diff options
Diffstat (limited to 'docs/docbook/manpages/smbpasswd.5.sgml')
-rw-r--r-- | docs/docbook/manpages/smbpasswd.5.sgml | 338 |
1 files changed, 203 insertions, 135 deletions
diff --git a/docs/docbook/manpages/smbpasswd.5.sgml b/docs/docbook/manpages/smbpasswd.5.sgml index 95495000f3..0e8a704c50 100644 --- a/docs/docbook/manpages/smbpasswd.5.sgml +++ b/docs/docbook/manpages/smbpasswd.5.sgml @@ -1,136 +1,204 @@ +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<refentry id="smbpasswd"> -Namesmbpasswd - The Samba encrypted password file -Synopsis -smbpasswd is the -Samba encrypted password file. -Description -This file is part of the Samba -suite. -smbpasswd is the Samba encrypted password file. It contains the username, -Unix user id and the SMB hashed passwords of the user, as well as account -flag information and the time the password was last changed. This file format -has been evolving with Samba and has had several different formats in the -past. -File Format -The format of the smbpasswd file used by Samba 2.0 is very -similar to the familiar Unix passwd (5) file. It is an ASCII file containing -one line for each user. Each field within each line is separated from the -next by a colon. Any entry beginning with # is ignored. The smbpasswd file -contains the following information for each user: -name - -This is the user name. It must be a name that already exists in the standard -UNIX passwd file. uid - -This is the UNIX uid. It must match the uid field for the same user entry -in the standard UNIX passwd file. If this does not match then Samba will -refuse to recognize this smbpasswd file entry as being valid for a user. -Lanman Password Hash - -This is the LANMAN hash of the users password, encoded as 32 hex digits. -The LANMAN hash is created by DES encrypting a well known string with the -users password as the DES key. This is the same password used by Windows -95/98 machines. Note that this password hash is regarded as weak as it is -vulnerable to dictionary attacks and if two users choose the same password -this entry will be identical (i.e. the password is not "salted" as the UNIX -password is). If the user has a null password this field will contain the -characters CW"NO PASSWORD" as the start of the hex string. If the hex string -is equal to 32 CW'X' characters then the users account is marked as disabled -and the user will not be able to log onto the Samba server. WARNING !!. Note -that, due to the challenge-response nature of the SMB/CIFS authentication -protocol, anyone with a knowledge of this password hash will be able to -impersonate the user on the network. For this reason these hashes are known -as "plain text equivalent" and must NOT be made available to anyone but -the root user. To protect these passwords the smbpasswd file is placed in -a directory with read and traverse access only to the root user and the -smbpasswd file itself must be set to be read/write only by root, with no -other access. NT Password Hash - -This is the Windows NT hash of the users password, encoded as 32 hex digits. -The Windows NT hash is created by taking the users password as represented -in 16-bit, little-endian UNICODE and then applying the MD4 (internet rfc1321) -hashing algorithm to it. This password hash is considered more secure than -the Lanman Password Hash as it preserves the case of the password and uses -a much higher quality hashing algorithm. However, it is still the case that -if two users choose the same password this entry will be identical (i.e. -the password is not "salted" as the UNIX password is). WARNING !!. Note that, -due to the challenge-response nature of the SMB/CIFS authentication protocol, -anyone with a knowledge of this password hash will be able to impersonate -the user on the network. For this reason these hashes are known as "plain -text equivalent" and must NOT be made available to anyone but the root -user. To protect these passwords the smbpasswd file is placed in a directory -with read and traverse access only to the root user and the smbpasswd file -itself must be set to be read/write only by root, with no other access. -Account Flags - -This section contains flags that describe the attributes of the users account. -In the Samba2.0 release this field is bracketed by CW'[' and CW']' characters -and is always 13 characters in length (including the CW'[' and CW']' characters). -The contents of this field may be any of the characters. o'U' This means this -is a "User" account, i.e. an ordinary user. Only User and Workstation Trust -accounts are currently supported in the smbpasswd file. o'N' This means the -account has no password (the passwords in the fields Lanman Password Hash -and NT Password Hash are ignored). Note that this will only allow users -to log on with no password if the null passwords parameter is set in the -smb.conf (5) config file. o'D' This means the account is disabled and no SMB/CIFS -logins will be allowed for this user. o'W' This means this account is a "Workstation -Trust" account. This kind of account is used in the Samba PDC code stream -to allow Windows NT Workstations and Servers to join a Domain hosted by -a Samba PDC. Other flags may be added as the code is extended in future. -The rest of this field space is filled in with spaces. Last Change Time - -This field consists of the time the account was last modified. It consists -of the characters CWLCT- (standing for "Last Change Time") followed by a -numeric encoding of the UNIX time in seconds since the epoch (1970) that -the last change was made. Following fields - -All other colon separated fields are ignored at this time. -Notes -In previous -versions of Samba (notably the 1.9.18 series) this file did not contain the -Account Flags or Last Change Time fields. The Samba 2.0 code will read and -write these older password files but will not be able to modify the old -entries to add the new fields. New entries added with smbpasswd (8) will -contain the new fields in the added accounts however. Thus an older smbpasswd -file used with Samba 2.0 may end up with some accounts containing the new -fields and some not. -In order to convert from an old-style smbpasswd file -to a new style, run the script convert_smbpasswd, installed in the Samba -CWbin/ directory (the same place that the smbd and nmbd binaries are installed) -as follows: - - - - - - cat old_smbpasswd_file | convert_smbpasswd > new_smbpasswd_file - - - - - -The convert_smbpasswd script reads from stdin and writes to stdout so -as not to overwrite any files by accident. -Once this script has been run, -check the contents of the new smbpasswd file to ensure that it has not -been damaged by the conversion script (which uses awk), and then replace -the CW<old smbpasswd file> with the CW<new smbpasswd file>. -Version -This man -page is correct for version 2.0 of the Samba suite. -See Also -smbpasswd (8), -samba (7), and the Internet RFC1321 for details on the MD4 algorithm. -Author -The -original Samba software and related utilities were created by Andrew Tridgell -samba@samba.org. Samba is now developed by the Samba Team as an Open Source -project similar to the way the Linux kernel is developed. -The original Samba -man pages were written by Karl Auer. The man page sources were converted -to YODL format (another excellent piece of Open Source software, available -at ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba2.0 release by -Jeremy Allison, samba@samba.org. -See samba (7) to find out how to get a full -list of contributors and details on how to submit bug reports, comments -etc.
\ No newline at end of file +<refmeta> + <refentrytitle>smbpasswd</refentrytitle> + <manvolnum>5</manvolnum> +</refmeta> + + +<refnamediv> + <refname>smbpasswd</refname> + <refpurpose>The Samba encrypted password file</refpurpose> +</refnamediv> + +<refsynopsisdiv> + <para><filename>smbpasswd</filename></para> +</refsynopsisdiv> + +<refsect1> + <title>DESCRIPTION</title> + + <para>This tool is part of the <ulink url="samba.7.html"> + Samba</ulink> suite.</para> + + <para>smbpasswd is the Samba encrypted password file. It contains + the username, Unix user id and the SMB hashed passwords of the + user, as well as account flag information and the time the + password was last changed. This file format has been evolving with + Samba and has had several different formats in the past. </para> +</refsect1> + +<refsect1> + <title>FILE FORMAT</title> + + <para>The format of the smbpasswd file used by Samba 2.2 + is very similar to the familiar Unix <filename>passwd(5)</filename> + file. It is an ASCII file containing one line for each user. Each field + ithin each line is separated from the next by a colon. Any entry + beginning with '#' is ignored. The smbpasswd file contains the + following information for each user: </para> + + <variablelist> + <varlistentry> + <term>name</term> + <listitem><para> This is the user name. It must be a name that + already exists in the standard UNIX passwd file. </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>uid</term> + <listitem><para>This is the UNIX uid. It must match the uid + field for the same user entry in the standard UNIX passwd file. + If this does not match then Samba will refuse to recognize + this smbpasswd file entry as being valid for a user. + </para></listitem> + </varlistentry> + + + <varlistentry> + <term>Lanman Password Hash</term> + <listitem><para>This is the LANMAN hash of the users password, + encoded as 32 hex digits. The LANMAN hash is created by DES + encrypting a well known string with the users password as the + DES key. This is the same password used by Windows 95/98 machines. + Note that this password hash is regarded as weak as it is + vulnerable to dictionary attacks and if two users choose the + same password this entry will be identical (i.e. the password + is not "salted" as the UNIX password is). If the user has a + null password this field will contain the characters "NO PASSWORD" + as the start of the hex string. If the hex string is equal to + 32 'X' characters then the users account is marked as + <constant>disabled</constant> and the user will not be able to + log onto the Samba server. </para> + + <para><emphasis>WARNING !!</emphasis> Note that, due to + the challenge-response nature of the SMB/CIFS authentication + protocol, anyone with a knowledge of this password hash will + be able to impersonate the user on the network. For this + reason these hashes are known as <emphasis>plain text + equivalents</emphasis> and must <emphasis>NOT</emphasis> be made + available to anyone but the root user. To protect these passwords + the smbpasswd file is placed in a directory with read and + traverse access only to the root user and the smbpasswd file + itself must be set to be read/write only by root, with no + other access. </para></listitem> + </varlistentry> + + + <varlistentry> + <term>NT Password Hash</term> + <listitem><para>This is the Windows NT hash of the users + password, encoded as 32 hex digits. The Windows NT hash is + created by taking the users password as represented in + 16-bit, little-endian UNICODE and then applying the MD4 + (internet rfc1321) hashing algorithm to it. </para> + + <para>This password hash is considered more secure than + the Lanman Password Hash as it preserves the case of the + password and uses a much higher quality hashing algorithm. + However, it is still the case that if two users choose the same + password this entry will be identical (i.e. the password is + not "salted" as the UNIX password is). </para> + + <para><emphasis>WARNING !!</emphasis>. Note that, due to + the challenge-response nature of the SMB/CIFS authentication + protocol, anyone with a knowledge of this password hash will + be able to impersonate the user on the network. For this + reason these hashes are known as <emphasis>plain text + equivalents</emphasis> and must <emphasis>NOT</emphasis> be made + available to anyone but the root user. To protect these passwords + the smbpasswd file is placed in a directory with read and + traverse access only to the root user and the smbpasswd file + itself must be set to be read/write only by root, with no + other access. </para></listitem> + </varlistentry> + + + <varlistentry> + <term>Account Flags</term> + <listitem><para>This section contains flags that describe + the attributes of the users account. In the Samba 2.2 release + this field is bracketed by '[' and ']' characters and is always + 13 characters in length (including the '[' and ']' characters). + The contents of this field may be any of the characters. + </para> + + <itemizedlist> + <listitem><para><emphasis>U</emphasis> - This means + this is a "User" account, i.e. an ordinary user. Only User + and Workstation Trust accounts are currently supported + in the smbpasswd file. </para></listitem> + + <listitem><para><emphasis>N</emphasis> - This means the + account has no password (the passwords in the fields Lanman + Password Hash and NT Password Hash are ignored). Note that this + will only allow users to log on with no password if the <parameter> + null passwords</parameter> parameter is set in the <ulink + url="smb.conf.5.html#NULLPASSWORDS"><filename>smb.conf(5) + </filename></ulink> config file. </para></listitem> + + <listitem><para><emphasis>D</emphasis> - This means the account + is disabled and no SMB/CIFS logins will be allowed for + this user. </para></listitem> + + <listitem><para><emphasis>W</emphasis> - This means this account + is a "Workstation Trust" account. This kind of account is used + in the Samba PDC code stream to allow Windows NT Workstations + and Servers to join a Domain hosted by a Samba PDC. </para> + </listitem> + </itemizedlist> + + <para>Other flags may be added as the code is extended in future. + The rest of this field space is filled in with spaces. </para> + </listitem> + </varlistentry> + + + <varlistentry> + <term>Last Change Time</term> + <listitem><para>This field consists of the time the account was + last modified. It consists of the characters 'LCT-' (standing for + "Last Change Time") followed by a numeric encoding of the UNIX time + in seconds since the epoch (1970) that the last change was made. + </para></listitem> + </varlistentry> + </variablelist> + + <para>All other colon separated fields are ignored at this time.</para> +</refsect1> + +<refsect1> + <title>VERSION</title> + + <para>This man page is correct for version 2.2 of + the Samba suite.</para> +</refsect1> + +<refsect1> + <title>SEE ALSO</title> + <para><ulink url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink>, + <ulink url="samba.7.html">samba(7)</ulink>, and + the Internet RFC1321 for details on the MD4 algorithm. + </para> +</refsect1> + +<refsect1> + <title>AUTHOR</title> + + <para>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</para> + + <para>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <ulink url="ftp://ftp.icce.rug.nl/pub/unix/"> + ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</para> +</refsect1> + +</refentry> |