| 1 | <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smbpasswd</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.68.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smbpasswd.5"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smbpasswd — The Samba encrypted password file</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p><code class="filename">smbpasswd</code></p></div><div class="refsect1" lang="en"><a name="id263114"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>smbpasswd is the Samba encrypted password file. It contains |
|---|
| 2 | the username, Unix user id and the SMB hashed passwords of the |
|---|
| 3 | user, as well as account flag information and the time the |
|---|
| 4 | password was last changed. This file format has been evolving with |
|---|
| 5 | Samba and has had several different formats in the past. </p></div><div class="refsect1" lang="en"><a name="id230782"></a><h2>FILE FORMAT</h2><p>The format of the smbpasswd file used by Samba 2.2 |
|---|
| 6 | is very similar to the familiar Unix <code class="filename">passwd(5)</code> |
|---|
| 7 | file. It is an ASCII file containing one line for each user. Each field |
|---|
| 8 | ithin each line is separated from the next by a colon. Any entry |
|---|
| 9 | beginning with '#' is ignored. The smbpasswd file contains the |
|---|
| 10 | following information for each user: </p><div class="variablelist"><dl><dt><span class="term">name</span></dt><dd><p> This is the user name. It must be a name that |
|---|
| 11 | already exists in the standard UNIX passwd file. </p></dd><dt><span class="term">uid</span></dt><dd><p>This is the UNIX uid. It must match the uid |
|---|
| 12 | field for the same user entry in the standard UNIX passwd file. |
|---|
| 13 | If this does not match then Samba will refuse to recognize |
|---|
| 14 | this smbpasswd file entry as being valid for a user. |
|---|
| 15 | </p></dd><dt><span class="term">Lanman Password Hash</span></dt><dd><p>This is the LANMAN hash of the user's password, |
|---|
| 16 | encoded as 32 hex digits. The LANMAN hash is created by DES |
|---|
| 17 | encrypting a well known string with the user's password as the |
|---|
| 18 | DES key. This is the same password used by Windows 95/98 machines. |
|---|
| 19 | Note that this password hash is regarded as weak as it is |
|---|
| 20 | vulnerable to dictionary attacks and if two users choose the |
|---|
| 21 | same password this entry will be identical (i.e. the password |
|---|
| 22 | is not "salted" as the UNIX password is). If the user has a |
|---|
| 23 | null password this field will contain the characters "NO PASSWORD" |
|---|
| 24 | as the start of the hex string. If the hex string is equal to |
|---|
| 25 | 32 'X' characters then the user's account is marked as |
|---|
| 26 | <code class="constant">disabled</code> and the user will not be able to |
|---|
| 27 | log onto the Samba server. </p><p><span class="emphasis"><em>WARNING !!</em></span> Note that, due to |
|---|
| 28 | the challenge-response nature of the SMB/CIFS authentication |
|---|
| 29 | protocol, anyone with a knowledge of this password hash will |
|---|
| 30 | be able to impersonate the user on the network. For this |
|---|
| 31 | reason these hashes are known as <span class="emphasis"><em>plain text |
|---|
| 32 | equivalents</em></span> and must <span class="emphasis"><em>NOT</em></span> be made |
|---|
| 33 | available to anyone but the root user. To protect these passwords |
|---|
| 34 | the smbpasswd file is placed in a directory with read and |
|---|
| 35 | traverse access only to the root user and the smbpasswd file |
|---|
| 36 | itself must be set to be read/write only by root, with no |
|---|
| 37 | other access. </p></dd><dt><span class="term">NT Password Hash</span></dt><dd><p>This is the Windows NT hash of the user's |
|---|
| 38 | password, encoded as 32 hex digits. The Windows NT hash is |
|---|
| 39 | created by taking the user's password as represented in |
|---|
| 40 | 16-bit, little-endian UNICODE and then applying the MD4 |
|---|
| 41 | (internet rfc1321) hashing algorithm to it. </p><p>This password hash is considered more secure than |
|---|
| 42 | the LANMAN Password Hash as it preserves the case of the |
|---|
| 43 | password and uses a much higher quality hashing algorithm. |
|---|
| 44 | However, it is still the case that if two users choose the same |
|---|
| 45 | password this entry will be identical (i.e. the password is |
|---|
| 46 | not "salted" as the UNIX password is). </p><p><span class="emphasis"><em>WARNING !!</em></span>. Note that, due to |
|---|
| 47 | the challenge-response nature of the SMB/CIFS authentication |
|---|
| 48 | protocol, anyone with a knowledge of this password hash will |
|---|
| 49 | be able to impersonate the user on the network. For this |
|---|
| 50 | reason these hashes are known as <span class="emphasis"><em>plain text |
|---|
| 51 | equivalents</em></span> and must <span class="emphasis"><em>NOT</em></span> be made |
|---|
| 52 | available to anyone but the root user. To protect these passwords |
|---|
| 53 | the smbpasswd file is placed in a directory with read and |
|---|
| 54 | traverse access only to the root user and the smbpasswd file |
|---|
| 55 | itself must be set to be read/write only by root, with no |
|---|
| 56 | other access. </p></dd><dt><span class="term">Account Flags</span></dt><dd><p>This section contains flags that describe |
|---|
| 57 | the attributes of the users account. This field is bracketed by |
|---|
| 58 | '[' and ']' characters and is always 13 characters in length |
|---|
| 59 | (including the '[' and ']' characters). |
|---|
| 60 | The contents of this field may be any of the following characters: |
|---|
| 61 | </p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>U</em></span> - This means |
|---|
| 62 | this is a "User" account, i.e. an ordinary user.</p></li><li><p><span class="emphasis"><em>N</em></span> - This means the |
|---|
| 63 | account has no password (the passwords in the fields LANMAN |
|---|
| 64 | Password Hash and NT Password Hash are ignored). Note that this |
|---|
| 65 | will only allow users to log on with no password if the <em class="parameter"><code> |
|---|
| 66 | null passwords</code></em> parameter is set in the |
|---|
| 67 | <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> config file. </p></li><li><p><span class="emphasis"><em>D</em></span> - This means the account |
|---|
| 68 | is disabled and no SMB/CIFS logins will be allowed for this user. </p></li><li><p><span class="emphasis"><em>X</em></span> - This means the password |
|---|
| 69 | does not expire. </p></li><li><p><span class="emphasis"><em>W</em></span> - This means this account |
|---|
| 70 | is a "Workstation Trust" account. This kind of account is used |
|---|
| 71 | in the Samba PDC code stream to allow Windows NT Workstations |
|---|
| 72 | and Servers to join a Domain hosted by a Samba PDC. </p></li></ul></div><p>Other flags may be added as the code is extended in future. |
|---|
| 73 | The rest of this field space is filled in with spaces. For further |
|---|
| 74 | information regarding the flags that are supported please refer to the |
|---|
| 75 | man page for the <span><strong class="command">pdbedit</strong></span> command.</p></dd><dt><span class="term">Last Change Time</span></dt><dd><p>This field consists of the time the account was |
|---|
| 76 | last modified. It consists of the characters 'LCT-' (standing for |
|---|
| 77 | "Last Change Time") followed by a numeric encoding of the UNIX time |
|---|
| 78 | in seconds since the epoch (1970) that the last change was made. |
|---|
| 79 | </p></dd></dl></div><p>All other colon separated fields are ignored at this time.</p></div><div class="refsect1" lang="en"><a name="id231528"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of |
|---|
| 80 | the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id231538"></a><h2>SEE ALSO</h2><p><a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>, <a href="Samba.7.html"><span class="citerefentry"><span class="refentrytitle">Samba</span>(7)</span></a>, and |
|---|
| 81 | the Internet RFC1321 for details on the MD4 algorithm. |
|---|
| 82 | </p></div><div class="refsect1" lang="en"><a name="id230511"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities |
|---|
| 83 | were created by Andrew Tridgell. Samba is now developed |
|---|
| 84 | by the Samba Team as an Open Source project similar |
|---|
| 85 | to the way the Linux kernel is developed.</p><p>The original Samba man pages were written by Karl Auer. |
|---|
| 86 | The man page sources were converted to YODL format (another |
|---|
| 87 | excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top"> |
|---|
| 88 | ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0 |
|---|
| 89 | release by Jeremy Allison. The conversion to DocBook for |
|---|
| 90 | Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 |
|---|
| 91 | for Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html> |
|---|
