<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<refentry id="smbpasswd.5">

<refmeta>
<refentrytitle>smbpasswd</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo class="source">Samba</refmiscinfo>
<refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
<refmiscinfo class="version">3.5</refmiscinfo>
</refmeta>


<refnamediv>
<refname>smbpasswd</refname>
<refpurpose>The Samba encrypted password file</refpurpose>
</refnamediv>

<refsynopsisdiv>
<para><filename>smbpasswd</filename></para>
</refsynopsisdiv>

<refsect1>
<title>DESCRIPTION</title>

<para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
<manvolnum>7</manvolnum></citerefentry> suite.</para>

<para>smbpasswd is the Samba encrypted password file. It contains
the username, Unix user id and the SMB hashed passwords of the
user, as well as account flag information and the time the
password was last changed. This file format has been evolving with
Samba and has had several different formats in the past. </para>
</refsect1>

<refsect1>
<title>FILE FORMAT</title>

<para>The format of the smbpasswd file used by Samba 2.2
is very similar to the familiar Unix <filename>passwd(5)</filename>
file. It is an ASCII file containing one line for each user. Each field
within each line is separated from the next by a colon. Any entry
beginning with '#' is ignored. The smbpasswd file contains the
following information for each user: </para>

<variablelist>
<varlistentry>
<term>name</term>
<listitem><para> This is the user name. It must be a name that
already exists in the standard UNIX passwd file. </para>
</listitem>
</varlistentry>

<varlistentry>
<term>uid</term>
<listitem><para>This is the UNIX uid. It must match the uid
field for the same user entry in the standard UNIX passwd file.
If this does not match then Samba will refuse to recognize
this smbpasswd file entry as being valid for a user.
</para></listitem>
</varlistentry>


<varlistentry>
<term>Lanman Password Hash</term>
<listitem><para>This is the LANMAN hash of the user's password,
encoded as 32 hex digits. The LANMAN hash is created by DES
encrypting a well known string with the user's password as the
DES key. This is the same password used by Windows 95/98 machines.
Note that this password hash is regarded as weak as it is
vulnerable to dictionary attacks and if two users choose the
same password this entry will be identical (i.e. the password
is not "salted" as the UNIX password is). If the user has a
null password this field will contain the characters "NO PASSWORD"
as the start of the hex string. If the hex string is equal to
32 'X' characters then the user's account is marked as
<constant>disabled</constant> and the user will not be able to
log onto the Samba server. </para>

<para><emphasis>WARNING !!</emphasis> Note that, due to
the challenge-response nature of the SMB/CIFS authentication
protocol, anyone with a knowledge of this password hash will
be able to impersonate the user on the network. For this
reason these hashes are known as <emphasis>plain text
equivalents</emphasis> and must <emphasis>NOT</emphasis> be made
available to anyone but the root user. To protect these passwords
the smbpasswd file is placed in a directory with read and
traverse access only to the root user and the smbpasswd file
itself must be set to be read/write only by root, with no
other access. </para></listitem>
</varlistentry>


<varlistentry>
<term>NT Password Hash</term>
<listitem><para>This is the Windows NT hash of the user's
password, encoded as 32 hex digits. The Windows NT hash is
created by taking the user's password as represented in
16-bit, little-endian UNICODE and then applying the MD4
(internet rfc1321) hashing algorithm to it. </para>

<para>This password hash is considered more secure than
the LANMAN Password Hash as it preserves the case of the
password and uses a much higher quality hashing algorithm.
However, it is still the case that if two users choose the same
password this entry will be identical (i.e. the password is
not "salted" as the UNIX password is). </para>

<para><emphasis>WARNING !!</emphasis> Note that, due to
the challenge-response nature of the SMB/CIFS authentication
protocol, anyone with a knowledge of this password hash will
be able to impersonate the user on the network. For this
reason these hashes are known as <emphasis>plain text
equivalents</emphasis> and must <emphasis>NOT</emphasis> be made
available to anyone but the root user. To protect these passwords
the smbpasswd file is placed in a directory with read and
traverse access only to the root user and the smbpasswd file
itself must be set to be read/write only by root, with no
other access. </para></listitem>
</varlistentry>


<varlistentry>
<term>Account Flags</term>
<listitem><para>This section contains flags that describe
the attributes of the user's account. This field is bracketed by
'[' and ']' characters and is always 13 characters in length
(including the '[' and ']' characters).
The contents of this field may be any of the following characters:
</para>

<itemizedlist>
<listitem><para><emphasis>U</emphasis> - This means
this is a "User" account, i.e. an ordinary user.</para></listitem>

<listitem><para><emphasis>N</emphasis> - This means the
account has no password (the passwords in the fields LANMAN
Password Hash and NT Password Hash are ignored). Note that this
will only allow users to log on with no password if the <parameter>
null passwords</parameter> parameter is set in the
<citerefentry><refentrytitle>smb.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> config file. </para></listitem>

<listitem><para><emphasis>D</emphasis> - This means the account
is disabled and no SMB/CIFS logins will be allowed for this user. </para></listitem>

<listitem><para><emphasis>X</emphasis> - This means the password
does not expire. </para></listitem>

<listitem><para><emphasis>W</emphasis> - This means this account
is a "Workstation Trust" account. This kind of account is used
in the Samba PDC code stream to allow Windows NT Workstations
and Servers to join a Domain hosted by a Samba PDC. </para>
</listitem>
</itemizedlist>

<para>Other flags may be added as the code is extended in future.
The rest of this field space is filled in with spaces. For further
information regarding the flags that are supported please refer to the
man page for the <command>pdbedit</command> command.</para>
</listitem>
</varlistentry>


<varlistentry>
<term>Last Change Time</term>
<listitem><para>This field consists of the time the account was
last modified. It consists of the characters 'LCT-' (standing for
"Last Change Time") followed by a numeric encoding of the UNIX time
in seconds since the epoch (1970) that the last change was made.
</para></listitem>
</varlistentry>
</variablelist>

<para>All other colon separated fields are ignored at this time.</para>
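<para>What follows is an added example for this man page, not Samba's own code: it parses smbpasswd lines laid out as described above, applies the defender's checks the field descriptions imply (disabled accounts, accounts with no password, trust accounts, and accounts whose NT Password Hash fields are identical, which, because the hash is unsalted, means those users share a password), and computes the NT Password Hash field itself with a pure-Python MD4 so that the demonstration does not depend on OpenSSL's legacy provider. The function names (<function>parse_line</function>, <function>audit</function>, <function>nt_hash</function>) are the example's own, the record lines are constructed sample data, and it assumes that the Last Change Time is written as hex digits after 'LCT-' and that the hash fields use upper-case hex.</para>

```python
"""Parse and audit smbpasswd(5) records; compute the NT Password Hash field.
Added example, not Samba code.  Assumed: layout name:uid:LM:NT:[flags]:LCT-<hex>:
as described in the man page, hex digits after 'LCT-', upper-case hex in hashes."""
import struct
from dataclasses import dataclass

MASK = 0xFFFFFFFF

def _rot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 needs OpenSSL's legacy provider)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, word order, shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = h[:]
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                j = (-i) % 4  # the word updated this step cycles a, d, c, b
                x, y, z = s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4]
                s[j] = _rot((s[j] + fn(x, y, z) + X[idx] + k) & MASK, shifts[i % 4])
        h = [(u + v) & MASK for u, v in zip(h, s)]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    """NT Password Hash field: MD4 over the UTF-16LE password as 32 hex digits."""
    return md4(password.encode("utf-16-le")).hex().upper()

@dataclass
class SmbPasswdEntry:
    name: str
    uid: int
    lm_hash: str
    nt_hash: str
    flags: set
    last_change: "int | None"  # seconds since the epoch, None without an LCT field

def parse_line(line: str) -> "SmbPasswdEntry | None":
    """Return the entry on one line, or None for blank and '#' comment lines."""
    line = line.rstrip("\n")
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 5:
        raise ValueError(f"too few fields: {line!r}")
    name, uid, lm, nt, flags = fields[:5]
    if len(flags) != 13 or flags[0] != "[" or flags[-1] != "]":
        raise ValueError(f"account flags must be 13 chars in []: {flags!r}")
    lct = None
    if len(fields) > 5 and fields[5].startswith("LCT-"):
        lct = int(fields[5][4:], 16)  # assumption: hex seconds since the epoch
    return SmbPasswdEntry(name, int(uid), lm, nt, set(flags[1:-1].strip()), lct)

def audit(lines):
    """Defender's checks drawn from the field descriptions: list of (who, finding)."""
    findings, by_nt = [], {}
    for e in filter(None, map(parse_line, lines)):
        checks = (("D" in e.flags or e.lm_hash == "X" * 32, "disabled"),
                  ("N" in e.flags or e.lm_hash.startswith("NO PASSWORD"),
                   "no password (only usable with 'null passwords' in smb.conf)"),
                  ("X" in e.flags, "password never expires"),
                  ("W" in e.flags, "workstation trust account"))
        findings += [(e.name, msg) for hit, msg in checks if hit]
        by_nt.setdefault(e.nt_hash, []).append(e.name)
    for digest, names in by_nt.items():  # unsalted: equal fields, equal passwords
        if len(names) > 1 and digest != "X" * 32:
            findings.append((",".join(names), "identical NT hash: same password"))
    return findings

def flags_field(letters: str) -> str:
    return "[" + letters.ljust(11) + "]"  # always 13 characters including []

LM_STANDIN = "0123456789ABCDEF0123456789ABCDEF"  # constructed stand-in, not a real LM hash
SAMPLE = [  # constructed records, not taken from any real system
    "# smbpasswd sample",
    f"alice:1001:{LM_STANDIN}:{nt_hash('Winter2024')}:{flags_field('U')}:LCT-5F3E2A10:",
    f"bob:1002:{LM_STANDIN}:{nt_hash('Winter2024')}:{flags_field('U')}:LCT-5F3E2A10:",
    f"svc:1003:{'X' * 32}:{'X' * 32}:{flags_field('DU')}:LCT-5F3E2A10:",
    f"guest:1004:NO PASSWORD{'X' * 21}:{'X' * 32}:{flags_field('NU')}:LCT-5F3E2A10:",
    f"ws01$:1005:{LM_STANDIN}:{nt_hash('join-secret')}:{flags_field('W')}:LCT-5F3E2A10:",
]

if __name__ == "__main__":
    for who, what in audit(SAMPLE):
        print(f"{who}: {what}")
```

<para>Running the module reports svc as disabled, guest as having no password, ws01$ as a workstation trust account, and alice and bob as sharing an NT hash. That last finding is the practical consequence of the unsalted hash described above: anyone who can read the file learns not only each user's plain text equivalent but also which accounts share a password, which is why the file must be readable by root alone.</para>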
</refsect1>

<refsect1>
<title>VERSION</title>

<para>This man page is correct for version 3 of
the Samba suite.</para>
</refsect1>

<refsect1>
<title>SEE ALSO</title>
<para><citerefentry><refentrytitle>smbpasswd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>Samba</refentrytitle>
<manvolnum>7</manvolnum></citerefentry>, and
the Internet RFC1321 for details on the MD4 algorithm.
</para>
</refsect1>

<refsect1>
<title>AUTHOR</title>

<para>The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.</para>

<para>The original Samba man pages were written by Karl Auer.
The man page sources were converted to YODL format (another
excellent piece of Open Source software, available at <ulink noescape="1" url="ftp://ftp.icce.rug.nl/pub/unix/">
ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
release by Jeremy Allison. The conversion to DocBook for
Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2
for Samba 3.0 was done by Alexander Bokovoy.</para>
</refsect1>

</refentry>