mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
9aa11fdf69
Karolin
212 lines
8.4 KiB
XML
212 lines
8.4 KiB
XML
<?xml version="1.0" encoding="iso-8859-1"?>
|
|
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
|
|
<refentry id="smbpasswd.5">
|
|
|
|
<refmeta>
|
|
<refentrytitle>smbpasswd</refentrytitle>
|
|
<manvolnum>5</manvolnum>
|
|
<refmiscinfo class="source">Samba</refmiscinfo>
|
|
<refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
|
|
<refmiscinfo class="version">3.6</refmiscinfo>
|
|
</refmeta>
|
|
|
|
|
|
<refnamediv>
|
|
<refname>smbpasswd</refname>
|
|
<refpurpose>The Samba encrypted password file</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<para><filename>smbpasswd</filename></para>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>DESCRIPTION</title>
|
|
|
|
<para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
|
|
<manvolnum>7</manvolnum></citerefentry> suite.</para>
|
|
|
|
<para>smbpasswd is the Samba encrypted password file. It contains
|
|
the username, Unix user id and the SMB hashed passwords of the
|
|
user, as well as account flag information and the time the
|
|
password was last changed. This file format has been evolving with
|
|
Samba and has had several different formats in the past. </para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>FILE FORMAT</title>
|
|
|
|
<para>The format of the smbpasswd file used by Samba 2.2
|
|
is very similar to the familiar Unix <filename>passwd(5)</filename>
|
|
file. It is an ASCII file containing one line for each user. Each field
|
|
ithin each line is separated from the next by a colon. Any entry
|
|
beginning with '#' is ignored. The smbpasswd file contains the
|
|
following information for each user: </para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>name</term>
|
|
<listitem><para> This is the user name. It must be a name that
|
|
already exists in the standard UNIX passwd file. </para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>uid</term>
|
|
<listitem><para>This is the UNIX uid. It must match the uid
|
|
field for the same user entry in the standard UNIX passwd file.
|
|
If this does not match then Samba will refuse to recognize
|
|
this smbpasswd file entry as being valid for a user.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>Lanman Password Hash</term>
|
|
<listitem><para>This is the LANMAN hash of the user's password,
|
|
encoded as 32 hex digits. The LANMAN hash is created by DES
|
|
encrypting a well known string with the user's password as the
|
|
DES key. This is the same password used by Windows 95/98 machines.
|
|
Note that this password hash is regarded as weak as it is
|
|
vulnerable to dictionary attacks and if two users choose the
|
|
same password this entry will be identical (i.e. the password
|
|
is not "salted" as the UNIX password is). If the user has a
|
|
null password this field will contain the characters "NO PASSWORD"
|
|
as the start of the hex string. If the hex string is equal to
|
|
32 'X' characters then the user's account is marked as
|
|
<constant>disabled</constant> and the user will not be able to
|
|
log onto the Samba server. </para>
|
|
|
|
<para><emphasis>WARNING !!</emphasis> Note that, due to
|
|
the challenge-response nature of the SMB/CIFS authentication
|
|
protocol, anyone with a knowledge of this password hash will
|
|
be able to impersonate the user on the network. For this
|
|
reason these hashes are known as <emphasis>plain text
|
|
equivalents</emphasis> and must <emphasis>NOT</emphasis> be made
|
|
available to anyone but the root user. To protect these passwords
|
|
the smbpasswd file is placed in a directory with read and
|
|
traverse access only to the root user and the smbpasswd file
|
|
itself must be set to be read/write only by root, with no
|
|
other access. </para></listitem>
|
|
</varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>NT Password Hash</term>
|
|
<listitem><para>This is the Windows NT hash of the user's
|
|
password, encoded as 32 hex digits. The Windows NT hash is
|
|
created by taking the user's password as represented in
|
|
16-bit, little-endian UNICODE and then applying the MD4
|
|
(internet rfc1321) hashing algorithm to it. </para>
|
|
|
|
<para>This password hash is considered more secure than
|
|
the LANMAN Password Hash as it preserves the case of the
|
|
password and uses a much higher quality hashing algorithm.
|
|
However, it is still the case that if two users choose the same
|
|
password this entry will be identical (i.e. the password is
|
|
not "salted" as the UNIX password is). </para>
|
|
|
|
<para><emphasis>WARNING !!</emphasis>. Note that, due to
|
|
the challenge-response nature of the SMB/CIFS authentication
|
|
protocol, anyone with a knowledge of this password hash will
|
|
be able to impersonate the user on the network. For this
|
|
reason these hashes are known as <emphasis>plain text
|
|
equivalents</emphasis> and must <emphasis>NOT</emphasis> be made
|
|
available to anyone but the root user. To protect these passwords
|
|
the smbpasswd file is placed in a directory with read and
|
|
traverse access only to the root user and the smbpasswd file
|
|
itself must be set to be read/write only by root, with no
|
|
other access. </para></listitem>
|
|
</varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>Account Flags</term>
|
|
<listitem><para>This section contains flags that describe
|
|
the attributes of the users account. This field is bracketed by
|
|
'[' and ']' characters and is always 13 characters in length
|
|
(including the '[' and ']' characters).
|
|
The contents of this field may be any of the following characters:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem><para><emphasis>U</emphasis> - This means
|
|
this is a "User" account, i.e. an ordinary user.</para></listitem>
|
|
|
|
<listitem><para><emphasis>N</emphasis> - This means the
|
|
account has no password (the passwords in the fields LANMAN
|
|
Password Hash and NT Password Hash are ignored). Note that this
|
|
will only allow users to log on with no password if the <parameter>
|
|
null passwords</parameter> parameter is set in the
|
|
<citerefentry><refentrytitle>smb.conf</refentrytitle>
|
|
<manvolnum>5</manvolnum></citerefentry> config file. </para></listitem>
|
|
|
|
<listitem><para><emphasis>D</emphasis> - This means the account
|
|
is disabled and no SMB/CIFS logins will be allowed for this user. </para></listitem>
|
|
|
|
<listitem><para><emphasis>X</emphasis> - This means the password
|
|
does not expire. </para></listitem>
|
|
|
|
<listitem><para><emphasis>W</emphasis> - This means this account
|
|
is a "Workstation Trust" account. This kind of account is used
|
|
in the Samba PDC code stream to allow Windows NT Workstations
|
|
and Servers to join a Domain hosted by a Samba PDC. </para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Other flags may be added as the code is extended in future.
|
|
The rest of this field space is filled in with spaces. For further
|
|
information regarding the flags that are supported please refer to the
|
|
man page for the <command>pdbedit</command> command.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
|
|
<varlistentry>
|
|
<term>Last Change Time</term>
|
|
<listitem><para>This field consists of the time the account was
|
|
last modified. It consists of the characters 'LCT-' (standing for
|
|
"Last Change Time") followed by a numeric encoding of the UNIX time
|
|
in seconds since the epoch (1970) that the last change was made.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<para>All other colon separated fields are ignored at this time.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>VERSION</title>
|
|
|
|
<para>This man page is correct for version 3 of
|
|
the Samba suite.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>SEE ALSO</title>
|
|
<para><citerefentry><refentrytitle>smbpasswd</refentrytitle>
|
|
<manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>Samba</refentrytitle>
|
|
<manvolnum>7</manvolnum></citerefentry>, and
|
|
the Internet RFC1321 for details on the MD4 algorithm.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>AUTHOR</title>
|
|
|
|
<para>The original Samba software and related utilities
|
|
were created by Andrew Tridgell. Samba is now developed
|
|
by the Samba Team as an Open Source project similar
|
|
to the way the Linux kernel is developed.</para>
|
|
|
|
<para>The original Samba man pages were written by Karl Auer.
|
|
The man page sources were converted to YODL format (another
|
|
excellent piece of Open Source software, available at <ulink noescape="1" url="ftp://ftp.icce.rug.nl/pub/unix/">
|
|
ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
|
|
release by Jeremy Allison. The conversion to DocBook for
|
|
Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2
|
|
for Samba 3.0 was done by Alexander Bokovoy.</para>
|
|
</refsect1>
|
|
|
|
</refentry>
|