RPCCLIENT(1) | User Commands | RPCCLIENT(1) |
rpcclient - tool for executing client side MS-RPC functions
rpcclient [-c|--command=COMMANDS] [-I|--dest-ip=IP] [-p|--port=PORT] [-?|--help] [--usage] [-d|--debuglevel=DEBUGLEVEL] [--debug-stdout] [--configfile=CONFIGFILE] [--option=name=value] [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full] [-R|--name-resolve=NAME-RESOLVE-ORDER] [-O|--socket-options=SOCKETOPTIONS] [-m|--max-protocol=MAXPROTOCOL] [-n|--netbiosname=NETBIOSNAME] [--netbios-scope=SCOPE] [-W|--workgroup=WORKGROUP] [--realm=REALM] [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]] [-N|--no-pass] [--password=STRING] [--pw-nt-hash] [-A|--authentication-file=FILE] [-P|--machine-pass] [--simple-bind-dn=DN] [--use-kerberos=desired|required|off] [--use-krb5-ccache=CCACHE] [--use-winbind-ccache] [--client-protection=sign|encrypt|off] [-V|--version] {BINDING-STRING|HOST}
This tool is part of the samba(7) suite.
rpcclient is a utility initially developed to test MS-RPC functionality in Samba itself. It has undergone several stages of development and stability. Many system administrators have now written scripts around it to manage Windows NT clients from their UNIX workstation.
BINDING-STRING|HOST
The format is:
TRANSPORT:host[options]
where TRANSPORT is either ncacn_np (named pipes) for SMB or ncacn_ip_tcp for DCERPC over TCP/IP.
"host" is an IP or hostname or netbios name. If the binding string identifies the server side of an endpoint, "host" may be an empty string. See below for more details.
"options" can include a SMB pipe name if using the ncacn_np transport or a TCP port number if using the ncacn_ip_tcp transport, otherwise they will be auto-determined.
Examples:
-c|--command=<command string>
-I|--dest-ip IP-address
Normally the client would attempt to locate a named SMB/CIFS server by looking it up via the NetBIOS name resolution mechanism described above in the name resolve order parameter above. Using this parameter will force the client to assume that the server is on the machine with the specified IP address and the NetBIOS name component of the resource being connected to will be ignored.
There is no default for this parameter. If not supplied, it will be determined automatically by the client as described above.
-p|--port port
-?|--help
--usage
-d|--debuglevel=DEBUGLEVEL
The higher this value, the more detail will be logged to the log files about the activities of the server. At level 0, only critical errors and serious warnings will be logged. Level 1 is a reasonable level for day-to-day running - it generates a small amount of information about operations carried out.
Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.
Note that specifying this parameter here will override the log level parameter in the /etc/samba/smb.conf file.
--debug-stdout
--configfile=<configuration file>
--option=<name>=<value>
-l|--log-basename=logdirectory
--leak-report
--leak-report-full
-V|--version
-R|--name-resolve=NAME-RESOLVE-ORDER
The options are: "lmhosts", "host", "wins" and "bcast". They cause names to be resolved as follows:
The default order is lmhosts, host, wins, bcast. Without this parameter or any entry in the name resolve order parameter of the /etc/samba/smb.conf file, the name resolution methods will be attempted in this order.
-O|--socket-options=SOCKETOPTIONS
-m|--max-protocol=MAXPROTOCOL
Note that specifying this parameter here will override the client max protocol parameter in the /etc/samba/smb.conf file.
-n|--netbiosname=NETBIOSNAME
--netbios-scope=SCOPE
-W|--workgroup=WORKGROUP
Note that specifying this parameter here will override the workgroup parameter in the /etc/samba/smb.conf file.
-r|--realm=REALM
Note that specifying this parameter here will override the realm parameter in the /etc/samba/smb.conf file.
-U|--user=[DOMAIN\]USERNAME[%PASSWORD]
If %PASSWORD is not specified, the user will be prompted. The client will first check the USER environment variable (which is also permitted to also contain the password separated by a %), then the LOGNAME variable (which is not permitted to contain a password) and if either exists, the value is used. If these environmental variables are not found, the username found in a Kerberos Credentials cache may be used.
A third option is to use a credentials file which contains the plaintext of the username and password. This option is mainly provided for scripts where the admin does not wish to pass the credentials on the command line or via environment variables. If this method is used, make certain that the permissions on the file restrict access from unwanted users. See the -A for more details.
Be cautious about including passwords in scripts or passing user-supplied values onto the command line. For security it is better to let the Samba client tool ask for the password if needed, or obtain the password once with kinit.
While Samba will attempt to scrub the password from the process title (as seen in ps), this is after startup and so is subject to a race.
-N|--no-pass
Unless a password is specified on the command line or this parameter is specified, the client will request a password.
If a password is specified on the command line and this option is also defined the password on the command line will be silently ignored and no password will be used.
--password
Be cautious about including passwords in scripts or passing user-supplied values onto the command line. For security it is better to let the Samba client tool ask for the password if needed, or obtain the password once with kinit.
If --password is not specified, the tool will check the PASSWD environment variable, followed by PASSWD_FD which is expected to contain an open file descriptor (FD) number.
Finally it will check PASSWD_FILE (containing a file path to be opened). The file should only contain the password. Make certain that the permissions on the file restrict access from unwanted users!
While Samba will attempt to scrub the password from the process title (as seen in ps), this is after startup and so is subject to a race.
--pw-nt-hash
-A|--authentication-file=filename
username = <value> password = <value> domain = <value>
Make certain that the permissions on the file restrict access from unwanted users!
-P|--machine-pass
--simple-bind-dn=DN
--use-kerberos=desired|required|off
Note that specifying this parameter here will override the client use kerberos parameter in the /etc/samba/smb.conf file.
--use-krb5-ccache=CCACHE
This will set --use-kerberos=required too.
--use-winbind-ccache
--client-protection=sign|encrypt|off
Note that specifying this parameter here will override the client protection parameter in the /etc/samba/smb.conf file.
In case you need more fine grained control you can use: --option=clientsmbencrypt=OPTION, --option=clientipcsigning=OPTION, --option=clientsigning=OPTION.
lsaquery
lookupsids
lookupsids3
lookupsids_level
lookupnames
lookupnames4
lookupnames_level
enumtrust
enumprivs
getdispname
lsaenumsid
lsacreateaccount
lsaenumprivsaccount
lsaenumacctrights
lsaaddpriv
lsadelpriv
lsaaddacctrights
lsaremoveacctrights
lsalookupprivvalue
lsaquerysecobj
lsaquerytrustdominfo
lsaquerytrustdominfobyname
lsaquerytrustdominfobysid
lsasettrustdominfo
getusername
createsecret
deletesecret
querysecret
setsecret
retrieveprivatedata
storeprivatedata
createtrustdom
deletetrustdom
dsroledominfo
dfsversion
dfsadd
dfsremove
dfsgetinfo
dfsenum
dfsenumex
shutdowninit
shutdownabort
srvinfo
netshareenum
netshareenumall
netsharegetinfo
netsharesetinfo
netsharesetdfsflags
netfileenum
netremotetod
netnamevalidate
netfilegetsec
netsessdel
netsessenum
netdiskenum
netconnenum
netshareadd
netsharedel
queryuser
querygroup
queryusergroups
queryuseraliases
querygroupmem
queryaliasmem
queryaliasinfo
deletealias
querydispinfo
querydispinfo2
querydispinfo3
querydominfo
enumdomusers
enumdomgroups
enumalsgroups
enumdomains
createdomuser
createdomgroup
createdomalias
samlookupnames
samlookuprids
deletedomgroup
deletedomuser
samquerysecobj
getdompwinfo
getusrdompwinfo
lookupdomain
chgpasswd
chgpasswd2
chgpasswd3
chgpasswd4
getdispinfoidx
setuserinfo
setuserinfo2
adddriver <arch> <config> [<version>]
Long Driver Name:\ Driver File Name:\ Data File Name:\ Config File Name:\ Help File Name:\ Language Monitor Name:\ Default Data Type:\ Comma Separated list of Files
Any empty fields should be enter as the string "NULL".
Samba does not need to support the concept of Print Monitors since these only apply to local printers whose driver can make use of a bi-directional link for communication. This field should be "NULL". On a remote NT print server, the Print Monitor for a driver must already be installed prior to adding the driver or else the RPC will fail.
The version parameter lets you specify the printer driver version number. If omitted, the default driver version for the specified architecture will be used. This option can be used to upload Windows 2000 (version 3) printer drivers.
addprinter <printername> <sharename> <drivername> <port>
deldriver <driver>
deldriverex <driver> [architecture] [version] [flags]
enumdata
enumdataex
enumkey
enumjobs <printer>
getjob
setjob
enumports [level]
enumdrivers [level]
enumprinters [level]
getdata <printername> <valuename;>
getdataex
getdriver <printername>
getdriverdir <arch>
getdriverpackagepath
getprinter <printername>
openprinter <printername>
openprinter_ex <printername>
setdriver <printername> <drivername>
See also the enumprinters and enumdrivers commands for obtaining a list of of installed printers and drivers.
getprintprocdir
addform
setform
getform
deleteform
enumforms
setprinter
setprinterdata
setprintername <printername> <newprintername>
rffpcnex
printercmp
enumprocs
enumprocdatatypes
enummonitors
createprinteric
playgdiscriptonprinteric
getcoreprinterdrivers
enumpermachineconnections
addpermachineconnection
delpermachineconnection
logonctrl2
getanydcname
getdcname
dsr_getdcname
dsr_getdcnameex
dsr_getdcnameex2
dsr_getsitename
dsr_getforesttrustinfo
logonctrl
samlogon
change_trust_pw
gettrustrid
dsr_enumtrustdom
dsenumdomtrusts
deregisterdnsrecords
netrenumtrusteddomains
netrenumtrusteddomainsex
getdcsitecoverage
capabilities
logongetdomaininfo
fss_is_path_sup
fss_get_sup_version
fss_create_expose
fss_delete
fss_has_shadow_copy
fss_get_mapping
fss_recovery_complete
clusapi_open_cluster
clusapi_get_cluster_name
clusapi_get_cluster_version
clusapi_get_quorum_resource
clusapi_create_enum
clusapi_create_enumex
clusapi_open_resource
clusapi_online_resource
clusapi_offline_resource
clusapi_get_resource_state
clusapi_get_cluster_version2
clusapi_pause_node
clusapi_resume_node
dscracknames
dsgetdcinfo
dsgetncchanges
dswriteaccountspn
echoaddone
echodata
sinkdata
sourcedata
epmmap
epmlookup
eventlog_readlog
eventlog_numrecord
eventlog_oldestrecord
eventlog_reportevent
eventlog_reporteventsource
eventlog_registerevsource
eventlog_backuplog
eventlog_loginfo
winspool_AsyncOpenPrinter
winspool_AsyncCorePrinterDriverInstalled
ntsvcs_getversion
ntsvcs_validatedevinst
ntsvcs_hwprofflags
ntsvcs_hwprofinfo
ntsvcs_getdevregprop
ntsvcs_getdevlistsize
ntsvcs_getdevlist
fetch_properties
fetch_attributes
winreg_enumkey
querymultiplevalues
querymultiplevalues2
GetInterfaceList
Register
UnRegister
AsyncNotify
RegisterEx
wkssvc_wkstagetinfo
wkssvc_getjoininformation
wkssvc_messagebuffersend
wkssvc_enumeratecomputernames
wkssvc_enumerateusers
help
?
debuglevel
debug
list
exit
quit
sign
seal
packet
schannel
schannelsign
timeout
transport
none
rpcclient is designed as a developer testing tool and may not be robust in certain areas (such as command line parsing). It has been known to generate a core dump upon failures when invalid parameters where passed to the interpreter.
From Luke Leighton's original rpcclient man page:
WARNING! The MSRPC over SMB code has been developed from examining Network traces. No documentation is available from the original creators (Microsoft) on how MSRPC over SMB works, or how the individual MSRPC services work. Microsoft's implementation of these services has been demonstrated (and reported) to be... a bit flaky in places.
The development of Samba's implementation is also a bit rough, and as more of the services are understood, it can even result in versions of smbd(8) and rpcclient(1) that are incompatible for some commands or services. Additionally, the developers are sending reports to Microsoft, and problems found or reported to Microsoft are fixed in Service Packs, which may result in incompatibilities.
This man page is part of version 4.17.12-Debian of the Samba suite.
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
The original rpcclient man page was written by Matthew Geddes, Luke Kenneth Casson Leighton, and rewritten by Gerald Carter. The conversion to DocBook for Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was done by Alexander Bokovoy.
10/10/2023 | Samba 4.17.12-Debian |