diff options
Diffstat (limited to 'docs/manpages/smbpasswd.5')
-rw-r--r-- | docs/manpages/smbpasswd.5 | 222 |
1 files changed, 88 insertions, 134 deletions
diff --git a/docs/manpages/smbpasswd.5 b/docs/manpages/smbpasswd.5 index 07b04530c3..75645d4b6a 100644 --- a/docs/manpages/smbpasswd.5 +++ b/docs/manpages/smbpasswd.5 @@ -1,157 +1,111 @@ -.\" This manpage has been automatically generated by docbook2man -.\" from a DocBook document. This tool can be found at: -.\" <http://shell.ipoline.com/~elmert/comp/docbook2X/> -.\" Please send any bug reports, improvements, comments, patches, -.\" etc. to Steve Cheng <steve@ggi-project.org>. -.TH "SMBPASSWD" "5" "04 March 2003" "" "" +.\"Generated by db2man.xsl. Don't modify this, modify the source. +.de Sh \" Subsection +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.TH "SMBPASSWD" 5 "" "" "" .SH NAME smbpasswd \- The Samba encrypted password file -.SH SYNOPSIS +.SH "SYNOPSIS" + .PP \fIsmbpasswd\fR + .SH "DESCRIPTION" + .PP -This tool is part of the Samba suite. +This tool is part of the \fBSamba\fR(7) suite\&. + .PP -smbpasswd is the Samba encrypted password file. It contains -the username, Unix user id and the SMB hashed passwords of the -user, as well as account flag information and the time the -password was last changed. This file format has been evolving with -Samba and has had several different formats in the past. +smbpasswd is the Samba encrypted password file\&. It contains the username, Unix user id and the SMB hashed passwords of the user, as well as account flag information and the time the password was last changed\&. This file format has been evolving with Samba and has had several different formats in the past\&. + .SH "FILE FORMAT" + .PP -The format of the smbpasswd file used by Samba 2.2 -is very similar to the familiar Unix \fIpasswd(5)\fR -file. It is an ASCII file containing one line for each user. Each field -ithin each line is separated from the next by a colon. Any entry -beginning with '#' is ignored. The smbpasswd file contains the -following information for each user: +The format of the smbpasswd file used by Samba 2\&.2 is very similar to the familiar Unix \fIpasswd(5)\fR file\&. It is an ASCII file containing one line for each user\&. Each field ithin each line is separated from the next by a colon\&. Any entry beginning with '#' is ignored\&. The smbpasswd file contains the following information for each user: + .TP -\fBname\fR -This is the user name. It must be a name that -already exists in the standard UNIX passwd file. +name +This is the user name\&. It must be a name that already exists in the standard UNIX passwd file\&. + + .TP -\fBuid\fR -This is the UNIX uid. It must match the uid -field for the same user entry in the standard UNIX passwd file. -If this does not match then Samba will refuse to recognize -this smbpasswd file entry as being valid for a user. +uid +This is the UNIX uid\&. It must match the uid field for the same user entry in the standard UNIX passwd file\&. If this does not match then Samba will refuse to recognize this smbpasswd file entry as being valid for a user\&. + + .TP -\fBLanman Password Hash\fR -This is the LANMAN hash of the user's password, -encoded as 32 hex digits. The LANMAN hash is created by DES -encrypting a well known string with the user's password as the -DES key. This is the same password used by Windows 95/98 machines. -Note that this password hash is regarded as weak as it is -vulnerable to dictionary attacks and if two users choose the -same password this entry will be identical (i.e. the password -is not "salted" as the UNIX password is). If the user has a -null password this field will contain the characters "NO PASSWORD" -as the start of the hex string. If the hex string is equal to -32 'X' characters then the user's account is marked as -disabled and the user will not be able to -log onto the Samba server. - -\fBWARNING !!\fR Note that, due to -the challenge-response nature of the SMB/CIFS authentication -protocol, anyone with a knowledge of this password hash will -be able to impersonate the user on the network. For this -reason these hashes are known as \fBplain text -equivalents\fR and must \fBNOT\fR be made -available to anyone but the root user. To protect these passwords -the smbpasswd file is placed in a directory with read and -traverse access only to the root user and the smbpasswd file -itself must be set to be read/write only by root, with no -other access. +Lanman Password Hash +This is the LANMAN hash of the user's password, encoded as 32 hex digits\&. The LANMAN hash is created by DES encrypting a well known string with the user's password as the DES key\&. This is the same password used by Windows 95/98 machines\&. Note that this password hash is regarded as weak as it is vulnerable to dictionary attacks and if two users choose the same password this entry will be identical (i\&.e\&. the password is not "salted" as the UNIX password is)\&. If the user has a null password this field will contain the characters "NO PASSWORD" as the start of the hex string\&. If the hex string is equal to 32 'X' characters then the user's account is marked as \fBdisabled\fR and the user will not be able to log onto the Samba server\&. + + +\fBWARNING !!\fR Note that, due to the challenge-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this password hash will be able to impersonate the user on the network\&. For this reason these hashes are known as \fBplain text equivalents\fR and must \fBNOT\fR be made available to anyone but the root user\&. To protect these passwords the smbpasswd file is placed in a directory with read and traverse access only to the root user and the smbpasswd file itself must be set to be read/write only by root, with no other access\&. + + .TP -\fBNT Password Hash\fR -This is the Windows NT hash of the user's -password, encoded as 32 hex digits. The Windows NT hash is -created by taking the user's password as represented in -16-bit, little-endian UNICODE and then applying the MD4 -(internet rfc1321) hashing algorithm to it. - -This password hash is considered more secure than -the LANMAN Password Hash as it preserves the case of the -password and uses a much higher quality hashing algorithm. -However, it is still the case that if two users choose the same -password this entry will be identical (i.e. the password is -not "salted" as the UNIX password is). - -\fBWARNING !!\fR. Note that, due to -the challenge-response nature of the SMB/CIFS authentication -protocol, anyone with a knowledge of this password hash will -be able to impersonate the user on the network. For this -reason these hashes are known as \fBplain text -equivalents\fR and must \fBNOT\fR be made -available to anyone but the root user. To protect these passwords -the smbpasswd file is placed in a directory with read and -traverse access only to the root user and the smbpasswd file -itself must be set to be read/write only by root, with no -other access. +NT Password Hash +This is the Windows NT hash of the user's password, encoded as 32 hex digits\&. The Windows NT hash is created by taking the user's password as represented in 16-bit, little-endian UNICODE and then applying the MD4 (internet rfc1321) hashing algorithm to it\&. + + +This password hash is considered more secure than the LANMAN Password Hash as it preserves the case of the password and uses a much higher quality hashing algorithm\&. However, it is still the case that if two users choose the same password this entry will be identical (i\&.e\&. the password is not "salted" as the UNIX password is)\&. + + +\fBWARNING !!\fR\&. Note that, due to the challenge-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this password hash will be able to impersonate the user on the network\&. For this reason these hashes are known as \fBplain text equivalents\fR and must \fBNOT\fR be made available to anyone but the root user\&. To protect these passwords the smbpasswd file is placed in a directory with read and traverse access only to the root user and the smbpasswd file itself must be set to be read/write only by root, with no other access\&. + + .TP -\fBAccount Flags\fR -This section contains flags that describe -the attributes of the users account. In the Samba 2.2 release -this field is bracketed by '[' and ']' characters and is always -13 characters in length (including the '[' and ']' characters). -The contents of this field may be any of the characters. -.RS -.TP 0.2i -\(bu -\fBU\fR - This means -this is a "User" account, i.e. an ordinary user. Only User -and Workstation Trust accounts are currently supported -in the smbpasswd file. -.TP 0.2i -\(bu -\fBN\fR - This means the -account has no password (the passwords in the fields LANMAN -Password Hash and NT Password Hash are ignored). Note that this -will only allow users to log on with no password if the \fI null passwords\fR parameter is set in the \fIsmb.conf(5) -\fR config file. -.TP 0.2i -\(bu -\fBD\fR - This means the account -is disabled and no SMB/CIFS logins will be allowed for -this user. -.TP 0.2i -\(bu -\fBW\fR - This means this account -is a "Workstation Trust" account. This kind of account is used -in the Samba PDC code stream to allow Windows NT Workstations -and Servers to join a Domain hosted by a Samba PDC. -.RE - -Other flags may be added as the code is extended in future. -The rest of this field space is filled in with spaces. +Account Flags +This section contains flags that describe the attributes of the users account\&. In the Samba 2\&.2 release this field is bracketed by '[' and ']' characters and is always 13 characters in length (including the '[' and ']' characters)\&. The contents of this field may be any of the following characters: + + +\fBU\fR - This means this is a "User" account, i\&.e\&. an ordinary user\&. Only User and Workstation Trust accounts are currently supported in the smbpasswd file\&. + +\fBN\fR - This means the account has no password (the passwords in the fields LANMAN Password Hash and NT Password Hash are ignored)\&. Note that this will only allow users to log on with no password if the \fI null passwords\fR parameter is set in the \fBsmb.conf\fR(5) config file\&. + +\fBD\fR - This means the account is disabled and no SMB/CIFS logins will be allowed for this user\&. + +\fBW\fR - This means this account is a "Workstation Trust" account\&. This kind of account is used in the Samba PDC code stream to allow Windows NT Workstations and Servers to join a Domain hosted by a Samba PDC\&. + +Other flags may be added as the code is extended in future\&. The rest of this field space is filled in with spaces\&. + + .TP -\fBLast Change Time\fR -This field consists of the time the account was -last modified. It consists of the characters 'LCT-' (standing for -"Last Change Time") followed by a numeric encoding of the UNIX time -in seconds since the epoch (1970) that the last change was made. +Last Change Time +This field consists of the time the account was last modified\&. It consists of the characters 'LCT-' (standing for "Last Change Time") followed by a numeric encoding of the UNIX time in seconds since the epoch (1970) that the last change was made\&. + + .PP -All other colon separated fields are ignored at this time. +All other colon separated fields are ignored at this time\&. + .SH "VERSION" + .PP -This man page is correct for version 3.0 of -the Samba suite. +This man page is correct for version 3\&.0 of the Samba suite\&. + .SH "SEE ALSO" + .PP -\fBsmbpasswd(8)\fR -samba(7) and -the Internet RFC1321 for details on the MD4 algorithm. +\fBsmbpasswd\fR(8), \fBSamba\fR(7), and the Internet RFC1321 for details on the MD4 algorithm\&. + .SH "AUTHOR" + .PP -The original Samba software and related utilities -were created by Andrew Tridgell. Samba is now developed -by the Samba Team as an Open Source project similar -to the way the Linux kernel is developed. +The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&. + .PP -The original Samba man pages were written by Karl Auer. -The man page sources were converted to YODL format (another -excellent piece of Open Source software, available at -ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the Samba 2.0 -release by Jeremy Allison. The conversion to DocBook for -Samba 2.2 was done by Gerald Carter +The original Samba man pages were written by Karl Auer\&. The man page sources were converted to YODL format (another excellent piece of Open Source software, available at ftp://ftp\&.icce\&.rug\&.nl/pub/unix/) and updated for the Samba 2\&.0 release by Jeremy Allison\&. The conversion to DocBook for Samba 2\&.2 was done by Gerald Carter\&. The conversion to DocBook XML 4\&.2 for Samba 3\&.0 was done by Alexander Bokovoy\&. + |