Appendix C. Summary of Samba Daemons and Commands

Other Signals

To shut down an smbd process, send it the termination signal SIGTERM (15), which allows it to die gracefully, instead of a SIGKILL (9). With Samba versions prior to 2.2, the debugging level could be raised or lowered using SIGUSR1 or SIGUSR2. This is no longer supported. Use smbcontrol instead.

Command synopsis

smbd [options]

Options

-a

Causes each new connection to the Samba server to append all logging messages to the log file. This option is the opposite of -o and is the default.

-D

Runs the smbd program as a daemon. This is the recommended way to use smbd. It is also the default action when smbd is run from an interactive command line. In addition, smbd can be run from inetd.

-d debug_level

Sets the debug (sometimes called logging) level. The level can range from 0 to 10. Specifying the value on the command line overrides the value specified in the smb.conf file. Debug level 0 logs only the most important messages; level 1 is normal; levels 3 and above are primarily for debugging and slow smbd considerably.

-h

Prints usage information for the smbd command.

-i

Runs smbd interactively, rather than as a daemon. This option is used to override the default daemon mode when smbd is run from the command line.

-l log_ directory

Sends the log messages to somewhere other than the location compiled into the executable or specified in the smb.conf file. The default is often /usr/local/samba/var/, /usr/samba/var/, or /var/log/. The log file is placed in the specified directory and named log.smbd. If the directory does not exist, Samba's compiled-in default will be used.

-O socket_options

Sets the TCP/IP socket options, using the same parameters as the socket options configuration option. Often used for performance tuning and testing.

-o

Causes log files to be overwritten when opened (the opposite of -a). Using this option saves you from hunting for the right log entries if you are performing a series of tests and inspecting the log file each time.

-p port_number

Sets the TCP/IP port number from which the server will accept requests. All Microsoft clients send to the default port of 139, except for Windows 2000/XP, which can use port 445 for SMB networking, without the NetBIOS protocol layer.

-P

Causes smbd to run in "passive" mode, in which it just listens, and does not transmit any network traffic. This is useful only for debugging by developers.

-s configuration_ file

Specifies the location of the Samba configuration file. Although the file defaults to /usr/local/samba/lib/smb.conf, you can override it on the command line. Typically used for debugging.

-v

Prints the current version of Samba.

Signals

Like smbd, the nmbd program responds to several Unix signals. Sending nmbd a SIGHUP signal causes it to dump the names it knows about to the /usr/local/samba/var/locks/namelist.debug file. To shut down an nmbd process and allow it to die gracefully, send it a SIGTERM (15) signal, rather than a SIGKILL (9). With Samba versions prior to 2.2, the debugging level could be raised or lowered using SIGUSR1 or SIGUSR2. This is no longer supported. Use smbcontrol instead.

Command synopsis

nmbd [options]

Options

-a

Causes each new connection to the Samba server to append all logging messages to the log file. This option is the opposite of -o and is the default.

-d debug_level

Sets the debug (sometimes called logging) level. The level can range from 0 to 10. Specifying the value on the command line overrides the value specified in the smb.conf file. Debug level 0 logs only the most important messages; level 1 is normal; levels 3 and above are primarily for debugging and slow nmbd considerably.

-D

Instructs the nmbd program to run as a daemon. This is the recommended way to use nmbd and is the default when nmbd is run from an interactive shell. In addition, nmbd can be run from inetd.

-h

Prints usage information for the nmbd command.

-H lmhosts_ file

Specifies the location of the lmhosts file for name resolution. This file is used only to resolve names for the local server, and not to answer queries from remote systems. The compiled-in default is commonly /usr/local/samba/lib/lmhosts, /usr/samba/lib/lmhosts, or /etc/lmhosts.

-i

Runs nmbd interactively, rather than as a daemon. This option is used to override the default daemon mode when nmbd is run from the command line.

-l log_ file

Sends the log messages to somewhere other than the location compiled into the executable or specified in the smb.conf file. The default is often /usr/local/samba/var/log.nmbd, /usr/samba/var/log.nmbd, or /var/log /log.nmbd.

-n NetBIOS_name

Allows you to override the NetBIOS name by which the daemon advertises itself. Specifying this option on the command line overrides the netbios name option in the Samba configuration file.

-O socket_options

Sets the TCP/IP socket options, using the same parameters as the socket options configuration option. Often used for performance tuning and testing.

-o

Causes log files to be overwritten when opened (the opposite of -a). This option saves you from hunting for the right log entries if you are performing a series of tests and inspecting the log file each time.

-p port_number

Sets the UDP port number from which the server accepts requests. Currently, all Microsoft clients use only the default port, 137.

-s configuration_ file

Specifies the location of the Samba configuration file. Although the file defaults to /usr/local/samba/lib/smb.conf, you can override it here on the command line. Typically used for debugging.

-v

Prints the current version of Samba.

Command synopsis

winbindd [options]

Options

-d debuglevel

Sets the debug (sometimes called logging) level. The level can range from 0 to 10. Specifying the value on the command line overrides the value specified in the smb.conf file. Debug level 0 logs only the most important messages; level 1 is normal; levels 3 and above are primarily for debugging.

-i

Runs winbindd interactively. This option is used to override the default, which is for winbindd to detach and run as a daemon.

Command synopsis

findsmb [subnet_broadcast_address]

If a different subnet's broadcast address is provided, it will find SMB servers on that subnet. If no subnet broadcast address is supplied, findsmb will look on the local subnet.

The output from findsmb looks like this:

$ findsmb
                                *=DMB
                                +=LMB
IP ADDR         NETBIOS NAME     WORKGROUP/OS/VERSION
---------------------------------------------------------------------
172.16.1.1      TOLTEC         *[METRAN] [Unix] [Samba 2.2.6]
172.16.1.3      MIXTEC         +[METRAN] [Unix] [Samba 2.2.6]
172.16.1.4      ZAPOTEC         [METRAN] [Windows 5.0] [Windows 2000 LAN Manager]
172.16.1.5      HUASTEC         [       METRAN        ]
172.16.1.6      MAYA            [       METRAN        ]
172.16.1.7      OLMEC           [METRAN] [Windows 5.1] [Windows 2000 LAN Manager]
172.16.1.10     UTE             [       METRAN        ]
172.16.1.13     DINE            [METRAN] [Windows NT 4.0] [NT LAN Manager 4.0]

The system with an asterisk (*) in front of its workgroup name is the domain master browser for the workgroup/domain, and the system with a plus sign (+) preceding its workgroup name is the local master browser.

The findsmb command was introduced during the development of Samba 2.2 and is installed by default in Samba Versions 2.2.5 and later.

Command synopsis

make_smbcodepage c|d codepage_number input_file output_file

For the first argument, use c to compile a codepage and d to decompile a codepage file. The codepage_number argument is the number of the codepage being processed (e.g., 850). The input_file and output_file are the text- and binary-format codepages, with the types dependent on the operation (compiling or decompiling) that is being performed.

Command synopsis

make_unicodemap codepage_number inputfile outputfile

The input file is an ASCII map; the output file is a binary file loadable by Samba. The codepage is the number of the DOS codepage (e.g., 850) for the map.

Command synopsis

net [method] function [misc_options] [target_options]

The function argument is made up of one or more space-separated words. In Windows terminology, it is sometimes referred to as a function with options. Here we list every function in its complete form, including multiple words.

By default, the action is performed on the local system. The target_options argument can be used to specify a remote system (either by hostname or IP address), a domain, or a workgroup.

Depending on the function, the method argument can be optional, required, or disallowed. It specifies one of three methods for performing the operation specified by the rest of the command. It can be ads (Active Directory), rpc (Microsoft's DCE/RPC), or rap (Microsoft's original SMB remote procedure call). To determine which methods (if any) can be used with a function, the net help ads, net help rap, and net help rpc commands can be used to list the functions for each method.

Miscellaneous options

-d level

--debug=level

Sets the debug (sometimes called logging) level. The level can range from 0 to 10.

-l

--long

Specifies the long listing mode. This is provided for functions that print informational listings.

-n name

--myname=name

Specifies the NetBIOS name for the client.

-p port

--port=port

Specifies the port number to use.

-s filename

--conf=filename

Specifies the name of the Samba configuration file, overriding the compiled-in default.

-U username[%password]

--user=username[%password]

Specifies the username and, optionally, the password to use for functions that require authentication.

-W name

--myworkgroup=name

Specifies the name of the client's workgroup, overriding the definition of the workgroup parameter in the Samba configuration file.

Target options

-S hostname

Specifies the remote system using a hostname or NetBIOS name.

-I ip_address

Specifies the remote system using its IP address.

-w workgroup

Specifies the name of the target domain or workgroup.

Functions

Command synopsis

nmblookup [options] netbios_name

Options

-A

Interprets netbios_name as an IP address and does a node status query on it.

-B broadcast_address

Sends the query to the given broadcast address. The default is to send the query to the broadcast address of the primary network interface.

-d debug_level

Sets the debug (sometimes called logging) level. The level can range from 0 to 10. Debug level 0 logs only the most important messages. Level 1 is normal; levels 3 and above are primarily used by developers for debugging the nmblookup program itself and slow the program considerably.

-f

Prints the flags in the packet headers.

-h

Prints command-line usage information for the program.

-i scope

Sets a NetBIOS scope identifier. NetBIOS scope is a rarely used precursor to workgroups.

-M

Searches for a local master browser by looking up netbios_name<1d>. If netbios_name is specified as a dash (-), a lookup is done on the special name _ _MSBROWSE_ _ .

-R

Sets the "recursion desired" bit in the packet. This causes the system that responds to try a WINS lookup and return the address and any other information the WINS server has saved.

-r

Uses the root port of 137. This option exists as a bug workaround for Windows 95. This option might require the user to be superuser.

-S

Performs a node status query once the name query has returned an IP address. This returns all the resource types that the system knows about, including their numeric attributes. For example:

$ nmblookup -S toltec
querying toltec on 172.16.1.255
172.16.1.1 toltec<00>
Looking up status of 172.16.1.1
    TOLTEC          <00> -         M <ACTIVE>
    TOLTEC          <03> -         M <ACTIVE>
    TOLTEC          <20> -         M <ACTIVE>
    ..__MSBROWSE__. <01> - <GROUP> M <ACTIVE>
    METRAN          <00> - <GROUP> M <ACTIVE>
    METRAN          <1b> -         M <ACTIVE>
    METRAN          <1c> - <GROUP> M <ACTIVE>
    METRAN          <1d> -         M <ACTIVE>
    METRAN          <1e> - <GROUP> M <ACTIVE>

-s configuration_ file

Specifies the location of the Samba configuration file. Although the file defaults to /usr/local/samba/lib/smb.conf, you can override it here on the command line. Normally used for debugging.

-T

Translates IP addresses into resolved names.

-U unicast_address

Performs a unicast query to the specified address. Used with -R to query WINS servers.

Note that nmblookup has no option for setting the workgroup. You can get around this by putting workgroup = workgroup_name in a file and passing it to nmblookup with the -s option.

Command synopsis

pdbedit [options]

Options

-a

Adds the user specified by the -u option to the SAM database. The command issues a prompt for the user's password.

-d drive_letter

Sets the Windows drive letter to which to map the user's home directory. The drive letter should be specified as a letter followed by a colon—e.g., H:.

-D debug_level

Sets the debug (sometimes called logging) level. The level can range from 0 to 10. Debug level 0 logs only the most important messages. Level 1 is normal, and levels 3 and above are primarily for debugging.

-e pwdb_backend

Exports the user account database to another format, written to the specified location. Used for migrating from one type of account database to another. The pwdb_backend argument is specified in the format of a database type, followed by a colon, then the location of the database. For example, to export the existing account database to an smbpasswd database in the file /usr/local/samba/private/smbpw, pwdb_backend would be specified as smbpasswd:/usr/local/samba/private/smbpw. The allowable database types are smbpasswd, smbpasswd nua, tdbsam, tdbsam nua, ldapsam, ldapsam_nua, and plugin.

-f full_name

Sets the full name of the user specified with the -u option.

-h unc

Sets the home directory path (as a UNC) for the user specified with the -u option.

-i pwdb_backend

Specifies a password database backend from which to retrieve account information, overriding the one specified by the passdb backend parameter in the Samba configuration file. This, along with the -e option, is useful for migrating user accounts from one type of account database to another. See the -e option regarding how to specify the pwdb_backend argument.

-l

Lists the user accounts in the database. See also the -v option.

-m

Indicates that the account is a computer account rather than a user account. Used only with the -a option when creating the account. In this case, the -u option specifies the computer name rather than a username.

-p unc

Sets the directory in which the user's profile is kept. The directory is specified as a UNC.

-s unc

Specifies the UNC of the user's logon script.

-u username

Specifies the username of the account to add (with the -a option), delete (with the -x option), or modify.

-v

Selects verbose mode when listing accounts with the -l option. The account fields will be printed.

-w

Selects the smbpasswd listing mode, for use with the -l option, which prints information in the same format as it would appear in an smbpasswd file.

-x

Deletes the user (specified with the -u option) from the account database.

Command Synopsis

rpcclient server [options]

Options

-A filename

Specifies a file from which to read the authentication values used in the connection. The format of the file is as follows:

username = value
password = value
domain   = value

This option is used to avoid password prompts or to have the password appear in plain text inside scripts. The permissions on the file should be very restrictive (0600, for example) to prevent access from unwanted users.

-c command_string

Executes a sequence of semicolon-separated commands. Commands are listed in the following section.

-d debuglevel

Sets the debug (sometimes called logging) level. The level can range from 0 to 10. Specifying the value on the command line overrides the value specified in the smb.conf file. Debug level 0 logs only the most important messages; level 1 is normal; levels 3 and above are primarily for debugging and slow the program considerably.

-h

Prints a summary of options.

-l logbasename

Sets the filename for log/debug files. The extension .client is appended to the filename.

-N

Does not prompt for a password. This is used when Samba is configured for share-mode security and a service with no password is being accessed.

-s filename

Specifies the location of the Samba configuration file, which by default is usually /usr/local/samba/lib/smb.conf.

-U username[%password]

Sets the SMB username or username and password to use. Be careful when specifying the password with %password; this is a major security risk. If %password is not specified, the user will be prompted for the password, which will not be echoed. Normally the user is set from the USER or LOGNAME environment variable. The -U option by itself means to use the guest account. See also -A.

-W domain

Sets the domain, overriding the workgroup parameter in the Samba configuration file. If the domain is the server's NetBIOS name, it causes the client to log on using the server's local SAM database rather than the SAM of the domain.

General commands

debuglevel level

Sets the debugging level to level. With no argument, the current debugging level is printed.

help

Prints help on the commands.

quit

Exits rpcclient. A synonym is exit.

Local Security Authority Remote Procedure Calls (LSARPC) commands

enumprivs

Lists the types of privileges known to this domain.

enumtrust

Lists the domains trusted by this domain.

getdispname priv_name

Prints information on the privilege named priv_name.

lookupsids name

Finds a name that corresponds to a security identifier (SID).

lookupnames sid

Finds the SID for one or more names.

lsaquery

Queries the LSA object.

lsaenumsid

Lists SIDs for the local LSA.

lsaquerysecobj

Prints information on security objects for the LSA.

Security Access Manager RPC (SAMR) commands

createdomuser username

Adds a new user in the domain.

deletedomuser username

Removes a user from the domain.

enumalsgroups type

Lists alias groups in the domain, along with their group RIDs. The type argument can be either builtin, to list Windows built-in groups such as Administrators and Power Users, or domain, to list groups in the domain. See also the queryuseraliases command.

enumdomgroups

Lists the groups in the domain, along with their group RIDs.

queryaliasmem user_rid

Prints information regarding alias membership. See also the queryuseraliases command.

querydispinfo

Prints out the account database. The information printed includes the RID, username, and full name of each user. The RID is printed in hexadecimal notation and can be used in this form for commands that take a RID as an argument.

querydominfo

Prints information regarding the domain. This includes the name of the domain, as well as the number of users, groups, and aliases.

querygroup group_rid

Given a group RID, prints the group name, description, number of members, and group description.

queryuser user_rid

Given a user RID, prints the corresponding username, full name, and other information pertaining to the user.

queryuseraliases type user_rid

Prints aliases for the user. The type argument can be either builtin or domain. Aliases are used with the Windows messaging service and act like usernames, but they can be attached to a computer rather than a user. This allows messages intended for a user to be sent to a computer on which the user is either not logged on, or logged on under another username.

queryusergroups user_rid

Prints information on each group inhabited by the user.

querygroupmem group_rid

Prints the RID and attributes for each member of the group.

samlookupnames type username

Looks up the username in the SAM database and prints its associated RID. The type argument can be either builtin, to look up built-in Windows usernames, or domain, to look up names in the domain.

samlookuprids type rid

Looks up rid in the SAM database and prints its associated group or username. The type argument can be either builtin, to look up built-in Windows usernames, or domain, to look up names in the domain. The RID argument can be given in either 0xDDD hexadecimal notation or decimal.

samquerysecobj

Prints information on security objects (such as ACLs) in the SAM database.

Windows NT/2000/XP Printing Services (SPOOLSS) commands

Command synopsis

smbcacls //server/share filename [options]

Options

-A acls

Adds one or more ACLs to the file or directory. Any ACLs already existing for the file or directory are unchanged.

-M acls

Modifies the mask of the ACLs specified. Refer to the following section, "Specifying ACLs," for details.

-D acls

Deletes the specified ACLs.

-S acls

Sets the specified ACLs, deleting any ACLs previously set on the file or directory. The ACLs must contain at least a revision, type, owner, and group.

-U username

Sets the username used to connect to the specified service. The user is prompted for a password unless the argument is specified as username%password. (Specifying the password on the command line is a security risk.) If -U domain\\username is specified, the specified domain or workgroup will be used in place of the one specified in the smb.conf file.

-C username

Changes the owner of the file or directory. This is a shortcut for -M OWNER:username. The username argument can be given as a username or a SID in the form S-1-N-N-D-D-D-R.

-G groupname

Changes the group of the file or directory. This is a shortcut for -M GROUP:groupname. The groupname argument can be given as a group name or a SID in the form S-1-N-N-D-D-D-R.

-n

Causes all ACL information to be displayed in numeric format rather than in readable strings.

-h

Prints a help message.

Specifying ACLs

In the previous options, the same format is always used when specifying ACLs. An ACL is made up of one or more Access Control Entries (ACEs), separated by either commas or escaped newlines. An ACE can be one of the following:

REVISION:revision_number

OWNER:username_or_SID

GROUP:group_name_or_SID

ACL:name_or_SID:type/flags/mask

The revision_number should always be 1. The OWNER and GROUP entries can be used to set the owner and group for the file or directory. The names can be the textual ones or SIDs in the form S-1-N-N-D-D-D-R.

The ACL entry specifies what access rights to apply to the file or directory. The name_or_SID field specifies to which user or group the permissions apply and can be supplied either as a textual name or a SID. An ACE can be used to either allow or deny access. The type field is set to 1 to specify a permission to be allowed or 0 for specifying a permission to deny. The mask field is the name of the permission and is one of the following:

R

Read access.

W

Write access.

X

Execute permission.

D

Permission to delete.

P

Change permissions on the object.

O

Take ownership.

The following combined permissions can also be specified:

READ

Equivalent to RX permissions

CHANGE

Equivalent to RWXD permissions

FULL

Equivalent to RWXDPO permissions

The flags field is for specifying how objects in directories are to inherit their default permissions from their parent directory. For files, flags is normally set to 0. For directories, flags is usually set to either 9 or 2.

Command synopsis

smbclient //server/share [ password] [options]

It is possible to run smbclient noninteractively, for use in scripts, by specifying the -c option along with a list of commands to execute. Otherwise, smbclient runs in interactive mode, prompting for commands such as this:

smb:\>

The backslash in the prompt is replaced by the current directory within the share as you change your working directory with smbclient's cd command.

Options

-A authfile

Specifies a file from which to read the username and password used for the connection. The format of the file is as follows:

username = value
password = value
domain   = value

This is to avoid having the password prompted for or have it appear in plain text in scripts. The permissions on the file should be very restrictive (0600, for example) to prevent access by unwanted users.

-b buffer_size

Sets the size of the buffer used when transferring files. It defaults to 65520 bytes and can be changed as a tuning measure. Generally it should be quite large or set to match the size of the buffer on the remote system. It can be set smaller to work around Windows bugs: some Windows 98 systems work best with a buffer size of 1200.

-B IP_addr

Sets the broadcast address.

-c command_string

Passes a command string to the smbclient command interpreter. The argument consists of a semicolon-separated list of commands to be executed.

-d debug_level

Sets the debug (logging) level, from 0 to 10, with A for all. Overrides the value in smb.conf. Debug level 0 logs only the most important messages; level 1 is normal; debug levels 3 and above are for debugging and slow smbclient considerably.

-D init_dir

Upon starting up, causes smbclient to change its working directory to init_dir on the remote host.

-E

Sends output from commands to stderr instead of stdout.

-h

Prints the command-line help information (usage) for smbclient.

-I IP_address

Sets the IP address of the server to which the client connects.

-i scope

Sets a NetBIOS scope identifier.

-l log_ file

Sends the log messages to log_file rather than to the log file specified in the Samba configuration file or the compiled-in default.

-L server

Lists services (shares) offered by the server. This can be used as a quick way to test an SMB server to see if it is working. If there is a name-service problem, use the -I option to specify the server.

-M NetBIOS_name

Allows you to send messages using the Windows messaging protocol. Once a connection is established, you can type your message, pressing Ctrl-D to end. The -U and -I options can be used to control the "From" and "To" parts of the message.

-N

Suppresses the password prompt. Useful when using share mode security and accessing a service that has no password.

-n NetBIOS_name

Allows you to override the NetBIOS name by which smbclient will advertise itself.

-O socket_options

Sets the TCP/IP socket options using the same parameters as the socket options configuration option. Often used for performance tuning and testing.

-p port_number

Sets the port number with which smbclient will connect.

-R resolve_order

Sets the resolve order of the name servers. This option is similar to the resolve order configuration option and can take any of the four parameters lmhosts, host, wins, and bcast, in any order. If more than one is specified, the argument is specified as a space-separated list. This option can be used to test name service by specifying only the name service to be tested.

-s filename

Specifies the location of the Samba configuration file. Used for debugging.

-t terminal_code

Sets the terminal code for Asian languages.

-T command_string tarfile

Runs the tar archiver, which is gtar compatible. The tar file that is written to or read from is specified by tarfile. The two main commands are c (create) and x (extract), which can be followed by any of these:

a

Resets the archive attribute on files after they have been saved. See also the g option.

b size

Sets the block size for writing the tar file, in 512-byte units.

g

Backs up only files that have their archive bit set. See also the a option.

I filename

Includes files and directories. This is the default, so specifying this is redundant. To perform pattern matching, see also the r option.

N filename

Backs up only those files newer than file.

q

Suppresses diagnostics.

r

Performs regular expression matching, which can be used along with the I or E option to include or exclude files.

X filename

Excludes files and directories.

-U username

Sets the username and, optionally, the password used for authentication when connecting to the share.

-W workgroup

Specifies the workgroup/domain in which smbclient will claim to be a member.

smbclient commands

Command synopsis

smbcontrol -i [options]

or:

smbcontrol [options] process message-type [parameters]

Options

-i

Runs smbcontrol interactively, executing commands until a blank line or "q" is read. The user must have superuser privileges.

-s filename

Specifies the location of the Samba configuration file.

-d debuglevel

Sets the debugging level for logging. The debug level can be set from to 10.

Whether smbcontrol commands are issued in interactive mode or from the command line, the commands are in the same format. Each command has up to three parts:

smbcontrol message types

close-share share_name

Closes the connection to a share or shares. If share_name is specified as an asterisk (*), connections to all shares will be closed. To close a single connection, share_name is given as the name of a share, as specified in the Samba configuration file, not including the enclosing brackets. Warning: no message is printed if there is an error in specifying share_name.

debug num

Sets the debugging level. The num parameter specifies the level, which can be from 0 to 10.

debuglevel

Prints the current debugging level.

force-election

Can be used only with nmbd, telling it to force a master browser election.

ping number

Sends number of pings and reports when they receive a reply or timeout. Used for connectivity testing.

profile mode

Controls profiling statistics collection. If mode is on, profile statistics will be collected. If mode is off, collection of statistics is turned off. If mode is specified as count, only counting statistics are collected (and not timing statistics). If mode is flush, the data set is cleared (initialized).

profilelevel

Prints the current profiling level.

printer-notify printer_name

Sends a printer notify message to Windows NT/2000/XP for the specified printer. This message can be sent only to smbd. Warning: no message is printed if the printer_name parameter is specified incorrectly.

Command synopsis

smbgroupedit [options]

Options

-a Unix_group_name

Adds a mapping for the specified Unix group. The -n option is used along with this option to specify the Windows NT group to which the Unix group is mapped.

-c SID

Changes a mapping between a Windows NT group and a Unix group. The Windows NT group is specified as a SID with this option, and the Unix group is specified with the -u option.

-d description

Specifies a comment for the mapping, which will be stored along with it.

-l

When used with the -v option, prints a long listing. This is the default. The information printed includes the name of the Windows NT group, its SID, its corresponding Unix group (if a mapping has been defined), the group type, the comment, and the privileges of the group.

-n Windows_group_name

Specifies the name of the Windows NT group. Used with the -a option.

-p privilege

Used along with the -a option to specify a Windows NT privilege to be given to the Unix group.

-s

When used with the -v option, prints a short listing. The information printed includes just the name of the Windows NT group, its SID, and, if a mapping has been defined, its corresponding Unix group. This option is useful for determining the SID of a group, for use with the -c option.

-t TYPE

Assigns a Windows group type to the group. TYPE is a single character, and is one of b (built-in), d (domain), or l (local).

-u Unix_group_name

Specifies the name of the Unix group to map to the Windows NT group. Used with the -c option.

-v

Prints a list of groups in the Windows NT domain in which the Samba server is operating. See also the -l and -s options.

-x Unix_group_name

Deletes the mapping for the Unix group specified.

Command synopsis

smbmnt mnt_point [options]

Options

-r

Mounts the filesystem as read-only.

-u uid

Specifies the UID to use for the owner of the files.

-g gid

Specifies the GID to use for the group of the files.

-f mask

Specifies the octal file mask.

-d mask

Specifies the octal directory mask.

-o options

Specifies the list of options that are passed to the smbfs module.

To allow users to mount SMB shares without help from an administrator, set the "set user ID" permission on the smbmnt executable. However, note that this can raise security issues.

Command synopsis

smbmount service mount_point [-o options]

The service argument specifies the SMB share to mount, given as a UNC. The mount_point argument specifies a directory to use as the mount point. The options to smbmount are specified as a comma-separated list of key=value pairs. The documented options are as follows. Others can be passed if the kernel supports them.

Options

username=name

Specifies the username to connect as. If this is not provided, the environment variable USER will be tried. The name can be specified as username%password, user/workgroup, or user/workgroup%password.

password=string

Specifies the SMB password. If no password is provided using this option, the username option, or the credentials option, the environment variable PASSWD is used. If that also does not exist, smbmount will prompt interactively for a password.

credentials=filename

Specifies a file that contains a username and password in the following format:

username = value
password = value

uid=number

Sets the Unix user ID to be used as the owner of all files in the mounted filesystem. It can be specified as a username or numeric UID. Defaults to the UID of the user running smbmount.

gid=number

Sets the Unix group ID to be used as the group for all files in the mounted filesystem. It can be specified as a group name or a numeric GID. Defaults to the GID of the user running smbmount.

port=number

Sets the TCP port number. This is 139, which is required by most Windows versions.

fmask=octal_mask

Sets the Unix permissions of all files in the mounted filesystem. Defaults to the user's current umask.

dmask=octal_mask

Sets the Unix permissions of all directories in the mounted filesystem. Defaults to the current umask.

debug=number

Sets the debugging level.

ip=host

Sets the destination hostname or IP address.

netbiosname=name

Sets the computer name to connect as. This defaults to the hostname of the local system.

workgroup=name

Sets the workgroup or domain.

sockopt=opts

Sets TCP socket options.

scope=num

Sets the NetBIOS scope.

guest

Don't expect or prompt for a password.

ro

Mounts the share read-only.

rw

Mounts the share read-write.

iocharset=charset

Sets the charset used by the Linux machine for codepage-to-charset translation. See also the codepage option.

codepage=page

Sets the DOS code page. See also the iocharset option.

ttl=milliseconds

Sets the time to live, in milliseconds, for entries in the directory cache. A higher value gives better performance on large directories and/or slower connections. The default is 1000ms. Try 10000ms (10 seconds) as a starting value if directory operations are visibly slow.

Command synopsis

When run by the superuser:

smbpasswd [options] [username] [password]

In this case, the username of the user whose smbpasswd entry is to be modified is provided as the second argument.

Otherwise:

smbpasswd [options] [password]

Superuser-only options

-a username

Adds a user to the encrypted password file. The user must already exist in the system password file (/etc/passwd ). If the user already exists in the smbpasswd file, the -a option changes the existing password.

-d username

Disables a user in the encrypted password file. The user's entry in the file will remain, but will be marked with a flag disabling the user from authenticating.

-e username

Enables a disabled user in the encrypted password file. This overrides the effect of the -d option.

-j domain

Joins the Samba server to a Windows NT domain as a domain member server. The domain argument is the NetBIOS name of the Windows NT domain that is being joined. See also the -r and -U options.

-m

Indicates that the account is a computer account in a Windows NT domain rather than a domain user account.

-n

Sets the user's password to a null password. For the user to authenticate, the parameter null passwords = yes must exist in the [global] section of the Samba configuration file.

-R resolve_order_list

Sets the resolve order of the name servers. This option is similar to the resolve order configuration option and can take any of the four parameters lmhosts, host, wins, and bcast, in any order. If more than one is specified, the argument is specified as a space-separated list.

-w password

For use when Samba has been compiled with the --with-ldapsam configure option. Specifies the password that goes with the value of the ldap admin dn Samba configuration file parameter.

-x username

Deletes the user from the smbpasswd file. This is a one-way operation, and all information associated with the entry is lost. To disable the account without deleting the user's entry in the file, see the -d option.

Other options

-c filename

Specifies the Samba configuration file, overriding the compiled-in default.

-D debug_level

Sets the debug (also called logging) level. The level can range from to 10. Debug level 0 logs only the most important messages; level 1 is normal; levels 3 and above are primarily for debugging and slow the program considerably.

-h

Prints command-line usage information.

-L

Causes smbpasswd to run in local mode, in which ordinary users are allowed to use the superuser-only options. This requires that the smbpasswd file be made readable and writable by the user. This is for testing purposes.

-r NetBIOS_name

Specifies on which machine the password should change. If changing a Windows NT domain password, the remote system specified by NetBIOS_name must be the PDC for the domain. The user's username on the local system is used by default. See also the -U option for use when the user's Samba username is different from the local username.

-R resolve_order

Sets the resolve order of the name servers. This option is similar to the resolve order configuration option and can take any of the four parameters lmhosts, host, wins, and bcast, in any order. If more than one is specified, the argument is specified as a space-separated list.

-s username

Causes smbpasswd not to prompt for passwords from /dev/tty, but instead to read the old and new passwords from the standard input. This is useful when calling smbpasswd from a script.

-S

Queries the domain controller of the domain, as specified by the workgroup parameter in the Samba configuration file, and retrieves the domain's SID. This will then be used as the SID for the local system. A specific PDC can be selected by combining this option with the -r option, and its domain's SID will be used. This option is for migrating domain accounts from a Windows NT primary domain controller to a Samba PDC.

-U username[%password]

Changes the password for username on the remote system. This is to handle instances in which the remote username and local username are different. This option requires that -r also be used. Often used with -j to provide the username of the administrative user on the primary domain controller for adding computer accounts.

Options

-d debug_level

Sets the debug (sometimes called logging) level. The level can range from 0, the default, to 10. Debug level 0 logs only the most important messages; level 1 is normal; levels 3 and above are primarily for debugging and slow smbsh considerably.

-l filename

Sets the name of the logging file. By default, messages are sent to stderr.

-L directory

Specifies the location of smbsh's shared libraries, overriding the compiled-in default.

-P prefix

Sets the name of the root directory to use for the SMB filesystem. The default is /smb.

-R resolve_order

Sets the resolve order of the name servers. This option is similar to the resolve order configuration option and can take any of the four parameters lmhosts, host, wins, and bcast, in any order. If more than one is specified, the argument is specified as a space-separated list.

-U username

Provides the username, and optionally the password, for authenticating the connection to the SMB server. The password can be supplied using the username%password format. If either or both the username and password are not provided, smbsh will prompt interactively for them.

-W workgroup

Specifies the NetBIOS workgroup or domain to which the client will connect. This overrides the workgroup parameter in the Samba configuration file and is sometimes necessary to connect to some servers.

Command synopsis

smbspool job user title copies options filename

The arguments for smbspool, as shown here, are those used in the CUPS printing system. However, some of the arguments are currently ignored because they don't correspond to the Samba printing system. These arguments must be supplied in the command and can be filled in with "dummy" values.

The job argument refers to the job number and is currently ignored. The user argument is the name of the user who submitted the print job and is also ignored. The title argument is the name of the print job and must be supplied. It is used as the name of the remote print file. The copies argument is the number of copies that will be printed. This number is used only if the (optional) filename argument is supplied. Otherwise, only one copy is printed. The options argument, for specifying printing options, is ignored. The filename argument is used for specifying the name of the file to be printed. If it is not provided, the standard input will be used.

The printer that the job is to be sent to is specified in the DEVICE_URI environment variable. The format for the printer name is a device Universal Resource Indicator, which can be in any of the following formats:

smb://server/printer

smb://workgroup/server/printer

smb://username:password@server/printer

smb://username:password@workgroup/server/printer

Options

-b

Causes smbstatus to produce brief output. This includes the version of Samba and auditing information about the users that are connected to the server.

-d

Gives verbose output, which includes a list of services, a list of locked files, and memory usage statistics. This is the default.

-L

Prints only the list of current file locks.

-p

Prints only a list of smbd process IDs.

-P

Prints only the contents of the profiling memory area. Requires that Samba has been compiled with the profiling option.

-S

Prints only a list of shares and their connections.

-s filename

Specifies the Samba configuration file to use when processing this command.

-u username

Limits the report to the activity of a single user.

Command synopsis

smbtar [options]

Options

-a

Resets (clears) the archive attribute on files after they are backed up. The default is to leave the archive attribute unchanged.

-b blocksize

Sets block size, in units of 512 bytes, for reading or writing the archive file. Defaults to 20, which results in a block size of 10240 bytes.

-d directory

Changes the working directory on the remote system to directory before starting the restore or backup operation.

-i

Specifies incremental mode; files are backed up only if they have the DOS archive attribute set. The archive attribute is reset (cleared) after each file is read.

-l log_level

Sets the logging level. This corresponds to the -d option of smbclient and other Samba programs.

-N filename

Backs up only files newer than filename. For incremental backups.

-p password

Specifies the password to use to access a share. An alternative to using the username%password format with the -u option.

-r

Restores files to the share from the tar file.

-s server

Specifies the SMB server. See also the -x option.

-t filename

Specifies the file or Unix device to use as the archiving medium. The default is tar.out or the value of the TAPE environment variable, if it has been set.

-u username

Specifies the user account to use when connecting to the share. You can specify the password as well, in the format username%password. The username defaults to the user's Unix username.

-v

Operates in verbose mode, printing error messages and additional information that can be used in debugging and monitoring. Backup and restore operations will list each file as it is processed.

-x share

States the name of the share on the server to which to connect. The default is backup. See also the -s option.

-X file_list

Tells smbtar to exclude the specified files from the backup or restore operation.

Command synopsis

smbumount mount_point

For ordinary users to issue the command, smbumount must be made suid root.

Command synopsis

testparm [options] [filename] [hostname IP_addr]

If the configuration file is not provided using the filename argument, then it defaults to /usr/local/samba/lib/smb.conf. If the hostname and an IP address of a system are included, an extra check is made to ensure that the system is allowed to connect to each service defined in the configuration file. This is done by comparing the hostname and IP address to the definitions of the hosts allow and hosts deny parameters.

Options

-h

Prints usage information for the program.

-L server_name

Sets the %L configuration variable to the specified server name.

-s

Disables the default behavior of prompting for the Enter key to be pressed before printing the list of configuration options for the server.

Command synopsis

testprns printername [printcapname]

If printcapname isn't specified, Samba attempts to use the one specified in the Samba configuration file with the printcap name parameter. If none is specified there, Samba will try /etc/printcap.

Command synopsis

wbinfo [options]

Options

-u

Prints all usernames that have been mapped from the Windows NT domain to Unix users. Users in all trusted domains are also listed.

-g

Prints all group names that have been mapped from the Windows NT domain to Unix groups. Groups in all trusted domains are also reported.

-h NetBIOS_name

Queries the WINS server and prints the IP address of the specified system.

-n name

Prints the SID corresponding to the name specified. The argument can be specified as DOMAIN/name (or by using a character other than the slash, as defined by the winbind separator character) to specify both the domain and the name. If the domain and separator are omitted, the value of the workgroup parameter in the Samba configuration file is used as the name of the domain.

-s SID

Prints the name mapped to a SID, which is specified in the format S-1-N-N-D-D-D-R.

-U UID

Prints the SID mapped to a Unix UID, if one exists in the current domain.

-G gid

Prints the SID mapped to a Unix group ID, if one exists in the current domain.

-S SID

Prints the Unix UID that winbind has mapped to the specified SID, if one exists.

-Y SID

Prints the Unix group ID that winbind has mapped to the specified SID, if one exists.

-t

Tests to see that the workstation trust account for the Samba server is valid.

-m

Prints a list of Windows NT domains trusted by the Windows server. This does not include the PDC's domain.

-r username

Prints the list of Unix group IDs to which the user belongs. This works only if the user's account is maintained on a domain controller.

-a username%password

Checks to see if a user can authenticate through winbindd using the specified username and password.

-A username%password

Saves the username and password used by winbindd to the domain controller. For use when operating in a Windows 2000 domain.