path: root/docs/textdocs/rpcclient.1.txt

!==
!== rpcclient.1.txt for Samba release TNG-prealpha 04 Apr 2000
!==

TITLE INFORMATION: rpcclient (1) 
AUTHOR INFORMATION: Samba SAMBA 
DATE INFORMATION: 23 Oct 1998 

NAME
rpcclient - utility to manage MSRPC resources on servers

SYNOPSIS

rpcclient
[password]
-S servername
[-U [username][%][password]]
[-W domain]
[-l log basename]
[-d debuglevel]
[-O socket options]
[-i scope]
[-N]
[-n NetBIOS name]
[-h]
[-I dest IP]
[-E]
[-t terminal code]
[-c command string]
[-B IP addr]
[-s smb.conf]
[-m max protocol]

DESCRIPTION

This program is part of the Samba suite.

rpcclient is a client that can 'talk' to an SMB/CIFS MSRPC server.
Operations include things like managing a SAM Database (users, groups
and aliases) in the same way as the Windows NT programs
User Manager for Domains and Server Manager for Domains;
managing a remote registry in the same way as the Windows NT programs
REGEDT32.EXE and REGEDIT.EXE; viewing a remote event log (same
as EVENTVWR.EXE) etc.

Typical usage is like this: 

rpcclient -I 192.168.32.1 -S "*SMBSERVER" -U fred%secret -l log

OPTIONS

o servername servername is the name of the server you want
to use on the server.  This should be the NetBIOS name of the SMB/CIFS
server, which can be *SMBSERVER on Windows NT 4.0 or Samba Servers.

Note that the server name required is NOT necessarily the IP (DNS)
host name of the server! The name required is a NetBIOS server name,
which may or may not be the same as the IP hostname of the machine
running the server.  Also, remember that having a period in a NetBIOS
name (such as an IP hostname) may cause connectivity problems on your
network: NT tends to strip NetBIOS names from the leading period
onwards.

The server name is looked up according to either the
-R parameter to rpcclient or using the
name resolve order
parameter in the smb.conf file, allowing an administrator to change
the order and methods by which server names are looked up.

o password password is the password required to access the
specified service on the specified server. If this parameter is
supplied, the -N option (suppress password prompt) is assumed.

There is no default password. If no password is supplied on the
command line (either by using this parameter or adding a password to
the -U option (see below)) and the -N option is not specified,
the client will prompt for a password, even if the desired service
does not require one. (If no password is required, simply press ENTER
to provide a null password.)

Note: Some servers (including OS/2 and Windows for Workgroups) insist
on an uppercase password. Lowercase or mixed case passwords may be
rejected by these servers.

Be cautious about including passwords in scripts.

o -s smb.conf This parameter specifies the pathname to the
Samba configuration file, smb.conf. This file controls all aspects of
the Samba setup on the machine and rpcclient also needs to read this
file.

o -B IP addr The IP address to use when sending a broadcast packet.

o -O socket options TCP socket options to set on the client
socket. See the socket options
parameter in the smb.conf (5) manpage for
the list of valid options.

o -R name resolve order This option allows the user of
rpcclient to determine what name resolution services to use when
looking up the NetBIOS name of the host being connected to.

The options are :"lmhosts", "host", "wins" and "bcast". They cause
names to be resolved as follows :

o  lmhosts : Lookup an IP address in the Samba lmhosts file.
The lmhosts file is stored in the same directory as the
smb.conf file.

o  host : Do a standard host name to IP address resolution,
using the system /etc/hosts, NIS, or DNS lookups. This method of name
resolution is operating system depended for instance on IRIX or
Solaris this may be controlled by the /etc/nsswitch.conf file).  

o  wins : Query a name with the IP address listed in the wins
server parameter in the smb.conf file. If 
no WINS server has been specified this method will be ignored.

o  bcast : Do a broadcast on each of the known local interfaces
listed in the interfaces parameter
in the smb.conf file. This is the least reliable of the name resolution
methods as it depends on the target host being on a locally connected
subnet. To specify a particular broadcast address the -B option 
may be used.

If this parameter is not set then the name resolve order defined
in the smb.conf file parameter 
(name resolve order)
will be used.

The default order is lmhosts, host, wins, bcast and without this
parameter or any entry in the "name resolve
order" parameter of the
smb.conf file the name resolution methods
will be attempted in this order.

o -i scope This specifies a NetBIOS scope that rpcclient will use
to communicate with when generating NetBIOS names. For details on the
use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt. NetBIOS scopes
are very rarely used, only set this parameter if you are the
system administrator in charge of all the NetBIOS systems you
communicate with.

o -N If specified, this parameter suppresses the normal
password prompt from the client to the user. This is useful when
accessing a service that does not require a password.

Unless a password is specified on the command line or this parameter
is specified, the client will request a password.

o -n NetBIOS name By default, the client will use the local
machine's hostname (in uppercase) as its NetBIOS name. This parameter
allows you to override the host name and use whatever NetBIOS name you
wish.

o -d debuglevel debuglevel is an integer from 0 to 10, or the
letter 'A'.

The default value if this parameter is not specified is zero.

The higher this value, the more detail will be logged to the log files
about the activities of the client. At level 0, only critical errors
and serious warnings will be logged. Level 1 is a reasonable level for
day to day running - it generates a small amount of information about
operations carried out.

Levels above 1 will generate considerable amounts of log data, and
should only be used when investigating a problem. Levels above 3 are
designed for use only by developers and generate HUGE amounts of log
data, most of which is extremely cryptic. If debuglevel is set to the
letter 'A', then all debug messages will be printed. This setting
is for developers only (and people who really want to know how the
code works internally).

Note that specifying this parameter here will override the log
level parameter in the smb.conf
(5) file.

o -p port This number is the TCP port number that will be used
when making connections to the server. The standard (well-known) TCP
port number for an SMB/CIFS server is 139, which is the default.

o -l logfilename If specified, logfilename specifies a base
filename into which operational data from the running client will be
logged.

The default base name is specified at compile time.

The base name is used to generate actual log file names. For example,
if the name specified was "log", the debug file would be
log.client.

The log file generated is never removed by the client.

o -h Print the usage message for the client.

o -I IP address IP address is the address of the server to
connect to. It should be specified in standard "a.b.c.d" notation.

Normally the client would attempt to locate a named SMB/CIFS server by
looking it up via the NetBIOS name resolution mechanism described
above in the name resolve order parameter
above. Using this parameter will force the client to assume that the
server is on the machine with the specified IP address and the NetBIOS
name component of the resource being connected to will be ignored.

There is no default for this parameter. If not supplied, it will be
determined automatically by the client as described above.

o -E This parameter causes the client to write messages to the
standard error stream (stderr) rather than to the standard output
stream.

By default, the client writes messages to standard output - typically
the user's tty.

Note that by default, debug information is always sent to stderr.
Debug information can instead be sent to a file, using the
-l log basename option.

o -U username This specifies the user name that will be used by
the client to make a connection, assuming your server is not a downlevel
server that is running a protocol level that uses passwords on shares,
not on usernames.

Some servers are fussy about the case of this name, and some insist
that it must be a valid NetBIOS name.

If no username is supplied, it will default to an uppercase version of
the environment variable USER or LOGNAME in that order.  If no
username is supplied and neither environment variable exists the
username "GUEST" will be used.

If the USER environment variable contains a '%' character,
everything after that will be treated as a password. This allows you
to set the environment variable to be USER=username%password so
that a password is not passed on the command line (where it may be
seen by the ps command).

If the service you are connecting to requires a password, it can be
supplied using the -U option, by appending a percent symbol ("%")
then the password to username.  For example, to attach to a service as
user "fred" with password "secret", you would specify. 

-U fred%secret 

on the command line. Note that there are no spaces around the percent
symbol.

If you specify the password as part of username then the -N option
(suppress password prompt) is assumed.

If you specify the password as a parameter AND as part of username
then the password as part of username will take precedence. Putting
nothing before or nothing after the percent symbol will cause an empty
username or an empty password to be used, respectively.

The password may also be specified by setting up an environment
variable called PASSWORD that contains the users password. Note
that this may be very insecure on some systems but on others allows
users to script rpcclient commands without having a password appear in
the command line of a process listing.

Note: Some servers (including OS/2 and Windows for Workgroups) insist
on an uppercase password. Lowercase or mixed case passwords may be
rejected by these servers.

Be cautious about including passwords in scripts or in the
PASSWORD environment variable. Also, on many systems the command
line of a running process may be seen via the ps command to be
safe always allow rpcclient to prompt for a password and type it in
directly.

o -t terminal code This option tells rpcclient how to interpret
filenames coming from the remote server. Usually Asian language
multibyte UNIX implementations use different character sets than
SMB/CIFS servers (EUC instead of SJIS for example). Setting
this parameter will let rpcclient convert between the UNIX filenames
and the SMB filenames correctly. This option has not been seriously
tested and may have some problems.

The terminal codes include sjis, euc, jis7, jis8,
junet, hex, cap. This is not a complete list, check the
Samba source code for the complete list.

o -m max protocol level With the new code in Samba2.0,
rpcclient always attempts to connect at the maximum
protocols level the server supports. This parameter is
preserved for backwards compatibility, but any string
following the -m will be ignored.

o -W Domain Override the default Domain, which is the remote server's
Domain.  This option may be needed to connect to some servers.  It is also
possible to specify the remote server name as the Domain, which will
force the username and password to be authenticated against the remote
server's local SAM instead of the Domain SAM.

o -c command string command string is a semicolon separated
list of commands to be executed instead of prompting from stdin.
-N is implied by -c.

This is particularly useful in scripts, e.g. -c 'lsaquery; enumusers -u'.

OPERATIONS

Once the client is running, the user is presented with a prompt :

smb:\>

The prompt indicates that the client is ready and waiting to carry out
a user command. Each command is a single word, optionally followed by
parameters specific to that command. Command and parameters are
space-delimited unless these notes specifically state otherwise. All
commands are case-insensitive.  Parameters to commands may or may not
be case sensitive, depending on the command.

You can specify names (e.g registry keys; user or group names;
service names) which have spaces in them by quoting the
name with double quotes, for example "dRMON SmartAgent".

Parameters shown in square brackets (e.g., "[parameter]") are
optional. If not given, the command will use suitable
defaults. Parameters shown in angle brackets (e.g., "<parameter>") are
required.

Note that all commands operating on the server are actually performed
by issuing a request to the server. Thus the behavior may vary from
server to server, depending on how the server was implemented.

The commands available are listed in groups relating to different services:

o Misccellaneous

		o ? [command] If "command" is specified,
	the ? command will display a brief informative message about the
	specified command.  If no command is specified, a list of available
	commands will be displayed.

		o ! [shell command] If "shell command"
	is specified, the !  command will execute a shell locally and run
	the specified shell command. If no command is specified, a local shell
	will be run.

	 o exit Terminate the connection with the server and
	exit from the program.

	 o help [command] See the ?
	command above.

	 o quit See the exit command.

o Event Log

		o eventlog
		list the events

o Service Control

	It is possible to use command-line completion (if you have
	the GNU readline library) for Service names, by pressing the
	tab key.

		o svcenum
		[-i] Lists Services Manager

		o svcinfo
		<service> Service Information

		o svcstart
		<service> [arg 0] [arg 1] ... Start Service

		o svcstop
		<service> Stop Service

o Scheduler

		o at
		Scheduler control (at /? for syntax)

o Registry

	It is possible to use command-line completion (if you have
	the GNU readline library) for registry key and value names,
	by pressing the tab key.

		o regenum
		<keyname> Registry Enumeration (keys, values)

		o regdeletekey
		<keyname> Registry Key Delete

		o regcreatekey
		<keyname> [keyclass] Registry Key Create

		o shutdown
		[-m message] [-t timeout] [-r or --reboot] Server Shutdown

		o regqueryval
		<valname> Registry Value Query

		o regquerykey
		<keyname> Registry Key Query

		o regdeleteval
		<valname> Registry Value Delete

		o regcreateval
		<valname> <valtype> <value> Registry Key Create

		o reggetsec
		<keyname> Registry Key Security

		o regtestsec
		<keyname> Test Registry Key Security

o Printing

	It is possible to use command-line completion (if you have
	the GNU readline library) for Printer and job names, by
	pressing the tab key.

		o spoolenum
		Enumerate Printers

		o spooljobs
		<printer name> Enumerate Printer Jobs

		o spoolopen
		<printer name> Spool Printer Open Test

o Server

		o time
		Display remote time

		o brsinfo
		Browser Query Info

		o wksinfo
		Workstation Query Info

		o srvinfo
		Server Query Info

		o srvsessions
		List sessions on a server

		o srvshares
		List shares on a server

		o srvtransports
		List transports on a server

		o srvconnections
		List connections on a server

		o srvfiles
		List files on a server

o Local Security Authority

		o lsaquery
		Query Info Policy (domain member or server)

		o lsaenumdomains
		Enumerate Trusted Domains

		o lookupsids
		Resolve names from SIDs

		o lookupnames
		Resolve SIDs from names

		o querysecret
		LSA Query Secret (developer use)

o NETLOGON

		o ntlogin
		[username] [password] NT Domain login test

		o domtrust
		<domain> NT Inter-Domain test

		o samsync
		SAM Synchronization Test (experimental)

o SAM Database

	It is possible to use command-line completion (if you have
	the GNU readline library) for user, group, alias and domain
	names, by pressing the tab key.

		o lookupdomain
		Obtain SID for a local domain

		o enumusers
		SAM User Database Query (experimental!)

		o addgroupmem
		<group rid> [user] [user] ... SAM Add Domain Group Member

		o addaliasmem
		<alias rid> [member sid1] [member sid2] ... SAM Add Domain Alias Member

		o delgroupmem
		<group rid> [user] [user] ... SAM Delete Domain Group Member

		o delaliasmem
		<alias rid> [member sid1] [member sid2] ... SAM Delete Domain Alias Member

		o creategroup
		SAM Create Domain Group

		o createalias
		SAM Create Domain Alias

		o createuser
		<username> SAM Create Domain User

		o delgroup
		SAM Delete Domain Group

		o delalias
		SAM Delete Domain Alias

		o ntpass
		NT SAM Password Change

		o samuserset2
		<username> [-s acb_bits] SAM User Set Info 2 (experimental!)

		o samuserset
		<username> [-p password] SAM User Set Info (experimental!)

		o samuser
		<username> SAM User Query (experimental!)

		o samgroup
		<groupname> SAM Group Query (experimental!)

		o samalias
		<aliasname> SAM Alias Query

		o samaliasmem
		<aliasname> SAM Alias Members

		o samgroupmem
		SAM Group Members

		o samtest
		SAM User Encrypted RPC test (experimental!)

		o enumaliases
		SAM Aliases Database Query (experimental!)

		o enumdomains
		SAM Domains Database Query (experimental!)

		o enumgroups
		SAM Group Database Query (experimental!)

		o dominfo
		SAM Query Domain Info

		o dispinfo
		SAM Query Display Info

NOTES

Some servers are fussy about the case of supplied usernames,
passwords, share names (AKA service names) and machine names. If you
fail to connect try giving all parameters in uppercase.

It is often necessary to use the -n option when connecting
to some types of servers. For example OS/2 LanManager insists on a valid
NetBIOS name being used, so you need to supply a valid name that would
be known to the server.

rpcclient only works on servers that support MSRPC over SMB.  This includes
all versions of Windows NT, including the ports to Unix such as AS/U and
AFPS.  Support for MSRPC over SMB in other servers is currently rare and
patchy, for example Samba 2.0 only supports a limited set of MSRPC commands,
and some of those are not supported very well.

ENVIRONMENT VARIABLES

The variable USER may contain the username of the person using the
client.  This information is used only if the protocol level is high
enough to support session-level passwords.

The variable PASSWORD may contain the password of the person using
the client.  This information is used only if the protocol level is
high enough to support session-level passwords.

INSTALLATION

The location of the client program is a matter for individual system
administrators. The following are thus suggestions only.

It is recommended that the rpcclient software be installed in the
/usr/local/samba/bin or /usr/samba/bin directory, this directory
readable by all, writeable only by root. The client program itself
should be executable by all. The client should NOT be setuid or
setgid!

The client log files should be put in a directory readable and
writeable only by the user.

To test the client, you will need to know the name of a running
SMB/CIFS server. It is possible to run smbd (8)
an ordinary user - running that server as a daemon on a
user-accessible port (typically any port number over 1024) would
provide a suitable test server.

DIAGNOSTICS

Most diagnostics issued by the client are logged in a specified log
file. The log file name is specified at compile time, but may be
overridden on the command line.

The number and nature of diagnostics available depends on the debug
level used by the client. If you have problems, set the debug level to
3 and peruse the log files.

VERSION

This man page is correct for version 2.0 of the Samba suite.

BUGS

o WARNING!
The MSPRC over SMB code has been developed from examining Network traces.
No documentation is available from the original creators (Microsoft) on
how MSRPC over SMB works, or how the individual MSRPC services work.
Microsoft's implementation of these services has been demonstrated (and
reported) to be... a bit flakey in places.

The development of Samba's implementation of these services is also
a bit rough, and as more of the services are understood, it can even result
in versions of smbd (8) and rpcclient that are
incompatible for some commands or services.  Additionally, the developers
are sending reports to Microsoft, and problems found by or reported to
Microsoft are fixed in Service Packs, which may also result in
incompatibilities.

It is therefore not guaranteed that the execution of an rpcclient command will
work.  It is also not guaranteed that the target server will continue to
operate, i.e the execution of an MSRPC command may cause a remote service to
fail, or even cause the remote server to fail.  Usual rules apply, of course:
the developers bear absolutely no responsibility for the use, misuse, or
lack of use of rpcclient, by any person or persons, whether legal,
illegal, accidental, deliberate, intentional, malicious, curious, etc.

o Command Completion
Command-completion (available if you have the GNU readline library) used on
certain commands may not operate correctly if the word being completed (such as a registry key) contains a space.  Typically, the name will be completed, but
you will have to go back and put quotes round it, yourself.

o SAM Database command-completion
Command-completion (available if you have the GNU readline library) of user,
group and alias names does not work on remote Domains, which would normally
be specified like this: 

DOMAIN_name\\user_name. 

The only names that can be completed in this fashion are the local names
in the SAM database of the target server.

AUTHOR

The original Samba software and related utilities were created by
Andrew Tridgell samba-bugs@samba.org. Samba is now developed
by the Samba Team as an Open Source project similar to the way the
Linux kernel is developed.

The original Samba man pages were written by Karl Auer. The man page
sources were converted to YODL format (another excellent piece of Open
Source software, available at
ftp://ftp.icce.rug.nl/pub/unix/)
and updated for the Samba2.0 release by Jeremy Allison.  This man page
was developed cut-and-paste style from the smbclient man page, by
Luke Kenneth Casson Leighton.
samba-bugs@samba.org.

See samba (7) to find out how to get a full
list of contributors and details on how to submit bug reports,
comments etc.