

Permission to delete.

P

Change permissions on the object.

O

Take ownership.

The following combined permissions can also be specified:

READ

Equivalent to RX permissions

CHANGE

Equivalent to RWXD permissions

FULL

Equivalent to RWXDPO permissions

The flags field is for specifying how objects in directories are to inherit their default permissions from their parent directory. For files, flags is normally set to 0. For directories, flags is usually set to either 9 or 2.

The smbclient program is the "Swiss Army knife" of the Samba suite. Initially developed as a testing tool, it has become a command shell capable of acting as a general-purpose Unix client, with a command set very similar to that of ftp. It offers the following set of functions:

• Interactive file transfer, similar to ftp

• Interactive printing to shared SMB printers

• Interactive tar format archiving

• Sending messages on the SMB network

• Batch mode tar format archiving

• Enumerating shares and workgroup contents on remote servers

• Debugging

Command synopsis

 smbclient //server/share [password] [options] 

It is possible to run smbclient noninteractively, for use in scripts, by specifying the -c option along with a list of commands to execute. Otherwise, smbclient runs in interactive mode, prompting for commands like this:

 smb:\> 

The backslash in the prompt is replaced by the current directory within the share as you change your working directory with smbclient's cd command.

The smbclient command supports all three sets of command-line options (general, authentication, and connection) common to other Samba client tools.

Options

-b|--send-buffer buffer_size

The size of the buffer used when transferring files. It defaults to 65,520 bytes and can be changed as a tuning measure. Generally, it should be quite large or set to match the size of the buffer on the remote system.

-c|--command command_string

Pass a command string to the smbclient command interpreter. The argument consists of a semicolon-separated list of commands to be executed.

-D|--directory init_dir

Upon starting up, causes smbclient to change its working directory to init_dir on the remote host.

-E|--stderr

Send output from commands to stderr instead of stdout.

-g|--grepable

When used in conjuction with the -L option, this parameter instructs smbclient to display share, server, and workgroup lists in a format that is easily parseable in shell scripts.

-I|--ip-address IP_address

Set the IP address of the server to which the client connects.

-L|--list server

List services (shares) offered by the server. This can be used as a quick way to test an SMB/CIFS server to see if it is working. If there is a name-service problem, use the -I option to specify the server.

-M|--message NetBIOS_name

Allows you to send messages using the Windows messaging protocol. Once a connection is established, you can type your message, pressing Ctrl-D to end. The -U and -I options can be used to control the "From" and "To" parts of the message.

-m|--max-protocol level

The maximum SMB/CIFS protocol dialoect that smbclient will advertise when negotiating a connection with a remote server. Valid protocol names are:

NT1

LANMAN2

LANMAN1

CORE

COREPLUS

-p|--port port_number

The port number used by smbclient to connect to the server.

-R|--name-resolve resolve_order

Set the resolve order of the name servers. This option is similar to the resolve order configuration option and can take any of the four parameters lmhosts, host, wins, and bcast, in any order. If more than one parameter is specified, the argument is specified as a space-separated list. This option can be used to test name service by specifying only the name service to be tested.

-T|--tar command_string tarfile

Run the tar archiver, which is gtar compatible. The tar file that is written to or read from is specified by tarfile. The two main commands are c (create) and x (extract), which can be followed by any of these options:

a

Reset the archive attribute on files after they have been saved. See also the g option.

b size

The block size for writing the tar file, in 512-byte units.

g

Back up only files that have their archive bit set. See also the a option.

I filename

Includes files and directories. This is the default behavior, so specifying this is redundant. To perform pattern matching, see also the r option.

N filename

Back up only those files newer than filename.

q

Suppress diagnostics.

r

Perform regular expression matching, which can be used along with the I or X option to include or exclude files.

X filename

Exclude specified files and directories.

Commands

?|help [ smbclient_command

With no command specified, print a list of available commands. If a command is specified as an argument, a brief help message will be printed for it.

! shell_command

Shell escape. Run the specified command in a Unix shell.

altname filename

Cause smbclient to request from the server and then print the old-style, 8.3-format filename for the specified file.

archive level

This controls the behavior in relation to the DOS archive bit when retrieving files. The available levels are:

0

Ignore the archive bit entirely.

1

Retrieve only files whose archive bit is set.

2

Same as level 1 but resets the archive bit after the file copy.

3

Same as level 0 but resets the archive bit after the file copy.

blocksize

The blocksize to be used when writing tar files. The value must be between 0 and 65535.

cancel print_jobid [...]

Cause smbclient to request the server to cancel one or more print jobs, as specified by the numeric job IDs provided as arguments. See also the queue command, which prints job ids.

case_sensitive

Allows you to toggle case-sensitive and -insensitive filename lookups. The default is to match Windows behavior and use case-insensitive lookups.

cd [ directory]

With no argument, print the current working directory on the remote system. If a directory name is supplied as an argument, change the working directory on the remote system to that specified.

chmod filename octal_mode

Requests that the server change the Unix file permissions on filename to octal_mode, specified in octal numeric format. Works only if the server supports CIFS Unix extensions.

chown filename UID GID

Change the owner and group of the file specified by filename to those provided as decimal numeric arguments uid and gid. Works only if the server supports CIFS Unix extensions.

del filename

Delete one or more files, as specified by the argument, from the current working directory. The argument can be a filename globbing pattern using the * and ? characters.

dir [ filename]

With no arguments, print a list of files and directories in the working directory on the server. If an argument is provided, only files and directories whose names match the argument will be listed. The argument can be a filename globbing pattern using the * and ? characters.

du

Calculate the disk usage and free space available for the share.

exit

Quit the smbclient program after terminating the SMB connection to the server. The q and quit commands are aliases for exit.

get remote_file [ local_file]

Copy the file specified by remote_file from the server to the local system. If no local_file argument is specified, smbclient will name the local file the same as it is named on the server. If local_file is specified, it will be used as the name of the local copy. See also the lowercase command.

getfacl filename

Display the POSIX ACL for filename. This operation is supported only if the remote server supports the CIFS Unix Extensions.

hardlink source destination

A Windows hardlink from destination to source. Refer to the link command for creating Unix hard links.

history

Display a list of recently executed smbclient commands.

lcd [ directory]

If no argument is provided, print the name of smbclient's working directory on the local system. If a directory name is provided as an argument, changes smbclient's working directory to the directory specified.

link link_name filename

Create a hard link to filename and name it link_name. This command works only if the server supports CIFS Unix extensions.

listconnect

Display all current SMB/CIFS connections held by the current smbclient session. This is really only of interest when connecting to MS-DFS root shares and following referrals.

lowercase

Toggle the Boolean lowercasing setting. When this setting is on, names of files copied from the server with the get and mget commands will be changed to all lowercase. This is mainly used for accessing servers that report filenames in all uppercase only.

mask [ globbing_pattern]

Set the filename globbing pattern for use with the mget and mput commands when recursion is turned on. (When recursion is off, the setting has no effect.) Both mget and mput accept a globbing pattern as arguments; however, those patterns apply only to the current directory. This command specifies the pattern used for all subdirectories that are recursively traversed. The pattern stays in effect until it is changed with another mask command. To return the setting to its original default, specify a globbing_pattern of an asterisk (*), which matches all files. See also the mget, mput, and recurse commands.

mget pattern

When recursion is turned off, copy files matching the file-globbing pattern, as specified by the argument, from the current working directory on the server to the local system. When recursion is on, the pattern argument is used to match directories in the current working directory, and the pattern specified by the mask command is used for matching files within each directory and all subdirectories. See also the lowercase, mask, and recurse commands.

mkdir

Create a directory on the remote share.

more

View a remote file using the local system's configured pager tool (e.g., the more command).

mput pattern

When recursion is turned off, copy files matching the file-globbing pattern, as specified by the argument, from the current working directory on local system to the remote server. When recursion is on, the pattern argument is used to match directories in the current working directory, and the pattern specified by the mask command is used for matching files within each directory and all subdirectories. See also the lowercase, mask, and recurse commands.

newer filename

Retrieve files with a timestamp newer than the one assigned to filename.

print filename

Print the specified file. This command requires that smbclient be connected to a print share.

prompt

Toggle the prompting mode. When prompting is on (the default), the mget and mput commands will interactively prompt the user for permission to transfer each file. The user can answer either y (yes) or n (no), followed by a newline, to this prompt. When prompting is off, all the files will be transferred with no prompts issued.

put local_file [ remote_file]

Copy the file specified by local_file from the local to the remote system. If no remote_file argument is specified, smbclient will name the remote file the same as it is named on the local system. If remote_file is specified, it will be used as the name of the remote copy. See also the lowercase command.

pwd

Print the current working directory on the server.

queue

Print information on the print queue on the server. This command requires that smbclient is connected to a print share.

recurse

Toggle the recursion mode, which affects the mget and mput commands. When recursion is off (the default), the mget and mput commands will copy only files from the current working directory that match the file-globbing pattern specified as an argument to the command, and the pattern set by the mask command is ignored. When recursion is turned on, the mget and mput commands recursively traverse any directories that match the pattern specified as the argument to the command, and the pattern set by the mask command is used to match files in those directories.

rename source destination

Rename the source file (or directory) to destination.

reput filename [ remote_filename]

Append a file from the local server to filename (or remote_filename if specified) on the remote server.

rmdir directory

Requests that the server remove the specified directory.

setmode filename attributes

Assign the specified MS-DOS file attributes on the specified file. The attributes argument has the format of a leading plus sign (+) or minus sign (-) either to set or to unset the attribute(s), respectively, followed by one or more of the characters r (read), s (system), h (hidden), or a (archive).

showconnect

Display the active connenction for the current working directory. This command allows you to determine what server you are connected to after following a MS-DFS referral.

stat filename

Perform a Unix stat( ) call on the remote filename. This call requires that the server support the CIFS Unix Extensions.

symlink link_name filename

Request that the server create a symbolic link named link_name to filename. This command works only if the server supports Unix CIFS extensions. The server will not create a link that refers to a file not in the share to which smbclient is connected.

tar cmd_str

Perform an archiving operation using the tar format. This is the interactive form of the -T command-line operation, and the cmd_str argument is specified in the same manner. See also the tarmode command.

blocksize size

The block size, in units of 512 bytes, for files written by the tar command.

tarmode mode ...

Specify how the tar command performs its archiving, including how it handles the archive attribute on files. Multiple mode arguments can be provided:

full

All files will be included, regardless of whether their archive attribute is set. This is the default behavior.

inc

Only files that have the archive attribute set will be included in the backup.

reset

The archive attribute will be unset by tar after the file is included in the archive.

noreset

The archive attribute will be left unchanged. This is the default.

hidden|nohidden

Controls whether files with the hidden attribute set will be included in the archive. The default is to include files with the hidden bit set.

system|nosystem

Determines whether files with the system attribute set will be included in the archive. The default is to include files with the system bit set.

verbose|noverbose

If verbose mode is enabled (the default), file names will be printed as each one is included in the archive (when creating the archive) or is read from the archive (when extracting it).

volume

Display the volume name of the share containing the current working directory. The volume name is dependent on the current connect when following MS-DFS referrals. Also refer to the showconnect command.

The smbcontrol command sends control messages to running smbd, nmbd, or winbindd processes.

Command synopsis

 smbcontrol [options]        process message-type [parameters] 

smbcontrol supports the standard --version , --help, and the --configfile options described in the previous General Options section.

Options

-t|--timeout seconds

The period before timing out while waiting for a response to a message.

Each smbcontrol command has up to three parts:

process

The process or group of processes to which to send the message. If process is smbd or winbindd, all named processes will receive the message. If process is nmbd, only the main nmbd process (identified by Samba's nmbd.pid file) receives the message. If process is the numeric PID of a running process on the system, that process will receive the message.

message-type

The type of message that is sent. For more information, see the section "smbcontrol message types" that follows.

parameters

Additional parameters required by some messages.

smbcontrol message types

close-share share_name

Close the connection to a share or shares. If share_name is specified as an asterisk (*), connections to all shares will be closed. To close a single connection, share_name is given as the name of a share, as specified in the Samba configuration file, not including the enclosing brackets. No message is printed if there is an error in specifying share_name.

debug num

The debugging level. The num parameter specifies the level, which can be from 0 to 10.

debuglevel

Print the current debugging level.

dmalloc-mark

Instruct a process to remember a memory watermark. This option is of use only when the --enable-dmalloc option was included during the initial compilation.

dmalloc-log-changed

Display the memory allocation statistics since the last dmalloc-mark command. This option is of use only when the --enable-dmalloc option was included during the initial compilation.

drvupgrade driver_name

Send a notify message to smbd that driver_name has been changed so that the daemon can rebind driver initialization data to associated printers.

force-election

Can be used only with nmbd, telling it to force a master browser election.

nodestatus

Ask the nmbd daemon to perform a NetBIOS node status request.

ping number

Sends number of pings and reports when they receive a reply or timeout. Used for connectivity testing.

profile mode

This command controls profiling statistics collection. If mode is on, profile statistics will be collected. If mode is off, collection of statistics is turned off. If mode is specified as count, only counting statistics are collected (and not timing statistics). If mode is flush, the data set is cleared (initialized).

profilelevel

Print the current profiling level.

pool-usage

Dump the statistics for all current talloc( ) memory allocation.

printer-notify printer_name

Send a notify message to smbd that printer_name has been changed so that the daemon can send a notification to any cliented monitoring that printer.

reload-config

Instruct a daemon to reload its configuration information. This is an alternative to sending a process the HUP signal.

shutdown

Ask a running process to gracefully terminate.

The smbcquotas program provides a simple interface to query and set filesystem quotas on remote SMB/CIFS shares.

Command synopsis

 smbcquotas //server/share [options] 

The smbcquotas tool supports the standard general and authentication options described earlier in this appendix.

Options

-F|--fs

Display filesystem quotas configured on the share.

-L|--list

Display all user quotas configured on the share.

-n|--numeric

Don't resolve SIDs or access masks to their corresponding string representations.

-S|--set quota_string

Set the quota_string value for the SMB/CIFS share. The format of quota_string is covered in the Quota Settings section.

-t|--test-args

Validate the command-line arguments but do not actually perform the requested modifications.

-u|--user username

Display the quota settings for username.

-v|--verbose

Increase the amount of information messages written to standard output.

Quota settings

Quota strings passed to the --set parameter can be in one of three forms. The first form is used to set a user quota policy. The username refers to the user whose quota is being set or modified. The softlimit and hardlimit values are given in bytes.

 UQLIM:username/softlimit/hardlimit 

The second type of quota string controls the filesystem quota setings. Once again the softlimit and hardlimit values are given in bytes.

 FSQLIM:softlimit/hardlimit 

The final format of the quota string defines overall quota behavior.

 FSQFLAGS:flags 

The flags argument is one of more of the following values, using the forward slash character (/) to delimit entries:

QUOTA_ENABLED

DENY_DISK

LOG_SOFTLIMIT

LOG_HARD_LIMIT

The smbpasswd program provides the general function of managing encrypted passwords. How it works depends on whether it is run by the superuser or an ordinary user.

For the superuser, smbpasswd can be used to maintain Samba's passdb backend. It can add or delete users, change their passwords, and modify other attributes pertaining to the users that are held in (for example) an smbpasswd file, the tdbsam database, or an LDAP directory service using ldapsam.

When run by ordinary users, smbpasswd can be used only to update their encrypted passwords using the SMB/CIFS password change mechanisms. In this mode of operation, smbpasswd acts as a client to the Samba or Windows server.

Command synopsis

When run by the superuser:

 smbpasswd [options] username 

In this case, the username of the user whose passdb entry is to be modified is provided as the second argument.

Otherwise:

 smbpasswd [options] 

The smbpasswd command does not support any of the common Samba command-line parameters in order to ensure better backwards compatibility with older Samba releases.

Superuser-only options

-a username

Add a user to the encrypted password file. The user must already exist in the system password file (/etc/passwd). If the user already exists in the passdb backend, the -a option changes the existing password.

-d username

Disable a user in Samba's list of accounts. The user's entry in the file will remain, but will be marked with a flag disabling the user from authenticating.

-e username

Enable a disabled user in the encrypted password file. This option overrides the effect of the -d option.

-m

This option indicates that the account is a computer account rather than a user account. This older method of creating machine trust accounts in a Samba domain is strongly discouraged. Alternative methods of joining clients to a Samba domain are covered in Chapter 9.

-n

Set the user's password to a null password. For the user to authenticate, the parameter null passwords = yes must exist in the [global] section of the Samba configuration file.

-R resolve_order_list

Set the resolve order of the name servers. This option is similar to the resolve order configuration option and can take any of the four parameters lmhosts, host, wins, and bcast, in any order. If more than one parameter is specified, the argument is specified as a space-separated list.

-w password

The password that goes with the value of the ldap admin dn Samba configuration file parameter.

-W

Same as -w, but prompts for the password rather than reading it in as a command-line parameter.

-x username

Delete the user from Samba's list of user accounts. This is a one-way operation, and all information associated with the entry is lost. To disable the account without deleting the user's entry in the file, see the -d option.

Other options

-c filename

Specifies the Samba configuration file, overriding the compiled default.

-D debug_level

The debug (also called logging) level. The level can range from 0 to 10. Debug level 0 logs only the most important messages; level 1 is normal; levels 3 and above are primarily for debugging and slow the program considerably.

-h

Print command-line usage information.

-r NetBIOS_name

Specify on which machine the password should change. If changing a Windows (or Samba) domain password, the remote system specified by NetBIOS_name must be the PDC for the domain. The user's username on the local system is used by default. See also the -U option for use when the user's Samba username is different from the local username.

-s

Cause smbpasswd not to prompt for passwords, but instead to read the old and new passwords from the standard input. This is useful when calling smbpasswd from a script.

-U username

Change the password for username on the remote system. This is to handle instances in which the remote username and local username are different. This option requires that -r also be used.

The smbget command is an SMB/CIFS variant of the Unix wget command. The tool is similar to smbclient's get (or mget) command but makes use of the SMB URI syntax instead of UNC paths. Multiple file locations can be specified to be retrieved sequentially.

Command synopsis

 smbget [options] SMB_URI [SMB_URI . . .] 

Options

-a|--guest

Use an anonymous connection.

-b|--blocksize size

Define the blocksize to be size bytes for SMB/CIFS file transfers.

-D|--dots

Display progress dots during the file download.

-d|--debuglevel level

The verbosity of log messages to write to the console.

-f|--rcfile filename

Parse smbget options from the resource file filename.

-n|--nonprompt

Do not prompt for user interaction when downloading files or overwriting local files.

-O|--stdout

Write the retreived file to standard output.

-o|--outputfile filename

Write the retreived file to filename.

-P|--keep-permissions

Ensure that the local file has the same permission set as the original copy on the remote server.

-p|--password passphrase

Specify the password to send in the authentication request.

-q|--quiet

Write only minimal information messages during file downloads.

-R|--recursive

When the SMB_URI specifies a directory, recursively download files from the directory tree.

-r|--resume

Resume an incomplete file transfer.

-u|--username name

The login name to send in the authentication request.

-w|--workgroup name

The domain name to send in the authentication request.

-v|--verbose

Generate extra output to trace connection operations.

The smbspool program provides the SMB/CIFS backend interface to the Common Unix Printing System. Although smbspool can be made to work with non-CUPS printing systems, it is recommend that you use smbclient instead in these environments.

Command synopsis

 smbspool [DEVICE_URI] job-id user title copies options [filename] 

The arguments for smbspool, as shown here, are those used in the CUPS printing system. The printer that the job is to be sent to is specified in the SMB URI format as the first argument or in the DEVICE_URI environment variable.

The job argument refers to the job number. The user argument is the name of the user who submitted the print job. The title argument is the name of the print job and must be supplied. It is used as the name of the remote print file. The copies argument is the number of copies that will be printed. This number is used only if the (optional) filename argument is supplied. Otherwise, only one copy is printed. The options argument, for specifying printing options, is ignored. The filename argument is used for specifying the name of the file to be printed. If it is not provided, the standard input will be used.

This program lists the current connections on a Samba server.

Command synopsis

 smbstatus [options] 

The smbstatus tool supports the set of general command-line options previously described in this appendix.

Options

-B|--byterange

Produce information about byte range locks only.

-b|--brief

Cause smbstatus to produce brief output. This includes the version of Samba and auditing information about the users that are connected to the server.

-L|--locks

Print only the list of current file locks.

-n|--numeric

Do not convert Unix uids and gids to their associated names.

-p|--processes

Print only a list of smbd process IDs.

-S|--shares

Print only a list of shares and their connections.

-u|--user username

Limit the report to the activity of a single user.

-v|--verbose

Include additional information about current connections, locks, and processes.

The smbtar program is a shell-script wrapper around smbclient for doing tar-format archiving operations. It is functionally very similar to the Unix tar program.

Command synopsis

 smbtar [options] [include|exclude filenames] 

Options

-a

Reset (clears) the archive attribute on files after they are backed up. The default is to leave the archive attribute unchanged.

-b blocksize

The block size, in units of 512 bytes, for reading or writing the archive file. Defaults to 20, which results in a block size of 10,240 bytes.

-d directory

Changes the working directory on the remote system to directory before starting the restore or backup operation.

-i

Specify incremental mode; files are backed up only if they have the DOS archive attribute set. The archive attribute is reset (cleared) after each file is read. The default behavior is to ignore the archive bit and perform a full backup

-l log_level

The logging level. This corresponds to the --debuglevel option of smbclient and other Samba programs.

-N filename

Backs up only files newer than filename. For incremental backups.

-p password

The password to use to access a share. An alternative to using the username%password format with the -u option.

-r

Restore files to the share from the tar file.

-s server

The SMB server. See also the -x option.

-t filename

The file or Unix device to use as the archiving medium. The default is tar.out or the value of the TAPE environment variable, if it has been set.

-u username

The user account to use when connecting to the share. You can specify the password as well, in the format username%password. The username defaults to the user's Unix username.

-v

Operate in verbose mode, printing error messages and additional information that can be used in debugging and monitoring. Backup and restore operations will list each file as it is processed.

-x share

The name of the share on the server to which to connect. The default is backup. See also the -s option.

-X file_list

Exclude the specified files from the backup or restore operation.

The smbtree program is similar to the findsmb Perl script, in that it enumerates workgroup contents. However, smbtree groups servers by workgroup and can includes a list of available shares on each server.

Command synopsis

 smbtree [options] 

The smbtree command supports the general and authentication option sets common to many Samba client tools.

Options

-b|--broadcast

Broadcast requests for workgroup contents rather than attempting to query the master browser.

-D|--domains

Only enumerate workgroups names.

-S|--servers

Do not enumerate shares on servers. List only the workgroup names and the servers contained in each workgroup.

The tdbbackup program validates a tdb file and creates a backup copy of the original database. This tool can be use to create backup copies while Samba is running. The structure-generated tdb file is guaranteed to be consistent, but if a Samba daemon possessed data cached in memory, the original tdb file itself may have been in a inconsistent state. Therefore, it is best to perform backups when the server is under a light load.

Command synopsis

 tdbbackup [options] filename.tdb 

Options

-h

Display a brief help listing.

-s suffix

Specify the suffix to append to backup files.

-v

Validate a tdb file. If file corruption is detected, you must restore it from a valid backup copy.

The tdbdump tool prints the contexts of a tdb file to standard output.

Command synopsis

 tdbdump filename.tdb 

The tdbtool program is an interactive utility for viewing and modifying tdb files. It should be viewed as a very low-level database management tool and used only as a last resort.

Command synopsis

 tdbtool filename.TDb 

After opening filename.tdb, you will be presented with a basic TDb> prompt. You can view the list of available commands by running the help command.

tdbtool commands

create dbname

Create a new tdb file named dbname.

cdump

Dump the tdb contents as a series of connection records.

delete key

Remove a record from the tdb.

dump

Dump the tdb contents as strings.

erase

Remove all records in the current open tdb file.

freelist

Display the database internal freelist structure.

hexkeys

Dump the database keys as hexadecimal strings.

info

Print summary information about the tdb structure and records.

insert key data

Add a new record to the tdb.

keys

Dump the database keys as ASCII strings.

list

Display the database's internal hashlist and freelist structures.

move key newfilename.tdb

Move a record referenced by key in the current open tdb to newfilename.tdb.

open dbname

Open an existing tdb filename dbname.

show key

Display the record indexed by key.

store key data

Replace an existing record in the tdb.

quit

Exit the current tdbtool interactive session.

The testparm program checks a Samba configuration file for obvious errors.

Command synopsis

 testparm [options] [filename] [hostname] [IP_addr] 

If the configuration file is not provided using the filename argument, then it defaults to the compile time location (e.g., /usr/local/samba/lib/smb.conf). If the hostname and an IP address of a system are included, an extra check is made to ensure that the system is allowed to connect to each service defined in the configuration file. This is done by comparing the hostname and IP address to the definitions of the hosts allow and hosts deny parameters.

In addition to the following options, testparm also supports the standard --help, --usage, and --version arguments.

Options

-L|--server server_name

Set the %L configuration variable to the specified server name.

--parameter-name parameter_name

Print only the value of parameter_name to standard output.

-s|--suppress-prompt

Disable the default behavior of prompting for the Enter key to be pressed before printing the list of configuration options for the server.

--section-name share

Limit the parameter listing to the smb.conf section share.

--show-all-parameters

Display a listing of all parameter names, type, and possible values. The output is formatted so that it can easily be parsed in shell scripts.

-t|--encoding encoding_name

Print the smb.conf parameters and values using the specified character encoding_name.

-v|--verbose

Enable verbose output that includes listing all smb.conf parameters, even if set to the default value. The default behavior is to provide a brief listing on only nondefault settings.

This program retrieves and prints information from the winbindd daemon, which must be running for wbinfo to function.

Command synopsis

 wbinfo [options] [--domain=name] 

Some command-line parameters allow you to limit the request to a specific domain defined by the --domain argument.

In addition to the following options, wbinfo also supports the standard --help, --usage, and --version arguments.

Options

-A|--allocate-rid

Allocate a new RID from the passdb backend and print the assigned value.

-a|--authenticate username% password

Check to see whether a user can authenticate through winbindd using the specified username and password. Any user may request the clear text authentication, but only the root user is able to test the challenge/response authentication mechanism.

-D|--domain-info DOMAIN

Print information about the specified DOMAIN such as the domain SID, status of AD services, and realm name, if available.

-G|--gid-to-sid gid

Convert the Unix gid to a Windows SID.

-g|--domain-groups

Prints all groups that exist in Winbind's own domain as well as any trusted domains.

--getdcname DOMAIN

Query a domain controller in Winbind's own domain for the name of a valid DC in the trusted DOMAIN.

--get-auth-user

Print the currently defined auth-user, if one has been specified using the --set-auth-user option.

-I|--WINS-by-ip ip_address

Send a request to the WINS server configured in smb.conf to convert the ip_address to a NetBIOS name.

-m|--trusted-domains

List all trusted domains known by winbindd included in the BUILTIN and local machine domains.

-N|--WINS-by-name name

Send a request to the WINS server configured in smb.conf to convert the name to an IP address.

-n|--name-to-sid name

Print the SID corresponding to the name specified. The argument can be specified as DOMAIN/name (or by using a character other than the slash, as defined by the Winbind separator character) to specify both the domain and the name. If the domain and separator are omitted, the value of the workgroup parameter in the Samba configuration file is used as the name of the domain.

-p|--ping

Send a simple ping request to winbindd to determine whether it is running.

-r|--user-groups username

Print the list of Unix group IDs to which the domain user belongs.

-S|--sid-to-uid SID

Convert the SID to a Unix uid and prints the result.

-s|--sid-to-name SID

Convert the specified SID to a user or group name.

--separator

Print the current winbind separator character.

--set-auth-user username% password

An alternative set of credentials to use when connecting to a domain controller. This option is normally not needed in current Samba releases.

--sequence

Print the current known sequence numbers for all trusted domains. This can be helpful in debugging problems since unavailable domains will be listed as DISCONNECTED.

-t|--check-secret

Request winbindd to validate the Samba's current machine trust account.

-U|--uid-to-sid uid

Convert the Unix uid to a Windows SID.

-u|--domain-users

Print all users that exist in Winbind's own domain, as well as any trusted domains.

--user-domgroups SID

List the SIDs of all domain groups to which the user belongs.

--user-sids SID

Retrieve a list of SIDs for all groups to which the user belongs, including domain local groups.