From b58b856db5c5c2583a4bbe24ab39726efefb18a6 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 23 Feb 2001 04:34:24 +0000 Subject: more updates. Conversion almost done. 2 more man pages (then all the ASCII stuff) (This used to be commit 7247027e833616bfe9350253cc1e6cdb236b2cdf) --- docs/htmldocs/smbpasswd.5.html | 521 ++++++++++++++++++++++++++--------------- 1 file changed, 326 insertions(+), 195 deletions(-) (limited to 'docs/htmldocs/smbpasswd.5.html') diff --git a/docs/htmldocs/smbpasswd.5.html b/docs/htmldocs/smbpasswd.5.html index 2969022790..4ec7b7c86a 100644 --- a/docs/htmldocs/smbpasswd.5.html +++ b/docs/htmldocs/smbpasswd.5.html @@ -1,195 +1,326 @@ - - - - - - -smbpasswd (5) - - - - - -
- -

smbpasswd (5)

-

Samba

-

23 Oct 1998

- - - -

-

NAME

- smbpasswd - The Samba encrypted password file -

-

SYNOPSIS

- -

smbpasswd is the Samba encrypted password file. -

-

DESCRIPTION

- -

This file is part of the Samba suite. -

smbpasswd is the Samba encrypted password file. It contains -the username, Unix user id and the SMB hashed passwords of the -user, as well as account flag information and the time the password -was last changed. This file format has been evolving with Samba -and has had several different formats in the past. -

-

FILE FORMAT

- -

The format of the smbpasswd file used by Samba 2.0 is very similar to -the familiar Unix passwd (5) file. It is an ASCII file containing -one line for each user. Each field within each line is separated from -the next by a colon. Any entry beginning with # is ignored. The -smbpasswd file contains the following information for each user: -

-

-

name


-

This is the user name. It must be a name that already exists - in the standard UNIX passwd file. -

-

uid


-

This is the UNIX uid. It must match the uid field for the same - user entry in the standard UNIX passwd file. If this does not - match then Samba will refuse to recognize this smbpasswd file entry - as being valid for a user. -

-

Lanman Password Hash


-

This is the LANMAN hash of the users password, encoded as 32 hex - digits. The LANMAN hash is created by DES encrypting a well known - string with the users password as the DES key. This is the same - password used by Windows 95/98 machines. Note that this password hash - is regarded as weak as it is vulnerable to dictionary attacks and if - two users choose the same password this entry will be identical (i.e. - the password is not "salted" as the UNIX password is). If the - user has a null password this field will contain the characters - "NO PASSWORD" as the start of the hex string. If the hex string - is equal to 32 'X' characters then the users account is marked as - disabled and the user will not be able to log onto the Samba - server. -

WARNING !!. Note that, due to the challenge-response nature of the - SMB/CIFS authentication protocol, anyone with a knowledge of this - password hash will be able to impersonate the user on the network. - For this reason these hashes are known as "plain text equivalent" - and must NOT be made available to anyone but the root user. To - protect these passwords the smbpasswd file is placed in a - directory with read and traverse access only to the root user and the - smbpasswd file itself must be set to be read/write only by root, - with no other access. -

-

NT Password Hash


-

This is the Windows NT hash of the users password, encoded as 32 - hex digits. The Windows NT hash is created by taking the users - password as represented in 16-bit, little-endian UNICODE and then - applying the MD4 (internet rfc1321) hashing algorithm to it. -

This password hash is considered more secure than the Lanman - Password Hash as it preserves the case of the - password and uses a much higher quality hashing algorithm. However, it - is still the case that if two users choose the same password this - entry will be identical (i.e. the password is not "salted" as the - UNIX password is). -

WARNING !!. Note that, due to the challenge-response nature of the - SMB/CIFS authentication protocol, anyone with a knowledge of this - password hash will be able to impersonate the user on the network. - For this reason these hashes are known as "plain text equivalent" - and must NOT be made available to anyone but the root user. To - protect these passwords the smbpasswd file is placed in a - directory with read and traverse access only to the root user and the - smbpasswd file itself must be set to be read/write only by root, - with no other access. -

-

Account Flags


-

This section contains flags that describe the attributes of the users - account. In the Samba2.0 release this field is bracketed by '[' - and ']' characters and is always 13 characters in length (including - the '[' and ']' characters). The contents of this field may be - any of the characters. -

-

-

  • 'U' This means this is a "User" account, i.e. an ordinary - user. Only User and Workstation Trust accounts are - currently supported in the smbpasswd file. -

    -

  • 'N' This means the account has no password (the passwords - in the fields Lanman Password Hash and - NT Password Hash are ignored). Note that this - will only allow users to log on with no password if the - null passwords parameter is set - in the smb.conf (5) config file. -

    -

  • 'D' This means the account is disabled and no SMB/CIFS logins - will be allowed for this user. -

    -

  • 'W' This means this account is a "Workstation Trust" account. - This kind of account is used in the Samba PDC code stream to allow Windows - NT Workstations and Servers to join a Domain hosted by a Samba PDC. -

    • -

    Other flags may be added as the code is extended in future. The rest of - this field space is filled in with spaces. -

    -

    Last Change Time


    -

    This field consists of the time the account was last modified. It consists of - the characters LCT- (standing for "Last Change Time") followed by a numeric - encoding of the UNIX time in seconds since the epoch (1970) that the last change - was made. -

    Following fields


    -

    All other colon separated fields are ignored at this time. -

    -

    -

    NOTES

    - -

    In previous versions of Samba (notably the 1.9.18 series) this file -did not contain the Account Flags or -Last Change Time fields. The Samba 2.0 -code will read and write these older password files but will not be able to -modify the old entries to add the new fields. New entries added with -smbpasswd (8) will contain the new fields -in the added accounts however. Thus an older smbpasswd file used -with Samba 2.0 may end up with some accounts containing the new fields -and some not. -

    In order to convert from an old-style smbpasswd file to a new -style, run the script convert_smbpasswd, installed in the -Samba bin/ directory (the same place that the smbd -and nmbd binaries are installed) as follows: -

    -
-
-    cat old_smbpasswd_file | convert_smbpasswd > new_smbpasswd_file
-
-
-
    - -

    The convert_smbpasswd script reads from stdin and writes to stdout -so as not to overwrite any files by accident. -

    Once this script has been run, check the contents of the new smbpasswd -file to ensure that it has not been damaged by the conversion script -(which uses awk), and then replace the <old smbpasswd file> -with the <new smbpasswd file>. -

    -

    VERSION

    - -

    This man page is correct for version 2.0 of the Samba suite. -

    -

    SEE ALSO

    - -

    smbpasswd (8), samba -(7), and the Internet RFC1321 for details on the MD4 -algorithm. -

    -

    AUTHOR

    - -

    The original Samba software and related utilities were created by -Andrew Tridgell samba@samba.org. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -

    The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -ftp://ftp.icce.rug.nl/pub/unix/) -and updated for the Samba2.0 release by Jeremy -Allison, samba@samba.org. -

    See samba (7) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. - - +smbpasswd

    smbpasswd

    Name

    smbpasswd -- The Samba encrypted password file

    Synopsis

    smbpasswd

    DESCRIPTION

    This tool is part of the Samba suite.

    smbpasswd is the Samba encrypted password file. It contains + the username, Unix user id and the SMB hashed passwords of the + user, as well as account flag information and the time the + password was last changed. This file format has been evolving with + Samba and has had several different formats in the past.

    FILE FORMAT

    The format of the smbpasswd file used by Samba 2.2 + is very similar to the familiar Unix passwd(5) + file. It is an ASCII file containing one line for each user. Each field + ithin each line is separated from the next by a colon. Any entry + beginning with '#' is ignored. The smbpasswd file contains the + following information for each user:

    name

    This is the user name. It must be a name that + already exists in the standard UNIX passwd file.

    uid

    This is the UNIX uid. It must match the uid + field for the same user entry in the standard UNIX passwd file. + If this does not match then Samba will refuse to recognize + this smbpasswd file entry as being valid for a user. +

    Lanman Password Hash

    This is the LANMAN hash of the users password, + encoded as 32 hex digits. The LANMAN hash is created by DES + encrypting a well known string with the users password as the + DES key. This is the same password used by Windows 95/98 machines. + Note that this password hash is regarded as weak as it is + vulnerable to dictionary attacks and if two users choose the + same password this entry will be identical (i.e. the password + is not "salted" as the UNIX password is). If the user has a + null password this field will contain the characters "NO PASSWORD" + as the start of the hex string. If the hex string is equal to + 32 'X' characters then the users account is marked as + disabled and the user will not be able to + log onto the Samba server.

    WARNING !! Note that, due to + the challenge-response nature of the SMB/CIFS authentication + protocol, anyone with a knowledge of this password hash will + be able to impersonate the user on the network. For this + reason these hashes are known as plain text + equivalents and must NOT be made + available to anyone but the root user. To protect these passwords + the smbpasswd file is placed in a directory with read and + traverse access only to the root user and the smbpasswd file + itself must be set to be read/write only by root, with no + other access.

    NT Password Hash

    This is the Windows NT hash of the users + password, encoded as 32 hex digits. The Windows NT hash is + created by taking the users password as represented in + 16-bit, little-endian UNICODE and then applying the MD4 + (internet rfc1321) hashing algorithm to it.

    This password hash is considered more secure than + the Lanman Password Hash as it preserves the case of the + password and uses a much higher quality hashing algorithm. + However, it is still the case that if two users choose the same + password this entry will be identical (i.e. the password is + not "salted" as the UNIX password is).

    WARNING !!. Note that, due to + the challenge-response nature of the SMB/CIFS authentication + protocol, anyone with a knowledge of this password hash will + be able to impersonate the user on the network. For this + reason these hashes are known as plain text + equivalents and must NOT be made + available to anyone but the root user. To protect these passwords + the smbpasswd file is placed in a directory with read and + traverse access only to the root user and the smbpasswd file + itself must be set to be read/write only by root, with no + other access.

    Account Flags

    This section contains flags that describe + the attributes of the users account. In the Samba 2.2 release + this field is bracketed by '[' and ']' characters and is always + 13 characters in length (including the '[' and ']' characters). + The contents of this field may be any of the characters. +

    • U - This means + this is a "User" account, i.e. an ordinary user. Only User + and Workstation Trust accounts are currently supported + in the smbpasswd file.

    • N - This means the + account has no password (the passwords in the fields Lanman + Password Hash and NT Password Hash are ignored). Note that this + will only allow users to log on with no password if the null passwords parameter is set in the smb.conf(5) + config file.

    • D - This means the account + is disabled and no SMB/CIFS logins will be allowed for + this user.

    • W - This means this account + is a "Workstation Trust" account. This kind of account is used + in the Samba PDC code stream to allow Windows NT Workstations + and Servers to join a Domain hosted by a Samba PDC.

    Other flags may be added as the code is extended in future. + The rest of this field space is filled in with spaces.

    Last Change Time

    This field consists of the time the account was + last modified. It consists of the characters 'LCT-' (standing for + "Last Change Time") followed by a numeric encoding of the UNIX time + in seconds since the epoch (1970) that the last change was made. +

    All other colon separated fields are ignored at this time.

    VERSION

    This man page is correct for version 2.2 of + the Samba suite.

    SEE ALSO

    smbpasswd(8), + samba(7), and + the Internet RFC1321 for details on the MD4 algorithm. +

    AUTHOR

    The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.

    The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter

    \ No newline at end of file -- cgit