• Home
  • History
  • Annotate
  • Line#
  • Navigate
  • Raw
  • Download
  • only in /asuswrt-rt-n18u-9.0.0.4.380.2695/release/src-rt-6.x.4708/router/samba-3.5.8/docs-xml/manpages-3/
1<?xml version="1.0" encoding="iso-8859-1"?>
2<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3<refentry id="smbpasswd.5">
4
5<refmeta>
6	<refentrytitle>smbpasswd</refentrytitle>
7	<manvolnum>5</manvolnum>
8	<refmiscinfo class="source">Samba</refmiscinfo>
9	<refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
10	<refmiscinfo class="version">3.5</refmiscinfo>
11</refmeta>
12
13
14<refnamediv>
15	<refname>smbpasswd</refname>
16	<refpurpose>The Samba encrypted password file</refpurpose>
17</refnamediv>
18
19<refsynopsisdiv>
20	<para><filename>smbpasswd</filename></para>
21</refsynopsisdiv>
22
23<refsect1>
24	<title>DESCRIPTION</title>
25
26	<para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
27	<manvolnum>7</manvolnum></citerefentry> suite.</para>
28
29	<para>smbpasswd is the Samba encrypted password file. It contains 
30	the username, Unix user id and the SMB hashed passwords of the 
31	user, as well as account flag information and the time the 
32	password was last changed. This file format has been evolving with 
33	Samba and has had several different formats in the past. </para>
34</refsect1>
35
36<refsect1>
37	<title>FILE FORMAT</title>
38
39	<para>The format of the smbpasswd file used by Samba 2.2 
40	is very similar to the familiar Unix <filename>passwd(5)</filename> 
41	file. It is an ASCII file containing one line for each user. Each field 
42	ithin each line is separated from the next by a colon. Any entry 
43	beginning with '#' is ignored. The smbpasswd file contains the 
44	following information for each user: </para>
45
46	<variablelist>
47		<varlistentry>
48		<term>name</term>
49		<listitem><para> This is the user name. It must be a name that 
50		already exists in the standard UNIX passwd file. </para>
51		</listitem>
52		</varlistentry>
53
54		<varlistentry>
55		<term>uid</term>
56		<listitem><para>This is the UNIX uid. It must match the uid
57		field for the same user entry in the standard UNIX passwd file. 
58		If this does not match then Samba will refuse to recognize 
59		this smbpasswd file entry as being valid for a user. 
60		</para></listitem>
61		</varlistentry>
62		 
63		 
64		<varlistentry>
65		<term>Lanman Password Hash</term>
66		<listitem><para>This is the LANMAN hash of the user's password, 
67		encoded as 32 hex digits.  The LANMAN hash is created by DES 
68		encrypting a well known string with the user's password as the 
69		DES key. This is the same password used by Windows 95/98 machines. 
70		Note that this password hash is regarded as weak as it is
71		vulnerable to dictionary attacks and if two users choose the 
72		same password this entry will be identical (i.e. the password 
73		is not "salted" as the UNIX password is). If the user has a 
74		null password this field will contain the characters "NO PASSWORD" 
75		as the start of the hex string. If the hex string is equal to 
76		32 'X' characters then the user's account is marked as 
77		<constant>disabled</constant> and the user will not be able to 
78		log onto the Samba server. </para>
79		
80		<para><emphasis>WARNING !!</emphasis> Note that, due to 
81		the challenge-response nature of the SMB/CIFS authentication
82		protocol, anyone with a knowledge of this password hash will 
83		be able to impersonate the user on the network. For this
84		reason these hashes are known as <emphasis>plain text 
85		equivalents</emphasis> and must <emphasis>NOT</emphasis> be made 
86		available to anyone but the root user. To protect these passwords 
87		the smbpasswd file is placed in a directory with read and 
88		traverse access only to the root user and the smbpasswd file 
89		itself must be set to be read/write only by root, with no
90		other access. </para></listitem>
91		</varlistentry>
92		
93		
94		<varlistentry>
95		<term>NT Password Hash</term>
96		<listitem><para>This is the Windows NT hash of the user's 
97		password, encoded as 32 hex digits.  The Windows NT hash is 
98		created by taking the user's password as represented in 
99		16-bit, little-endian UNICODE and then applying the MD4 
100		(internet rfc1321) hashing algorithm to it. </para>
101		
102		<para>This password hash is considered more secure than
103		the LANMAN Password Hash as it preserves the case of the 
104		password and uses a much higher quality hashing algorithm. 
105		However, it is still the case that if two users choose the same 
106		password this entry will be identical (i.e. the password is 
107		not "salted" as the UNIX password is). </para>
108
109		<para><emphasis>WARNING !!</emphasis>. Note that, due to 
110		the challenge-response nature of the SMB/CIFS authentication
111		protocol, anyone with a knowledge of this password hash will 
112		be able to impersonate the user on the network. For this
113		reason these hashes are known as <emphasis>plain text 
114		equivalents</emphasis> and must <emphasis>NOT</emphasis> be made 
115		available to anyone but the root user. To protect these passwords 
116		the smbpasswd file is placed in a directory with read and 
117		traverse access only to the root user and the smbpasswd file 
118		itself must be set to be read/write only by root, with no
119		other access. </para></listitem>
120		</varlistentry>
121		
122
123		<varlistentry>
124		<term>Account Flags</term>
125		<listitem><para>This section contains flags that describe 
126		the attributes of the users account.  This field is bracketed by 
127		'[' and ']' characters and is always 13 characters in length 
128		(including the '[' and ']' characters).
129		The contents of this field may be any of the following characters:
130		</para>
131		
132		<itemizedlist>
133			<listitem><para><emphasis>U</emphasis> - This means 
134			this is a "User" account, i.e. an ordinary user.</para></listitem>
135			
136			<listitem><para><emphasis>N</emphasis> - This means the
137			account has no password (the passwords in the fields LANMAN 
138			Password Hash and NT Password Hash are ignored). Note that this 
139			will only allow users to log on with no password if the <parameter>
140			null passwords</parameter> parameter is set in the 
141			<citerefentry><refentrytitle>smb.conf</refentrytitle>
142			<manvolnum>5</manvolnum></citerefentry> config file. </para></listitem>
143				
144			<listitem><para><emphasis>D</emphasis> - This means the account 
145			is disabled and no SMB/CIFS logins  will be allowed for this user. </para></listitem>
146			
147			<listitem><para><emphasis>X</emphasis> - This means the password 
148			does not expire. </para></listitem>
149			
150			<listitem><para><emphasis>W</emphasis> - This means this account 
151			is a "Workstation Trust" account. This kind of account is used 
152			in the Samba PDC code stream to allow Windows NT Workstations 
153			and Servers to join a Domain hosted by a Samba PDC. </para>
154			</listitem>
155		</itemizedlist>
156		
157		<para>Other flags may be added as the code is extended in future.
158		The rest of this field space is filled in with spaces. For further
159		information regarding the flags that are supported please refer to the
160		man page for the <command>pdbedit</command> command.</para>
161		</listitem>
162		</varlistentry>
163		
164		
165		<varlistentry>
166		<term>Last Change Time</term>
167		<listitem><para>This field consists of the time the account was 
168		last modified. It consists of the characters 'LCT-' (standing for 
169		"Last Change Time") followed by a numeric encoding of the UNIX time 
170		in seconds since the epoch (1970) that the last change was made. 
171		</para></listitem>
172		</varlistentry>
173	</variablelist>
174	
175	<para>All other colon separated fields are ignored at this time.</para> 
176</refsect1>
177
178<refsect1>
179	<title>VERSION</title>
180
181	<para>This man page is correct for version 3 of 
182	the Samba suite.</para>
183</refsect1>
184
185<refsect1>
186	<title>SEE ALSO</title>
187	<para><citerefentry><refentrytitle>smbpasswd</refentrytitle>
188	<manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>Samba</refentrytitle>
189	<manvolnum>7</manvolnum></citerefentry>, and
190	the Internet RFC1321 for details on the MD4 algorithm.
191	</para>
192</refsect1>
193
194<refsect1>
195	<title>AUTHOR</title>
196	
197	<para>The original Samba software and related utilities 
198	were created by Andrew Tridgell. Samba is now developed
199	by the Samba Team as an Open Source project similar 
200	to the way the Linux kernel is developed.</para>
201	
202	<para>The original Samba man pages were written by Karl Auer. 
203	The man page sources were converted to YODL format (another 
204	excellent piece of Open Source software, available at <ulink noescape="1" url="ftp://ftp.icce.rug.nl/pub/unix/">
205	ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0 
206	release by Jeremy Allison.  The conversion to DocBook for 
207	Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2
208	for Samba 3.0 was done by Alexander Bokovoy.</para>
209</refsect1>
210
211</refentry>
212