rpcclient — tool for executing client side MS-RPC functions
rpcclient
[-c|--command=COMMANDS] [-I|--dest-ip=IP] [-p|--port=PORT] [-?|--help] [--usage] [-d|--debuglevel=DEBUGLEVEL] [--debug-stdout] [--configfile=CONFIGFILE] [--option=name=value] [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full] [-R|--name-resolve=NAME-RESOLVE-ORDER] [-O|--socket-options=SOCKETOPTIONS] [-m|--max-protocol=MAXPROTOCOL] [-n|--netbiosname=NETBIOSNAME] [--netbios-scope=SCOPE] [-W|--workgroup=WORKGROUP] [--realm=REALM] [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]] [-N|--no-pass] [--password=STRING] [--pw-nt-hash] [-A|--authentication-file=FILE] [-P|--machine-pass] [--simple-bind-dn=DN] [--use-kerberos=desired|required|off] [--use-krb5-ccache=CCACHE] [--use-winbind-ccache] [--client-protection=sign|encrypt|off] [-V|--version] {BINDING-STRING|HOST}
This tool is part of the samba(7) suite.
rpcclient
is a utility initially developed
to test MS-RPC functionality in Samba itself. It has undergone
several stages of development and stability. Many system administrators
have now written scripts around it to manage Windows NT clients from
their UNIX workstation.
When connecting to a dcerpc service you need to specify a binding string.
The format is:
TRANSPORT:host[options]
where TRANSPORT is either ncacn_np (named pipes) for SMB or ncacn_ip_tcp for DCERPC over TCP/IP.
"host" is an IP or hostname or netbios name. If the binding string identifies the server side of an endpoint, "host" may be an empty string. See below for more details.
"options" can include a SMB pipe name if using the ncacn_np transport or a TCP port number if using the ncacn_ip_tcp transport, otherwise they will be auto-determined.
Examples:
ncacn_ip_tcp:samba.example.com[1024]
ncacn_ip_tcp:samba.example.com[sign,seal,krb5]
ncacn_ip_tcp:samba.example.com[sign,spnego]
ncacn_np:samba.example.com
ncacn_np:samba.example.com[samr]
ncacn_np:samba.example.com[samr,sign,print]
ncalrpc:/path/to/unix/socket
//SAMBA
The supported transports are:
ncacn_np
- Connect using named pipes
ncacn_ip_tcp
- Connect over TCP/IP
ncalrpc
- Connect over local RPC (unix sockets)
The supported options are:
sign
- Use RPC integrity authentication level
seal
- Enable RPC privacy (encryption) authentication level
connect
- Use RPC connect level authentication (auth, but no sign or seal)
packet
- Use RPC packet authentication level
spnego
- Use SPNEGO instead of NTLMSSP authentication
ntlm
- Use plain NTLM instead of SPNEGO or NTLMSSP
krb5
- Use Kerberos instead of NTLMSSP authentication
schannel
- Create a schannel connection
smb1
- Use SMB1 for named pipes
smb2
- Use SMB2/3 for named pipes
validate
- Enable the NDR validator
print
- Enable debug output of packets
padcheck
- Check reply data for non-zero pad bytes
bigendian
- Use big endian for RPC
ndr64
- Use NDR64 for RPC
Execute semicolon separated commands (listed below)
IP address
is the address of the server to connect to.
It should be specified in standard "a.b.c.d" notation.
Normally the client would attempt to locate a named
SMB/CIFS server by looking it up via the NetBIOS name resolution
mechanism described above in the name resolve order
parameter above. Using this parameter will force the client
to assume that the server is on the machine with the specified IP
address and the NetBIOS name component of the resource being
connected to will be ignored.
There is no default for this parameter. If not supplied, it will be determined automatically by the client as described above.
This number is the TCP port number that will be used when making connections to the server. The standard (well-known) TCP port number for an SMB/CIFS server is 139, which is the default.
Print a summary of command line options.
Display brief usage message.
level
is an integer from 0
to 10. The default value if this parameter is not
specified is 1 for client applications.
The higher this value, the more detail will be logged to the log files about the activities of the server. At level 0, only critical errors and serious warnings will be logged. Level 1 is a reasonable level for day-to-day running - it generates a small amount of information about operations carried out.
Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.
Note that specifying this parameter here will override
the log level parameter in the
${prefix}/etc/smb.conf
file.
This will redirect debug output to STDOUT. By default all clients are logging to STDERR.
The file specified contains the configuration details
required by the client. The information in this file
can be general for client and server or only provide
client specific like options such as
client smb encrypt. See
${prefix}/etc/smb.conf
for more information. The default
configuration file name is determined at compile time.
Set the smb.conf(5) option "<name>" to value "<value>" from the command line. This overrides compiled-in defaults and options read from the configuration file. If a name or a value includes a space, wrap whole --option=name=value into quotes.
Base directory name for log/debug files. The extension
".progname"
will be appended (e.g.
log.smbclient, log.smbd, etc...). The log file is never
removed by the client.
Enable talloc leak reporting on exit.
Enable full talloc leak reporting on exit.
Prints the program version number.
This option is used to determine what naming services and in what order to resolve host names to IP addresses. The option takes a space-separated string of different name resolution options. The best ist to wrap the whole --name-resolve=NAME-RESOLVE-ORDER into quotes.
The options are: "lmhosts", "host", "wins" and "bcast". They cause names to be resolved as follows:
lmhosts
: Lookup an
IP address in the Samba lmhosts file.
If the line in lmhosts has no name type
attached to the NetBIOS name (see the
lmhosts(5)
for details) then any name type matches
for lookup.
host
: Do a
standard host name to IP address
resolution, using the system
/etc/hosts
, NIS,
or DNS lookups. This method of name
resolution is operating system
dependent, for instance on IRIX or
Solaris this may be controlled by the
/etc/nsswitch.conf
file). Note that this
method is only used if the NetBIOS name
type being queried is the 0x20 (server)
name type, otherwise it is ignored.
wins
: Query a name
with the IP address listed in the
wins server
parameter. If no WINS server has been
specified this method will be ignored.
bcast
: Do a
broadcast on each of the known local
interfaces listed in the
interfaces
parameter. This is the least reliable
of the name resolution methods as it
depends on the target host being on a
locally connected subnet.
If this parameter is not set then the name resolve
order defined in the ${prefix}/etc/smb.conf
file parameter
(name resolve order) will be
used.
The default order is lmhosts, host, wins, bcast.
Without this parameter or any entry in the
name resolve order parameter
of the ${prefix}/etc/smb.conf
file, the name resolution methods
will be attempted in this order.
TCP socket options to set on the client socket. See the
socket options parameter in the ${prefix}/etc/smb.conf
manual page
for the list of valid options.
The value of the parameter (a string) is the highest protocol level that will be supported by the client.
Note that specifying this parameter here will override
the client max protocol
parameter in the ${prefix}/etc/smb.conf
file.
This option allows you to override the NetBIOS name
that Samba uses for itself. This is identical to
setting the netbios name
parameter in the ${prefix}/etc/smb.conf
file. However, a command
line setting will take precedence over settings in
${prefix}/etc/smb.conf
.
This specifies a NetBIOS scope that
nmblookup
will use to communicate
with when generating NetBIOS names. For details on the
use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt.
NetBIOS scopes are very rarely
used, only set this parameter if you are the system
administrator in charge of all the NetBIOS systems you
communicate with.
Set the SMB domain of the username. This overrides the default domain which is the domain defined in smb.conf. If the domain specified is the same as the servers NetBIOS name, it causes the client to log on using the servers local SAM (as opposed to the Domain SAM).
Note that specifying this parameter here will override
the workgroup parameter in the
${prefix}/etc/smb.conf
file.
Set the realm for the domain.
Note that specifying this parameter here will override
the realm parameter in the
${prefix}/etc/smb.conf
file.
Sets the SMB username or username and password.
If %PASSWORD is not specified, the user will be
prompted. The client will first check the
USER
environment variable
(which is also permitted to also contain the
password separated by a %), then the
LOGNAME
variable (which is not
permitted to contain a password) and if either exists,
the value is used. If these environmental
variables are not found, the username
found in a Kerberos Credentials cache may be used.
A third option is to use a credentials file which
contains the plaintext of the username and password.
This option is mainly provided for scripts where the
admin does not wish to pass the credentials on the
command line or via environment variables. If this
method is used, make certain that the permissions on
the file restrict access from unwanted users. See the
-A
for more details.
Be cautious about including passwords in scripts
or passing user-supplied values onto the command line. For
security it is better to let the Samba client tool ask for the
password if needed, or obtain the password once with kinit
.
While Samba will attempt to scrub the password from the process title (as seen in ps), this is after startup and so is subject to a race.
If specified, this parameter suppresses the normal password prompt from the client to the user. This is useful when accessing a service that does not require a password.
Unless a password is specified on the command line or this parameter is specified, the client will request a password.
If a password is specified on the command line and this option is also defined the password on the command line will be silently ignored and no password will be used.
Specify the password on the commandline.
Be cautious about including passwords in
scripts or passing user-supplied values onto
the command line. For security it is better to
let the Samba client tool ask for the password
if needed, or obtain the password once with
kinit
.
If --password is not specified,
the tool will check the PASSWD
environment variable, followed by PASSWD_FD
which is expected to contain an open
file descriptor (FD) number.
Finally it will check PASSWD_FILE
(containing
a file path to be opened). The file should only
contain the password. Make certain that the
permissions on the file restrict
access from unwanted users!
While Samba will attempt to scrub the password from the process title (as seen in ps), this is after startup and so is subject to a race.
The supplied password is the NT hash.
This option allows you to specify a file from which to read the username and password used in the connection. The format of the file is:
username = <value> password = <value> domain = <value>
Make certain that the permissions on the file restrict access from unwanted users!
Use stored machine account password.
DN to use for a simple bind.
This parameter determines whether Samba client tools will try to authenticate using Kerberos. For Kerberos authentication you need to use dns names instead of IP addresses when connecting to a service.
Note that specifying this parameter here will override
the client use kerberos
parameter in the ${prefix}/etc/smb.conf
file.
Specifies the credential cache location for Kerberos authentication.
This will set --use-kerberos=required too.
Try to use the credential cache by winbind.
Sets the connection protection the client tool should use.
Note that specifying this parameter here will override
the client protection
parameter in the ${prefix}/etc/smb.conf
file.
In case you need more fine grained control you can use:
--option=clientsmbencrypt=OPTION
,
--option=clientipcsigning=OPTION
,
--option=clientsigning=OPTION
.
Query info policy
Convert SIDs to names
Convert SIDs to names
Convert SIDs to names
Convert names to SIDs
Convert names to SIDs
Convert names to SIDs
Enumerate trusted domains
Enumerate privileges
Get the privilege name
Enumerate the LSA SIDS
Create a new lsa account
Enumerate the privileges of an SID
Enumerate the rights of an SID
Assign a privilege to a SID
Revoke a privilege from a SID
Add rights to an account
Remove rights from an account
Get a privilege value given its name
Query LSA security object
Query LSA trusted domains info (given a SID)
Query LSA trusted domains info (given a name), only works for Windows > 2k
Query LSA trusted domains info (given a SID)
Set LSA trusted domain info
Get username
Create Secret
Delete Secret
Query Secret
Set Secret
Retrieve Private Data
Store Private Data
Create Trusted Domain
Delete Trusted Domain
Query DFS support
Add a DFS share
Remove a DFS share
Query DFS share info
Enumerate dfs shares
Enumerate dfs shares
Server query info
Enumerate shares
Enumerate all shares
Get Share Info
Set Share Info
Set DFS flags
Enumerate open files
Fetch remote time of day
Validate sharename
Get File security
Delete Session
Enumerate Sessions
Enumerate Disks
Enumerate Connections
Add share
Delete share
Query user info
Query group info
Query user groups
Query user aliases
Query group membership
Query alias membership
Query alias info
Delete an alias
Query display info
Query display info
Query display info
Query domain info
Enumerate domain users
Enumerate domain groups
Enumerate alias groups
Enumerate domains
Create domain user
Create domain group
Create domain alias
Look up names
Look up names
Delete domain group
Delete domain user
Query SAMR security object
Retrieve domain password info
Retrieve user domain password info
Lookup Domain Name
Change user password
Change user password
Change user password (RC4 encrypted)
Change user password (AES encrypted)
Get Display Information Index
Set user info
Set user info2
Execute an AddPrinterDriver() RPC to install the printer driver
information on the server. Note that the driver files should
already exist in the directory returned by
getdriverdir
. Possible values for
arch
are the same as those for
the getdriverdir
command.
The config
parameter is defined as
follows:
Long Driver Name:\ Driver File Name:\ Data File Name:\ Config File Name:\ Help File Name:\ Language Monitor Name:\ Default Data Type:\ Comma Separated list of Files
Any empty fields should be enter as the string "NULL".
Samba does not need to support the concept of Print Monitors since these only apply to local printers whose driver can make use of a bi-directional link for communication. This field should be "NULL". On a remote NT print server, the Print Monitor for a driver must already be installed prior to adding the driver or else the RPC will fail.
The version
parameter lets you
specify the printer driver version number. If omitted, the
default driver version for the specified architecture will
be used. This option can be used to upload Windows 2000
(version 3) printer drivers.
Add a printer on the remote server. This printer
will be automatically shared. Be aware that the printer driver
must already be installed on the server (see adddriver
)
and the port
must be a valid port name (see
enumports
.
Delete the specified printer driver for all architectures. This does not delete the actual driver files from the server, only the entry from the server's list of drivers.
Delete the specified printer driver and optionally files
associated with the driver.
You can limit this action to a specific architecture and a specific version.
If no architecture is given, all driver files of that driver will be deleted.
flags
correspond to numeric DPD_* values, i.e. a value
of 3 requests (DPD_DELETE_UNUSED_FILES | DPD_DELETE_SPECIFIC_VERSION).
Enumerate all printer setting data stored on the server. On Windows NT clients, these values are stored in the registry, while Samba servers store them in the printers TDB. This command corresponds to the MS Platform SDK GetPrinterData() function (* This command is currently unimplemented).
Enumerate printer data for a key
Enumerate printer keys
List the jobs and status of a given printer. This command corresponds to the MS Platform SDK EnumJobs() function
Get print job
Set print job
Executes an EnumPorts() call using the specified info level. Currently only info levels 1 and 2 are supported.
Execute an EnumPrinterDrivers() call. This lists the various installed printer drivers for all architectures. Refer to the MS Platform SDK documentation for more details of the various flags and calling options. Currently supported info levels are 1, 2, and 3.
Execute an EnumPrinters() call. This lists the various installed and share printers. Refer to the MS Platform SDK documentation for more details of the various flags and calling options. Currently supported info levels are 1, 2 and 5.
Retrieve the data for a given printer setting. See
the enumdata
command for more information.
This command corresponds to the GetPrinterData() MS Platform
SDK function.
Get printer driver data with keyname
Retrieve the printer driver information (such as driver file, config file, dependent files, etc...) for the given printer. This command corresponds to the GetPrinterDriver() MS Platform SDK function. Currently info level 1, 2, and 3 are supported.
Execute a GetPrinterDriverDirectory()
RPC to retrieve the SMB share name and subdirectory for
storing printer driver files for a given architecture. Possible
values for arch
are "Windows 4.0"
(for Windows 95/98), "Windows NT x86", "Windows NT PowerPC", "Windows
Alpha_AXP", and "Windows NT R4000".
Get print driver package download directory
Retrieve the current printer information. This command corresponds to the GetPrinter() MS Platform SDK function.
Execute an OpenPrinterEx() and ClosePrinter() RPC against a given printer.
Open printer handle
Execute a SetPrinter() command to update the printer driver associated with an installed printer. The printer driver must already be correctly installed on the print server.
See also the enumprinters
and
enumdrivers
commands for obtaining a list of
of installed printers and drivers.
Get print processor directory
Add form
Set form
Get form
Delete form
Enumerate form
Set printer comment
Set REG_SZ printer data
Set printer name
Rffpcnex test
Printer comparison test
Enumerate Print Processors
Enumerate Print Processor Data Types
Enumerate Print Monitors
Create Printer IC
Create Printer IC
Get CorePrinterDriver
Enumerate Per Machine Connections
Add Per Machine Connection
Delete Per Machine Connection
Logon Control 2
Get trusted DC name
Get trusted PDC name
Get trusted DC name
Get trusted DC name
Get trusted DC name
Get sitename
Get Forest Trust Info
Logon Control
Sam Logon
Change Trust Account Password
Get trust rid
Enumerate trusted domains
Enumerate all trusted domains in an AD forest
Deregister DNS records
Enumerate trusted domains
Enumerate trusted domains
Get the Site-Coverage from a DC
Return Capabilities
Return LogonGetDomainInfo
Check whether a share supports shadow-copy
Get supported FSRVP version from server
Request shadow-copy creation and exposure
Request shadow-copy share deletion
Check for an associated share shadow-copy
Get shadow-copy share mapping information
Flag read-write snapshot as recovery complete,
Open cluster
Get cluster name
Get cluster version
Get quorum resource
Create enum query
Create enumex query
Open cluster resource
Set cluster resource online
Set cluster resource offline
Get cluster resource state
Get cluster version2
Pause cluster node
Resume cluster node
Crack Name
Get Domain Controller Info
Get NC Changes
Write Account SPN
Read Eventlog
Get number of records
Get oldest record
Report event
Report event and source
Register event source
Backup Eventlog File
Get Eventlog Information
Open printer handle
Query Core Printer Driver Installed
Query NTSVCS version
Query NTSVCS device instance
Query NTSVCS HW prof flags
Query NTSVCS HW prof info
Query NTSVCS device registry property
Query NTSVCS device list size
Query NTSVCS device list
Enumerate Keys
Query multiple values
Query multiple values
List the interfaces to which witness client connections can be made
Register for resource state change notifications of a NetName and IPAddress
Unregister for notifications from the server
Request notification of registered resource changes from the server
Register for resource state change notifications of a NetName, ShareName and multiple IPAddresses
Query WKSSVC Workstation Information
Query WKSSVC Join Information
Send WKSSVC message
Enumerate WKSSVC computer names
Enumerate WKSSVC users
Get help on commands
Get help on commands
Set debug level
Set debug level
List available commands on pipe
Exit program
Exit program
Force RPC pipe connections to be signed
Force RPC pipe connections to be sealed
Force RPC pipe connections with packet authentication level
Force RPC pipe connections to be sealed with 'schannel'. Force RPC pipe connections to be sealed with 'schannel'. Assumes valid machine account to this domain controller.
Force RPC pipe connections to be signed (not sealed) with 'schannel'. Assumes valid machine account to this domain controller.
Set timeout (in milliseconds) for RPC operations
Choose ncacn transport for RPC operations
Force RPC pipe connections to have no special properties
rpcclient
is designed as a developer testing tool
and may not be robust in certain areas (such as command line parsing).
It has been known to generate a core dump upon failures when invalid
parameters where passed to the interpreter.
From Luke Leighton's original rpcclient man page:
WARNING! The MSRPC over SMB code has been developed from examining Network traces. No documentation is available from the original creators (Microsoft) on how MSRPC over SMB works, or how the individual MSRPC services work. Microsoft's implementation of these services has been demonstrated (and reported) to be... a bit flaky in places.
The development of Samba's implementation is also a bit rough, and as more of the services are understood, it can even result in versions of smbd(8) and rpcclient(1) that are incompatible for some commands or services. Additionally, the developers are sending reports to Microsoft, and problems found or reported to Microsoft are fixed in Service Packs, which may result in incompatibilities.
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
The original rpcclient man page was written by Matthew Geddes, Luke Kenneth Casson Leighton, and rewritten by Gerald Carter. The conversion to DocBook for Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was done by Alexander Bokovoy.