'\" t .\" Title: wbinfo .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 08/09/2022 .\" Manual: User Commands .\" Source: Samba 4.16.4 .\" Language: English .\" .TH "WBINFO" "1" "08/09/2022" "Samba 4\&.16\&.4" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" wbinfo \- Query information from winbind daemon .SH "SYNOPSIS" .HP \w'\ 'u wbinfo [\-a\ user%password] [\-\-all\-domains] [\-\-allocate\-gid] [\-\-allocate\-uid] [\-c] [\-\-ccache\-save] [\-\-change\-user\-password] [\-D\ domain] [\-\-dc\-info\ domain] [\-\-domain\ domain] [\-\-dsgetdcname\ domain] [\-g] [\-\-getdcname\ domain] [\-\-get\-auth\-user] [\-G\ gid] [\-\-gid\-info\ gid] [\-\-group\-info\ group] [\-\-help|\-?] [\-i\ user] [\-I\ ip] [\-K\ user%password] [\-\-krb5ccname\ cctype] [\-\-lanman] [\-\-logoff] [\-\-logoff\-uid\ uid] [\-\-logoff\-user\ username] [\-\-lookup\-sids] [\-m] [\-n\ name] [\-N\ netbios\-name] [\-\-ntlmv1] [\-\-ntlmv2] [\-\-online\-status] [\-\-own\-domain] [\-p] [\-P|\-\-ping\-dc] [\-\-pam\-logon\ user%password] [\-r\ user] [\-R|\-\-lookup\-rids] [\-\-remove\-gid\-mapping\ gid,sid] [\-\-remove\-uid\-mapping\ uid,sid] [\-s\ sid] [\-\-separator] [\-\-sequence] [\-\-set\-auth\-user\ user%password] [\-\-set\-gid\-mapping\ gid,sid] [\-\-set\-uid\-mapping\ uid,sid] [\-S\ sid] [\-\-sid\-aliases\ sid] [\-\-sid\-to\-fullname\ sid] [\-\-sids\-to\-unix\-ids\ sidlist] [\-t] [\-u] [\-\-uid\-info\ uid] [\-\-usage] [\-\-user\-domgroups\ sid] [\-\-user\-sidinfo\ sid] [\-\-user\-sids\ sid] [\-U\ uid] [\-V] [\-\-verbose] [\-Y\ sid] .SH "DESCRIPTION" .PP This tool is part of the \fBsamba\fR(7) suite\&. .PP The wbinfo program queries and returns information created and used by the \fBwinbindd\fR(8) daemon\&. .PP The \fBwinbindd\fR(8) daemon must be configured and running for the wbinfo program to be able to return information\&. .SH "OPTIONS" .PP \-a|\-\-authenticate \fIusername%password\fR .RS 4 Attempt to authenticate a user via \fBwinbindd\fR(8)\&. This checks both authentication methods and reports its results\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br Do not be tempted to use this functionality for authentication in third\-party applications\&. Instead use \fBntlm_auth\fR(1)\&. .sp .5v .RE .RE .PP \-\-allocate\-gid .RS 4 Get a new GID out of idmap .RE .PP \-\-allocate\-uid .RS 4 Get a new UID out of idmap .RE .PP \-\-all\-domains .RS 4 List all domains (trusted and own domain)\&. .RE .PP \-c|\-\-change\-secret .RS 4 Change the trust account password\&. May be used in conjunction with \fBdomain\fR in order to change interdomain trust account passwords\&. .RE .PP \-\-ccache\-save \fIusername%password\fR .RS 4 Store user and password for ccache\&. .RE .PP \-\-change\-user\-password \fIusername\fR .RS 4 Change the password of a user\&. The old and new password will be prompted\&. .RE .PP \-\-dc\-info \fIdomain\fR .RS 4 Displays information about the current domain controller for a domain\&. .RE .PP \-\-domain \fIname\fR .RS 4 This parameter sets the domain on which any specified operations will performed\&. If special domain name \*(Aq\&.\*(Aq is used to represent the current domain to which \fBwinbindd\fR(8) belongs\&. A \*(Aq*\*(Aq as the domain name means to enumerate over all domains (NOTE: This can take a long time and use a lot of memory)\&. .RE .PP \-D|\-\-domain\-info \fIdomain\fR .RS 4 Show most of the info we have about the specified domain\&. .RE .PP \-\-dsgetdcname \fIdomain\fR .RS 4 Find a DC for a domain\&. .RE .PP \-\-gid\-info \fIgid\fR .RS 4 Get group info from gid\&. .RE .PP \-\-group\-info \fIgroup\fR .RS 4 Get group info from group name\&. .RE .PP \-g|\-\-domain\-groups .RS 4 This option will list all groups available in the Windows NT domain for which the \fBsamba\fR(7) daemon is operating in\&. Groups in all trusted domains can be listed with the \-\-domain=\*(Aq*\*(Aq option\&. Note that this operation does not assign group ids to any groups that have not already been seen by \fBwinbindd\fR(8)\&. .RE .PP \-\-get\-auth\-user .RS 4 Print username and password used by \fBwinbindd\fR(8) during session setup to a domain controller\&. Username and password can be set using \fB\-\-set\-auth\-user\fR\&. Only available for root\&. .RE .PP \-\-getdcname \fIdomain\fR .RS 4 Get the DC name for the specified domain\&. .RE .PP \-G|\-\-gid\-to\-sid \fIgid\fR .RS 4 Try to convert a UNIX group id to a Windows NT SID\&. If the gid specified does not refer to one within the idmap gid range then the operation will fail\&. .RE .PP \-? .RS 4 Print brief help overview\&. .RE .PP \-i|\-\-user\-info \fIuser\fR .RS 4 Get user info\&. .RE .PP \-I|\-\-WINS\-by\-ip \fIip\fR .RS 4 The \fI\-I\fR option queries \fBwinbindd\fR(8) to send a node status request to get the NetBIOS name associated with the IP address specified by the \fIip\fR parameter\&. .RE .PP \-K|\-\-krb5auth \fIusername%password\fR .RS 4 Attempt to authenticate a user via Kerberos\&. .RE .PP \-\-krb5ccname \fIKRB5CCNAME\fR .RS 4 Allows one to request a specific kerberos credential cache type used for authentication\&. .RE .PP \-\-lanman .RS 4 Use lanman cryptography for user authentication\&. .RE .PP \-\-logoff .RS 4 Logoff a user\&. .RE .PP \-\-logoff\-uid \fIUID\fR .RS 4 Define user uid used during logoff request\&. .RE .PP \-\-logoff\-user \fIUSERNAME\fR .RS 4 Define username used during logoff request\&. .RE .PP \-\-lookup\-sids \fISID1,SID2\&.\&.\&.\fR .RS 4 Looks up SIDs\&. SIDs must be specified as ASCII strings in the traditional Microsoft format\&. For example, S\-1\-5\-21\-1455342024\-3071081365\-2475485837\-500\&. .RE .PP \-m|\-\-trusted\-domains .RS 4 Produce a list of domains trusted by the Windows NT server \fBwinbindd\fR(8) contacts when resolving names\&. This list does not include the Windows NT domain the server is a Primary Domain Controller for\&. .RE .PP \-n|\-\-name\-to\-sid \fIname\fR .RS 4 The \fI\-n\fR option queries \fBwinbindd\fR(8) for the SID associated with the name specified\&. Domain names can be specified before the user name by using the winbind separator character\&. For example CWDOM1/Administrator refers to the Administrator user in the domain CWDOM1\&. If no domain is specified then the domain used is the one specified in the \fBsmb.conf\fR(5) \fIworkgroup \fR parameter\&. .RE .PP \-N|\-\-WINS\-by\-name \fIname\fR .RS 4 The \fI\-N\fR option queries \fBwinbindd\fR(8) to query the WINS server for the IP address associated with the NetBIOS name specified by the \fIname\fR parameter\&. .RE .PP \-\-ntlmv1 .RS 4 Use NTLMv1 cryptography for user authentication\&. .RE .PP \-\-ntlmv2 .RS 4 Use NTLMv2 cryptography for user authentication\&. NTLMv2 is the default method, this option is only maintained for compatibility\&. .RE .PP \-\-online\-status \fIdomain\fR .RS 4 Display whether winbind currently maintains an active connection or not\&. An optional domain argument limits the output to the online status of a given domain\&. .RE .PP \-\-own\-domain .RS 4 List own domain\&. .RE .PP \-\-pam\-logon \fIusername%password\fR .RS 4 Attempt to authenticate a user in the same way pam_winbind would do\&. .RE .PP \-p|\-\-ping .RS 4 Check whether \fBwinbindd\fR(8) is still alive\&. Prints out either \*(Aqsucceeded\*(Aq or \*(Aqfailed\*(Aq\&. .RE .PP \-P|\-\-ping\-dc .RS 4 Issue a no\-effect command to our DC\&. This checks if our secure channel connection to our domain controller is still alive\&. It has much less impact than wbinfo \-t\&. .RE .PP \-r|\-\-user\-groups \fIusername\fR .RS 4 Try to obtain the list of UNIX group ids to which the user belongs\&. This only works for users defined on a Domain Controller\&. .sp There are two scenaries: .RS .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} User authenticated: When the user has been authenticated, the access token for the user is cached\&. The correct group memberships are then returned from the cached user token (which can be outdated)\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} User *NOT* authenticated: The information is queries from the domain controller using the machine account credentials which have limited permissions\&. The result is normally incomplete and can be also incorrect\&. .RE .sp .RE .RE .PP \-R|\-\-lookup\-rids \fIrid1, rid2, rid3\&.\&.\&.\fR .RS 4 Converts RIDs to names\&. Uses a comma separated list of rids\&. .RE .PP \-\-remove\-gid\-mapping \fIGID,SID\fR .RS 4 Removes an existing GID to SID mapping from the database\&. .RE .PP \-\-remove\-uid\-mapping \fIUID,SID\fR .RS 4 Removes an existing UID to SID mapping from the database\&. .RE .PP \-s|\-\-sid\-to\-name \fIsid\fR .RS 4 Use \fI\-s\fR to resolve a SID to a name\&. This is the inverse of the \fI\-n \fR option above\&. SIDs must be specified as ASCII strings in the traditional Microsoft format\&. For example, S\-1\-5\-21\-1455342024\-3071081365\-2475485837\-500\&. .RE .PP \-\-separator .RS 4 Get the active winbind separator\&. .RE .PP \-\-sequence .RS 4 This command has been deprecated\&. Please use the \-\-online\-status option instead\&. .RE .PP \-\-set\-auth\-user \fIusername%password\fR .RS 4 Store username and password used by \fBwinbindd\fR(8) during session setup to a domain controller\&. This enables winbindd to operate in a Windows 2000 domain with Restrict Anonymous turned on (a\&.k\&.a\&. Permissions compatible with Windows 2000 servers only)\&. .RE .PP \-\-set\-gid\-mapping \fIGID,SID\fR .RS 4 Create a GID to SID mapping in the database\&. .RE .PP \-\-set\-uid\-mapping \fIUID,SID\fR .RS 4 Create a UID to SID mapping in the database\&. .RE .PP \-S|\-\-sid\-to\-uid \fIsid\fR .RS 4 Convert a SID to a UNIX user id\&. If the SID does not correspond to a UNIX user mapped by \fBwinbindd\fR(8) then the operation will fail\&. .RE .PP \-\-sid\-aliases \fIsid\fR .RS 4 Get SID aliases for a given SID\&. .RE .PP \-\-sid\-to\-fullname \fIsid\fR .RS 4 Converts a SID to a full username (DOMAIN\eusername)\&. .RE .PP \-\-sids\-to\-unix\-ids \fIsid1,sid2,sid3\&.\&.\&.\fR .RS 4 Resolve SIDs to Unix IDs\&. SIDs must be specified as ASCII strings in the traditional Microsoft format\&. For example, S\-1\-5\-21\-1455342024\-3071081365\-2475485837\-500\&. .RE .PP \-t|\-\-check\-secret .RS 4 Verify that the workstation trust account created when the Samba server is added to the Windows NT domain is working\&. May be used in conjunction with \fBdomain\fR in order to verify interdomain trust accounts\&. .RE .PP \-u|\-\-domain\-users .RS 4 This option will list all users available in the Windows NT domain for which the \fBwinbindd\fR(8) daemon is operating in\&. Users in all trusted domains can be listed with the \-\-domain=\*(Aq*\*(Aq option\&. Note that this operation does not assign user ids to any users that have not already been seen by \fBwinbindd\fR(8) \&. .RE .PP \-\-uid\-info \fIuid\fR .RS 4 Get user info for the user connected to user id UID\&. .RE .PP \-\-usage .RS 4 Print brief help overview\&. .RE .PP \-\-user\-domgroups \fIsid\fR .RS 4 Get user domain groups\&. .RE .PP \-\-user\-sidinfo \fIsid\fR .RS 4 Get user info by sid\&. .RE .PP \-\-user\-sids \fIsid\fR .RS 4 Get user group SIDs for user\&. .RE .PP \-U|\-\-uid\-to\-sid \fIuid\fR .RS 4 Try to convert a UNIX user id to a Windows NT SID\&. If the uid specified does not refer to one within the idmap range then the operation will fail\&. .RE .PP \-\-verbose .RS 4 Print additional information about the query results\&. .RE .PP \-Y|\-\-sid\-to\-gid \fIsid\fR .RS 4 Convert a SID to a UNIX group id\&. If the SID does not correspond to a UNIX group mapped by \fBwinbindd\fR(8) then the operation will fail\&. .RE .PP \-V|\-\-version .RS 4 Prints the program version number\&. .RE .PP \-?|\-\-help .RS 4 Print a summary of command line options\&. .RE .PP \-\-usage .RS 4 Display brief usage message\&. .RE .SH "EXIT STATUS" .PP The wbinfo program returns 0 if the operation succeeded, or 1 if the operation failed\&. If the \fBwinbindd\fR(8) daemon is not working wbinfo will always return failure\&. .SH "VERSION" .PP This man page is part of version 4\&.16\&.4 of the Samba suite\&. .SH "SEE ALSO" .PP \fBwinbindd\fR(8) and \fBntlm_auth\fR(1) .SH "AUTHOR" .PP The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&. .PP wbinfo and winbindd were written by Tim Potter\&. .PP The conversion to DocBook for Samba 2\&.2 was done by Gerald Carter\&. The conversion to DocBook XML 4\&.2 for Samba 3\&.0 was done by Alexander Bokovoy\&.