rpcclient (8)

Samba-TNG

4 Sep 2005

NAME

rpcclient - developer's tool

SYNOPSIS

rpcclient [-d debuglevel] [-S <server>] [-p portnumber] [-n <netbiosname>] [-N] [-U <username>] [-W <domain>] [-A <filename>] [-c 'command string'] [-i <scope>] [-O <socketoptions>] [-s smb.conf] [-l <logbasename>] [-E] [-m maxprotocol] [-h]

DESCRIPTION

rpcclient is a utility for developers that combines the commands found in regedit, samedit and others. To find out more about the commands found in rpcclient, refer to the samedit(8), regedit(1) and other manual pages. Together, these commands perform the tasks seen in the Windows NT Server Tools.

OPTIONS

-d debuglevel
Sets the debuglevel to an integer between 0 and 100. Debug level 0 is the lowest and 100 is the highest. To submit a bug report to the Samba-TNG Team, use debug level 100 (see BUGS.txt).

-S <server>
NetBIOS name of server to connect to (\\. or . for localhost). The server can be any SMB/CIFS server. The name is resolved using the "name resolve order =" line.

-p portnumber
Connects to the specified TCP port.

-n <netbiosname>
NetBIOS name of the local machine. This option is only needed if your Samba-TNG client cannot find it automatically. Samba-TNG should use the uppercase of the machine's hostname.

-N
Tells rpcclient not to ask for a password. rpcclient will prompt the user by default.

-U <username>[%pass]
Sets the SMB username or username and password. If %pass is not specified, the user will be prompted. The client will first check the USER environment variable, then the LOGNAME variable, and if either exists, the string is uppercased. Anything in these variables following a % sign will be treated as the password. If these environment variables are not found, the username GUEST is used.

-W <domain>
Sets the SMB domain. Note that this is very different from the DNS domain name. This overrides the default domain which is the domain of the server specified with the -S option. If the domain specified is the same as the server's NetBIOS name, it causes the client to log on using the server's local SAM (as opposed to the Domain SAM).

-A <filename>
Sets the name of the file with authentication credentials.

-c 'command string'
Execute semicolon separated commands (listed below).

-i <scope>
Defines the NetBIOS scope. For more information on NetBIOS scopes, see RFC 1001 and RFC 1002. NetBIOS scopes are rarely used.

-O <socketoptions>
These socket options are the same as in smb.conf (under the "socket options =" section).

-s smb.conf
Specifies the location of the smb.conf file.

-l <logbasename>
File name for log/debug files. .client will be appended. The log file is never removed by the client.

-E
Causes rpcclient to write messages to stderr instead of stdout.

-m maxprotocol
Is ignored in Samba-TNG. It is included only for backwards compatibility.

-h
Prints the help information (usage) for rpcclient.

COMMANDS

SAMEDIT Commands

ntlogin, domlist, enumdomains, dominfo, lookupnames, samquerysec, ntpass, creategroup, delgroup, enumgroups, samgroup, addgroupmem, delgroupmem, samgroupmem, createuser, deluser, enumusers, samuser, samuserset, samuserset2, createalias, delalias, enumaliases, samalias, addaliasmem, delaliasmem, samaliasmem, enumprivs, lsaenumsids

samedit comes with some commands for developers which might be useful to advanced users too. Use 'help devel' inside rpcclient to see the currently available subcommands and be prepared for incompatible changes.
devel trustinfo, devel domtrust, devel samsync, devel lookupdomain, devel lookuprids, devel samlookupnames, devel dispinfo, devel samtest, devel unjoin

ntlogin [DOMAIN\]<username> [<password>] [-d <trust-domain>] [-p <trust-pw>] [-i]
Tests whether username can do an interactive login. If username's password is not specified on the command line, it will be asked for.
-d <trust-domain> the domain of the workstation that tries the nt style login.
-p <trust-pw> the plaintext trust-password for this login test. It will be queried from the local machine, if you don't give it.
-i will try an inter-domain login instead of a workstation member login.

domlist
Lists trusted domains.

enumdomains
Lists the domains in the SAM.

dominfo
Domain info query.

lookupnames <domainname> [<domainname> ...]
Returns the SID string for the specified domainname/s.

samquerysec <username>
Queries SAM security object for the specified username.

ntpass [<username>]
Lets users change their password.

creategroup <group> [<description>]
Creates a domainwide (global) group in the domain.

delgroup <group>
Removes a group from the domain.

enumgroups
SAM group query which shows all groups in the current domain.

samgroup <group>
Does a SAM query on a group account.

addgroupmem <group> [<member1>] [<member2>] ...
Adds a user to the group specified by group.

delgroupmem <grouprid> [<memberrid1>] [<memberrid2>] ...
Removes members from the group specified by grouprid.

samgroupmem <group>
Does a SAM query on group members.

createuser <username> [-i] [-s] [-p <password>]
Creates an account in the NT domain. To create a machine trust account, append a '$' sign.
-i Inter-Domain trust
-s Server Trust (BDC)
-p <password> Password to assign to the account

deluser <username>
Removes an account from the domain.

enumusers
SAM database query command that shows all users in the current domain.

samuser <username> [-a | -u | -g]
Does a query on a username in the SAM database. The option that follows the username can be used to show user aliases -a, user account details -u (default) or user groups -g.

samuserset <username> [-p <password> [-F <fullname>] [-H <homedir>] [-D <homedrive>] [-P <profilepath>] [-L <loginscript>]]
Where username is the account name (append a '$' sign for a machine account).
-p <password> Change password to 'password'
-F <fullname> Change full name to 'fullname'
-H <homedir> Change home directory to 'homedir'
-D <homedrive> Change home directory drive to 'homedrive'
-P <profilepath> Set profile path to 'profilepath'
-L <loginscript> Set login script to 'loginscript'

samuserset2 <username> [-p <password>] [-s acb_bits] [-c acb_bits] [-H LM#:NT#]
Where username is the account name (append a '$' sign for a machine account). The values for acb_bits can be determined by adding wanted values from the following:

	N  User password not required
	D  User account disabled
	H  Home directory required
	T  Temporary duplicate account
	U  Normal user account
	M  MNS logon user account
	W  Workstation trust account
	S  Server trust account
	L  Account locked
	X  User password does not expire
	I  Interdomain trust account
	P  Password is locked and cannot be
	   changed remotely

-p <password> change password to 'password'
-s acb_bits set ACB bits
-c acb_bits clear ACB bits
-H LM#:NT# set the LM- and NT-hash directly. Use with caution!

Example:
samedit -S . -U root -c 'samuserset2 test_user -c D'

Hints:

  1. samuserset2 without any option prints out all implemented acb_bits.
  2. Example to read out the acb_bits from ldap:
    ldapsearch -D 'cn=root,dc=samba-tng,dc=org' 'ntuid=Administrator' acctFlags -W
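
Added example (not part of the original manual page or the Samba-TNG sources): a shell function that reads LDIF from an ldapsearch like the one in hint 2 and reports accounts whose acb_bits deserve review. It assumes the search also returns ntuid and that acctFlags is stored as a bracketed letter string such as "[UX         ]"; the sample entries are constructed.

```shell
#!/bin/sh
# Added example; not from the Samba-TNG distribution.
# Assumptions: each LDIF entry carries "ntuid" and "acctFlags" lines, and
# acctFlags is a bracketed string of acb_bits letters, e.g. "[UX         ]".

# audit_acb: read LDIF on stdin, print "<account><TAB><finding>" lines.
audit_acb() {
    awk '
    function report(   f, trust) {
        if (uid == "" || flags == "") return
        f = flags
        gsub(/[^A-Z]/, "", f)                 # keep only the flag letters
        trust = (f ~ /[WSI]/)                 # workstation/server/interdomain
        if (f ~ /N/)
            print uid "\tpassword not required"
        if (f ~ /X/ && !trust && f !~ /D/)    # skip disabled and trust accounts
            print uid "\tpassword never expires"
        if (trust && uid !~ /\$$/)            # trust accounts end in "$"
            print uid "\ttrust account name lacks trailing $"
    }
    /^ntuid: /     { uid = substr($0, 8) }
    /^acctFlags: / { flags = substr($0, 12) }
    /^$/           { report(); uid = ""; flags = "" }
    END            { report() }
    '
}

# Constructed sample data (not real accounts).
sample_ldif() {
    cat <<'EOF'
dn: ntuid=Administrator,dc=example,dc=org
ntuid: Administrator
acctFlags: [UX         ]

dn: ntuid=svc_backup,dc=example,dc=org
ntuid: svc_backup
acctFlags: [UN         ]

dn: ntuid=WKS01$,dc=example,dc=org
ntuid: WKS01$
acctFlags: [W          ]

dn: ntuid=oldpc,dc=example,dc=org
ntuid: oldpc
acctFlags: [W          ]

dn: ntuid=jdoe,dc=example,dc=org
ntuid: jdoe
acctFlags: [UDX        ]
EOF
}

sample_ldif | audit_acb
```

Accounts reported with "password not required" can then be corrected with samuserset2 <username> -c N.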

createalias <aliasname> [<description>]
Creates a domain alias.

delalias <aliasname>
Removes an alias from the domain.

enumaliases
SAM alias query which shows all aliases in the SAM.

samalias <aliasname>
Does a SAM query on an alias account.

addaliasmem <aliasname> [<member1>] [<member2>] ...
Adds a Domain Alias member.

delaliasmem <aliasrid> [<membersid1>] [<membersid2>] ...
Removes a Domain Alias member.

samaliasmem [DOMAIN\]<aliasname>
Does a SAM query on alias members.

enumprivs [-i]
Lists the short (internal) names of all the privileges/rights known by the current server. With the -i, it will also show the long textual representation (currently in German).

lsaenumsids
Shows the SIDs that have privileges assigned to them.

SAMEDIT Commands for Developers

devel trustinfo <domainsid>
Show LSA info about trusts (experimental).

devel domtrust <domainname>
NT Inter-Domain test.

devel samsync
SAM synchronization test (experimental).

devel lookupdomain <domainname>
Returns the SID string for the specified domainname.

devel samlookuprids [-d <domainname>] <rid> [<rid> ...]
Returns a value associated with a specified RID in the specified NT domain.

devel samlookupnames [-d <domainname>] <name> [<name> ...]
Returns a RID associated with the specified name(s) in the specified NT domain.

devel dispinfo
SAM query display info.

devel samtest
Encrypted RPC-based SAM test (experimental).

devel unjoin
Let the workstation leave its domain (experimental).

REGEDIT Commands

registry key enum, registry key query, registry key create, registry key delete, registry key getsec, registry key testsec, registry value query, registry value create, registry value delete, registry dump, shutdown, abortshutdown

registry key enum <keyname>
Registry key enumeration.

registry key query <keyname>
Registry Key Query.

registry key create <keyname> [<keyclass>]
Creates the specified registry key.

registry key delete <keyname>
Deletes the specified registry key.

registry key getsec <keyname>
Gets registry key security.

registry key testsec <keyname>
Tests registry key security.

registry value query <valname>
Registry Value Query.

registry value create <valname> <valtype> <val>
Creates a registry value where <valtype> is one of:
REG_NONE no data
REG_SZ a string, which will be converted to unicode
REG_EXPAND_SZ like REG_SZ, but apps will interpolate %VARIABLE% strings
REG_BINARY arbitrary binary data; input as hexadecimal, with leading 0s
REG_DWORD a 32-bit integer
REG_SZ_MULTI a list of strings, converted to unicode
REG_FULL_RESOURCE_DESCRIPTOR treated like REG_BINARY
REG_RESOURCE_REQUIREMENTS_LIST treated like REG_BINARY

registry value delete <valname>
Deletes the registry value specified by valname.

registry dump [-o <file>] <keyname>
Dumps registry key and its children to the screen or the specified output file.

shutdown [-m message] [-t timeout] [-r or --reboot] [-f or --force-close]
Forces a remote shutdown or reboot (if the -r option is set) of an NT machine.

abortshutdown
Aborts ongoing shutdown initiated by the shutdown command.

Other RPC Commands

srvtransports

srvtransports
Lists the NetBIOS transports configured on the server. This shows, among other things, the server's 48-bit MAC (Ethernet) addresses: look in the "address name" field of each transport. You can use ARP to get this information, but that only works within a broadcast domain.

In the case of multiple network interfaces, you can correlate a NetBIOS transport with a specific IP number if the server is NT 5 (Win2k/XP): The "transport name" field in the srvtransports output will end with a GUID - for example, {3A1AC65C-F1D4-4ADD-B288-082DF3118F95}. Use registry key enum to retrieve the list of values in HKLM\System\CurrentControlSet\Services\{3A1AC65C-F1D4-4ADD-B288-082DF3118F95}\Parameters\Tcpip, which will include IPAddress and DhcpIPAddress. (Unlike the srvtransports call, registry key enum cannot be made anonymously.)

Controlling rpcclient

set, use, help, quit

set [OPTIONS...]
Runs rpcclient within itself (thus allowing command line options to be changed).

use [\\server] [-U <username>%pass] [-W <domain>] [-d] [-f]
or

use -u
Equivalent of the net use command in Windows NT. Can be used to connect to remote services.

help, ?
Shows all commands or help on a specific command.

quit, exit, bye
Exits the utility.

SEE ALSO

regedit(1), samba(7), samedit(8)

AUTHOR

The original Samba software and related utilities were created by Andrew Tridgell.

Samba-TNG is now developed by the Samba-TNG Team as an independent Open Source project. Take a look at the Samba-TNG Forum for more information.

This manual page was originally written by Luke Kenneth Casson Leighton and was adapted in 2000 by Matthew Geddes.

In 2005 the man page was adapted to the current version of the Samba-TNG project.