diff options
Diffstat (limited to 'docs/htmldocs/smbpasswd.5.html')
| -rw-r--r-- | docs/htmldocs/smbpasswd.5.html | 521 |
1 files changed, 326 insertions, 195 deletions
diff --git a/docs/htmldocs/smbpasswd.5.html b/docs/htmldocs/smbpasswd.5.html index 2969022790..4ec7b7c86a 100644 --- a/docs/htmldocs/smbpasswd.5.html +++ b/docs/htmldocs/smbpasswd.5.html @@ -1,195 +1,326 @@ - - - - - - -<html><head><title>smbpasswd (5)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>smbpasswd (5)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - smbpasswd - The Samba encrypted password file -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p>smbpasswd is the <strong>Samba</strong> encrypted password file. -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This file is part of the <strong>Samba</strong> suite. -<p>smbpasswd is the <strong>Samba</strong> encrypted password file. It contains -the username, Unix user id and the SMB hashed passwords of the -user, as well as account flag information and the time the password -was last changed. This file format has been evolving with Samba -and has had several different formats in the past. -<p><a name="FILEFORMAT"></a> -<h2>FILE FORMAT</h2> - -<p>The format of the smbpasswd file used by Samba 2.0 is very similar to -the familiar Unix <strong>passwd (5)</strong> file. It is an ASCII file containing -one line for each user. Each field within each line is separated from -the next by a colon. Any entry beginning with # is ignored. The -smbpasswd file contains the following information for each user: -<p><dl> -<p><a name="name"></a> -<p></p><dt><strong><strong>name</strong></strong><dd> <br> <br> -<p>This is the user name. It must be a name that already exists - in the standard UNIX passwd file. -<p><a name="uid"></a> -<p></p><dt><strong><strong>uid</strong></strong><dd> <br> <br> -<p>This is the UNIX uid. It must match the uid field for the same - user entry in the standard UNIX passwd file. If this does not - match then Samba will refuse to recognize this <strong>smbpasswd</strong> file entry - as being valid for a user. -<p><a name="LanmanPasswordHash"></a> -<p></p><dt><strong><strong>Lanman Password Hash</strong></strong><dd> <br> <br> -<p>This is the <em>LANMAN</em> hash of the users password, encoded as 32 hex - digits. The <em>LANMAN</em> hash is created by DES encrypting a well known - string with the users password as the DES key. This is the same - password used by Windows 95/98 machines. Note that this password hash - is regarded as weak as it is vulnerable to dictionary attacks and if - two users choose the same password this entry will be identical (i.e. - the password is not <em>"salted"</em> as the UNIX password is). If the - user has a null password this field will contain the characters - <code>"NO PASSWORD"</code> as the start of the hex string. If the hex string - is equal to 32 <code>'X'</code> characters then the users account is marked as - <em>disabled</em> and the user will not be able to log onto the Samba - server. -<p><em>WARNING !!</em>. Note that, due to the challenge-response nature of the - SMB/CIFS authentication protocol, anyone with a knowledge of this - password hash will be able to impersonate the user on the network. - For this reason these hashes are known as <em>"plain text equivalent"</em> - and must <em>NOT</em> be made available to anyone but the root user. To - protect these passwords the <strong>smbpasswd</strong> file is placed in a - directory with read and traverse access only to the root user and the - <strong>smbpasswd</strong> file itself must be set to be read/write only by root, - with no other access. -<p><a name="NTPasswordHash"></a> -<p></p><dt><strong><strong>NT Password Hash</strong></strong><dd> <br> <br> -<p>This is the <em>Windows NT</em> hash of the users password, encoded as 32 - hex digits. The <em>Windows NT</em> hash is created by taking the users - password as represented in 16-bit, little-endian UNICODE and then - applying the <em>MD4</em> (internet rfc1321) hashing algorithm to it. -<p>This password hash is considered more secure than the <a href="smbpasswd.5.html#LanmanPasswordHash"><strong>Lanman - Password Hash</strong></a> as it preserves the case of the - password and uses a much higher quality hashing algorithm. However, it - is still the case that if two users choose the same password this - entry will be identical (i.e. the password is not <em>"salted"</em> as the - UNIX password is). -<p><em>WARNING !!</em>. Note that, due to the challenge-response nature of the - SMB/CIFS authentication protocol, anyone with a knowledge of this - password hash will be able to impersonate the user on the network. - For this reason these hashes are known as <em>"plain text equivalent"</em> - and must <em>NOT</em> be made available to anyone but the root user. To - protect these passwords the <strong>smbpasswd</strong> file is placed in a - directory with read and traverse access only to the root user and the - <strong>smbpasswd</strong> file itself must be set to be read/write only by root, - with no other access. -<p><a name="AccountFlags"></a> -<p></p><dt><strong><strong>Account Flags</strong></strong><dd> <br> <br> -<p>This section contains flags that describe the attributes of the users - account. In the <strong>Samba2.0</strong> release this field is bracketed by <code>'['</code> - and <code>']'</code> characters and is always 13 characters in length (including - the <code>'['</code> and <code>']'</code> characters). The contents of this field may be - any of the characters. -<p><dl> -<p><a name="capU"></a> - <li > <strong>'U'</strong> This means this is a <em>"User"</em> account, i.e. an ordinary - user. Only <strong>User</strong> and <a href="smbpasswd.5.html#capW"><strong>Workstation Trust</strong></a> accounts are - currently supported in the <strong>smbpasswd</strong> file. -<p><a name="capN"></a> - <li > <strong>'N'</strong> This means the account has <em>no</em> password (the passwords - in the fields <a href="smbpasswd.5.html#LanmanPasswordHash"><strong>Lanman Password Hash</strong></a> and - <a href="smbpasswd.5.html#NTPasswordHash"><strong>NT Password Hash</strong></a> are ignored). Note that this - will only allow users to log on with no password if the - <a href="smb.conf.5.html#nullpasswords"><strong>null passwords</strong></a> parameter is set - in the <a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a> config file. -<p><a name="capD"></a> - <li > <strong>'D'</strong> This means the account is disabled and no SMB/CIFS logins - will be allowed for this user. -<p><a name="capW"></a> - <li > <strong>'W'</strong> This means this account is a <em>"Workstation Trust"</em> account. - This kind of account is used in the Samba PDC code stream to allow Windows - NT Workstations and Servers to join a Domain hosted by a Samba PDC. -<p></dl> -<p>Other flags may be added as the code is extended in future. The rest of - this field space is filled in with spaces. -<p><a name="LastChangeTime"></a> -<p></p><dt><strong><strong>Last Change Time</strong></strong><dd> <br> <br> -<p>This field consists of the time the account was last modified. It consists of - the characters <code>LCT-</code> (standing for <em>"Last Change Time"</em>) followed by a numeric - encoding of the UNIX time in seconds since the epoch (1970) that the last change - was made. -<p><p></p><dt><strong><strong>Following fields</strong></strong><dd> <br> <br> -<p>All other colon separated fields are ignored at this time. -<p></dl> -<p><a name="NOTES"></a> -<h2>NOTES</h2> - -<p>In previous versions of Samba (notably the 1.9.18 series) this file -did not contain the <a href="smbpasswd.5.html#AccountFlags"><strong>Account Flags</strong></a> or -<a href="smbpasswd.5.html#LastChangeTime"><strong>Last Change Time</strong></a> fields. The Samba 2.0 -code will read and write these older password files but will not be able to -modify the old entries to add the new fields. New entries added with -<a href="smbpasswd.8.html"><strong>smbpasswd (8)</strong></a> will contain the new fields -in the added accounts however. Thus an older <strong>smbpasswd</strong> file used -with Samba 2.0 may end up with some accounts containing the new fields -and some not. -<p>In order to convert from an old-style <strong>smbpasswd</strong> file to a new -style, run the script <strong>convert_smbpasswd</strong>, installed in the -Samba <code>bin/</code> directory (the same place that the <a href="smbd.8.html"><strong>smbd</strong></a> -and <a href="nmbd.8.html"><strong>nmbd</strong></a> binaries are installed) as follows: -<p><pre> - - - cat old_smbpasswd_file | convert_smbpasswd > new_smbpasswd_file - - -</pre> - -<p>The <strong>convert_smbpasswd</strong> script reads from stdin and writes to stdout -so as not to overwrite any files by accident. -<p>Once this script has been run, check the contents of the new smbpasswd -file to ensure that it has not been damaged by the conversion script -(which uses <strong>awk</strong>), and then replace the <code><old smbpasswd file></code> -with the <code><new smbpasswd file></code>. -<p><a name="VERSION"></a> -<h2>VERSION</h2> - -<p>This man page is correct for version 2.0 of the Samba suite. -<p><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><a href="smbpasswd.8.html"><strong>smbpasswd (8)</strong></a>, <a href="samba.7.html"><strong>samba -(7)</strong></a>, and the Internet RFC1321 for details on the MD4 -algorithm. -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy -Allison, <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -</body> -</html> +<HTML +><HEAD +><TITLE +>smbpasswd</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="SMBPASSWD" +>smbpasswd</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>smbpasswd -- The Samba encrypted password file</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><TT +CLASS="FILENAME" +>smbpasswd</TT +></P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN11" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +>smbpasswd is the Samba encrypted password file. It contains + the username, Unix user id and the SMB hashed passwords of the + user, as well as account flag information and the time the + password was last changed. This file format has been evolving with + Samba and has had several different formats in the past. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN16" +></A +><H2 +>FILE FORMAT</H2 +><P +>The format of the smbpasswd file used by Samba 2.2 + is very similar to the familiar Unix <TT +CLASS="FILENAME" +>passwd(5)</TT +> + file. It is an ASCII file containing one line for each user. Each field + ithin each line is separated from the next by a colon. Any entry + beginning with '#' is ignored. The smbpasswd file contains the + following information for each user: </P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>name</DT +><DD +><P +> This is the user name. It must be a name that + already exists in the standard UNIX passwd file. </P +></DD +><DT +>uid</DT +><DD +><P +>This is the UNIX uid. It must match the uid + field for the same user entry in the standard UNIX passwd file. + If this does not match then Samba will refuse to recognize + this smbpasswd file entry as being valid for a user. + </P +></DD +><DT +>Lanman Password Hash</DT +><DD +><P +>This is the LANMAN hash of the users password, + encoded as 32 hex digits. The LANMAN hash is created by DES + encrypting a well known string with the users password as the + DES key. This is the same password used by Windows 95/98 machines. + Note that this password hash is regarded as weak as it is + vulnerable to dictionary attacks and if two users choose the + same password this entry will be identical (i.e. the password + is not "salted" as the UNIX password is). If the user has a + null password this field will contain the characters "NO PASSWORD" + as the start of the hex string. If the hex string is equal to + 32 'X' characters then the users account is marked as + <TT +CLASS="CONSTANT" +>disabled</TT +> and the user will not be able to + log onto the Samba server. </P +><P +><I +CLASS="EMPHASIS" +>WARNING !!</I +> Note that, due to + the challenge-response nature of the SMB/CIFS authentication + protocol, anyone with a knowledge of this password hash will + be able to impersonate the user on the network. For this + reason these hashes are known as <I +CLASS="EMPHASIS" +>plain text + equivalents</I +> and must <I +CLASS="EMPHASIS" +>NOT</I +> be made + available to anyone but the root user. To protect these passwords + the smbpasswd file is placed in a directory with read and + traverse access only to the root user and the smbpasswd file + itself must be set to be read/write only by root, with no + other access. </P +></DD +><DT +>NT Password Hash</DT +><DD +><P +>This is the Windows NT hash of the users + password, encoded as 32 hex digits. The Windows NT hash is + created by taking the users password as represented in + 16-bit, little-endian UNICODE and then applying the MD4 + (internet rfc1321) hashing algorithm to it. </P +><P +>This password hash is considered more secure than + the Lanman Password Hash as it preserves the case of the + password and uses a much higher quality hashing algorithm. + However, it is still the case that if two users choose the same + password this entry will be identical (i.e. the password is + not "salted" as the UNIX password is). </P +><P +><I +CLASS="EMPHASIS" +>WARNING !!</I +>. Note that, due to + the challenge-response nature of the SMB/CIFS authentication + protocol, anyone with a knowledge of this password hash will + be able to impersonate the user on the network. For this + reason these hashes are known as <I +CLASS="EMPHASIS" +>plain text + equivalents</I +> and must <I +CLASS="EMPHASIS" +>NOT</I +> be made + available to anyone but the root user. To protect these passwords + the smbpasswd file is placed in a directory with read and + traverse access only to the root user and the smbpasswd file + itself must be set to be read/write only by root, with no + other access. </P +></DD +><DT +>Account Flags</DT +><DD +><P +>This section contains flags that describe + the attributes of the users account. In the Samba 2.2 release + this field is bracketed by '[' and ']' characters and is always + 13 characters in length (including the '[' and ']' characters). + The contents of this field may be any of the characters. + </P +><P +></P +><UL +><LI +><P +><I +CLASS="EMPHASIS" +>U</I +> - This means + this is a "User" account, i.e. an ordinary user. Only User + and Workstation Trust accounts are currently supported + in the smbpasswd file. </P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>N</I +> - This means the + account has no password (the passwords in the fields Lanman + Password Hash and NT Password Hash are ignored). Note that this + will only allow users to log on with no password if the <TT +CLASS="PARAMETER" +><I +> null passwords</I +></TT +> parameter is set in the <A +HREF="smb.conf.5.html#NULLPASSWORDS" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5) + </TT +></A +> config file. </P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>D</I +> - This means the account + is disabled and no SMB/CIFS logins will be allowed for + this user. </P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>W</I +> - This means this account + is a "Workstation Trust" account. This kind of account is used + in the Samba PDC code stream to allow Windows NT Workstations + and Servers to join a Domain hosted by a Samba PDC. </P +></LI +></UL +><P +>Other flags may be added as the code is extended in future. + The rest of this field space is filled in with spaces. </P +></DD +><DT +>Last Change Time</DT +><DD +><P +>This field consists of the time the account was + last modified. It consists of the characters 'LCT-' (standing for + "Last Change Time") followed by a numeric encoding of the UNIX time + in seconds since the epoch (1970) that the last change was made. + </P +></DD +></DL +></DIV +><P +>All other colon separated fields are ignored at this time.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN73" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN76" +></A +><H2 +>SEE ALSO</H2 +><P +><A +HREF="smbpasswd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbpasswd(8)</B +></A +>, + <A +HREF="samba.7.html" +TARGET="_top" +>samba(7)</A +>, and + the Internet RFC1321 for details on the MD4 algorithm. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN82" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file |