smbpasswd

The smbpasswd program has several different functions, depending on whether it is run by the root user or not. When run as a normal user it allows the user to change the password used for their SMB sessions on any machines that store SMB passwords.^[1]

By default (when run with no arguments) it will attempt to change the current user's SMB password on the local machine. This is similar to the way the passwd program works. smbpasswd differs from how the passwd program works however in that it is not setuid root but works in a client-server mode and communicates with a locally running smbd. As a consequence in order for this to succeed the smbd daemon must be running on the local machine. On a UNIX machine the encrypted SMB passwords are usually stored in the smbpasswd file.^[1]

When run by an ordinary user with no options, smbpasswd will prompt them for their old SMB password and then ask them for their new password twice, to ensure that the new password was typed correctly. No passwords will be echoed on the screen whilst being typed. If you have a blank SMB password (specified by the string "NO PASSWORD" in the smbpasswd file) then just press the <Enter> key when asked for your old password.^[1]

Documentation

man 8 'smbpasswd' [EN]

Syntax

smbpasswd [PARAMETER ...] [USER]

Parameters

-a: This option specifies that the username following should be added to the local smbpasswd file, with the new password typed (type <Enter> for the old password). This option is ignored if the username following already exists in the smbpasswd file and it is treated like a regular change password command.; NOTE:
This option is only available when running smbpasswd as root.
-d: This option specifies that the username following should be disabled in the local smbpasswd file. This is done by writing a 'D' flag into the account control space in the smbpasswd file. Once this is done all attempts to authenticate via SMB using this username will fail.; NOTE:
This option is only available when running smbpasswd as root.
-e: This option specifies that the username following should be enabled in the local smbpasswd file, if the account was previously disabled. If the account was not disabled this option has no effect. Once the account is enabled then the user will be able to authenticate via SMB once again.; NOTE:
This option is only available when running smbpasswd as root.

-m: This option tells smbpasswd that the account being changed is a MACHINE account. Currently this is used when Samba is being used as an NT Primary Domain Controller.; NOTE:
This option is only available when running smbpasswd as root.
-r MACHINE: This option allows a user to specify what MACHINE they wish to change their password on. Without this parameter smbpasswd defaults to the local host. The remote machine name is the NetBIOS name of the SMB/CIFS server to contact to attempt the password change.
-U USERNAME: This option may only be used in conjunction with the -r option. When changing a password on a remote machine it allows the user to specify the USERNAME on that machine whose password will be changed. It is present to allow users who have different user names on different systems to change these passwords.
-x: This option specifies that the username following should be deleted from the local smbpasswd file.; NOTE:
This option is only available when running smbpasswd as root.

Examples

Add a new user 'alex' to the local /etc/samba/smbpasswd file

useradd 'alex'
smbpasswd -a 'alex'

Add a new machine 'oxygen' to the local /etc/samba/smbpasswd file

useradd -d '/dev/null' -s '/bin/false' 'oxygen$'
smbpasswd -a -m 'oxygen'

References

↑ ^1.0 ^1.1 ^1.2 man 8 'smbpasswd'

[man8smbpasswd-1] 1.0 ^1.1 ^1.2 man 8 'smbpasswd'

[1]