Appendix C. Summary of Samba Daemons and Commands

This appendix is a reference listing of command-line options and other information to help you use the programs that come with the Samba distribution.

Samba Daemons

The following sections provide information about the command-line parameters for smbd, nmbd, and winbindd.

smbd

The smbd program provides Samba's file and printer services, using one TCP/IP stream and one daemon per client. It is controlled from /usr/local/samba/lib/smb.conf, the default configuration file, which can be overridden by command-line options.

The configuration file is automatically reevaluated every minute. If it has changed, most new options are immediately effective. You can force Samba to reload the configuration file immediately by sending a SIGHUP signal to smbd. Reloading the configuration file does not affect any clients that are already connected. To escape this condition, a client would need to disconnect and reconnect, or the server itself would have to be restarted, forcing all clients to reconnect.

Other Signals

To shut down an smbd process, send it the termination signal SIGTERM (15), which allows it to die gracefully, instead of a SIGKILL (9). With Samba versions prior to 2.2, the debugging level could be raised or lowered using SIGUSR1 or SIGUSR2. This is no longer supported. Use smbcontrol instead.

Command synopsis

smbd [options]

Options

-a

Causes each new connection to the Samba server to append all logging messages to the log file. This option is the opposite of -o and is the default.

-D

Runs the smbd program as a daemon. This is the recommended way to use smbd. It is also the default action when smbd is run from an interactive command line. In addition, smbd can be run from inetd.

-d debug_level

Sets the debug (sometimes called logging) level. The level can range from 0 to 10. Specifying the value on the command line overrides the value specified in the smb.conf file. Debug level 0 logs only the most important messages; level 1 is normal; levels 3 and above are primarily for debugging and slow smbd considerably.

-h

Prints usage information for the smbd command.

-i

Runs smbd interactively, rather than as a daemon. This option is used to override the default daemon mode when smbd is run from the command line.

-l log_ directory

Sends the log messages to somewhere other than the location compiled into the executable or specified in the smb.conf file. The default is often /usr/local/samba/var/, /usr/samba/var/, or /var/log/. The log file is placed in the specified directory and named log.smbd. If the directory does not exist, Samba's compiled-in default will be used.

-O socket_options

Sets the TCP/IP socket options, using the same parameters as the socket options configuration option. Often used for performance tuning and testing.

-o

Causes log files to be overwritten when opened (the opposite of -a). Using this option saves you from hunting for the right log entries if you are performing a series of tests and inspecting the log file each time.

-p port_number

Sets the TCP/IP port number from which the server will accept requests. All Microsoft clients send to the default port of 139, except for Windows 2000/XP, which can use port 445 for SMB networking, without the NetBIOS protocol layer.

-P

Causes smbd to run in "passive" mode, in which it just listens, and does not transmit any network traffic. This is useful only for debugging by developers.

-s configuration_ file

Specifies the location of the Samba configuration file. Although the file defaults to /usr/local/samba/lib/smb.conf, you can override it on the command line. Typically used for debugging.

-v

Prints the current version of Samba.

nmbd

The nmbd program is Samba's NetBIOS name service and browsing daemon. It replies to NetBIOS over TCP/IP (also called NetBT or NBT) name-service requests broadcast from SMB clients, and optionally to Microsoft's Windows Internet Name Service (WINS) requests. Both are versions of the name-to-address lookup required by SMB clients. The broadcast version uses UDP broadcast on the local subnet only, while WINS uses TCP, which can be routed. If running as a WINS server, nmbd keeps a current name and address database in the file /usr/local/samba/var/locks/wins.dat.

An active nmbd daemon also responds to browsing protocol requests used by the Windows Network Neighborhood. This protocol provides a dynamic directory of servers, as well as the disks and printers that the servers are providing. As with WINS, this was initially done by making UDP broadcasts on the local subnet. With the addition of the local master browser to the network architecture, it is done by making TCP connections to a server. If nmbd is acting as a local master browser, it stores the browsing database in the file /usr/local/samba/var/locks/browse.dat.

Some clients (especially older ones) cannot use the WINS protocol. To support these clients, nmbd can act as a WINS proxy, accepting broadcast requests from the non-WINS clients, contacting a WINS server on their behalf, and returning the WINS server's response to them.

Signals

Like smbd, the nmbd program responds to several Unix signals. Sending nmbd a SIGHUP signal causes it to dump the names it knows about to the /usr/local/samba/var/locks/namelist.debug file. To shut down an nmbd process and allow it to die gracefully, send it a SIGTERM (15) signal, rather than a SIGKILL (9). With Samba versions prior to 2.2, the debugging level could be raised or lowered using SIGUSR1 or SIGUSR2. This is no longer supported. Use smbcontrol instead.

Command synopsis

nmbd [options]

Options

-a

Causes each new connection to the Samba server to append all logging messages to the log file. This option is the opposite of -o and is the default.

-d debug_level

Sets the debug (sometimes called logging) level. The level can range from 0 to 10. Specifying the value on the command line overrides the value specified in the smb.conf file. Debug level 0 logs only the most important messages; level 1 is normal; levels 3 and above are primarily for debugging and slow nmbd considerably.

-D

Instructs the nmbd program to run as a daemon. This is the recommended way to use nmbd and is the default when nmbd is run from an interactive shell. In addition, nmbd can be run from inetd.

-h

Prints usage information for the nmbd command.

-H lmhosts_ file

Specifies the location of the lmhosts file for name resolution. This file is used only to resolve names for the local server, and not to answer queries from remote systems. The compiled-in default is commonly /usr/local/samba/lib/lmhosts, /usr/samba/lib/lmhosts, or /etc/lmhosts.

-i

Runs nmbd interactively, rather than as a daemon. This option is used to override the default daemon mode when nmbd is run from the command line.

-l log_ file

Sends the log messages to somewhere other than the location compiled into the executable or specified in the smb.conf file. The default is often /usr/local/samba/var/log.nmbd, /usr/samba/var/log.nmbd, or /var/log /log.nmbd.

-n NetBIOS_name

Allows you to override the NetBIOS name by which the daemon advertises itself. Specifying this option on the command line overrides the netbios name option in the Samba configuration file.

-O socket_options

Sets the TCP/IP socket options, using the same parameters as the socket options configuration option. Often used for performance tuning and testing.

-o

Causes log files to be overwritten when opened (the opposite of -a). This option saves you from hunting for the right log entries if you are performing a series of tests and inspecting the log file each time.

-p port_number

Sets the UDP port number from which the server accepts requests. Currently, all Microsoft clients use only the default port, 137.

-s configuration_ file

Specifies the location of the Samba configuration file. Although the file defaults to /usr/local/samba/lib/smb.conf, you can override it here on the command line. Typically used for debugging.

-v

Prints the current version of Samba.

winbindd

The winbindd daemon is part of the winbind service and is used to allow Unix systems to obtain user and group information from a Windows NT/2000 server. Winbind maps Windows relative IDs (RIDs) to Unix UIDs and GIDs and allows accounts stored on the Windows server to be used for Unix authentication. Its purpose is to ease integration of Microsoft and Unix networks when a preexisting Windows domain controller is set up to handle user and computer accounts.

The daemon is accessed by users via the name service switch and PAM. The name service switch calls a library (/lib/libnss_winbind.so), which calls the daemon, which in turn calls the Windows NT/2000 server using Microsoft RPC. The PAM module for winbind can call the daemon similarly, allowing users whose accounts are stored on the Windows server to log in to the Unix system and run an interactive shell, FTP, or any other program that authenticates users through PAM.

The winbind subsystem is currently available only for the Linux operating system and a few other systems that use shared libraries, nsswitch and PAM.

Command synopsis

winbindd [options]

Options

-d debuglevel

Sets the debug (sometimes called logging) level. The level can range from 0 to 10. Specifying the value on the command line overrides the value specified in the smb.conf file. Debug level 0 logs only the most important messages; level 1 is normal; levels 3 and above are primarily for debugging.

-i

Runs winbindd interactively. This option is used to override the default, which is for winbindd to detach and run as a daemon.

Samba Distribution Programs

This section lists the command-line options and subcommands provided by each nondaemon program in the Samba distribution.

findsmb

This Perl script reports information about systems on the subnet that respond to SMB name-query requests. The report includes the IP address, NetBIOS name, workgroup/domain, and operating system of each system.

Command synopsis

findsmb [subnet_broadcast_address]

If a different subnet's broadcast address is provided, it will find SMB servers on that subnet. If no subnet broadcast address is supplied, findsmb will look on the local subnet.

The output from findsmb looks like this:

$ findsmb
                                *=DMB
                                +=LMB
IP ADDR         NETBIOS NAME     WORKGROUP/OS/VERSION
---------------------------------------------------------------------
172.16.1.1      TOLTEC         *[METRAN] [Unix] [Samba 2.2.6]
172.16.1.3      MIXTEC         +[METRAN] [Unix] [Samba 2.2.6]
172.16.1.4      ZAPOTEC         [METRAN] [Windows 5.0] [Windows 2000 LAN Manager]
172.16.1.5      HUASTEC         [       METRAN        ]
172.16.1.6      MAYA            [       METRAN        ]
172.16.1.7      OLMEC           [METRAN] [Windows 5.1] [Windows 2000 LAN Manager]
172.16.1.10     UTE             [       METRAN        ]
172.16.1.13     DINE            [METRAN] [Windows NT 4.0] [NT LAN Manager 4.0]

The system with an asterisk (*) in front of its workgroup name is the domain master browser for the workgroup/domain, and the system with a plus sign (+) preceding its workgroup name is the local master browser.

The findsmb command was introduced during the development of Samba 2.2 and is installed by default in Samba Versions 2.2.5 and later.

make_smbcodepage

This program is part of the internationalization features of Samba 2.2 and is obsolete in Samba 3.0, which supports Unicode automatically. The make_smbcodepage program compiles a binary codepage file from a text-format codepage definition. It can also perform the reverse operation, decompiling a binary codepage file into a text version. Examples of text-format codepage files can be found in the Samba distribution in the source/codepages directory. After Samba has been installed, examples of binary codepages can be found in the directory /usr/local/samba/lib/codepages.

Command synopsis

make_smbcodepage c|d codepage_number input_file output_file

For the first argument, use c to compile a codepage and d to decompile a codepage file. The codepage_number argument is the number of the codepage being processed (e.g., 850). The input_file and output_file are the text- and binary-format codepages, with the types dependent on the operation (compiling or decompiling) that is being performed.

make_unicodemap

This program is part of the internationalization features of Samba 2.2 and is obsolete in Samba 3.0, which supports Unicode automatically. The make_unicodemap command compiles binary Unicode maps from text files, so Samba can display non-ASCII characters in file and directory names via the Unicode international alphabets. Examples of input mapping files can be found in the directory source/codepages in the Samba source distribution.

Command synopsis

make_unicodemap codepage_number inputfile outputfile

The input file is an ASCII map; the output file is a binary file loadable by Samba. The codepage is the number of the DOS codepage (e.g., 850) for the map.

net

The net command, new to Samba 3.0, is a program with a syntax similar to the MS-DOS/Windows command of the same name. It is used for performing various administrative functions related to Windows networking, which can be executed either locally or on a remote system.

Command synopsis

net [method] function [misc_options] [target_options]

The function argument is made up of one or more space-separated words. In Windows terminology, it is sometimes referred to as a function with options. Here we list every function in its complete form, including multiple words.

By default, the action is performed on the local system. The target_options argument can be used to specify a remote system (either by hostname or IP address), a domain, or a workgroup.

Depending on the function, the method argument can be optional, required, or disallowed. It specifies one of three methods for performing the operation specified by the rest of the command. It can be ads (Active Directory), rpc (Microsoft's DCE/RPC), or rap (Microsoft's original SMB remote procedure call). To determine which methods (if any) can be used with a function, the net help ads, net help rap, and net help rpc commands can be used to list the functions for each method.

Miscellaneous options

-d level
--debug=level

Sets the debug (sometimes called logging) level. The level can range from 0 to 10.

-l
--long

Specifies the long listing mode. This is provided for functions that print informational listings.

-n name
--myname=name

Specifies the NetBIOS name for the client.

-p port
--port=port

Specifies the port number to use.

-s filename
--conf=filename

Specifies the name of the Samba configuration file, overriding the compiled-in default.

-U username[%password]
--user=username[%password]

Specifies the username and, optionally, the password to use for functions that require authentication.

-W name
--myworkgroup=name

Specifies the name of the client's workgroup, overriding the definition of the workgroup parameter in the Samba configuration file.

Target options

-S hostname

Specifies the remote system using a hostname or NetBIOS name.

-I ip_address

Specifies the remote system using its IP address.

-w workgroup

Specifies the name of the target domain or workgroup.

Functions

abortshutdown

See the rpc abortshutdown function.

ads info

Prints information about the Active Directory server. The method (ads) must be specified to differentiate this function from the rpc info function.

ads join OU

Joins the local system to the Active Directory realm (organizational unit) specified by OU. The method (ads) must be specified to differentiate this function from the rpc join function.

ads leave

Removes the local system from the Active Directory realm.

ads password username@REALM -Uadmin_username@REALM%admin_password

Changes the Active Directory password for the user specified by username@REALM. The administrative account authentication information is specified with the -U option. The Active Directory realm must be supplied in all uppercase.

ads printer info [printer] [server]

Prints information on the specified printer on the specified server. The printer argument defaults to an asterisk (*), meaning all printers, and the server argument defaults to localhost.

ads printer publish printer_name

Publishes the specified printer in Active Directory.

ads printer remove printer_name

Removes the specified printer from Active Directory.

ads search expr attrib

Performs a raw Active Directory search, using the standard LDAP search expression and attributes specified by the expr and attrib arguments, respectively.

ads status

Prints details about the Active Directory computer account of the system.

change localhost pass

Changes the Active Directory password for the local system's computer trust account.

domain

Lists the domains or workgroups on the network.

file

Lists open files on the server.

file close file_id

Closes the specified file.

file info file_id

Prints information about the specified file, which must be open.

file user username

Lists all files opened on the server by the user specified by username.

group add group_name

Adds the specified group. This function accepts the miscellaneous option -C comment (which can also be specified as - -comment=string) to set the descriptive comment for the group.

group delete group_name

Deletes the specified group.

groupmember add group_name username

Adds the user specified by username to the group specified by group_name.

groupmember delete group_name username

Deletes the user specified by username from the group specified by group_name.

groupmember list group_name

Lists the users who are members of the specified group.

help

Prints a help message for the net command.

help method

Prints a help message for method, which can be ads, rap, or rpc. This lists the functions that can use the method, along with a brief description.

help function

Prints a help message for the specified function, which can be more than one word.

info

Must be preceded by a method. See the ads info and rpc info functions.

join

Joins the computer to a Windows NT domain or Active Directory realm. If the method argument is not specified, a check is made to determine if Active Directory is in use, and if so, ads join is performed. Otherwise, rpc join is run. See also the ads join and rpc join functions.

leave

Must be preceded by a method. See the ads leave function.

lookup dc [domain]

Prints the IP address of the specified domain's domain controllers. The domain defaults to the value of the workgroup parameter in the Samba configuration file.

lookup host hostname [type]

Prints the IP address of the specified host.

lookup kdc [realm]

Prints the IP address of the specified realm's Kerberos domain controller. If realm is not specified, it defaults to the value of the realm parameter in the Samba configuration file.

lookup ldap [domain]

Prints the IP address of the specified domain's LDAP server. If domain is not specified, it defaults to the value of the workgroup parameter in the Samba configuration file.

lookup master [domain]

Prints the IP address of the master browser of the specified domain or workgroup. If domain is not specified, it defaults to the value of the workgroup parameter in the Samba configuration file.

password username old_password new_password

Changes the password for the user specified by the username argument. The user's old and new passwords are provided in plain text as part of the command. Be careful regarding security issues. See also the ads password function.

printer info

See the ads printer info function.

printer publish

See the ads printer publish function.

printer remove

See the ads printer remove function.

printq

Prints information (including the job IDs) about printer queues on the server.

printq delete queue_name

Deletes the specified printer queue. The -j job_id (which can also be specified as --jobid=job_id ) option may be used to specify the job ID of the queue.

rpc abortshutdown

Aborts the shutdown of a remote server.

rpc info

Prints information about the server's domain. The method (rpc) must be specified to differentiate this function from the ads info function.

rpc join

Joins a computer to a Windows NT domain. If the -U username%password option is included, the specified username and password will be used as the administrative account required for authenticating with the PDC. If the -U option is not included, this function can be used only to join the computer to the domain after the computer account has been created using the Server Manager. The method (rpc) must be specified to differentiate this function from the ads join function.

rpc shutdown

Shuts down a server. This function accepts the -r, -f, -t, and -c miscellaneous options. The -r option (which can also be specified as --reboot) requests that the system reboot after shutting down. The -f option (which can also be specified as --force) forces a shutdown. The -t timeout option (which can also be specified as - -timeout=number) specifies the number of seconds to wait before shutting down, and the -c comment option (which can also be specified as - -comment=string) can be used to specify a message to the client user. On Windows, the comment appears in the Message area in the System Shutdown dialog box.

rpc trustdom add domain_name

Adds an account for the trust relationship with the specified Windows NT domain.

rpc trustdom establish domain_name

Establishes a trust relationship with the specified Windows NT domain.

rpc trustdom revoke domain_name

Revokes the trust relationship with the specified Windows NT domain.

search

See the ads search function.

server

Lists servers in the domain or workgroup, which defaults to the value of the workgroup parameter in the Samba configuration file.

session

Lists clients with open sessions to the server.

session delete NetBIOS_name

Closes the session to the server from the specified client. A synonym is session close.

session close

A synonym for session delete.

share

Lists the shares offered by the server. When a Windows 95/98/Me server is the target system, it might be necessary to specify the method as rap for this to work properly.

share add share_name=server_path

Adds a share on the target server. The name of the share and the folder to be shared are specified by the share_name=server_path argument, with server_path the Windows directory name, with spaces and other special characters (if any) quoted and with the backslashes escaped (e.g., "data=C:\\Documents and Settings\\jay\\Desktop\\data"). The -C comment option (which can also be specified as - -comment=string) can be used to define a description for the share. The -M number option (which can also be specified as --maxusers=number) can be used to set the maximum number of users that can connect to the share. The method (rap or rpc) might need to be specified for this function to work. The regular folder icon cannot change into a "shared folder" icon in Windows Explorer until the display is refreshed.

share delete share_name

Deletes a share from the target server. The share_name argument is simply the name of the share on the target server, not a UNC. The method (rap or rpc) might need to be specified for this function to work. The "shared folder" icon in Windows Explorer cannot change back to the regular folder icon until the display is refreshed.

shutdown

See the rpc shutdown function.

status

See the ads status function.

time

Displays the system time—in Unix date command format—on the target system.

time set

Sets the local system's hardware clock using the time obtained from the operating system.

time system

Sets the time on the local system using the time obtained from the remote system.

time zone

Prints the time zone (in hours from GMT) in use on the system.

trustdom add

See the rpc trustdom add function.

trustdom establish

See the rpc trustdom establish function.

trustdom revoke

See the rpc trustdom revoke function.

user

Lists user accounts. The method can be specified as ads, rap, or rpc.

user add username [password]

Adds a user account for the user specified by username. The -c comment option (which can also be specified as - -comment=string) can be used to set a comment for the account. The -F user_flags option can be used to set flags (specified in numeric format) for the account. The method can be specified as ads, rap, or rpc.

user delete username

Deletes the specified user's account. The method can be specified as ads, rap, or rpc.

user info username

Lists the domain groups to which the specified user belongs. The method can be specified as ads, rap, or rpc.

nmblookup

The nmblookup program is a client program that allows command-line access to NetBIOS name service for resolving NetBIOS computer names into IP addresses. The program works by broadcasting its queries on the local subnet until a machine with the specified name responds. You can think of it as a Windows analog of nslookup or dig. This is useful for looking up regular computer names, as well as special-purpose names, such as _ _MSBROWSE_ _ . If you wish to query for a particular type of NetBIOS name, add the NetBIOS type to the end of the name, using the format netbios_name#<dd>.

Command synopsis

nmblookup [options] netbios_name

Options

-A

Interprets netbios_name as an IP address and does a node status query on it.

-B broadcast_address

Sends the query to the given broadcast address. The default is to send the query to the broadcast address of the primary network interface.

-d debug_level

Sets the debug (sometimes called logging) level. The level can range from 0 to 10. Debug level 0 logs only the most important messages. Level 1 is normal; levels 3 and above are primarily used by developers for debugging the nmblookup program itself and slow the program considerably.

-f

Prints the flags in the packet headers.

-h

Prints command-line usage information for the program.

-i scope

Sets a NetBIOS scope identifier. NetBIOS scope is a rarely used precursor to workgroups.

-M

Searches for a local master browser by looking up netbios_name<1d>. If netbios_name is specified as a dash (-), a lookup is done on the special name _ _MSBROWSE_ _ .

-R

Sets the "recursion desired" bit in the packet. This causes the system that responds to try a WINS lookup and return the address and any other information the WINS server has saved.

-r

Uses the root port of 137. This option exists as a bug workaround for Windows 95. This option might require the user to be superuser.

-S

Performs a node status query once the name query has returned an IP address. This returns all the resource types that the system knows about, including their numeric attributes. For example:

$ nmblookup -S toltec
querying toltec on 172.16.1.255
172.16.1.1 toltec<00>
Looking up status of 172.16.1.1
    TOLTEC          <00> -         M <ACTIVE>
    TOLTEC          <03> -         M <ACTIVE>
    TOLTEC          <20> -         M <ACTIVE>
    ..__MSBROWSE__. <01> - <GROUP> M <ACTIVE>
    METRAN          <00> - <GROUP> M <ACTIVE>
    METRAN          <1b> -         M <ACTIVE>
    METRAN          <1c> - <GROUP> M <ACTIVE>
    METRAN          <1d> -         M <ACTIVE>
    METRAN          <1e> - <GROUP> M <ACTIVE>
-s configuration_ file

Specifies the location of the Samba configuration file. Although the file defaults to /usr/local/samba/lib/smb.conf, you can override it here on the command line. Normally used for debugging.

-T

Translates IP addresses into resolved names.

-U unicast_address

Performs a unicast query to the specified address. Used with -R to query WINS servers.

Note that nmblookup has no option for setting the workgroup. You can get around this by putting workgroup = workgroup_name in a file and passing it to nmblookup with the -s option.

pdbedit

This program, new to Samba 3.0, can be used to manage accounts that are held in a SAM database. The implementation of the database can be any of the types supported by Samba, including the smbpasswd file, LDAP, NIS+ and the tdb database library. The user must be the superuser to use this tool.

Command synopsis

pdbedit [options]

Options

-a

Adds the user specified by the -u option to the SAM database. The command issues a prompt for the user's password.

-d drive_letter

Sets the Windows drive letter to which to map the user's home directory. The drive letter should be specified as a letter followed by a colon—e.g., H:.

-D debug_level

Sets the debug (sometimes called logging) level. The level can range from 0 to 10. Debug level 0 logs only the most important messages. Level 1 is normal, and levels 3 and above are primarily for debugging.

-e pwdb_backend

Exports the user account database to another format, written to the specified location. Used for migrating from one type of account database to another. The pwdb_backend argument is specified in the format of a database type, followed by a colon, then the location of the database. For example, to export the existing account database to an smbpasswd database in the file /usr/local/samba/private/smbpw, pwdb_backend would be specified as smbpasswd:/usr/local/samba/private/smbpw. The allowable database types are smbpasswd, smbpasswd nua, tdbsam, tdbsam nua, ldapsam, ldapsam_nua, and plugin.

-f full_name

Sets the full name of the user specified with the -u option.

-h unc

Sets the home directory path (as a UNC) for the user specified with the -u option.

-i pwdb_backend

Specifies a password database backend from which to retrieve account information, overriding the one specified by the passdb backend parameter in the Samba configuration file. This, along with the -e option, is useful for migrating user accounts from one type of account database to another. See the -e option regarding how to specify the pwdb_backend argument.

-l

Lists the user accounts in the database. See also the -v option.

-m

Indicates that the account is a computer account rather than a user account. Used only with the -a option when creating the account. In this case, the -u option specifies the computer name rather than a username.

-p unc

Sets the directory in which the user's profile is kept. The directory is specified as a UNC.

-s unc

Specifies the UNC of the user's logon script.

-u username

Specifies the username of the account to add (with the -a option), delete (with the -x option), or modify.

-v

Selects verbose mode when listing accounts with the -l option. The account fields will be printed.

-w

Selects the smbpasswd listing mode, for use with the -l option, which prints information in the same format as it would appear in an smbpasswd file.

-x

Deletes the user (specified with the -u option) from the account database.

rpcclient

This is a program for issuing administrative commands that are implemented using Microsoft RPCs. It provides access to the RPCs that Windows administrative GUIs use for system management. The rpcclient command is mainly for use by advanced users who understand the RPCs. More information on these can be found in Microsoft's Platform Software Development Kit (SDK), available for download from the Microsoft web site at http://www.microsoft.com.

You can run a single rpcclient command by using the -c command string option, or interactively with rpcclient prompting for commands.

Command Synopsis

rpcclient server [options]

Options

-A filename

Specifies a file from which to read the authentication values used in the connection. The format of the file is as follows:

username = value
password = value
domain   = value

This option is used to avoid password prompts or to have the password appear in plain text inside scripts. The permissions on the file should be very restrictive (0600, for example) to prevent access from unwanted users.

-c command_string

Executes a sequence of semicolon-separated commands. Commands are listed in the following section.

-d debuglevel

Sets the debug (sometimes called logging) level. The level can range from 0 to 10. Specifying the value on the command line overrides the value specified in the smb.conf file. Debug level 0 logs only the most important messages; level 1 is normal; levels 3 and above are primarily for debugging and slow the program considerably.

-h

Prints a summary of options.

-l logbasename

Sets the filename for log/debug files. The extension .client is appended to the filename.

-N

Does not prompt for a password. This is used when Samba is configured for share-mode security and a service with no password is being accessed.

-s filename

Specifies the location of the Samba configuration file, which by default is usually /usr/local/samba/lib/smb.conf.

-U username[%password]

Sets the SMB username or username and password to use. Be careful when specifying the password with %password; this is a major security risk. If %password is not specified, the user will be prompted for the password, which will not be echoed. Normally the user is set from the USER or LOGNAME environment variable. The -U option by itself means to use the guest account. See also -A.

-W domain

Sets the domain, overriding the workgroup parameter in the Samba configuration file. If the domain is the server's NetBIOS name, it causes the client to log on using the server's local SAM database rather than the SAM of the domain.

rpcclient commands

Aside from a few miscellaneous commands, the rpclient commands fall into three groups: LSARPC, SAMR, and SPOOLSS. The function names mentioned in some of the commands are those documented in the Microsoft Platform SDK.

General commands

debuglevel level

Sets the debugging level to level. With no argument, the current debugging level is printed.

help

Prints help on the commands.

quit

Exits rpcclient. A synonym is exit.

Local Security Authority Remote Procedure Calls (LSARPC) commands

enumprivs

Lists the types of privileges known to this domain.

enumtrust

Lists the domains trusted by this domain.

getdispname priv_name

Prints information on the privilege named priv_name.

lookupsids name

Finds a name that corresponds to a security identifier (SID).

lookupnames sid

Finds the SID for one or more names.

lsaquery

Queries the LSA object.

lsaenumsid

Lists SIDs for the local LSA.

lsaquerysecobj

Prints information on security objects for the LSA.

Security Access Manager RPC (SAMR) commands

createdomuser username

Adds a new user in the domain.

deletedomuser username

Removes a user from the domain.

enumalsgroups type

Lists alias groups in the domain, along with their group RIDs. The type argument can be either builtin, to list Windows built-in groups such as Administrators and Power Users, or domain, to list groups in the domain. See also the queryuseraliases command.

enumdomgroups

Lists the groups in the domain, along with their group RIDs.

queryaliasmem user_rid

Prints information regarding alias membership. See also the queryuseraliases command.

querydispinfo

Prints out the account database. The information printed includes the RID, username, and full name of each user. The RID is printed in hexadecimal notation and can be used in this form for commands that take a RID as an argument.

querydominfo

Prints information regarding the domain. This includes the name of the domain, as well as the number of users, groups, and aliases.

querygroup group_rid

Given a group RID, prints the group name, description, number of members, and group description.

queryuser user_rid

Given a user RID, prints the corresponding username, full name, and other information pertaining to the user.

queryuseraliases type user_rid

Prints aliases for the user. The type argument can be either builtin or domain. Aliases are used with the Windows messaging service and act like usernames, but they can be attached to a computer rather than a user. This allows messages intended for a user to be sent to a computer on which the user is either not logged on, or logged on under another username.

queryusergroups user_rid

Prints information on each group inhabited by the user.

querygroupmem group_rid

Prints the RID and attributes for each member of the group.

samlookupnames type username

Looks up the username in the SAM database and prints its associated RID. The type argument can be either builtin, to look up built-in Windows usernames, or domain, to look up names in the domain.

samlookuprids type rid

Looks up rid in the SAM database and prints its associated group or username. The type argument can be either builtin, to look up built-in Windows usernames, or domain, to look up names in the domain. The RID argument can be given in either 0xDDD hexadecimal notation or decimal.

samquerysecobj

Prints information on security objects (such as ACLs) in the SAM database.

Windows NT/2000/XP Printing Services (SPOOLSS) commands

adddriver arch config_file

Adds a printer driver to the server. The driver files must already exist in the directory returned by getdriverdir. The arch argument can be one of Windows 4.0 for Windows 95/98/Me, or Windows NT x86, Windows NT PowerPC, Windows Alpha_AXP, and Windows NT R4000. Others might be introduced in the future.

The config_file should contain:

Long Printer Name:\
Driver File Name:\
Data File Name:\
Config File Name:\
Help File Name:\
NULL:\
Default Data Type:\

followed by a comma-separated list of files. Any empty fields should contain the string NULL.

addprinter printername sharename drivername port

Adds a printer on the remote server as sharename. The printer driver must already be installed on the server with adddriver, and the port must be a valid port name returned by enumports.

deldriver drivername

Deletes a printer driver (for all architectures) from the server's list of printer drivers.

enumports [level]

Prints information regarding the printer ports on the server. The level argument can be 1 or 2. Level 1 is the default and prints out only the Port Name. Information level 2 is the Port Name, Monitor Name, Description, and Port Type.

enumdrivers [level]

Lists all the printer drivers on the system. The level argument specifies the information level. Level 1 is the default and prints the Driver Name(s). Level 2 prints the Version, Driver Name, Architecture, Driver Path, Data File, and Config File. Level 3 prints the contents of Level 2, plus the Help File, one or more Dependent Files, Monitor Name, and Default Data Type.

enumprinters [level]

Lists all installed printers, regardless of whether they are shared. The level argument specifies the information level. Level 1 is the default, and prints Flags, Name, Description, and Comment. Level 2 prints the Server Name, Printer Name, Share Name, Port Name, Driver Name, Comment, Location, Separator File, Print Processor, Data Type, Parameters, Attributes, Priority, Default Priority, Start Time, Until Time, Status, Current Jobs, Average PPM (pages per minute), and a Security Descriptor.

getdriver [level] printername

Prints the printer driver information for the given printer. The level argument specifies the information level.

Level 1 is the default, and prints the Driver Name. Level 2 prints the Version, Driver Name, Architecture, Driver Path, Data File, and Config File. Level 3 prints the contents of level 2, plus the Help File, one or more Dependent Files, Monitor Name, and Default Data Type.

getdriverdir arch

Retrieves the share name and directory for storing printer driver files for a given architecture. Possible values for arch are "Windows 4.0" for Windows 95/98/Me, "Windows NT x86" for Windows NT on Intel, "Windows NT PowerPC" for Windows NT on PowerPC, "Windows Alpha AXP" for Windows NT on Alpha, and "Windows NT R4000" for Windows NT on MIPS. Include the quote marks in the command.

getprinter printername

Prints the current printer information. The level argument specifies the information level.

openprinter printername

Attempts to open and close a specified printer and reports whether it was successful.

setdriver printername drivername

Unconditionally updates the printer driver used by an installed printer. Both the printer and printer driver must already be correctly installed on the print server.

setprinter printername comment

Assigns a comment string to a printer.

smbcacls

This program provides a way of modifying Windows NT ACLs on files and directories shared by the Samba server.

Command synopsis

smbcacls //server/share filename [options]

Options

-A acls

Adds one or more ACLs to the file or directory. Any ACLs already existing for the file or directory are unchanged.

-M acls

Modifies the mask of the ACLs specified. Refer to the following section, "Specifying ACLs," for details.

-D acls

Deletes the specified ACLs.

-S acls

Sets the specified ACLs, deleting any ACLs previously set on the file or directory. The ACLs must contain at least a revision, type, owner, and group.

-U username

Sets the username used to connect to the specified service. The user is prompted for a password unless the argument is specified as username%password. (Specifying the password on the command line is a security risk.) If -U domain\\username is specified, the specified domain or workgroup will be used in place of the one specified in the smb.conf file.

-C username

Changes the owner of the file or directory. This is a shortcut for -M OWNER:username. The username argument can be given as a username or a SID in the form S-1-N-N-D-D-D-R.

-G groupname

Changes the group of the file or directory. This is a shortcut for -M GROUP:groupname. The groupname argument can be given as a group name or a SID in the form S-1-N-N-D-D-D-R.

-n

Causes all ACL information to be displayed in numeric format rather than in readable strings.

-h

Prints a help message.

Specifying ACLs

In the previous options, the same format is always used when specifying ACLs. An ACL is made up of one or more Access Control Entries (ACEs), separated by either commas or escaped newlines. An ACE can be one of the following:

REVISION:revision_number

OWNER:username_or_SID

GROUP:group_name_or_SID

ACL:name_or_SID:type/flags/mask

The revision_number should always be 1. The OWNER and GROUP entries can be used to set the owner and group for the file or directory. The names can be the textual ones or SIDs in the form S-1-N-N-D-D-D-R.

The ACL entry specifies what access rights to apply to the file or directory. The name_or_SID field specifies to which user or group the permissions apply and can be supplied either as a textual name or a SID. An ACE can be used to either allow or deny access. The type field is set to 1 to specify a permission to be allowed or 0 for specifying a permission to deny. The mask field is the name of the permission and is one of the following:

R

Read access.

W

Write access.

X

Execute permission.

D

Permission to delete.

P

Change permissions on the object.

O

Take ownership.

The following combined permissions can also be specified:

READ

Equivalent to RX permissions

CHANGE

Equivalent to RWXD permissions

FULL

Equivalent to RWXDPO permissions

The flags field is for specifying how objects in directories are to inherit their default permissions from their parent directory. For files, flags is normally set to 0. For directories, flags is usually set to either 9 or 2.

smbclient

The smbclient program is the "Swiss army knife" of the Samba suite. Initially developed as a testing tool, it has become a command shell capable of acting as a general-purpose Unix client, with a command set very similar to that of ftp. It offers the following set of functions:

Command synopsis

smbclient //server/share [ password] [options]

It is possible to run smbclient noninteractively, for use in scripts, by specifying the -c option along with a list of commands to execute. Otherwise, smbclient runs in interactive mode, prompting for commands such as this:

smb:\>

The backslash in the prompt is replaced by the current directory within the share as you change your working directory with smbclient's cd command.

Options

-A authfile

Specifies a file from which to read the username and password used for the connection. The format of the file is as follows:

username = value
password = value
domain   = value

This is to avoid having the password prompted for or have it appear in plain text in scripts. The permissions on the file should be very restrictive (0600, for example) to prevent access by unwanted users.

-b buffer_size

Sets the size of the buffer used when transferring files. It defaults to 65520 bytes and can be changed as a tuning measure. Generally it should be quite large or set to match the size of the buffer on the remote system. It can be set smaller to work around Windows bugs: some Windows 98 systems work best with a buffer size of 1200.

-B IP_addr

Sets the broadcast address.

-c command_string

Passes a command string to the smbclient command interpreter. The argument consists of a semicolon-separated list of commands to be executed.

-d debug_level

Sets the debug (logging) level, from 0 to 10, with A for all. Overrides the value in smb.conf. Debug level 0 logs only the most important messages; level 1 is normal; debug levels 3 and above are for debugging and slow smbclient considerably.

-D init_dir

Upon starting up, causes smbclient to change its working directory to init_dir on the remote host.

-E

Sends output from commands to stderr instead of stdout.

-h

Prints the command-line help information (usage) for smbclient.

-I IP_address

Sets the IP address of the server to which the client connects.

-i scope

Sets a NetBIOS scope identifier.

-l log_ file

Sends the log messages to log_file rather than to the log file specified in the Samba configuration file or the compiled-in default.

-L server

Lists services (shares) offered by the server. This can be used as a quick way to test an SMB server to see if it is working. If there is a name-service problem, use the -I option to specify the server.

-M NetBIOS_name

Allows you to send messages using the Windows messaging protocol. Once a connection is established, you can type your message, pressing Ctrl-D to end. The -U and -I options can be used to control the "From" and "To" parts of the message.

-N

Suppresses the password prompt. Useful when using share mode security and accessing a service that has no password.

-n NetBIOS_name

Allows you to override the NetBIOS name by which smbclient will advertise itself.

-O socket_options

Sets the TCP/IP socket options using the same parameters as the socket options configuration option. Often used for performance tuning and testing.

-p port_number

Sets the port number with which smbclient will connect.

-R resolve_order

Sets the resolve order of the name servers. This option is similar to the resolve order configuration option and can take any of the four parameters lmhosts, host, wins, and bcast, in any order. If more than one is specified, the argument is specified as a space-separated list. This option can be used to test name service by specifying only the name service to be tested.

-s filename

Specifies the location of the Samba configuration file. Used for debugging.

-t terminal_code

Sets the terminal code for Asian languages.

-T command_string tarfile

Runs the tar archiver, which is gtar compatible. The tar file that is written to or read from is specified by tarfile. The two main commands are c (create) and x (extract), which can be followed by any of these:

a

Resets the archive attribute on files after they have been saved. See also the g option.

b size

Sets the block size for writing the tar file, in 512-byte units.

g

Backs up only files that have their archive bit set. See also the a option.

I filename

Includes files and directories. This is the default, so specifying this is redundant. To perform pattern matching, see also the r option.

N filename

Backs up only those files newer than file.

q

Suppresses diagnostics.

r

Performs regular expression matching, which can be used along with the I or E option to include or exclude files.

X filename

Excludes files and directories.

-U username

Sets the username and, optionally, the password used for authentication when connecting to the share.

-W workgroup

Specifies the workgroup/domain in which smbclient will claim to be a member.

smbclient commands

help [smbclient_command]

With no command specified, prints a list of available commands. If a command is specified as an argument, a brief help message will be printed for it.

! [shell_command]

Shell escape. With no command specified, runs a Unix shell. If a command is specified, runs the command in a Unix shell.

altname filename

Causes smbclient to request from the server and then print the old-style, 8.3-format filename for the specified file.

cancel print_jobid [...]

Causes smbclient to request the server to cancel one or more print jobs, as specified by the numeric job IDs provided as arguments. See also the queue command, which prints job IDs.

chmod filename octal_mode

Requests that the server change the Unix file permissions on filename to octal_mode, specified in octal numeric format. Works only if the server supports Unix CIFS extensions.

chown filename UID GID

Requests that the server change the owner and group of the file specified by filename to those provided as decimal numeric arguments UID and GID. Works only if the server supports Unix CIFS extensions.

cd [directory]

With no argument, prints the current working directory on the remote system. If a directory name is supplied as an argument, changes the working directory on the remote system to that specified.

del filename

Requests that the server delete one or more files, as specified by the argument, from the current working directory. The argument can be a filename globbing pattern using the * and ? characters.

dir [filename]

With no arguments, prints a list of files and directories in the working directory on the server. If an argument is provided, only files and directories whose names match the argument will be listed. The argument can be a filename globbing pattern using the * and ? characters.

exit

Quits the smbclient program after terminating the SMB connection to the server.

get remote_file [local_file]

Copies the file specified by remote_file from the server to the local system. If no local_file argument is specified, smbclient will name the local file the same as it is named on the server. If local_file is specified, it will be used as the name of the local copy. See also the lowercase command.

help [command]

A synonym for the ? command.

lcd [directory]

If no argument is provided, prints the name of smbclient's working directory on the local system. If a directory name is provided as an argument, changes smbclient's working directory to the directory specified.

link link_name filename

Requests that the server create a hard link to filename and name it link_name. This command works only if the server supports Unix CIFS extensions.

lowercase

Toggles the boolean lowercasing setting. When this setting is on, names of files copied from the server with the get and mget commands will be changed to all lowercase. This is mainly used for accessing servers that report filenames in all uppercase only.

ls [filename]

A synonym for dir.

mask [globbing_pattern]

Sets the filename globbing pattern for use with the mget and mput commands when recursion is turned on. (When recursion is off, the setting has no effect.) Both mget and mput accept a globbing pattern as arguments; however, those patterns apply only to the current directory. This command specifies the pattern used for all subdirectories that are recursively traversed. The pattern stays in effect until it is changed with another mask command. To return the setting to its original default, specify a globbing_pattern of an asterisk (*), which matches all files. See also the mget, mput, and recurse commands.

mdir directory

A synonym for the mkdir command.

mget pattern

When recursion is turned off, copies files matching the file-globbing pattern, as specified by the argument, from the current working directory on the server to the local system. When recursion is on, the pattern argument is used to match directories in the current working directory, and the pattern specified by the mask command is used for matching files within each directory and all subdirectories. See also the lowercase, mask, and recurse commands.

print filename

Prints the specified file. This requires that smbclient be connected to a print share. See also the printmode command.

printmode mode

Sets the mode that is used by the print command. The mode can be either text, for printing text files such as the ASCII files commonly found on Unix, or graphics, for printing binary files.

prompt

Toggles the prompting mode. When prompting is on (the default), the mget and mput commands will interactively prompt the user for permission to transfer each file. The user can answer either y (yes) or n (no), followed by a newline, to this prompt. When prompting is off, all the files will be transferred with no prompts issued.

put local_file [remote_file]

Copies the file specified by local_file from the local to the remote system. If no remote_file argument is specified, smbclient will name the remote file the same as it is named on the local system. If remote_file is specified, it will be used as the name of the remote copy. See also the lowercase command.

queue

Prints information on the print queue on the server. This requires that smbclient is connected to a print share.

quit

A synonym for exit.

rd directory

A synonym for rmdir.

recurse

Toggles the recursion mode, which affects the mget and mput commands. When recursion is off (the default), the mget and mput commands will copy only files from the current working directory that match the file-globbing pattern specified as an argument to the command, and the pattern set by the mask command is ignored. When recursion is turned on, the mget and mput commands recursively traverse any directories that match the pattern specified as the argument to the command, and the pattern set by the mask command is used to match files in those directories.

rm filename

A synonym for del.

rmdir directory

Requests that the server remove the specified directory.

setmode filename attributes

Requests that the server assign the specified MS-DOS file attributes on the specified file. The attributes argument has the format of a leading plus sign (+) or minus sign (-) either to set or to unset the attribute(s), respectively, followed by one or more of the characters r (read), s (system), h (hidden), or a (archive).

symlink link_name filename

Requests that the server create a symbolic link named link_name to filename. This command works only if the server supports Unix CIFS extensions. The server will not create a link that refers to a file not in the share to which smbclient is connected.

tar cmd_str

Performs an archiving operation using the tar format. This is the interactive form of the -T command-line operation, and the cmd_str argument is specified in the same manner. See also the tarmode command.

blocksize size

Sets the block size, in units of 512 bytes, for files written by the tar command.

tarmode mode ...

Specifies how the tar command performs its archiving, including how it handles the archive attribute on files. Multiple mode arguments can be provided, chosen from the following:

full

All files will be included, regardless of whether their archive attribute is set. This is the default.

inc

Only files that have the archive attribute set will be included in the backup.

reset

The archive attribute will be unset by tar after the file is included in the archive.

noreset

The archive attribute will be left unchanged. This is the default.

system

Files with the system attribute set will be included in the archive. This is the default.

nosystem

Files with the system attribute set will not be included in the archive.

hidden

Files with the hidden attribute set will be included in the archive. This is the default.

nohidden

Files with the hidden attribute set will not be included in the archive.

verbose

As files are included in the archive (when creating the archive) or are read from the archive (when extracting it), the name of each file will be printed. This is the default.

noverbose

This turns verbose mode off, causing tar to perform its work quietly.

quiet

An antonym for the verbose mode. When quiet is on, verbose is off, and vice versa.

smbcontrol

The smbcontrol command sends control messages to running smbd or nmbd processes.

Command synopsis

smbcontrol -i [options]

or:

smbcontrol [options] process message-type [parameters]

Options

-i

Runs smbcontrol interactively, executing commands until a blank line or "q" is read. The user must have superuser privileges.

-s filename

Specifies the location of the Samba configuration file.

-d debuglevel

Sets the debugging level for logging. The debug level can be set from to 10.

Whether smbcontrol commands are issued in interactive mode or from the command line, the commands are in the same format. Each command has up to three parts:

process

Specifies the process or group of processes to which to send the message. If process is smbd, all smbd processes will receive the message. If process is nmbd, only the main nmbd process (identified by Samba's nmbd.pid file) receives the message. If process is the numeric PID of a running process on the system, that process will receive the message.

message-type

Specifies the type of message that is sent. For more information, see smbcontrol message types that follows.

parameters

Specifies additional parameters required by some messages.

smbcontrol message types

close-share share_name

Closes the connection to a share or shares. If share_name is specified as an asterisk (*), connections to all shares will be closed. To close a single connection, share_name is given as the name of a share, as specified in the Samba configuration file, not including the enclosing brackets. Warning: no message is printed if there is an error in specifying share_name.

debug num

Sets the debugging level. The num parameter specifies the level, which can be from 0 to 10.

debuglevel

Prints the current debugging level.

force-election

Can be used only with nmbd, telling it to force a master browser election.

ping number

Sends number of pings and reports when they receive a reply or timeout. Used for connectivity testing.

profile mode

Controls profiling statistics collection. If mode is on, profile statistics will be collected. If mode is off, collection of statistics is turned off. If mode is specified as count, only counting statistics are collected (and not timing statistics). If mode is flush, the data set is cleared (initialized).

profilelevel

Prints the current profiling level.

printer-notify printer_name

Sends a printer notify message to Windows NT/2000/XP for the specified printer. This message can be sent only to smbd. Warning: no message is printed if the printer_name parameter is specified incorrectly.

smbgroupedit

This command, new to Samba 3.0, sets up mappings between Unix groups and Windows NT/2000/XP groups and also allows a Unix group to become a domain group. This command must be run by the superuser.

Command synopsis

smbgroupedit [options]

Options

-a Unix_group_name

Adds a mapping for the specified Unix group. The -n option is used along with this option to specify the Windows NT group to which the Unix group is mapped.

-c SID

Changes a mapping between a Windows NT group and a Unix group. The Windows NT group is specified as a SID with this option, and the Unix group is specified with the -u option.

-d description

Specifies a comment for the mapping, which will be stored along with it.

-l

When used with the -v option, prints a long listing. This is the default. The information printed includes the name of the Windows NT group, its SID, its corresponding Unix group (if a mapping has been defined), the group type, the comment, and the privileges of the group.

-n Windows_group_name

Specifies the name of the Windows NT group. Used with the -a option.

-p privilege

Used along with the -a option to specify a Windows NT privilege to be given to the Unix group.

-s

When used with the -v option, prints a short listing. The information printed includes just the name of the Windows NT group, its SID, and, if a mapping has been defined, its corresponding Unix group. This option is useful for determining the SID of a group, for use with the -c option.

-t TYPE

Assigns a Windows group type to the group. TYPE is a single character, and is one of b (built-in), d (domain), or l (local).

-u Unix_group_name

Specifies the name of the Unix group to map to the Windows NT group. Used with the -c option.

-v

Prints a list of groups in the Windows NT domain in which the Samba server is operating. See also the -l and -s options.

-x Unix_group_name

Deletes the mapping for the Unix group specified.

smbmnt

This is a low-level helper program for mounting smbfs filesystems. It used by smbmount to do the privileged part of the mount operation on behalf of an ordinary user. Generally, users should not run this command directly.

Command synopsis

smbmnt mnt_point [options]

Options

-r

Mounts the filesystem as read-only.

-u uid

Specifies the UID to use for the owner of the files.

-g gid

Specifies the GID to use for the group of the files.

-f mask

Specifies the octal file mask.

-d mask

Specifies the octal directory mask.

-o options

Specifies the list of options that are passed to the smbfs module.

To allow users to mount SMB shares without help from an administrator, set the "set user ID" permission on the smbmnt executable. However, note that this can raise security issues.

smbmount

This program mounts an smbfs filesystem on a mount point in the Unix filesystem. It is typically called as mount.smb from mount, although it can also be run directly by users. After mounting the smbfs filesystem, smbmount continues to run as a daemon as long as the filesystem is mounted. It logs events in the file log.smbmount in the same directory as the other Samba log files (which is commonly /usr/local/samba/var by default). The logging level is controlled by the debug level parameter in the Samba configuration file.

Command synopsis

smbmount service mount_point [-o options]

The service argument specifies the SMB share to mount, given as a UNC. The mount_point argument specifies a directory to use as the mount point. The options to smbmount are specified as a comma-separated list of key=value pairs. The documented options are as follows. Others can be passed if the kernel supports them.

Options

username=name

Specifies the username to connect as. If this is not provided, the environment variable USER will be tried. The name can be specified as username%password, user/workgroup, or user/workgroup%password.

password=string

Specifies the SMB password. If no password is provided using this option, the username option, or the credentials option, the environment variable PASSWD is used. If that also does not exist, smbmount will prompt interactively for a password.

credentials=filename

Specifies a file that contains a username and password in the following format:

username = value
password = value
uid=number

Sets the Unix user ID to be used as the owner of all files in the mounted filesystem. It can be specified as a username or numeric UID. Defaults to the UID of the user running smbmount.

gid=number

Sets the Unix group ID to be used as the group for all files in the mounted filesystem. It can be specified as a group name or a numeric GID. Defaults to the GID of the user running smbmount.

port=number

Sets the TCP port number. This is 139, which is required by most Windows versions.

fmask=octal_mask

Sets the Unix permissions of all files in the mounted filesystem. Defaults to the user's current umask.

dmask=octal_mask

Sets the Unix permissions of all directories in the mounted filesystem. Defaults to the current umask.

debug=number

Sets the debugging level.

ip=host

Sets the destination hostname or IP address.

netbiosname=name

Sets the computer name to connect as. This defaults to the hostname of the local system.

workgroup=name

Sets the workgroup or domain.

sockopt=opts

Sets TCP socket options.

scope=num

Sets the NetBIOS scope.

guest

Don't expect or prompt for a password.

ro

Mounts the share read-only.

rw

Mounts the share read-write.

iocharset=charset

Sets the charset used by the Linux machine for codepage-to-charset translation. See also the codepage option.

codepage=page

Sets the DOS code page. See also the iocharset option.

ttl=milliseconds

Sets the time to live, in milliseconds, for entries in the directory cache. A higher value gives better performance on large directories and/or slower connections. The default is 1000ms. Try 10000ms (10 seconds) as a starting value if directory operations are visibly slow.

smbpasswd

The smbpasswd program provides the general function of managing encrypted passwords. How it works depends on whether it is run by the superuser or an ordinary user.

For the superuser, smbpasswd can be used to maintain Samba's smbpasswd file. It can add or delete users, change their passwords, and modify other attributes pertaining to the user that are held in the smbpasswd file.

When run by ordinary users, smbpasswd can be used only to change their encrypted passwords. In this mode of operation, smbpasswd acts as a client to the smbd daemon. The program will fail if smbd is not operating, if the hosts allow or hosts deny parameters in the Samba configuration file do not permit connections from localhost (IP address 127.0.0.1), or if the encrypted passwords option is set to no. It is also possible for smbpasswd to change a user's password when it is maintained on a remote system, including a Windows NT domain controller.

Command synopsis

When run by the superuser:

smbpasswd [options] [username] [password]

In this case, the username of the user whose smbpasswd entry is to be modified is provided as the second argument.

Otherwise:

smbpasswd [options] [password]

Superuser-only options

-a username

Adds a user to the encrypted password file. The user must already exist in the system password file (/etc/passwd ). If the user already exists in the smbpasswd file, the -a option changes the existing password.

-d username

Disables a user in the encrypted password file. The user's entry in the file will remain, but will be marked with a flag disabling the user from authenticating.

-e username

Enables a disabled user in the encrypted password file. This overrides the effect of the -d option.

-j domain

Joins the Samba server to a Windows NT domain as a domain member server. The domain argument is the NetBIOS name of the Windows NT domain that is being joined. See also the -r and -U options.

-m

Indicates that the account is a computer account in a Windows NT domain rather than a domain user account.

-n

Sets the user's password to a null password. For the user to authenticate, the parameter null passwords = yes must exist in the [global] section of the Samba configuration file.

-R resolve_order_list

Sets the resolve order of the name servers. This option is similar to the resolve order configuration option and can take any of the four parameters lmhosts, host, wins, and bcast, in any order. If more than one is specified, the argument is specified as a space-separated list.

-w password

For use when Samba has been compiled with the --with-ldapsam configure option. Specifies the password that goes with the value of the ldap admin dn Samba configuration file parameter.

-x username

Deletes the user from the smbpasswd file. This is a one-way operation, and all information associated with the entry is lost. To disable the account without deleting the user's entry in the file, see the -d option.

Other options

-c filename

Specifies the Samba configuration file, overriding the compiled-in default.

-D debug_level

Sets the debug (also called logging) level. The level can range from to 10. Debug level 0 logs only the most important messages; level 1 is normal; levels 3 and above are primarily for debugging and slow the program considerably.

-h

Prints command-line usage information.

-L

Causes smbpasswd to run in local mode, in which ordinary users are allowed to use the superuser-only options. This requires that the smbpasswd file be made readable and writable by the user. This is for testing purposes.

-r NetBIOS_name

Specifies on which machine the password should change. If changing a Windows NT domain password, the remote system specified by NetBIOS_name must be the PDC for the domain. The user's username on the local system is used by default. See also the -U option for use when the user's Samba username is different from the local username.

-R resolve_order

Sets the resolve order of the name servers. This option is similar to the resolve order configuration option and can take any of the four parameters lmhosts, host, wins, and bcast, in any order. If more than one is specified, the argument is specified as a space-separated list.

-s username

Causes smbpasswd not to prompt for passwords from /dev/tty, but instead to read the old and new passwords from the standard input. This is useful when calling smbpasswd from a script.

-S

Queries the domain controller of the domain, as specified by the workgroup parameter in the Samba configuration file, and retrieves the domain's SID. This will then be used as the SID for the local system. A specific PDC can be selected by combining this option with the -r option, and its domain's SID will be used. This option is for migrating domain accounts from a Windows NT primary domain controller to a Samba PDC.

-U username[%password]

Changes the password for username on the remote system. This is to handle instances in which the remote username and local username are different. This option requires that -r also be used. Often used with -j to provide the username of the administrative user on the primary domain controller for adding computer accounts.

smbsh

The smbsh program allows SMB shares to be accessed from a Unix system. When smbsh is run, an extra directory tree called /smb becomes available to dynamically linked shell commands. The first level of directories under /smb represent available workgroups, the next level of subdirectories represent the SMB servers in each workgroup, and the third level of subdirectories represent the disk and printer shares of each server.

Samba must be compiled with the --with-smbwrappers option to enable smbsh.

Options

-d debug_level

Sets the debug (sometimes called logging) level. The level can range from 0, the default, to 10. Debug level 0 logs only the most important messages; level 1 is normal; levels 3 and above are primarily for debugging and slow smbsh considerably.

-l filename

Sets the name of the logging file. By default, messages are sent to stderr.

-L directory

Specifies the location of smbsh's shared libraries, overriding the compiled-in default.

-P prefix

Sets the name of the root directory to use for the SMB filesystem. The default is /smb.

-R resolve_order

Sets the resolve order of the name servers. This option is similar to the resolve order configuration option and can take any of the four parameters lmhosts, host, wins, and bcast, in any order. If more than one is specified, the argument is specified as a space-separated list.

-U username

Provides the username, and optionally the password, for authenticating the connection to the SMB server. The password can be supplied using the username%password format. If either or both the username and password are not provided, smbsh will prompt interactively for them.

-W workgroup

Specifies the NetBIOS workgroup or domain to which the client will connect. This overrides the workgroup parameter in the Samba configuration file and is sometimes necessary to connect to some servers.

smbspool

The smbspool program provides a CUPS-compatible interface to Samba printing by providing a way to send a print job to an SMB printer using the command-line format specified by CUPS printers. Although smbspool is designed to work best with CUPS printers, it can be used to send print jobs to non-CUPS Samba printers as well.

Command synopsis

smbspool job user title copies options filename

The arguments for smbspool, as shown here, are those used in the CUPS printing system. However, some of the arguments are currently ignored because they don't correspond to the Samba printing system. These arguments must be supplied in the command and can be filled in with "dummy" values.

The job argument refers to the job number and is currently ignored. The user argument is the name of the user who submitted the print job and is also ignored. The title argument is the name of the print job and must be supplied. It is used as the name of the remote print file. The copies argument is the number of copies that will be printed. This number is used only if the (optional) filename argument is supplied. Otherwise, only one copy is printed. The options argument, for specifying printing options, is ignored. The filename argument is used for specifying the name of the file to be printed. If it is not provided, the standard input will be used.

The printer that the job is to be sent to is specified in the DEVICE_URI environment variable. The format for the printer name is a device Universal Resource Indicator, which can be in any of the following formats:

smb://server/printer

smb://workgroup/server/printer

smb://username:password@server/printer

smb://username:password@workgroup/server/printer

smbstatus

This program lists the current connections on a Samba server.

Options

-b

Causes smbstatus to produce brief output. This includes the version of Samba and auditing information about the users that are connected to the server.

-d

Gives verbose output, which includes a list of services, a list of locked files, and memory usage statistics. This is the default.

-L

Prints only the list of current file locks.

-p

Prints only a list of smbd process IDs.

-P

Prints only the contents of the profiling memory area. Requires that Samba has been compiled with the profiling option.

-S

Prints only a list of shares and their connections.

-s filename

Specifies the Samba configuration file to use when processing this command.

-u username

Limits the report to the activity of a single user.

smbtar

The smbtar program is a shell-script wrapper around smbclient for doing tar-format archiving operations. It is functionally very similar to the Unix tar program.

Command synopsis

smbtar [options]

Options

-a

Resets (clears) the archive attribute on files after they are backed up. The default is to leave the archive attribute unchanged.

-b blocksize

Sets block size, in units of 512 bytes, for reading or writing the archive file. Defaults to 20, which results in a block size of 10240 bytes.

-d directory

Changes the working directory on the remote system to directory before starting the restore or backup operation.

-i

Specifies incremental mode; files are backed up only if they have the DOS archive attribute set. The archive attribute is reset (cleared) after each file is read.

-l log_level

Sets the logging level. This corresponds to the -d option of smbclient and other Samba programs.

-N filename

Backs up only files newer than filename. For incremental backups.

-p password

Specifies the password to use to access a share. An alternative to using the username%password format with the -u option.

-r

Restores files to the share from the tar file.

-s server

Specifies the SMB server. See also the -x option.

-t filename

Specifies the file or Unix device to use as the archiving medium. The default is tar.out or the value of the TAPE environment variable, if it has been set.

-u username

Specifies the user account to use when connecting to the share. You can specify the password as well, in the format username%password. The username defaults to the user's Unix username.

-v

Operates in verbose mode, printing error messages and additional information that can be used in debugging and monitoring. Backup and restore operations will list each file as it is processed.

-x share

States the name of the share on the server to which to connect. The default is backup. See also the -s option.

-X file_list

Tells smbtar to exclude the specified files from the backup or restore operation.

smbumount

The smbumount command exists to allow an ordinary (nonsuperuser) user to unmount a smbfs filesystem, which the user had previously mounted using smbmount.

Command synopsis

smbumount mount_point

For ordinary users to issue the command, smbumount must be made suid root.

testparm

The testparm program checks a Samba configuration file for obvious errors.

Command synopsis

testparm [options] [filename] [hostname IP_addr]

If the configuration file is not provided using the filename argument, then it defaults to /usr/local/samba/lib/smb.conf. If the hostname and an IP address of a system are included, an extra check is made to ensure that the system is allowed to connect to each service defined in the configuration file. This is done by comparing the hostname and IP address to the definitions of the hosts allow and hosts deny parameters.

Options

-h

Prints usage information for the program.

-L server_name

Sets the %L configuration variable to the specified server name.

-s

Disables the default behavior of prompting for the Enter key to be pressed before printing the list of configuration options for the server.

testprns

This is a very simple program that checks to see if a specified printer name exists in the system printer capabilities (printcap) file.

Command synopsis

testprns printername [printcapname]

If printcapname isn't specified, Samba attempts to use the one specified in the Samba configuration file with the printcap name parameter. If none is specified there, Samba will try /etc/printcap.

wbinfo

This program retrieves and prints information from the winbindd daemon, which must be running for wbinfo to function.

Command synopsis

wbinfo [options]

Options

-u

Prints all usernames that have been mapped from the Windows NT domain to Unix users. Users in all trusted domains are also listed.

-g

Prints all group names that have been mapped from the Windows NT domain to Unix groups. Groups in all trusted domains are also reported.

-h NetBIOS_name

Queries the WINS server and prints the IP address of the specified system.

-n name

Prints the SID corresponding to the name specified. The argument can be specified as DOMAIN/name (or by using a character other than the slash, as defined by the winbind separator character) to specify both the domain and the name. If the domain and separator are omitted, the value of the workgroup parameter in the Samba configuration file is used as the name of the domain.

-s SID

Prints the name mapped to a SID, which is specified in the format S-1-N-N-D-D-D-R.

-U UID

Prints the SID mapped to a Unix UID, if one exists in the current domain.

-G gid

Prints the SID mapped to a Unix group ID, if one exists in the current domain.

-S SID

Prints the Unix UID that winbind has mapped to the specified SID, if one exists.

-Y SID

Prints the Unix group ID that winbind has mapped to the specified SID, if one exists.

-t

Tests to see that the workstation trust account for the Samba server is valid.

-m

Prints a list of Windows NT domains trusted by the Windows server. This does not include the PDC's domain.

-r username

Prints the list of Unix group IDs to which the user belongs. This works only if the user's account is maintained on a domain controller.

-a username%password

Checks to see if a user can authenticate through winbindd using the specified username and password.

-A username%password

Saves the username and password used by winbindd to the domain controller. For use when operating in a Windows 2000 domain.


TOC