source: branches/samba-3.2.x/docs/manpages/smbpasswd.5@ 796

Last change on this file since 796 was 340, checked in by Herwig Bauernfeind, 16 years ago

Update 3.2 to 3.2.15 (security update)

File size: 10.7 KB
Line 
1.\" Title: smbpasswd
2.\" Author: [see the "AUTHOR" section]
3.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
4.\" Date: 09/30/2009
5.\" Manual: File Formats and Conventions
6.\" Source: Samba 3.2
7.\" Language: English
8.\"
9.TH "SMBPASSWD" "5" "09/30/2009" "Samba 3\&.2" "File Formats and Conventions"
10.\" -----------------------------------------------------------------
11.\" * (re)Define some macros
12.\" -----------------------------------------------------------------
13.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
14.\" toupper - uppercase a string (locale-aware)
15.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
16.de toupper
17.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
18\\$*
19.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
20..
21.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
22.\" SH-xref - format a cross-reference to an SH section
23.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
24.de SH-xref
25.ie n \{\
26.\}
27.toupper \\$*
28.el \{\
29\\$*
30.\}
31..
32.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
33.\" SH - level-one heading that works better for non-TTY output
34.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
35.de1 SH
36.\" put an extra blank line of space above the head in non-TTY output
37.if t \{\
38.sp 1
39.\}
40.sp \\n[PD]u
41.nr an-level 1
42.set-an-margin
43.nr an-prevailing-indent \\n[IN]
44.fi
45.in \\n[an-margin]u
46.ti 0
47.HTML-TAG ".NH \\n[an-level]"
48.it 1 an-trap
49.nr an-no-space-flag 1
50.nr an-break-flag 1
51\." make the size of the head bigger
52.ps +3
53.ft B
54.ne (2v + 1u)
55.ie n \{\
56.\" if n (TTY output), use uppercase
57.toupper \\$*
58.\}
59.el \{\
60.nr an-break-flag 0
61.\" if not n (not TTY), use normal case (not uppercase)
62\\$1
63.in \\n[an-margin]u
64.ti 0
65.\" if not n (not TTY), put a border/line under subheading
66.sp -.6
67\l'\n(.lu'
68.\}
69..
70.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
71.\" SS - level-two heading that works better for non-TTY output
72.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
73.de1 SS
74.sp \\n[PD]u
75.nr an-level 1
76.set-an-margin
77.nr an-prevailing-indent \\n[IN]
78.fi
79.in \\n[IN]u
80.ti \\n[SN]u
81.it 1 an-trap
82.nr an-no-space-flag 1
83.nr an-break-flag 1
84.ps \\n[PS-SS]u
85\." make the size of the head bigger
86.ps +2
87.ft B
88.ne (2v + 1u)
89.if \\n[.$] \&\\$*
90..
91.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
92.\" BB/BE - put background/screen (filled box) around block of text
93.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
94.de BB
95.if t \{\
96.sp -.5
97.br
98.in +2n
99.ll -2n
100.gcolor red
101.di BX
102.\}
103..
104.de EB
105.if t \{\
106.if "\\$2"adjust-for-leading-newline" \{\
107.sp -1
108.\}
109.br
110.di
111.in
112.ll
113.gcolor
114.nr BW \\n(.lu-\\n(.i
115.nr BH \\n(dn+.5v
116.ne \\n(BHu+.5v
117.ie "\\$2"adjust-for-leading-newline" \{\
118\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
119.\}
120.el \{\
121\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
122.\}
123.in 0
124.sp -.5v
125.nf
126.BX
127.in
128.sp .5v
129.fi
130.\}
131..
132.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
133.\" BM/EM - put colored marker in margin next to block of text
134.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
135.de BM
136.if t \{\
137.br
138.ll -2n
139.gcolor red
140.di BX
141.\}
142..
143.de EM
144.if t \{\
145.br
146.di
147.ll
148.gcolor
149.nr BH \\n(dn
150.ne \\n(BHu
151\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
152.in 0
153.nf
154.BX
155.in
156.fi
157.\}
158..
159.\" -----------------------------------------------------------------
160.\" * set default formatting
161.\" -----------------------------------------------------------------
162.\" disable hyphenation
163.nh
164.\" disable justification (adjust text to left margin only)
165.ad l
166.\" -----------------------------------------------------------------
167.\" * MAIN CONTENT STARTS HERE *
168.\" -----------------------------------------------------------------
169.SH "Name"
170smbpasswd \- The Samba encrypted password file
171.SH "Synopsis"
172.PP
173\FCsmbpasswd\F[]
174.SH "DESCRIPTION"
175.PP
176This tool is part of the
177\fBsamba\fR(7)
178suite\&.
179.PP
180smbpasswd is the Samba encrypted password file\&. It contains the username, Unix user id and the SMB hashed passwords of the user, as well as account flag information and the time the password was last changed\&. This file format has been evolving with Samba and has had several different formats in the past\&.
181.SH "FILE FORMAT"
182.PP
183The format of the smbpasswd file used by Samba 2\&.2 is very similar to the familiar Unix
184\FCpasswd(5)\F[]
185file\&. It is an ASCII file containing one line for each user\&. Each field ithin each line is separated from the next by a colon\&. Any entry beginning with \'#\' is ignored\&. The smbpasswd file contains the following information for each user:
186.PP
187name
188.RS 4
189This is the user name\&. It must be a name that already exists in the standard UNIX passwd file\&.
190.RE
191.PP
192uid
193.RS 4
194This is the UNIX uid\&. It must match the uid field for the same user entry in the standard UNIX passwd file\&. If this does not match then Samba will refuse to recognize this smbpasswd file entry as being valid for a user\&.
195.RE
196.PP
197Lanman Password Hash
198.RS 4
199This is the LANMAN hash of the user\'s password, encoded as 32 hex digits\&. The LANMAN hash is created by DES encrypting a well known string with the user\'s password as the DES key\&. This is the same password used by Windows 95/98 machines\&. Note that this password hash is regarded as weak as it is vulnerable to dictionary attacks and if two users choose the same password this entry will be identical (i\&.e\&. the password is not "salted" as the UNIX password is)\&. If the user has a null password this field will contain the characters "NO PASSWORD" as the start of the hex string\&. If the hex string is equal to 32 \'X\' characters then the user\'s account is marked as
200\fBdisabled\fR
201and the user will not be able to log onto the Samba server\&.
202.sp
203\fIWARNING !!\fR
204Note that, due to the challenge\-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this password hash will be able to impersonate the user on the network\&. For this reason these hashes are known as
205\fIplain text equivalents\fR
206and must
207\fINOT\fR
208be made available to anyone but the root user\&. To protect these passwords the smbpasswd file is placed in a directory with read and traverse access only to the root user and the smbpasswd file itself must be set to be read/write only by root, with no other access\&.
209.RE
210.PP
211NT Password Hash
212.RS 4
213This is the Windows NT hash of the user\'s password, encoded as 32 hex digits\&. The Windows NT hash is created by taking the user\'s password as represented in 16\-bit, little\-endian UNICODE and then applying the MD4 (internet rfc1321) hashing algorithm to it\&.
214.sp
215This password hash is considered more secure than the LANMAN Password Hash as it preserves the case of the password and uses a much higher quality hashing algorithm\&. However, it is still the case that if two users choose the same password this entry will be identical (i\&.e\&. the password is not "salted" as the UNIX password is)\&.
216.sp
217\fIWARNING !!\fR\&. Note that, due to the challenge\-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this password hash will be able to impersonate the user on the network\&. For this reason these hashes are known as
218\fIplain text equivalents\fR
219and must
220\fINOT\fR
221be made available to anyone but the root user\&. To protect these passwords the smbpasswd file is placed in a directory with read and traverse access only to the root user and the smbpasswd file itself must be set to be read/write only by root, with no other access\&.
222.RE
223.PP
224Account Flags
225.RS 4
226This section contains flags that describe the attributes of the users account\&. This field is bracketed by \'[\' and \']\' characters and is always 13 characters in length (including the \'[\' and \']\' characters)\&. The contents of this field may be any of the following characters:
227.sp
228.RS 4
229.ie n \{\
230\h'-04'\(bu\h'+03'\c
231.\}
232.el \{\
233.sp -1
234.IP \(bu 2.3
235.\}
236\fIU\fR
237\- This means this is a "User" account, i\&.e\&. an ordinary user\&.
238.RE
239.sp
240.RS 4
241.ie n \{\
242\h'-04'\(bu\h'+03'\c
243.\}
244.el \{\
245.sp -1
246.IP \(bu 2.3
247.\}
248\fIN\fR
249\- This means the account has no password (the passwords in the fields LANMAN Password Hash and NT Password Hash are ignored)\&. Note that this will only allow users to log on with no password if the
250\fI null passwords\fR
251parameter is set in the
252\fBsmb.conf\fR(5)
253config file\&.
254.RE
255.sp
256.RS 4
257.ie n \{\
258\h'-04'\(bu\h'+03'\c
259.\}
260.el \{\
261.sp -1
262.IP \(bu 2.3
263.\}
264\fID\fR
265\- This means the account is disabled and no SMB/CIFS logins will be allowed for this user\&.
266.RE
267.sp
268.RS 4
269.ie n \{\
270\h'-04'\(bu\h'+03'\c
271.\}
272.el \{\
273.sp -1
274.IP \(bu 2.3
275.\}
276\fIX\fR
277\- This means the password does not expire\&.
278.RE
279.sp
280.RS 4
281.ie n \{\
282\h'-04'\(bu\h'+03'\c
283.\}
284.el \{\
285.sp -1
286.IP \(bu 2.3
287.\}
288\fIW\fR
289\- This means this account is a "Workstation Trust" account\&. This kind of account is used in the Samba PDC code stream to allow Windows NT Workstations and Servers to join a Domain hosted by a Samba PDC\&.
290.sp
291.RE
292Other flags may be added as the code is extended in future\&. The rest of this field space is filled in with spaces\&. For further information regarding the flags that are supported please refer to the man page for the
293\FCpdbedit\F[]
294command\&.
295.RE
296.PP
297Last Change Time
298.RS 4
299This field consists of the time the account was last modified\&. It consists of the characters \'LCT\-\' (standing for "Last Change Time") followed by a numeric encoding of the UNIX time in seconds since the epoch (1970) that the last change was made\&.
300.RE
301.PP
302All other colon separated fields are ignored at this time\&.
303.SH "VERSION"
304.PP
305This man page is correct for version 3 of the Samba suite\&.
306.SH "SEE ALSO"
307.PP
308\fBsmbpasswd\fR(8),
309\fBSamba\fR(7), and the Internet RFC1321 for details on the MD4 algorithm\&.
310.SH "AUTHOR"
311.PP
312The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
313.PP
314The original Samba man pages were written by Karl Auer\&. The man page sources were converted to YODL format (another excellent piece of Open Source software, available at
315ftp://ftp\&.icce\&.rug\&.nl/pub/unix/) and updated for the Samba 2\&.0 release by Jeremy Allison\&. The conversion to DocBook for Samba 2\&.2 was done by Gerald Carter\&. The conversion to DocBook XML 4\&.2 for Samba 3\&.0 was done by Alexander Bokovoy\&.
Note: See TracBrowser for help on using the repository browser.