SMBPASSWD(8)                                                      SMBPASSWD(8)

       smbpasswd - change a user's SMB password

       When run by root:

       smbpasswd [ options ]  [ username ]  [ password ]


       smbpasswd [ options ]  [ password ]

       This tool is part of the  Samba suite.

       The  smbpasswd  program  has  several different functions, depending on
       whether it is run by the root user or not. When run as a normal user it
       allows  the  user to change the password used for their SMB sessions on
       any machines that store SMB passwords.

       By default (when run with no arguments) it will attempt to  change  the
       current  user's  SMB  password on the local machine. This is similar to
       the way the passwd(1) program works.  smbpasswd differs  from  how  the
       passwd program works however in that it is not setuid root but works in
       a client-server mode and communicates with a locally  running  smbd(8).
       As  a  consequence in order for this to succeed the smbd daemon must be
       running on the local machine. On a UNIX machine the encrypted SMB pass-
       words are usually stored in the smbpasswd(5) file.

       When run by an ordinary user with no options, smbpasswd will prompt
       them for their old SMB password and then ask them for their  new  pass-
       word  twice,  to  ensure  that the new password was typed correctly. No
       passwords will be echoed on the screen whilst being typed. If you  have
       a blank SMB password (specified by the string "NO PASSWORD" in the smb-
       passwd file) then just press the <Enter> key when asked  for  your  old

       smbpasswd can also be used by a normal user to change their SMB
       password on remote machines, such as Windows NT Primary Domain
       Controllers. See the -r and -U options below.

       When run by root, smbpasswd allows new users to be added to and deleted
       from the smbpasswd file, and allows the attributes of a user in this
       file to be changed. When run by root, smbpasswd accesses the local
       smbpasswd file directly, thus enabling changes to be made even if
       smbd is not running.

       smbpasswd  can  also  be  used to retrieve the SIDs related to previous
       incarnations of this server on the same machine, as well as set the SID
       of  this  domain.  This is needed in those cases when the admin changes
       the NetBIOS or DNS name of the server without realizing that  doing  so
       will  change  the  SID of the server as well. See the -W and -X options

       -L     Run the smbpasswd command in local mode. This allows a  non-root
              user  to  specify  the root-only options. This is used mostly in
              test environments where a non-root user needs to make changes to
              the   local  smbpasswd  file.   The  smbpasswd  file  must  have
              read/write permissions for the user running the command.

       -h     This option prints the help string for smbpasswd.

       -c smb.conf file
              This option specifies  that  the  configuration  file  specified
              should be used instead of the default value specified at compile

       -D debuglevel
              debuglevel is an integer from 0 to 10. The default value if this
              parameter is not specified is zero.

              The higher this value, the more detail will be logged to the log
              files about the activities of smbpasswd. At level 0, only criti-
              cal errors and serious warnings will be logged.

              Levels  above  1 will generate considerable amounts of log data,
              and should only be used when  investigating  a  problem.  Levels
              above  3  are  designed  for use only by developers and generate
              HUGE amounts of log data, most of which is extremely cryptic.

       -r remote machine name
              This option allows a user to specify what machine they  wish  to
              change  their  password  on.  Without  this  parameter smbpasswd
              defaults to the local host. The remote machine name is the  Net-
              BIOS name of the SMB/CIFS server to contact to attempt the pass-
              word change. This name is resolved into an IP address using  the
              standard  name resolution mechanism in all programs of the Samba
              suite. See the -R name resolve order parameter  for  details  on
              changing this resolving mechanism.

              The  username  whose  password is changed is that of the current
              UNIX logged on user. See the -U username parameter  for  details
              on changing the password for a different username.

              Note  that  if  changing a Windows NT Domain password the remote
              machine specified must be the Primary Domain Controller for  the
              domain  (Backup Domain Controllers only have a read-only copy of
              the user account  database  and  will  not  allow  the  password

              Note  that Windows 95/98 do not have a real password database so
              it is not possible to change  passwords  specifying  a  Win95/98
              machine as remote machine target.

       -s     This  option  causes  smbpasswd  to  be  silent (i.e.  not issue
              prompts) and to read its old and  new  passwords  from  standard
              input,  rather  than  from  /dev/tty (like the passwd(1) program
              does). This option is to aid people  writing  scripts  to  drive

       -S     This option causes smbpasswd to query a domain controller of the
              domain specified by the  workgroup  parameter  in  smb.conf  and
              store  the domain SID in the secrets.tdb file as its own machine
              SID. This is only useful when configuring a Samba PDC and  Samba
              BDC, or when migrating from a Windows PDC to a Samba PDC.

              The -r option can be used as well to indicate a specific domain
              controller which should be contacted. In this case,  the  domain
              SID  obtained  is  the  one  for  the domain to which the remote
              machine belongs.

       -t     This option is used to force smbpasswd to change the current
              password assigned to the machine trust account when operating in
              domain security mode. This is really meant to be used on systems
              that only run winbindd. Under server installations, smbd handles
              the password updates automatically.

       -U username[%pass]
              This option may only be used in conjunction with the -r  option.
              When  changing a password on a remote machine it allows the user
              to specify the user name on that machine whose password will  be
              changed.  It  is  present to allow users who have different user
              names on  different  systems  to  change  these  passwords.  The
              optional %pass may be used to specify the old password.

              In  particular,  this  parameter  specifies the username used to
              create the machine account when invoked with -j.

       -W S-1-5-21-x-y-z
              This option forces the SID S-1-5-21-x-y-z to be the  server  and
              domain  SID for the current Samba server. It does this by updat-
              ing the appropriate keys in the secrets file.

       -X server|domain
              This option allows the admin to retrieve the SID associated with
              a  former servername or domain name that this Samba server might
              have used. It does this by retrieving the appropriate entry from
              the secrets file.

       NOTE:  The following options are available only when the smbpasswd com-
              mand is run as root or in local mode.

       -a     This option specifies that  the  username  following  should  be
              added  to the local smbpasswd file, with the new password typed.
              This option is ignored if the username specified already  exists
              in  the  smbpasswd  file and it is treated like a regular change
              password command. Note that the user to be  added  must  already
              exist in the system password file (usually /etc/passwd) else the
              request to add the user will fail.

       -d     This option specifies that the username following should be dis-
              abled in the local smbpasswd file. This is done by writing a 'D'
              flag into the account control space in the smbpasswd file.  Once
              this  is  done  all  attempts to authenticate via SMB using this
              username will fail.

              If the smbpasswd file is in the 'old' format (pre-Samba 2.0 for-
              mat)  there  is  no  space in the user's password entry to write
              this information and so the user  is  disabled  by  writing  'X'
              characters  into  the  password space in the smbpasswd file. See
              smbpasswd(5) for details on the 'old' and new password file for-

       -e     This  option  specifies  that  the  username following should be
              enabled in the local smbpasswd file, if the account  was  previ-
              ously  disabled. If the account was not disabled this option has
              no effect. Once the account is enabled then  the  user  will  be
              able to authenticate via SMB once again.

              If  the  smbpasswd  file is in the 'old' format, then  smbpasswd
              will prompt for a new password  for  this  user,  otherwise  the
              account  will  be  enabled by removing the 'D' flag from account
              control space in the  smbpasswd  file.  See  smbpasswd  (5)  for
              details on the 'old' and new password file formats.

       -m     This  option tells smbpasswd that the account being changed is a
              MACHINE account. Currently this is used when Samba is being used
              as an NT Primary Domain Controller.

       -n     This  option  specifies  that the username following should have
              their password set to null (i.e. a blank password) in the  local
              smbpasswd file. This is done by writing the string "NO PASSWORD"
              as the first part of the first password stored in the  smbpasswd

              Note  that  to  allow  users to logon to a Samba server once the
              password has been set to "NO PASSWORD" in the smbpasswd file the
              administrator  must  set the following parameter in the [global]
              section of the smb.conf file :

              null passwords = yes

       -w password
              This parameter is only available if Samba has been configured to
              use the experimental --with-ldapsam option. The -w switch is
              used to specify the password to be used with the ldap admin dn.
              Note that the password is stored in the private/secrets.tdb and
              is keyed off of the admin's DN. This means that if the value of
              ldap admin dn ever changes, the password will need to be
              manually updated as well.

       -x     This option specifies that  the  username  following  should  be
              deleted from the local smbpasswd file.

       -j DOMAIN
              This  option  is  used  to  add a Samba server into a Windows NT
              Domain, as  a  Domain  member  capable  of  authenticating  user
              accounts  to  any Domain Controller in the same way as a Windows
              NT Server. See the security = domain option in  the  smb.conf(5)
              man page.

              This command can work both with and without the -U parameter.

              When  invoked with -U, that username (and optional password) are
              used to contact the PDC (which must be  specified  with  -r)  to
              both create a machine account, and to set a password on it.

              Alternately,  if  -U  is omitted, Samba will contact its PDC and
              attempt to change the password on a pre-existing account.

              In order to be used in this way, the Administrator for the  Win-
              dows  NT  Domain  must have used the program "Server Manager for
              Domains" to add the primary NetBIOS name of the Samba server  as
              a member of the Domain.

              After this has been done, to join the Domain invoke smbpasswd
              with this parameter. smbpasswd will then look up the Primary
              Domain Controller for the Domain (found in the smb.conf file in
              the parameter password server) and change the machine account
              password used to create the secure Domain communication.

              Either way, this password is then stored by smbpasswd in a TDB,
              writeable only by root, called secrets.tdb.

              Once this operation has been performed the  smb.conf file may be
              updated  to  set  the   security  = domain option and all future
              logins to the Samba server will be authenticated to the  Windows
              NT PDC.

              Note  that  even  though the authentication is being done to the
              PDC all users accessing the Samba server must still have a valid
              UNIX  account  on  that  machine.  The winbindd(8) daemon can be
              used to create UNIX accounts for NT users.

       -R name resolve order
              This option allows the user of smbpasswd to determine what  name
              resolution  services  to use when looking up the NetBIOS name of
              the host being connected to.

              The options are "lmhosts", "host", "wins" and "bcast". They
              cause names to be resolved as follows:

              o lmhosts  :  Lookup an IP address in the Samba lmhosts file. If
                the line in lmhosts has no name type attached to  the  NetBIOS
                name  (see  the  lmhosts(5)  for  details)  then any name type
                matches for lookup.

              o host : Do a standard host name to IP address resolution, using
                the system /etc/hosts, NIS, or DNS lookups. This method of
                name resolution is operating system dependent (for instance,
                on IRIX or Solaris this may be controlled by the
                /etc/nsswitch.conf file). Note that this method is only used
                if the NetBIOS name type being queried is the 0x20 (server)
                name type, otherwise it is ignored.

              o wins : Query a name with the IP address  listed  in  the  wins
                server  parameter.  If  no WINS server has been specified this
                method will be ignored.

              o bcast : Do a broadcast on each of the known  local  interfaces
                listed in the interfaces parameter. This is the least reliable
                of the name resolution methods as it  depends  on  the  target
                host being on a locally connected subnet.

       The default order is lmhosts, host, wins, bcast and without this param-
       eter or any entry in the smb.conf file the name resolution methods will
       be attempted in this order.

       username
              This specifies the username for all of the root only options to
              operate on. Only root can specify this parameter as only root
              has the permission needed to modify attributes directly in the
              local smbpasswd file.

       password
              This specifies the new password. If this parameter is specified
              you will not be prompted for the new password.
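
       The markers that -d, -e, -n and -m leave in the smbpasswd file can be
       audited directly from the file. The following is an added example, not
       part of the Samba distribution: the field layout (name:uid:LANMAN
       hash:NT hash:[flags]:LCT) and the 'W' machine flag are assumed from
       smbpasswd(5), and the sample entries and function names are constructed.

```python
import re

NULL = "NO PASSWORD" + "X" * 21          # 32-character null-password marker
OLD_DISABLED = "X" * 32                  # old-format "disabled" password space
H1, H2 = "0123456789ABCDEF" * 2, "FEDCBA9876543210" * 2   # constructed hashes

# Constructed sample; assumed smbpasswd(5) layout:
#   name:uid:LANMAN hash:NT hash:[account flags]:LCT-time:
SAMPLE = "\n".join([
    "# constructed test data",
    f"alice:1001:{H1}:{H2}:[U          ]:LCT-3E3B0000:",
    f"bob:1002:{NULL}:{NULL}:[NU         ]:LCT-3E3B0000:",
    f"carol:1003:{H1}:{H2}:[DU         ]:LCT-3E3B0000:",
    f"dave:1004:{OLD_DISABLED}:{OLD_DISABLED}:Dave:/home/dave:/bin/sh",
    f"ws01$:1005:{H1}:{H2}:[W          ]:LCT-3E3B0000:",
])

FLAGS_RE = re.compile(r"^\[([A-Z ]+)\]$")

def classify(line):
    """Return (username, findings) for one entry, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 5:
        return fields[0], {"malformed"}
    name, lanman, flags_field = fields[0], fields[2], fields[4]
    m = FLAGS_RE.match(flags_field)
    flags = m.group(1) if m else ""
    findings = set()
    if m is None:
        findings.add("old-format")          # no account control space
        if lanman == OLD_DISABLED:
            findings.add("disabled")        # -d on an old-format file writes 'X's
    if "D" in flags:
        findings.add("disabled")            # -d on a new-format file sets 'D'
    if lanman.startswith("NO PASSWORD"):
        findings.add("null-password")       # written by -n
    if "W" in flags:
        findings.add("machine-account")     # assumed workstation trust flag
    return name, findings

def audit(text):
    """Map each username in an smbpasswd file's text to its findings."""
    return dict(r for r in map(classify, text.splitlines()) if r)

def usable_null_accounts(text):
    """Accounts that log in with a blank password if 'null passwords = yes'."""
    return sorted(u for u, f in audit(text).items()
                  if "null-password" in f and "disabled" not in f)

if __name__ == "__main__":
    for user, found in audit(SAMPLE).items():
        print(user, sorted(found))
```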

       Since smbpasswd works in client-server mode communicating with a local
       smbd for a non-root user then the smbd daemon must be running for this
       to work. A common problem is to add a restriction to the hosts that may
       access the smbd running on the local machine by specifying an allow
       hosts or deny hosts entry in the smb.conf file and neglecting to allow
       "localhost" access to the smbd.

       In addition, the smbpasswd command is only useful if Samba has been set
       up  to use encrypted passwords. See the file ENCRYPTION.txt in the docs
       directory for details on how to do this.
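
       The smb.conf conditions mentioned on this page (an allow hosts or deny
       hosts entry that leaves out localhost, null passwords = yes, and
       encrypted passwords not being enabled) can be checked mechanically.
       This is an added example, not Samba's own code: the host-list matching
       is a simplification, and the "encrypt passwords" parameter name and its
       default of "no" are assumptions not stated on this page.

```python
import re

# Constructed smb.conf fragment for the demonstration (not from a real host).
SAMPLE_CONF = """\
[global]
   encrypt passwords = yes
   Null Passwords = Yes
   hosts allow = 192.168.10. 10.0.0.0/255.0.0.0
[homes]
   hosts allow = 127.
"""
TRUE = {"yes", "true", "1"}
ALIASES = {"allowhosts": "hostsallow", "denyhosts": "hostsdeny"}

def global_params(conf_text):
    """Return {name: value} for [global]; names lose case and whitespace."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            key = re.sub(r"\s+", "", name).lower()
            params[ALIASES.get(key, key)] = value.strip()
    return params

def covers_loopback(host_list):
    """True if a hosts allow/deny value names localhost, 127.* or ALL."""
    tokens = [t for t in re.split(r"[,\s]+", host_list.lower()) if t]
    if "except" in tokens:
        cut = tokens.index("except")
        if any(t == "localhost" or t.startswith("127.") for t in tokens[cut + 1:]):
            return False
        tokens = tokens[:cut]
    return any(t in ("localhost", "all") or t.startswith("127.") for t in tokens)

def check_conf(conf_text):
    """List the smbpasswd-related problems found in [global]."""
    p, findings = global_params(conf_text), []
    if p.get("nullpasswords", "no").lower() in TRUE:
        findings.append("null passwords enabled")
    allow, deny = p.get("hostsallow"), p.get("hostsdeny")
    allowed = allow is not None and covers_loopback(allow)
    denied = deny is not None and covers_loopback(deny)
    if not allowed and (allow is not None or denied):
        findings.append("localhost not allowed")
    # Assumption: "encrypt passwords" defaults to "no" in the 2.2 series.
    if p.get("encryptpasswords", "no").lower() not in TRUE:
        findings.append("encrypted passwords off")
    return findings

print(check_conf(SAMPLE_CONF))
```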

       This man page is correct for version 2.2 of the Samba suite.

       smbpasswd(5) samba(7)

       The original Samba software  and  related  utilities  were  created  by
       Andrew  Tridgell.  Samba  is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

       The original Samba man pages were written by Karl Auer. The man page
       sources were converted to YODL format (another excellent piece of Open
       Source software) and updated for the Samba 2.0 release by Jeremy
       Allison. The conversion to DocBook for Samba 2.2 was done by Gerald
       Carter.

                               01 February 2003                   SMBPASSWD(8)