smbpasswd

The smbpasswd program provides the general function of managing encrypted passwords. How it works depends on whether it is run by the superuser or an ordinary user .

For the superuser, smbpasswd can be used to maintain Samba's smbpasswd file. It can add or delete users, change their passwords, and modify other attributes pertaining to the user that are held in the smbpasswd file.

When run by ordinary users, smbpasswd can be used only to change their encrypted passwords. In this mode of operation, smbpasswd acts as a client to the smbd daemon. The program will fail if smbd is not operating, if the hosts allow or hosts deny parameters in the Samba configuration file do not permit connections from localhost (IP address 127.0.0.1), or if the encrypted passwords option is set to no . It is also possible for smbpasswd to change a user's password when it is maintained on a remote system, including a Windows NT domain controller.

Command synopsis

When run by the superuser:

 smbpasswd   [options] [username] [password]   

In this case, the username of the user whose smbpasswd entry is to be modified is provided as the second argument.

Otherwise:

 smbpasswd   [options] [password]   

Superuser-only options

-a username

Adds a user to the encrypted password file. The user must already exist in the system password file ( /etc/passwd ). If the user already exists in the smbpasswd file, the -a option changes the existing password.

-d username

Disables a user in the encrypted password file. The user's entry in the file will remain , but will be marked with a flag disabling the user from authenticating.

-e username

Enables a disabled user in the encrypted password file. This overrides the effect of the -d option.

-j domain

Joins the Samba server to a Windows NT domain as a domain member server. The domain argument is the NetBIOS name of the Windows NT domain that is being joined. See also the -r and -U options.

-m

Indicates that the account is a computer account in a Windows NT domain rather than a domain user account.

-n

Sets the user's password to a null password. For the user to authenticate, the parameter null passwords = yes must exist in the [global] section of the Samba configuration file.

-R resolve_order_list

Sets the resolve order of the name servers. This option is similar to the resolve order configuration option and can take any of the four parameters lmhosts , host , wins , and bcast , in any order. If more than one is specified, the argument is specified as a space-separated list.

-w password

For use when Samba has been compiled with the --with-ldapsam configure option. Specifies the password that goes with the value of the ldap admin dn Samba configuration file parameter.

-x username

Deletes the user from the smbpasswd file. This is a one-way operation, and all information associated with the entry is lost. To disable the account without deleting the user's entry in the file, see the -d option.

Other options

-c filename

Specifies the Samba configuration file, overriding the compiled-in default.

-D debug_level

Sets the debug (also called logging) level. The level can range from to 10. Debug level 0 logs only the most important messages; level 1 is normal; levels 3 and above are primarily for debugging and slow the program considerably.

-h

Prints command-line usage information.

-L

Causes smbpasswd to run in local mode, in which ordinary users are allowed to use the superuser-only options. This requires that the smbpasswd file be made readable and writable by the user. This is for testing purposes.

-r NetBIOS_name

Specifies on which machine the password should change. If changing a Windows NT domain password, the remote system specified by NetBIOS_name must be the PDC for the domain. The user's username on the local system is used by default. See also the -U option for use when the user's Samba username is different from the local username.

-R resolve_order

Sets the resolve order of the name servers. This option is similar to the resolve order configuration option and can take any of the four parameters lmhosts , host , wins , and bcast , in any order. If more than one is specified, the argument is specified as a space-separated list.

-s username

Causes smbpasswd not to prompt for passwords from /dev/tty , but instead to read the old and new passwords from the standard input. This is useful when calling smbpasswd from a script.

-S

Queries the domain controller of the domain, as specified by the workgroup parameter in the Samba configuration file, and retrieves the domain's SID. This will then be used as the SID for the local system. A specific PDC can be selected by combining this option with the -r option, and its domain's SID will be used. This option is for migrating domain accounts from a Windows NT primary domain controller to a Samba PDC.

-U username[ % password]

Changes the password for username on the remote system. This is to handle instances in which the remote username and local username are different. This option requires that -r also be used. Often used with -j to provide the username of the administrative user on the primary domain controller for adding computer accounts.