mirror of
https://github.com/samba-team/samba.git
synced 2024-12-28 07:21:54 +03:00
158 lines
6.3 KiB
Groff
158 lines
6.3 KiB
Groff
.\" This manpage has been automatically generated by docbook2man
|
|
.\" from a DocBook document. This tool can be found at:
|
|
.\" <http://shell.ipoline.com/~elmert/comp/docbook2X/>
|
|
.\" Please send any bug reports, improvements, comments, patches,
|
|
.\" etc. to Steve Cheng <steve@ggi-project.org>.
|
|
.TH "SMBPASSWD" "5" "04 March 2003" "" ""
|
|
.SH NAME
|
|
smbpasswd \- The Samba encrypted password file
|
|
.SH SYNOPSIS
|
|
.PP
|
|
\fIsmbpasswd\fR
|
|
.SH "DESCRIPTION"
|
|
.PP
|
|
This tool is part of the Samba suite.
|
|
.PP
|
|
smbpasswd is the Samba encrypted password file. It contains
|
|
the username, Unix user id and the SMB hashed passwords of the
|
|
user, as well as account flag information and the time the
|
|
password was last changed. This file format has been evolving with
|
|
Samba and has had several different formats in the past.
|
|
.SH "FILE FORMAT"
|
|
.PP
|
|
The format of the smbpasswd file used by Samba 2.2
|
|
is very similar to the familiar Unix \fIpasswd(5)\fR
|
|
file. It is an ASCII file containing one line for each user. Each field
|
|
ithin each line is separated from the next by a colon. Any entry
|
|
beginning with '#' is ignored. The smbpasswd file contains the
|
|
following information for each user:
|
|
.TP
|
|
\fBname\fR
|
|
This is the user name. It must be a name that
|
|
already exists in the standard UNIX passwd file.
|
|
.TP
|
|
\fBuid\fR
|
|
This is the UNIX uid. It must match the uid
|
|
field for the same user entry in the standard UNIX passwd file.
|
|
If this does not match then Samba will refuse to recognize
|
|
this smbpasswd file entry as being valid for a user.
|
|
.TP
|
|
\fBLanman Password Hash\fR
|
|
This is the LANMAN hash of the user's password,
|
|
encoded as 32 hex digits. The LANMAN hash is created by DES
|
|
encrypting a well known string with the user's password as the
|
|
DES key. This is the same password used by Windows 95/98 machines.
|
|
Note that this password hash is regarded as weak as it is
|
|
vulnerable to dictionary attacks and if two users choose the
|
|
same password this entry will be identical (i.e. the password
|
|
is not "salted" as the UNIX password is). If the user has a
|
|
null password this field will contain the characters "NO PASSWORD"
|
|
as the start of the hex string. If the hex string is equal to
|
|
32 'X' characters then the user's account is marked as
|
|
disabled and the user will not be able to
|
|
log onto the Samba server.
|
|
|
|
\fBWARNING !!\fR Note that, due to
|
|
the challenge-response nature of the SMB/CIFS authentication
|
|
protocol, anyone with a knowledge of this password hash will
|
|
be able to impersonate the user on the network. For this
|
|
reason these hashes are known as \fBplain text
|
|
equivalents\fR and must \fBNOT\fR be made
|
|
available to anyone but the root user. To protect these passwords
|
|
the smbpasswd file is placed in a directory with read and
|
|
traverse access only to the root user and the smbpasswd file
|
|
itself must be set to be read/write only by root, with no
|
|
other access.
|
|
.TP
|
|
\fBNT Password Hash\fR
|
|
This is the Windows NT hash of the user's
|
|
password, encoded as 32 hex digits. The Windows NT hash is
|
|
created by taking the user's password as represented in
|
|
16-bit, little-endian UNICODE and then applying the MD4
|
|
(internet rfc1321) hashing algorithm to it.
|
|
|
|
This password hash is considered more secure than
|
|
the LANMAN Password Hash as it preserves the case of the
|
|
password and uses a much higher quality hashing algorithm.
|
|
However, it is still the case that if two users choose the same
|
|
password this entry will be identical (i.e. the password is
|
|
not "salted" as the UNIX password is).
|
|
|
|
\fBWARNING !!\fR. Note that, due to
|
|
the challenge-response nature of the SMB/CIFS authentication
|
|
protocol, anyone with a knowledge of this password hash will
|
|
be able to impersonate the user on the network. For this
|
|
reason these hashes are known as \fBplain text
|
|
equivalents\fR and must \fBNOT\fR be made
|
|
available to anyone but the root user. To protect these passwords
|
|
the smbpasswd file is placed in a directory with read and
|
|
traverse access only to the root user and the smbpasswd file
|
|
itself must be set to be read/write only by root, with no
|
|
other access.
|
|
.TP
|
|
\fBAccount Flags\fR
|
|
This section contains flags that describe
|
|
the attributes of the users account. In the Samba 2.2 release
|
|
this field is bracketed by '[' and ']' characters and is always
|
|
13 characters in length (including the '[' and ']' characters).
|
|
The contents of this field may be any of the characters.
|
|
.RS
|
|
.TP 0.2i
|
|
\(bu
|
|
\fBU\fR - This means
|
|
this is a "User" account, i.e. an ordinary user. Only User
|
|
and Workstation Trust accounts are currently supported
|
|
in the smbpasswd file.
|
|
.TP 0.2i
|
|
\(bu
|
|
\fBN\fR - This means the
|
|
account has no password (the passwords in the fields LANMAN
|
|
Password Hash and NT Password Hash are ignored). Note that this
|
|
will only allow users to log on with no password if the \fI null passwords\fR parameter is set in the \fIsmb.conf(5)
|
|
\fR config file.
|
|
.TP 0.2i
|
|
\(bu
|
|
\fBD\fR - This means the account
|
|
is disabled and no SMB/CIFS logins will be allowed for
|
|
this user.
|
|
.TP 0.2i
|
|
\(bu
|
|
\fBW\fR - This means this account
|
|
is a "Workstation Trust" account. This kind of account is used
|
|
in the Samba PDC code stream to allow Windows NT Workstations
|
|
and Servers to join a Domain hosted by a Samba PDC.
|
|
.RE
|
|
|
|
Other flags may be added as the code is extended in future.
|
|
The rest of this field space is filled in with spaces.
|
|
.TP
|
|
\fBLast Change Time\fR
|
|
This field consists of the time the account was
|
|
last modified. It consists of the characters 'LCT-' (standing for
|
|
"Last Change Time") followed by a numeric encoding of the UNIX time
|
|
in seconds since the epoch (1970) that the last change was made.
|
|
.PP
|
|
All other colon separated fields are ignored at this time.
|
|
.SH "VERSION"
|
|
.PP
|
|
This man page is correct for version 3.0 of
|
|
the Samba suite.
|
|
.SH "SEE ALSO"
|
|
.PP
|
|
\fBsmbpasswd(8)\fR
|
|
samba(7) and
|
|
the Internet RFC1321 for details on the MD4 algorithm.
|
|
.SH "AUTHOR"
|
|
.PP
|
|
The original Samba software and related utilities
|
|
were created by Andrew Tridgell. Samba is now developed
|
|
by the Samba Team as an Open Source project similar
|
|
to the way the Linux kernel is developed.
|
|
.PP
|
|
The original Samba man pages were written by Karl Auer.
|
|
The man page sources were converted to YODL format (another
|
|
excellent piece of Open Source software, available at
|
|
ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the Samba 2.0
|
|
release by Jeremy Allison. The conversion to DocBook for
|
|
Samba 2.2 was done by Gerald Carter
|