source: branches/samba-3.5.x/docs/manpages/smbpasswd.5@ 960

Last change on this file since 960 was 773, checked in by Herwig Bauernfeind, 12 years ago

Samba Server 3.5: Update branch to 3.5.20

File size: 7.4 KB
'\" t
.\" Title: smbpasswd
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
.\" Date: 12/14/2012
.\" Manual: File Formats and Conventions
.\" Source: Samba 3.5
.\" Language: English
.\"
.TH "SMBPASSWD" "5" "12/14/2012" "Samba 3\&.5" "File Formats and Conventions"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
smbpasswd \- The Samba encrypted password file
.SH "SYNOPSIS"
.PP
smbpasswd
.SH "DESCRIPTION"
.PP
This tool is part of the
\fBsamba\fR(7)
suite\&.
.PP
smbpasswd is the Samba encrypted password file\&. It contains the username, Unix user id and the SMB hashed passwords of the user, as well as account flag information and the time the password was last changed\&. This file format has been evolving with Samba and has had several different formats in the past\&.
.SH "FILE FORMAT"
.PP
The format of the smbpasswd file used by Samba 2\&.2 is very similar to the familiar Unix
passwd(5)
file\&. It is an ASCII file containing one line for each user\&. Each field within each line is separated from the next by a colon\&. Any entry beginning with \'#\' is ignored\&. The smbpasswd file contains the following information for each user:
.PP
name
.RS 4
This is the user name\&. It must be a name that already exists in the standard UNIX passwd file\&.
.RE
.PP
uid
.RS 4
This is the UNIX uid\&. It must match the uid field for the same user entry in the standard UNIX passwd file\&. If this does not match then Samba will refuse to recognize this smbpasswd file entry as being valid for a user\&.
.RE
.PP
Lanman Password Hash
.RS 4
This is the LANMAN hash of the user\'s password, encoded as 32 hex digits\&. The LANMAN hash is created by DES encrypting a well known string with the user\'s password as the DES key\&. This is the same password used by Windows 95/98 machines\&. Note that this password hash is regarded as weak as it is vulnerable to dictionary attacks and if two users choose the same password this entry will be identical (i\&.e\&. the password is not "salted" as the UNIX password is)\&. If the user has a null password this field will contain the characters "NO PASSWORD" as the start of the hex string\&. If the hex string is equal to 32 \'X\' characters then the user\'s account is marked as
\fBdisabled\fR
and the user will not be able to log onto the Samba server\&.
.sp
\fIWARNING !!\fR
Note that, due to the challenge\-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this password hash will be able to impersonate the user on the network\&. For this reason these hashes are known as
\fIplain text equivalents\fR
and must
\fINOT\fR
be made available to anyone but the root user\&. To protect these passwords the smbpasswd file is placed in a directory with read and traverse access only to the root user and the smbpasswd file itself must be set to be read/write only by root, with no other access\&.
.RE
.PP
NT Password Hash
.RS 4
This is the Windows NT hash of the user\'s password, encoded as 32 hex digits\&. The Windows NT hash is created by taking the user\'s password as represented in 16\-bit, little\-endian UNICODE and then applying the MD4 (internet rfc1321) hashing algorithm to it\&.
.sp
This password hash is considered more secure than the LANMAN Password Hash as it preserves the case of the password and uses a much higher quality hashing algorithm\&. However, it is still the case that if two users choose the same password this entry will be identical (i\&.e\&. the password is not "salted" as the UNIX password is)\&.
.sp
\fIWARNING !!\fR\&. Note that, due to the challenge\-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this password hash will be able to impersonate the user on the network\&. For this reason these hashes are known as
\fIplain text equivalents\fR
and must
\fINOT\fR
be made available to anyone but the root user\&. To protect these passwords the smbpasswd file is placed in a directory with read and traverse access only to the root user and the smbpasswd file itself must be set to be read/write only by root, with no other access\&.
.RE
.PP
Account Flags
.RS 4
This section contains flags that describe the attributes of the user\'s account\&. This field is bracketed by \'[\' and \']\' characters and is always 13 characters in length (including the \'[\' and \']\' characters)\&. The contents of this field may be any of the following characters:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fIU\fR
\- This means this is a "User" account, i\&.e\&. an ordinary user\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fIN\fR
\- This means the account has no password (the passwords in the fields LANMAN Password Hash and NT Password Hash are ignored)\&. Note that this will only allow users to log on with no password if the
\fI null passwords\fR
parameter is set in the
\fBsmb.conf\fR(5)
config file\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fID\fR
\- This means the account is disabled and no SMB/CIFS logins will be allowed for this user\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fIX\fR
\- This means the password does not expire\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fIW\fR
\- This means this account is a "Workstation Trust" account\&. This kind of account is used in the Samba PDC code stream to allow Windows NT Workstations and Servers to join a Domain hosted by a Samba PDC\&.
.sp
.RE
Other flags may be added as the code is extended in future\&. The rest of this field space is filled in with spaces\&. For further information regarding the flags that are supported please refer to the man page for the
pdbedit
command\&.
.RE
.PP
Last Change Time
.RS 4
This field consists of the time the account was last modified\&. It consists of the characters \'LCT\-\' (standing for "Last Change Time") followed by a numeric encoding of the UNIX time in seconds since the epoch (1970) that the last change was made\&.
.RE
.PP
All other colon separated fields are ignored at this time\&.
.SH "VERSION"
.PP
This man page is correct for version 3 of the Samba suite\&.
.SH "SEE ALSO"
.PP
\fBsmbpasswd\fR(8),
\fBSamba\fR(7), and the Internet RFC1321 for details on the MD4 algorithm\&.
.SH "AUTHOR"
.PP
The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
.PP
The original Samba man pages were written by Karl Auer\&. The man page sources were converted to YODL format (another excellent piece of Open Source software, available at
ftp://ftp\&.icce\&.rug\&.nl/pub/unix/) and updated for the Samba 2\&.0 release by Jeremy Allison\&. The conversion to DocBook for Samba 2\&.2 was done by Gerald Carter\&. The conversion to DocBook XML 4\&.2 for Samba 3\&.0 was done by Alexander Bokovoy\&.
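
An added example, not part of the Samba man page or of Samba's own code: a Python audit of the entry format described under FILE FORMAT. It reports stored LANMAN hashes, no-password accounts, accounts whose identical NT hash shows a shared password, and file permissions wider than root-only. The sample entries are constructed, and reading the LCT value as hexadecimal is an assumption the page does not state.

```python
import os, re, stat
from collections import defaultdict
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")

def parse_line(line):
    """Split one smbpasswd entry into the fields described under FILE FORMAT."""
    name, uid, lm, nt, flags, lct = line.rstrip("\n").split(":")[:6]
    if len(flags) != 13 or flags[0] != "[" or flags[-1] != "]":
        raise ValueError(f"{name}: flags field must be 13 chars inside [ ]")
    return {"name": name, "uid": int(uid), "lm": lm, "nt": nt,
            "flags": set(flags[1:-1].replace(" ", "")),
            # Assumption: the number after 'LCT-' is written in hex.
            "lct": int(lct[4:], 16) if lct.startswith("LCT-") else None}

def audit(text):
    """Return sorted (user, finding) pairs for entries that need attention."""
    findings, by_nt = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue                      # '#' entries are ignored
        e = parse_line(line)
        if "D" in e["flags"]:
            continue                      # disabled: no SMB/CIFS logins
        if "N" in e["flags"]:
            findings.append((e["name"], "no-password"))
            continue                      # hash fields are ignored for N
        if HEX32.match(e["lm"]):
            findings.append((e["name"], "lanman-hash-stored"))
        if HEX32.match(e["nt"]):
            by_nt[e["nt"].upper()].append(e["name"])
    for users in by_nt.values():          # unsalted: same password, same hash
        if len(users) > 1:
            findings += [(u, "shared-password") for u in users]
    return sorted(findings)

def perm_problems(path):
    """The file must be readable and writable by root only."""
    st = os.stat(path)
    checks = [(st.st_uid != 0, "not owned by root"),
              (stat.S_IMODE(st.st_mode) & ~0o600, "mode wider than 0600")]
    return [msg for bad, msg in checks if bad]

# Constructed sample; the hex strings are made up, not real hashes.
SAMPLE = "\n".join([
    f"alice:1001:{'0123456789ABCDEF' * 2}:{'AB' * 16}:[{'U':<11}]:LCT-50CB0A00:",
    f"bob:1002:{'X' * 32}:{'AB' * 16}:[{'U':<11}]:LCT-50CB0A00:",
    f"carol:1003:{'NO PASSWORD':X<32}:{'NO PASSWORD':X<32}:[{'NU':<11}]:LCT-4F000000:",
    f"dave:1004:{'X' * 32}:{'CD' * 16}:[{'DU':<11}]:LCT-50CB0A00:",
])
if __name__ == "__main__":
    print(audit(SAMPLE))
```
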