author | Gerald Carter <jerry@samba.org> | 2001-02-23 04:34:24 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2001-02-23 04:34:24 +0000 |
commit | b58b856db5c5c2583a4bbe24ab39726efefb18a6 (patch) | |
tree | 6bec93ee6bfb51723e3ad118621c7c8b6d1fdcab /docs/manpages/smbpasswd.5 | |
parent | ed77fca1990f96dba6fe9204e551056395c6ed29 (diff) | |
more updates. Conversion almost done. 2 more man pages
(then all the ASCII stuff)
(This used to be commit 7247027e833616bfe9350253cc1e6cdb236b2cdf)
Diffstat (limited to 'docs/manpages/smbpasswd.5')
-rw-r--r-- | docs/manpages/smbpasswd.5 | 365 |
1 files changed, 155 insertions, 210 deletions
diff --git a/docs/manpages/smbpasswd.5 b/docs/manpages/smbpasswd.5 index bc87d134d2..fef3713425 100644 --- a/docs/manpages/smbpasswd.5 +++ b/docs/manpages/smbpasswd.5 
@@ -1,214 +1,159 @@ -.TH "smbpasswd " "5" "23 Oct 1998" "Samba" "SAMBA" -.PP -.SH "NAME" +.\" This manpage has been automatically generated by docbook2man-spec +.\" from a DocBook document. docbook2man-spec can be found at: +.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/> +.\" Please send any bug reports, improvements, comments, patches, +.\" etc. to Steve Cheng <steve@ggi-project.org>. +.TH "SMBPASSWD" "5" "22 February 2001" "" "" +.SH NAME smbpasswd \- The Samba encrypted password file -.PP -.SH "SYNOPSIS" -.PP -smbpasswd is the \fBSamba\fP encrypted password file\&. -.PP -.SH "DESCRIPTION" -.PP -This file is part of the \fBSamba\fP suite\&. -.PP -smbpasswd is the \fBSamba\fP encrypted password file\&. It contains -the username, Unix user id and the SMB hashed passwords of the -user, as well as account flag information and the time the password -was last changed\&. This file format has been evolving with Samba -and has had several different formats in the past\&. -.PP -.SH "FILE FORMAT" -.PP -The format of the smbpasswd file used by Samba 2\&.0 is very similar to -the familiar Unix \fBpasswd (5)\fP file\&. It is an ASCII file containing -one line for each user\&. Each field within each line is separated from -the next by a colon\&. Any entry beginning with # is ignored\&. The -smbpasswd file contains the following information for each user: -.PP -.IP -.IP "\fBname\fP" -.br -.br -.IP -This is the user name\&. It must be a name that already exists -in the standard UNIX passwd file\&. -.IP -.IP "\fBuid\fP" -.br -.br -.IP -This is the UNIX uid\&. It must match the uid field for the same -user entry in the standard UNIX passwd file\&. If this does not -match then Samba will refuse to recognize this \fBsmbpasswd\fP file entry -as being valid for a user\&. -.IP -.IP "\fBLanman Password Hash\fP" -.br -.br -.IP -This is the \fILANMAN\fP hash of the users password, encoded as 32 hex -digits\&. 
The \fILANMAN\fP hash is created by DES encrypting a well known -string with the users password as the DES key\&. This is the same -password used by Windows 95/98 machines\&. Note that this password hash -is regarded as weak as it is vulnerable to dictionary attacks and if -two users choose the same password this entry will be identical (i\&.e\&. -the password is not \fI"salted"\fP as the UNIX password is)\&. If the -user has a null password this field will contain the characters -\f(CW"NO PASSWORD"\fP as the start of the hex string\&. If the hex string -is equal to 32 \f(CW\'X\'\fP characters then the users account is marked as -\fIdisabled\fP and the user will not be able to log onto the Samba -server\&. -.IP -\fIWARNING !!\fP\&. Note that, due to the challenge-response nature of the -SMB/CIFS authentication protocol, anyone with a knowledge of this -password hash will be able to impersonate the user on the network\&. -For this reason these hashes are known as \fI"plain text equivalent"\fP -and must \fINOT\fP be made available to anyone but the root user\&. To -protect these passwords the \fBsmbpasswd\fP file is placed in a -directory with read and traverse access only to the root user and the -\fBsmbpasswd\fP file itself must be set to be read/write only by root, -with no other access\&. -.IP -.IP "\fBNT Password Hash\fP" -.br -.br -.IP -This is the \fIWindows NT\fP hash of the users password, encoded as 32 -hex digits\&. The \fIWindows NT\fP hash is created by taking the users -password as represented in 16-bit, little-endian UNICODE and then -applying the \fIMD4\fP (internet rfc1321) hashing algorithm to it\&. -.IP -This password hash is considered more secure than the \fBLanman -Password Hash\fP as it preserves the case of the -password and uses a much higher quality hashing algorithm\&. However, it -is still the case that if two users choose the same password this -entry will be identical (i\&.e\&. 
the password is not \fI"salted"\fP as the -UNIX password is)\&. -.IP -\fIWARNING !!\fP\&. Note that, due to the challenge-response nature of the -SMB/CIFS authentication protocol, anyone with a knowledge of this -password hash will be able to impersonate the user on the network\&. -For this reason these hashes are known as \fI"plain text equivalent"\fP -and must \fINOT\fP be made available to anyone but the root user\&. To -protect these passwords the \fBsmbpasswd\fP file is placed in a -directory with read and traverse access only to the root user and the -\fBsmbpasswd\fP file itself must be set to be read/write only by root, -with no other access\&. -.IP -.IP "\fBAccount Flags\fP" -.br -.br -.IP -This section contains flags that describe the attributes of the users -account\&. In the \fBSamba2\&.0\fP release this field is bracketed by \f(CW\'[\'\fP -and \f(CW\']\'\fP characters and is always 13 characters in length (including -the \f(CW\'[\'\fP and \f(CW\']\'\fP characters)\&. The contents of this field may be -any of the characters\&. -.IP -.IP -.IP o -\fB\'U\'\fP This means this is a \fI"User"\fP account, i\&.e\&. an ordinary -user\&. Only \fBUser\fP and \fBWorkstation Trust\fP accounts are -currently supported in the \fBsmbpasswd\fP file\&. -.IP -.IP o -\fB\'N\'\fP This means the account has \fIno\fP password (the passwords -in the fields \fBLanman Password Hash\fP and -\fBNT Password Hash\fP are ignored)\&. Note that this -will only allow users to log on with no password if the -\fBnull passwords\fP parameter is set -in the \fBsmb\&.conf (5)\fP config file\&. -.IP -.IP o -\fB\'D\'\fP This means the account is disabled and no SMB/CIFS logins -will be allowed for this user\&. -.IP -.IP o -\fB\'W\'\fP This means this account is a \fI"Workstation Trust"\fP account\&. -This kind of account is used in the Samba PDC code stream to allow Windows -NT Workstations and Servers to join a Domain hosted by a Samba PDC\&. 
-.IP -.IP -Other flags may be added as the code is extended in future\&. The rest of -this field space is filled in with spaces\&. -.IP -.IP "\fBLast Change Time\fP" -.br -.br -.IP -This field consists of the time the account was last modified\&. It consists of -the characters \f(CWLCT-\fP (standing for \fI"Last Change Time"\fP) followed by a numeric -encoding of the UNIX time in seconds since the epoch (1970) that the last change -was made\&. -.IP -.IP "\fBFollowing fields\fP" -.br -.br -.IP -All other colon separated fields are ignored at this time\&. -.IP -.PP -.SH "NOTES" -.PP -In previous versions of Samba (notably the 1\&.9\&.18 series) this file -did not contain the \fBAccount Flags\fP or -\fBLast Change Time\fP fields\&. The Samba 2\&.0 -code will read and write these older password files but will not be able to -modify the old entries to add the new fields\&. New entries added with -\fBsmbpasswd (8)\fP will contain the new fields -in the added accounts however\&. Thus an older \fBsmbpasswd\fP file used -with Samba 2\&.0 may end up with some accounts containing the new fields -and some not\&. -.PP -In order to convert from an old-style \fBsmbpasswd\fP file to a new -style, run the script \fBconvert_smbpasswd\fP, installed in the -Samba \f(CWbin/\fP directory (the same place that the \fBsmbd\fP -and \fBnmbd\fP binaries are installed) as follows: -.PP +.SH SYNOPSIS +.PP +\fIsmbpasswd\fR +.SH "DESCRIPTION" +.PP +This tool is part of the Samba <URL:samba.7.html> suite. +.PP +smbpasswd is the Samba encrypted password file. It contains +the username, Unix user id and the SMB hashed passwords of the +user, as well as account flag information and the time the +password was last changed. This file format has been evolving with +Samba and has had several different formats in the past. +.SH "FILE FORMAT" +.PP +The format of the smbpasswd file used by Samba 2.2 +is very similar to the familiar Unix \fIpasswd(5)\fR +file. 
It is an ASCII file containing one line for each user. Each field +ithin each line is separated from the next by a colon. Any entry +beginning with '#' is ignored. The smbpasswd file contains the +following information for each user: +.TP +\fBname\fR +This is the user name. It must be a name that +already exists in the standard UNIX passwd file. +.TP +\fBuid\fR +This is the UNIX uid. It must match the uid +field for the same user entry in the standard UNIX passwd file. +If this does not match then Samba will refuse to recognize +this smbpasswd file entry as being valid for a user. +.TP +\fBLanman Password Hash\fR +This is the LANMAN hash of the users password, +encoded as 32 hex digits. The LANMAN hash is created by DES +encrypting a well known string with the users password as the +DES key. This is the same password used by Windows 95/98 machines. +Note that this password hash is regarded as weak as it is +vulnerable to dictionary attacks and if two users choose the +same password this entry will be identical (i.e. the password +is not "salted" as the UNIX password is). If the user has a +null password this field will contain the characters "NO PASSWORD" +as the start of the hex string. If the hex string is equal to +32 'X' characters then the users account is marked as +disabled and the user will not be able to +log onto the Samba server. -.nf - +\fBWARNING !!\fR Note that, due to +the challenge-response nature of the SMB/CIFS authentication +protocol, anyone with a knowledge of this password hash will +be able to impersonate the user on the network. For this +reason these hashes are known as \fBplain text +equivalents\fR and must \fBNOT\fR be made +available to anyone but the root user. To protect these passwords +the smbpasswd file is placed in a directory with read and +traverse access only to the root user and the smbpasswd file +itself must be set to be read/write only by root, with no +other access. 
+.TP +\fBNT Password Hash\fR +This is the Windows NT hash of the users +password, encoded as 32 hex digits. The Windows NT hash is +created by taking the users password as represented in +16-bit, little-endian UNICODE and then applying the MD4 +(internet rfc1321) hashing algorithm to it. +This password hash is considered more secure than +the Lanman Password Hash as it preserves the case of the +password and uses a much higher quality hashing algorithm. +However, it is still the case that if two users choose the same +password this entry will be identical (i.e. the password is +not "salted" as the UNIX password is). - cat old_smbpasswd_file | convert_smbpasswd > new_smbpasswd_file - - -.fi - - -.PP -The \fBconvert_smbpasswd\fP script reads from stdin and writes to stdout -so as not to overwrite any files by accident\&. -.PP -Once this script has been run, check the contents of the new smbpasswd -file to ensure that it has not been damaged by the conversion script -(which uses \fBawk\fP), and then replace the \f(CW<old smbpasswd file>\fP -with the \f(CW<new smbpasswd file>\fP\&. -.PP -.SH "VERSION" -.PP -This man page is correct for version 2\&.0 of the Samba suite\&. -.PP -.SH "SEE ALSO" -.PP -\fBsmbpasswd (8)\fP, \fBsamba -(7)\fP, and the Internet RFC1321 for details on the MD4 -algorithm\&. -.PP -.SH "AUTHOR" -.PP -The original Samba software and related utilities were created by -Andrew Tridgell samba@samba\&.org\&. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed\&. -.PP -The original Samba man pages were written by Karl Auer\&. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -\fBftp://ftp\&.icce\&.rug\&.nl/pub/unix/\fP) -and updated for the Samba2\&.0 release by Jeremy -Allison, samba@samba\&.org\&. 
-.PP -See \fBsamba (7)\fP to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc\&. +\fBWARNING !!\fR. Note that, due to +the challenge-response nature of the SMB/CIFS authentication +protocol, anyone with a knowledge of this password hash will +be able to impersonate the user on the network. For this +reason these hashes are known as \fBplain text +equivalents\fR and must \fBNOT\fR be made +available to anyone but the root user. To protect these passwords +the smbpasswd file is placed in a directory with read and +traverse access only to the root user and the smbpasswd file +itself must be set to be read/write only by root, with no +other access. +.TP +\fBAccount Flags\fR +This section contains flags that describe +the attributes of the users account. In the Samba 2.2 release +this field is bracketed by '[' and ']' characters and is always +13 characters in length (including the '[' and ']' characters). +The contents of this field may be any of the characters. +.RS +.TP 0.2i +\(bu +\fBU\fR - This means +this is a "User" account, i.e. an ordinary user. Only User +and Workstation Trust accounts are currently supported +in the smbpasswd file. +.TP 0.2i +\(bu +\fBN\fR - This means the +account has no password (the passwords in the fields Lanman +Password Hash and NT Password Hash are ignored). Note that this +will only allow users to log on with no password if the \fI null passwords\fR parameter is set in the \fIsmb.conf(5) +\fR <URL:smb.conf.5.html#NULLPASSWORDS> config file. +.TP 0.2i +\(bu +\fBD\fR - This means the account +is disabled and no SMB/CIFS logins will be allowed for +this user. +.TP 0.2i +\(bu +\fBW\fR - This means this account +is a "Workstation Trust" account. This kind of account is used +in the Samba PDC code stream to allow Windows NT Workstations +and Servers to join a Domain hosted by a Samba PDC. +.RE +.PP +Other flags may be added as the code is extended in future. 
+The rest of this field space is filled in with spaces. +.PP +.TP +\fBLast Change Time\fR +This field consists of the time the account was +last modified. It consists of the characters 'LCT-' (standing for +"Last Change Time") followed by a numeric encoding of the UNIX time +in seconds since the epoch (1970) that the last change was made. +.PP +All other colon separated fields are ignored at this time. +.PP +.SH "VERSION" +.PP +This man page is correct for version 2.2 of +the Samba suite. +.SH "SEE ALSO" +.PP +\fBsmbpasswd(8)\fR <URL:smbpasswd.8.html>, +samba(7) <URL:samba.7.html>, and +the Internet RFC1321 for details on the MD4 algorithm. +.SH "AUTHOR" +.PP +The original Samba software and related utilities +were created by Andrew Tridgell. Samba is now developed +by the Samba Team as an Open Source project similar +to the way the Linux kernel is developed. +.PP +The original Samba man pages were written by Karl Auer. +The man page sources were converted to YODL format (another +excellent piece of Open Source software, available at +ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the Samba 2.0 +release by Jeremy Allison. The conversion to DocBook for +Samba 2.2 was done by Gerald Carter |
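Review bot: In the new FILE FORMAT paragraph the added line "+ithin each line is separated from the next by a colon" has lost its first letter; the removed text read "Each field within each line", so this should be "within". Two smaller regressions in the added text: DESCRIPTION now says "This tool is part of the Samba suite" where the old page said "This file", and since smbpasswd(5) documents a file, "file" should be kept; and the WARNING paragraph under Lanman Password Hash has no period after "\fBWARNING !!\fR" while the one under NT Password Hash does. The NT Password Hash entry and SEE ALSO still cite RFC1321 for MD4, but RFC 1321 specifies MD5 and MD4 is RFC 1320, so both references are worth correcting while the page is being regenerated. The NOTES section on converting older-format files with convert_smbpasswd is removed with no replacement and no mention in the commit message; if that is intentional for 2.2, say so in the message, otherwise carry the section over.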