| blob | 911e8c522f79816eb57f6dc6db591b541d9f771b |
1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <refentry id="wbinfo.1">
5 <refmeta>
6 <refentrytitle>wbinfo</refentrytitle>
7 <manvolnum>1</manvolnum>
8 <refmiscinfo class="source">Samba</refmiscinfo>
9 <refmiscinfo class="manual">User Commands</refmiscinfo>
10 <refmiscinfo class="version">&doc.version;</refmiscinfo>
11 </refmeta>
14 <refnamediv>
15 <refname>wbinfo</refname>
16 <refpurpose>Query information from winbind daemon</refpurpose>
17 </refnamediv>
19 <refsynopsisdiv>
20 <cmdsynopsis>
21 <command>wbinfo</command>
22 <arg choice="opt">-a user%password</arg>
23 <arg choice="opt">--all-domains</arg>
24 <arg choice="opt">--allocate-gid</arg>
25 <arg choice="opt">--allocate-uid</arg>
26 <arg choice="opt">-c</arg>
27 <arg choice="opt">--ccache-save</arg>
28 <arg choice="opt">--change-user-password</arg>
29 <arg choice="opt">-D domain</arg>
30 <arg choice="opt">--dc-info domain</arg>
31 <arg choice="opt">--domain domain</arg>
32 <arg choice="opt">--dsgetdcname domain</arg>
33 <arg choice="opt">-g</arg>
34 <arg choice="opt">--getdcname domain</arg>
35 <arg choice="opt">--get-auth-user</arg>
36 <arg choice="opt">-G gid</arg>
37 <arg choice="opt">--gid-info gid</arg>
38 <arg choice="opt">--group-info group</arg>
39 <arg choice="opt">--help|-?</arg>
40 <arg choice="opt">-i user</arg>
41 <arg choice="opt">-I ip</arg>
42 <arg choice="opt">-K user%password</arg>
43 <arg choice="opt">--krb5ccname cctype</arg>
44 <arg choice="opt">--lanman</arg>
45 <arg choice="opt">--logoff</arg>
46 <arg choice="opt">--logoff-uid uid</arg>
47 <arg choice="opt">--logoff-user username</arg>
48 <arg choice="opt">--lookup-sids</arg>
49 <arg choice="opt">-m</arg>
50 <arg choice="opt">-n name</arg>
51 <arg choice="opt">-N netbios-name</arg>
52 <arg choice="opt">--ntlmv1</arg>
53 <arg choice="opt">--ntlmv2</arg>
54 <arg choice="opt">--online-status</arg>
55 <arg choice="opt">--own-domain</arg>
56 <arg choice="opt">-p</arg>
57 <arg choice="opt">-P|--ping-dc</arg>
58 <arg choice="opt">--pam-logon user%password</arg>
59 <arg choice="opt">-r user</arg>
60 <arg choice="opt">-R|--lookup-rids</arg>
61 <arg choice="opt">--remove-gid-mapping gid,sid</arg>
62 <arg choice="opt">--remove-uid-mapping uid,sid</arg>
63 <arg choice="opt">-s sid</arg>
64 <arg choice="opt">--separator</arg>
65 <arg choice="opt">--set-auth-user user%password</arg>
66 <arg choice="opt">--set-gid-mapping gid,sid</arg>
67 <arg choice="opt">--set-uid-mapping uid,sid</arg>
68 <arg choice="opt">-S sid</arg>
69 <arg choice="opt">--sid-aliases sid</arg>
70 <arg choice="opt">--sid-to-fullname sid</arg>
71 <arg choice="opt">--sids-to-unix-ids sidlist</arg>
72 <arg choice="opt">-t</arg>
73 <arg choice="opt">-u</arg>
74 <arg choice="opt">--uid-info uid</arg>
75 <arg choice="opt">--usage</arg>
76 <arg choice="opt">--user-domgroups sid</arg>
77 <arg choice="opt">--user-sidinfo sid</arg>
78 <arg choice="opt">--user-sids sid</arg>
79 <arg choice="opt">-U uid</arg>
80 <arg choice="opt">-V</arg>
81 <arg choice="opt">--verbose</arg>
82 <arg choice="opt">-Y sid</arg>
84 </cmdsynopsis>
85 </refsynopsisdiv>
87 <refsect1>
88 <title>DESCRIPTION</title>
90 <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
91 <manvolnum>7</manvolnum></citerefentry> suite.</para>
93 <para>The <command>wbinfo</command> program queries and returns information
94 created and used by the <citerefentry><refentrytitle>winbindd</refentrytitle>
95 <manvolnum>8</manvolnum></citerefentry> daemon. </para>
97 <para>The <citerefentry><refentrytitle>winbindd</refentrytitle>
98 <manvolnum>8</manvolnum></citerefentry> daemon must be configured
99 and running for the <command>wbinfo</command> program to be able
100 to return information.</para>
101 </refsect1>
103 <refsect1>
104 <title>OPTIONS</title>
106 <variablelist>
107 <varlistentry>
108 <term>-a|--authenticate <replaceable>username%password</replaceable></term>
109 <listitem><para>Attempt to authenticate a user via <citerefentry>
110 <refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
111 This checks both authentication methods and reports its results.
112 </para><note><para>Do not be tempted to use this
113 functionality for authentication in third-party
114 applications. Instead use <citerefentry><refentrytitle>ntlm_auth</refentrytitle>
115 <manvolnum>1</manvolnum></citerefentry>.</para></note></listitem>
116 </varlistentry>
118 <varlistentry>
119 <term>--allocate-gid</term>
120 <listitem><para>Get a new GID out of idmap
121 </para></listitem>
122 </varlistentry>
124 <varlistentry>
125 <term>--allocate-uid</term>
126 <listitem><para>Get a new UID out of idmap
127 </para></listitem>
128 </varlistentry>
130 <varlistentry>
131 <term>--all-domains</term>
132 <listitem><para>List all domains (trusted and
133 own domain).
134 </para></listitem>
135 </varlistentry>
137 <varlistentry>
138 <term>-c|--change-secret</term>
139 <listitem><para>Change the trust account password. May be used
140 in conjunction with <option>domain</option> in order to change
141 interdomain trust account passwords.
142 </para></listitem>
143 </varlistentry>
145 <varlistentry>
146 <term>--change-secret-at <replaceable>domain-controller</replaceable></term>
147 <listitem><para>Change the trust account password at a specific
148 domain controller. Fails if the specified domain controller
149 cannot be contacted.
150 </para></listitem>
151 </varlistentry>
153 <varlistentry>
154 <term>--ccache-save <replaceable>username%password</replaceable></term>
155 <listitem><para>Store user and password for ccache.
156 </para></listitem>
157 </varlistentry>
159 <varlistentry>
160 <term>--change-user-password <replaceable>username</replaceable></term>
161 <listitem><para>Change the password of a user. The old and new password will be prompted.
162 </para></listitem>
163 </varlistentry>
165 <varlistentry>
166 <term>--dc-info <replaceable>domain</replaceable></term>
167 <listitem><para>Displays information about the current domain controller for a domain.
168 </para></listitem>
169 </varlistentry>
171 <varlistentry>
172 <term>--domain <replaceable>name</replaceable></term>
173 <listitem><para>This parameter sets the domain on which any specified
174 operations will performed. If special domain name '.' is used to represent
175 the current domain to which <citerefentry><refentrytitle>winbindd</refentrytitle>
176 <manvolnum>8</manvolnum></citerefentry> belongs. A '*' as the domain name
177 means to enumerate over all domains (NOTE: This can take a long time and use
178 a lot of memory).
179 </para></listitem>
180 </varlistentry>
182 <varlistentry>
183 <term>-D|--domain-info <replaceable>domain</replaceable></term>
184 <listitem><para>Show most of the info we have about the
185 specified domain.
186 </para></listitem>
187 </varlistentry>
189 <varlistentry>
190 <term>--dsgetdcname <replaceable>domain</replaceable></term>
191 <listitem><para>Find a DC for a domain.
192 </para></listitem>
193 </varlistentry>
195 <varlistentry>
196 <term>--gid-info <replaceable>gid</replaceable></term>
197 <listitem><para>Get group info from gid.
198 </para></listitem>
199 </varlistentry>
201 <varlistentry>
202 <term>--group-info <replaceable>group</replaceable></term>
203 <listitem><para>Get group info from group name.
204 </para></listitem>
205 </varlistentry>
207 <varlistentry>
208 <term>-g|--domain-groups</term>
209 <listitem><para>This option will list all groups available
210 in the Windows NT domain for which the <citerefentry><refentrytitle>samba</refentrytitle>
211 <manvolnum>7</manvolnum></citerefentry> daemon is operating in. Groups in all trusted domains
212 can be listed with the --domain='*' option. Note that this operation does not assign
213 group ids to any groups that have not already been
214 seen by <citerefentry><refentrytitle>winbindd</refentrytitle>
215 <manvolnum>8</manvolnum></citerefentry>. </para></listitem>
216 </varlistentry>
218 <varlistentry>
219 <term>--get-auth-user</term>
220 <listitem><para>Print username and password used by <citerefentry>
221 <refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
222 during session setup to a domain controller. Username
223 and password can be set using <option>--set-auth-user</option>.
224 Only available for root.</para></listitem>
225 </varlistentry>
227 <varlistentry>
228 <term>--getdcname <replaceable>domain</replaceable></term>
229 <listitem><para>Get the DC name for the specified domain.
230 </para></listitem>
231 </varlistentry>
233 <varlistentry>
234 <term>-G|--gid-to-sid <replaceable>gid</replaceable></term>
235 <listitem><para>Try to convert a UNIX group id to a Windows
236 NT SID. If the gid specified does not refer to one within
237 the idmap gid range then the operation will fail. </para></listitem>
238 </varlistentry>
240 <varlistentry>
241 <term>-?</term>
242 <listitem><para>Print brief help overview.
243 </para></listitem>
244 </varlistentry>
246 <varlistentry>
247 <term>-i|--user-info <replaceable>user</replaceable></term>
248 <listitem><para>Get user info.
249 </para></listitem>
250 </varlistentry>
252 <varlistentry>
253 <term>-I|--WINS-by-ip <replaceable>ip</replaceable></term>
254 <listitem><para>The <parameter>-I</parameter> option
255 queries <citerefentry><refentrytitle>winbindd</refentrytitle>
256 <manvolnum>8</manvolnum></citerefentry> to send a node status
257 request to get the NetBIOS name associated with the IP address
258 specified by the <parameter>ip</parameter> parameter.
259 </para></listitem>
260 </varlistentry>
262 <varlistentry>
263 <term>-K|--krb5auth <replaceable>username%password</replaceable></term>
264 <listitem><para>Attempt to authenticate a user via Kerberos.
265 </para></listitem>
266 </varlistentry>
268 <varlistentry>
269 <term>--krb5ccname <replaceable>KRB5CCNAME</replaceable></term>
270 <listitem><para>Allows one to request a specific kerberos credential
271 cache type used for authentication.
272 </para></listitem>
273 </varlistentry>
275 <varlistentry>
276 <term>--lanman</term>
277 <listitem><para>Use lanman cryptography for user authentication.
278 </para></listitem>
279 </varlistentry>
281 <varlistentry>
282 <term>--logoff</term>
283 <listitem><para>Logoff a user.
284 </para></listitem>
285 </varlistentry>
287 <varlistentry>
288 <term>--logoff-uid <replaceable>UID</replaceable></term>
289 <listitem><para>Define user uid used during logoff request.
290 </para></listitem>
291 </varlistentry>
293 <varlistentry>
294 <term>--logoff-user <replaceable>USERNAME</replaceable></term>
295 <listitem><para>Define username used during logoff request.
296 </para></listitem>
297 </varlistentry>
299 <varlistentry>
300 <term>--lookup-sids <replaceable>SID1,SID2...</replaceable></term>
301 <listitem><para>Looks up SIDs. SIDs must be specified as ASCII strings in the traditional Microsoft
302 format. For example, S-1-5-21-1455342024-3071081365-2475485837-500.
303 </para></listitem>
304 </varlistentry>
306 <varlistentry>
307 <term>-m|--trusted-domains</term>
308 <listitem><para>Produce a list of domains trusted by the
309 Windows NT server <citerefentry><refentrytitle>winbindd</refentrytitle>
310 <manvolnum>8</manvolnum></citerefentry> contacts
311 when resolving names. This list does not include the Windows
312 NT domain the server is a Primary Domain Controller for.
313 </para></listitem>
314 </varlistentry>
316 <varlistentry>
317 <term>-n|--name-to-sid <replaceable>name</replaceable></term>
318 <listitem><para>The <parameter>-n</parameter> option
319 queries <citerefentry><refentrytitle>winbindd</refentrytitle>
320 <manvolnum>8</manvolnum></citerefentry> for the SID
321 associated with the name specified. Domain names can be specified
322 before the user name by using the winbind separator character.
323 For example CWDOM1/Administrator refers to the Administrator
324 user in the domain CWDOM1. If no domain is specified then the
325 domain used is the one specified in the <citerefentry><refentrytitle>smb.conf</refentrytitle>
326 <manvolnum>5</manvolnum></citerefentry> <parameter>workgroup
327 </parameter> parameter. </para></listitem>
328 </varlistentry>
330 <varlistentry>
331 <term>-N|--WINS-by-name <replaceable>name</replaceable></term>
332 <listitem><para>The <parameter>-N</parameter> option
333 queries <citerefentry><refentrytitle>winbindd</refentrytitle>
334 <manvolnum>8</manvolnum></citerefentry> to query the WINS
335 server for the IP address associated with the NetBIOS name
336 specified by the <parameter>name</parameter> parameter.
337 </para></listitem>
338 </varlistentry>
340 <varlistentry>
341 <term>--ntlmv1</term>
342 <listitem><para>Use NTLMv1 cryptography for user authentication.
343 </para></listitem>
344 </varlistentry>
346 <varlistentry>
347 <term>--ntlmv2</term>
348 <listitem><para>Use NTLMv2 cryptography for user
349 authentication. NTLMv2 is the default method, this
350 option is only maintained for compatibility.
351 </para></listitem>
352 </varlistentry>
354 <varlistentry>
355 <term>--online-status <replaceable>domain</replaceable></term>
356 <listitem><para>Display whether winbind currently maintains an
357 active connection or not. An optional domain
358 argument limits the output to the online status
359 of a given domain.
360 </para></listitem>
361 </varlistentry>
363 <varlistentry>
364 <term>--own-domain</term>
365 <listitem><para>List own domain.
366 </para></listitem>
367 </varlistentry>
369 <varlistentry>
370 <term>--pam-logon <replaceable>username%password</replaceable></term>
371 <listitem><para>Attempt to authenticate a user in the same way
372 pam_winbind would do.
373 </para></listitem>
374 </varlistentry>
376 <varlistentry>
377 <term>-p|--ping</term>
378 <listitem><para>Check whether <citerefentry><refentrytitle>winbindd</refentrytitle>
379 <manvolnum>8</manvolnum></citerefentry> is still alive.
380 Prints out either 'succeeded' or 'failed'.
381 </para></listitem>
382 </varlistentry>
384 <varlistentry>
385 <term>-P|--ping-dc</term>
386 <listitem><para>Issue a no-effect command to our DC. This
387 checks if our secure channel connection to our domain
388 controller is still alive. It has much less impact than
389 wbinfo -t.
390 </para></listitem>
391 </varlistentry>
393 <varlistentry>
394 <term>-r|--user-groups <replaceable>username</replaceable></term>
395 <listitem>
396 <para>
397 Try to obtain the list of UNIX group ids to which the
398 user belongs. This only works for users defined on a
399 Domain Controller.
400 </para>
402 <para>There are two scenaries:</para>
403 <orderedlist>
404 <listitem>
405 <para>
406 User authenticated: When the user has been
407 authenticated, the access token for the user is
408 cached. The correct group memberships are then
409 returned from the cached user token (which can
410 be outdated).
411 </para>
412 </listitem>
414 <listitem>
415 <para>
416 User *NOT* authenticated: The information is
417 queries from the domain controller using the
418 machine account credentials which have limited
419 permissions. The result is normally incomplete
420 and can be also incorrect.
421 </para></listitem>
422 </orderedlist>
423 </listitem>
424 </varlistentry>
426 <varlistentry>
427 <term>-R|--lookup-rids <replaceable>rid1, rid2, rid3...</replaceable></term>
428 <listitem><para>Converts RIDs to names. Uses a comma separated
429 list of rids.
430 </para></listitem>
431 </varlistentry>
433 <varlistentry>
434 <term>--remove-gid-mapping <replaceable>GID,SID</replaceable></term>
435 <listitem><para>Removes an existing GID to SID mapping from the database.
436 </para></listitem>
437 </varlistentry>
439 <varlistentry>
440 <term>--remove-uid-mapping <replaceable>UID,SID</replaceable></term>
441 <listitem><para>Removes an existing UID to SID mapping from the database.
442 </para></listitem>
443 </varlistentry>
445 <varlistentry>
446 <term>-s|--sid-to-name <replaceable>sid</replaceable></term>
447 <listitem><para>Use <parameter>-s</parameter> to resolve
448 a SID to a name. This is the inverse of the <parameter>-n
449 </parameter> option above. SIDs must be specified as ASCII strings
450 in the traditional Microsoft format. For example,
451 S-1-5-21-1455342024-3071081365-2475485837-500. </para></listitem>
452 </varlistentry>
454 <varlistentry>
455 <term>--separator</term>
456 <listitem><para>Get the active winbind separator.
457 </para></listitem>
458 </varlistentry>
460 <varlistentry>
461 <term>--set-auth-user <replaceable>username%password</replaceable></term>
462 <listitem><para>Store username and password used by <citerefentry>
463 <refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum>
464 </citerefentry> during session setup to a domain controller. This enables
465 winbindd to operate in a Windows 2000 domain with Restrict
466 Anonymous turned on (a.k.a. Permissions compatible with
467 Windows 2000 servers only).
468 </para></listitem>
469 </varlistentry>
471 <varlistentry>
472 <term>--set-gid-mapping <replaceable>GID,SID</replaceable></term>
473 <listitem><para>Create a GID to SID mapping in the database.
474 </para></listitem>
475 </varlistentry>
477 <varlistentry>
478 <term>--set-uid-mapping <replaceable>UID,SID</replaceable></term>
479 <listitem><para>Create a UID to SID mapping in the database.
480 </para></listitem>
481 </varlistentry>
483 <varlistentry>
484 <term>-S|--sid-to-uid <replaceable>sid</replaceable></term>
485 <listitem><para>Convert a SID to a UNIX user id. If the SID
486 does not correspond to a UNIX user mapped by <citerefentry>
487 <refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum>
488 </citerefentry> then the operation will fail. </para></listitem>
489 </varlistentry>
491 <varlistentry>
492 <term>--sid-aliases <replaceable>sid</replaceable></term>
493 <listitem><para>Get SID aliases for a given SID.
494 </para></listitem>
495 </varlistentry>
497 <varlistentry>
498 <term>--sid-to-fullname <replaceable>sid</replaceable></term>
499 <listitem><para>Converts a SID to a full username
500 (DOMAIN\username).
501 </para></listitem>
502 </varlistentry>
504 <varlistentry>
505 <term>--sids-to-unix-ids <replaceable>sid1,sid2,sid3...</replaceable></term>
506 <listitem><para>Resolve SIDs to Unix IDs.
507 SIDs must be specified as ASCII strings
508 in the traditional Microsoft format. For example,
509 S-1-5-21-1455342024-3071081365-2475485837-500. </para></listitem>
510 </varlistentry>
512 <varlistentry>
513 <term>-t|--check-secret</term>
514 <listitem><para>Verify that the workstation trust account
515 created when the Samba server is added to the Windows NT
516 domain is working. May be used in conjunction with
517 <option>domain</option> in order to verify interdomain
518 trust accounts.</para></listitem>
519 </varlistentry>
521 <varlistentry>
522 <term>-u|--domain-users</term>
523 <listitem><para>This option will list all users available
524 in the Windows NT domain for which the <citerefentry><refentrytitle>winbindd</refentrytitle>
525 <manvolnum>8</manvolnum></citerefentry> daemon is operating in. Users in all trusted domains
526 can be listed with the --domain='*' option. Note that this operation does not assign
527 user ids to any users that have not already been seen by <citerefentry>
528 <refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
529 .</para></listitem>
530 </varlistentry>
532 <varlistentry>
533 <term>--uid-info <replaceable>uid</replaceable></term>
534 <listitem><para>Get user info for the user connected to
535 user id UID.</para></listitem>
536 </varlistentry>
538 <varlistentry>
539 <term>--usage</term>
540 <listitem><para>Print brief help overview.
541 </para></listitem>
542 </varlistentry>
544 <varlistentry>
545 <term>--user-domgroups <replaceable>sid</replaceable></term>
546 <listitem><para>Get user domain groups.
547 </para></listitem>
548 </varlistentry>
550 <varlistentry>
551 <term>--user-sidinfo <replaceable>sid</replaceable></term>
552 <listitem><para>Get user info by sid.
553 </para></listitem>
554 </varlistentry>
557 <varlistentry>
558 <term>--user-sids <replaceable>sid</replaceable></term>
559 <listitem><para>Get user group SIDs for user.
560 </para></listitem>
561 </varlistentry>
563 <varlistentry>
564 <term>-U|--uid-to-sid <replaceable>uid</replaceable></term>
565 <listitem><para>Try to convert a UNIX user id to a Windows NT
566 SID. If the uid specified does not refer to one within
567 the idmap range then the operation will fail. </para></listitem>
568 </varlistentry>
570 <varlistentry>
571 <term>--verbose</term>
572 <listitem><para>
573 Print additional information about the query results.
574 </para></listitem>
575 </varlistentry>
577 <varlistentry>
578 <term>-Y|--sid-to-gid <replaceable>sid</replaceable></term>
579 <listitem><para>Convert a SID to a UNIX group id. If the SID
580 does not correspond to a UNIX group mapped by <citerefentry>
581 <refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum></citerefentry> then
582 the operation will fail. </para></listitem>
583 </varlistentry>
585 &cmdline.version;
586 &popt.autohelp;
588 </variablelist>
589 </refsect1>
592 <refsect1>
593 <title>EXIT STATUS</title>
595 <para>The wbinfo program returns 0 if the operation
596 succeeded, or 1 if the operation failed. If the <citerefentry>
597 <refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum>
598 </citerefentry> daemon is not working <command>wbinfo</command> will always return
599 failure. </para>
600 </refsect1>
603 <refsect1>
604 <title>VERSION</title>
606 <para>This man page is part of version &doc.version; of
607 the Samba suite.</para>
608 </refsect1>
610 <refsect1>
611 <title>SEE ALSO</title>
612 <para><citerefentry><refentrytitle>winbindd</refentrytitle>
613 <manvolnum>8</manvolnum></citerefentry> and <citerefentry><refentrytitle>ntlm_auth</refentrytitle>
614 <manvolnum>1</manvolnum></citerefentry></para>
615 </refsect1>
617 <refsect1>
618 <title>AUTHOR</title>
620 <para>The original Samba software and related utilities
621 were created by Andrew Tridgell. Samba is now developed
622 by the Samba Team as an Open Source project similar
623 to the way the Linux kernel is developed.</para>
625 <para><command>wbinfo</command> and <command>winbindd</command>
626 were written by Tim Potter.</para>
628 <para>The conversion to DocBook for Samba 2.2 was done
629 by Gerald Carter. The conversion to DocBook XML 4.2 for Samba
630 3.0 was done by Alexander Bokovoy.</para>
631 </refsect1>
633 </refentry>