| 1 | <?xml version="1.0" encoding="iso-8859-1"?>
|
|---|
| 2 | <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
|
|---|
| 3 | <refentry id="smbpasswd.5">
|
|---|
| 4 |
|
|---|
| 5 | <refmeta>
|
|---|
| 6 | <refentrytitle>smbpasswd</refentrytitle>
|
|---|
| 7 | <manvolnum>5</manvolnum>
|
|---|
| 8 | <refmiscinfo class="source">Samba</refmiscinfo>
|
|---|
| 9 | <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
|
|---|
| 10 | <refmiscinfo class="version">3.6</refmiscinfo>
|
|---|
| 11 | </refmeta>
|
|---|
| 12 |
|
|---|
| 13 |
|
|---|
| 14 | <refnamediv>
|
|---|
| 15 | <refname>smbpasswd</refname>
|
|---|
| 16 | <refpurpose>The Samba encrypted password file</refpurpose>
|
|---|
| 17 | </refnamediv>
|
|---|
| 18 |
|
|---|
| 19 | <refsynopsisdiv>
|
|---|
| 20 | <para><filename>smbpasswd</filename></para>
|
|---|
| 21 | </refsynopsisdiv>
|
|---|
| 22 |
|
|---|
| 23 | <refsect1>
|
|---|
| 24 | <title>DESCRIPTION</title>
|
|---|
| 25 |
|
|---|
| 26 | <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
|
|---|
| 27 | <manvolnum>7</manvolnum></citerefentry> suite.</para>
|
|---|
| 28 |
|
|---|
| 29 | <para>smbpasswd is the Samba encrypted password file. It contains
|
|---|
| 30 | the username, Unix user id and the SMB hashed passwords of the
|
|---|
| 31 | user, as well as account flag information and the time the
|
|---|
| 32 | password was last changed. This file format has been evolving with
|
|---|
| 33 | Samba and has had several different formats in the past. </para>
|
|---|
| 34 | </refsect1>
|
|---|
| 35 |
|
|---|
| 36 | <refsect1>
|
|---|
| 37 | <title>FILE FORMAT</title>
|
|---|
| 38 |
|
|---|
| 39 | <para>The format of the smbpasswd file used by Samba 2.2
|
|---|
| 40 | is very similar to the familiar Unix <filename>passwd(5)</filename>
|
|---|
| 41 | file. It is an ASCII file containing one line for each user. Each field
|
|---|
| 42 | ithin each line is separated from the next by a colon. Any entry
|
|---|
| 43 | beginning with '#' is ignored. The smbpasswd file contains the
|
|---|
| 44 | following information for each user: </para>
|
|---|
| 45 |
|
|---|
| 46 | <variablelist>
|
|---|
| 47 | <varlistentry>
|
|---|
| 48 | <term>name</term>
|
|---|
| 49 | <listitem><para> This is the user name. It must be a name that
|
|---|
| 50 | already exists in the standard UNIX passwd file. </para>
|
|---|
| 51 | </listitem>
|
|---|
| 52 | </varlistentry>
|
|---|
| 53 |
|
|---|
| 54 | <varlistentry>
|
|---|
| 55 | <term>uid</term>
|
|---|
| 56 | <listitem><para>This is the UNIX uid. It must match the uid
|
|---|
| 57 | field for the same user entry in the standard UNIX passwd file.
|
|---|
| 58 | If this does not match then Samba will refuse to recognize
|
|---|
| 59 | this smbpasswd file entry as being valid for a user.
|
|---|
| 60 | </para></listitem>
|
|---|
| 61 | </varlistentry>
|
|---|
| 62 |
|
|---|
| 63 |
|
|---|
| 64 | <varlistentry>
|
|---|
| 65 | <term>Lanman Password Hash</term>
|
|---|
| 66 | <listitem><para>This is the LANMAN hash of the user's password,
|
|---|
| 67 | encoded as 32 hex digits. The LANMAN hash is created by DES
|
|---|
| 68 | encrypting a well known string with the user's password as the
|
|---|
| 69 | DES key. This is the same password used by Windows 95/98 machines.
|
|---|
| 70 | Note that this password hash is regarded as weak as it is
|
|---|
| 71 | vulnerable to dictionary attacks and if two users choose the
|
|---|
| 72 | same password this entry will be identical (i.e. the password
|
|---|
| 73 | is not "salted" as the UNIX password is). If the user has a
|
|---|
| 74 | null password this field will contain the characters "NO PASSWORD"
|
|---|
| 75 | as the start of the hex string. If the hex string is equal to
|
|---|
| 76 | 32 'X' characters then the user's account is marked as
|
|---|
| 77 | <constant>disabled</constant> and the user will not be able to
|
|---|
| 78 | log onto the Samba server. </para>
|
|---|
| 79 |
|
|---|
| 80 | <para><emphasis>WARNING !!</emphasis> Note that, due to
|
|---|
| 81 | the challenge-response nature of the SMB/CIFS authentication
|
|---|
| 82 | protocol, anyone with a knowledge of this password hash will
|
|---|
| 83 | be able to impersonate the user on the network. For this
|
|---|
| 84 | reason these hashes are known as <emphasis>plain text
|
|---|
| 85 | equivalents</emphasis> and must <emphasis>NOT</emphasis> be made
|
|---|
| 86 | available to anyone but the root user. To protect these passwords
|
|---|
| 87 | the smbpasswd file is placed in a directory with read and
|
|---|
| 88 | traverse access only to the root user and the smbpasswd file
|
|---|
| 89 | itself must be set to be read/write only by root, with no
|
|---|
| 90 | other access. </para></listitem>
|
|---|
| 91 | </varlistentry>
|
|---|
| 92 |
|
|---|
| 93 |
|
|---|
| 94 | <varlistentry>
|
|---|
| 95 | <term>NT Password Hash</term>
|
|---|
| 96 | <listitem><para>This is the Windows NT hash of the user's
|
|---|
| 97 | password, encoded as 32 hex digits. The Windows NT hash is
|
|---|
| 98 | created by taking the user's password as represented in
|
|---|
| 99 | 16-bit, little-endian UNICODE and then applying the MD4
|
|---|
| 100 | (internet rfc1321) hashing algorithm to it. </para>
|
|---|
| 101 |
|
|---|
| 102 | <para>This password hash is considered more secure than
|
|---|
| 103 | the LANMAN Password Hash as it preserves the case of the
|
|---|
| 104 | password and uses a much higher quality hashing algorithm.
|
|---|
| 105 | However, it is still the case that if two users choose the same
|
|---|
| 106 | password this entry will be identical (i.e. the password is
|
|---|
| 107 | not "salted" as the UNIX password is). </para>
|
|---|
| 108 |
|
|---|
| 109 | <para><emphasis>WARNING !!</emphasis>. Note that, due to
|
|---|
| 110 | the challenge-response nature of the SMB/CIFS authentication
|
|---|
| 111 | protocol, anyone with a knowledge of this password hash will
|
|---|
| 112 | be able to impersonate the user on the network. For this
|
|---|
| 113 | reason these hashes are known as <emphasis>plain text
|
|---|
| 114 | equivalents</emphasis> and must <emphasis>NOT</emphasis> be made
|
|---|
| 115 | available to anyone but the root user. To protect these passwords
|
|---|
| 116 | the smbpasswd file is placed in a directory with read and
|
|---|
| 117 | traverse access only to the root user and the smbpasswd file
|
|---|
| 118 | itself must be set to be read/write only by root, with no
|
|---|
| 119 | other access. </para></listitem>
|
|---|
| 120 | </varlistentry>
|
|---|
| 121 |
|
|---|
| 122 |
|
|---|
| 123 | <varlistentry>
|
|---|
| 124 | <term>Account Flags</term>
|
|---|
| 125 | <listitem><para>This section contains flags that describe
|
|---|
| 126 | the attributes of the users account. This field is bracketed by
|
|---|
| 127 | '[' and ']' characters and is always 13 characters in length
|
|---|
| 128 | (including the '[' and ']' characters).
|
|---|
| 129 | The contents of this field may be any of the following characters:
|
|---|
| 130 | </para>
|
|---|
| 131 |
|
|---|
| 132 | <itemizedlist>
|
|---|
| 133 | <listitem><para><emphasis>U</emphasis> - This means
|
|---|
| 134 | this is a "User" account, i.e. an ordinary user.</para></listitem>
|
|---|
| 135 |
|
|---|
| 136 | <listitem><para><emphasis>N</emphasis> - This means the
|
|---|
| 137 | account has no password (the passwords in the fields LANMAN
|
|---|
| 138 | Password Hash and NT Password Hash are ignored). Note that this
|
|---|
| 139 | will only allow users to log on with no password if the <parameter>
|
|---|
| 140 | null passwords</parameter> parameter is set in the
|
|---|
| 141 | <citerefentry><refentrytitle>smb.conf</refentrytitle>
|
|---|
| 142 | <manvolnum>5</manvolnum></citerefentry> config file. </para></listitem>
|
|---|
| 143 |
|
|---|
| 144 | <listitem><para><emphasis>D</emphasis> - This means the account
|
|---|
| 145 | is disabled and no SMB/CIFS logins will be allowed for this user. </para></listitem>
|
|---|
| 146 |
|
|---|
| 147 | <listitem><para><emphasis>X</emphasis> - This means the password
|
|---|
| 148 | does not expire. </para></listitem>
|
|---|
| 149 |
|
|---|
| 150 | <listitem><para><emphasis>W</emphasis> - This means this account
|
|---|
| 151 | is a "Workstation Trust" account. This kind of account is used
|
|---|
| 152 | in the Samba PDC code stream to allow Windows NT Workstations
|
|---|
| 153 | and Servers to join a Domain hosted by a Samba PDC. </para>
|
|---|
| 154 | </listitem>
|
|---|
| 155 | </itemizedlist>
|
|---|
| 156 |
|
|---|
| 157 | <para>Other flags may be added as the code is extended in future.
|
|---|
| 158 | The rest of this field space is filled in with spaces. For further
|
|---|
| 159 | information regarding the flags that are supported please refer to the
|
|---|
| 160 | man page for the <command>pdbedit</command> command.</para>
|
|---|
| 161 | </listitem>
|
|---|
| 162 | </varlistentry>
|
|---|
| 163 |
|
|---|
| 164 |
|
|---|
| 165 | <varlistentry>
|
|---|
| 166 | <term>Last Change Time</term>
|
|---|
| 167 | <listitem><para>This field consists of the time the account was
|
|---|
| 168 | last modified. It consists of the characters 'LCT-' (standing for
|
|---|
| 169 | "Last Change Time") followed by a numeric encoding of the UNIX time
|
|---|
| 170 | in seconds since the epoch (1970) that the last change was made.
|
|---|
| 171 | </para></listitem>
|
|---|
| 172 | </varlistentry>
|
|---|
| 173 | </variablelist>
|
|---|
| 174 |
|
|---|
| 175 | <para>All other colon separated fields are ignored at this time.</para>
|
|---|
| 176 | </refsect1>
|
|---|
| 177 |
|
|---|
| 178 | <refsect1>
|
|---|
| 179 | <title>VERSION</title>
|
|---|
| 180 |
|
|---|
| 181 | <para>This man page is correct for version 3 of
|
|---|
| 182 | the Samba suite.</para>
|
|---|
| 183 | </refsect1>
|
|---|
| 184 |
|
|---|
| 185 | <refsect1>
|
|---|
| 186 | <title>SEE ALSO</title>
|
|---|
| 187 | <para><citerefentry><refentrytitle>smbpasswd</refentrytitle>
|
|---|
| 188 | <manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>Samba</refentrytitle>
|
|---|
| 189 | <manvolnum>7</manvolnum></citerefentry>, and
|
|---|
| 190 | the Internet RFC1321 for details on the MD4 algorithm.
|
|---|
| 191 | </para>
|
|---|
| 192 | </refsect1>
|
|---|
| 193 |
|
|---|
| 194 | <refsect1>
|
|---|
| 195 | <title>AUTHOR</title>
|
|---|
| 196 |
|
|---|
| 197 | <para>The original Samba software and related utilities
|
|---|
| 198 | were created by Andrew Tridgell. Samba is now developed
|
|---|
| 199 | by the Samba Team as an Open Source project similar
|
|---|
| 200 | to the way the Linux kernel is developed.</para>
|
|---|
| 201 |
|
|---|
| 202 | <para>The original Samba man pages were written by Karl Auer.
|
|---|
| 203 | The man page sources were converted to YODL format (another
|
|---|
| 204 | excellent piece of Open Source software, available at <ulink noescape="1" url="ftp://ftp.icce.rug.nl/pub/unix/">
|
|---|
| 205 | ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
|
|---|
| 206 | release by Jeremy Allison. The conversion to DocBook for
|
|---|
| 207 | Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2
|
|---|
| 208 | for Samba 3.0 was done by Alexander Bokovoy.</para>
|
|---|
| 209 | </refsect1>
|
|---|
| 210 |
|
|---|
| 211 | </refentry>
|
|---|
