path: root/docs/manpages/smbpasswd.5
diff options
Diffstat (limited to 'docs/manpages/smbpasswd.5')
1 files changed, 155 insertions, 210 deletions
diff --git a/docs/manpages/smbpasswd.5 b/docs/manpages/smbpasswd.5
index bc87d134d23..fef3713425d 100644
--- a/docs/manpages/smbpasswd.5
+++ b/docs/manpages/smbpasswd.5
@@ -1,214 +1,159 @@
-.TH "smbpasswd " "5" "23 Oct 1998" "Samba" "SAMBA"
+.\" This manpage has been automatically generated by docbook2man-spec
+.\" from a DocBook document. docbook2man-spec can be found at:
+.\" <>
+.\" Please send any bug reports, improvements, comments, patches,
+.\" etc. to Steve Cheng <>.
+.TH "SMBPASSWD" "5" "22 February 2001" "" ""
smbpasswd \- The Samba encrypted password file
-smbpasswd is the \fBSamba\fP encrypted password file\&.
-This file is part of the \fBSamba\fP suite\&.
-smbpasswd is the \fBSamba\fP encrypted password file\&. It contains
-the username, Unix user id and the SMB hashed passwords of the
-user, as well as account flag information and the time the password
-was last changed\&. This file format has been evolving with Samba
-and has had several different formats in the past\&.
-The format of the smbpasswd file used by Samba 2\&.0 is very similar to
-the familiar Unix \fBpasswd (5)\fP file\&. It is an ASCII file containing
-one line for each user\&. Each field within each line is separated from
-the next by a colon\&. Any entry beginning with # is ignored\&. The
-smbpasswd file contains the following information for each user:
-.IP "\fBname\fP"
-This is the user name\&. It must be a name that already exists
-in the standard UNIX passwd file\&.
-.IP "\fBuid\fP"
-This is the UNIX uid\&. It must match the uid field for the same
-user entry in the standard UNIX passwd file\&. If this does not
-match then Samba will refuse to recognize this \fBsmbpasswd\fP file entry
-as being valid for a user\&.
-.IP "\fBLanman Password Hash\fP"
-This is the \fILANMAN\fP hash of the users password, encoded as 32 hex
-digits\&. The \fILANMAN\fP hash is created by DES encrypting a well known
-string with the users password as the DES key\&. This is the same
-password used by Windows 95/98 machines\&. Note that this password hash
-is regarded as weak as it is vulnerable to dictionary attacks and if
-two users choose the same password this entry will be identical (i\&.e\&.
-the password is not \fI"salted"\fP as the UNIX password is)\&. If the
-user has a null password this field will contain the characters
-\f(CW"NO PASSWORD"\fP as the start of the hex string\&. If the hex string
-is equal to 32 \f(CW\'X\'\fP characters then the users account is marked as
-\fIdisabled\fP and the user will not be able to log onto the Samba
-\fIWARNING !!\fP\&. Note that, due to the challenge-response nature of the
-SMB/CIFS authentication protocol, anyone with a knowledge of this
-password hash will be able to impersonate the user on the network\&.
-For this reason these hashes are known as \fI"plain text equivalent"\fP
-and must \fINOT\fP be made available to anyone but the root user\&. To
-protect these passwords the \fBsmbpasswd\fP file is placed in a
-directory with read and traverse access only to the root user and the
-\fBsmbpasswd\fP file itself must be set to be read/write only by root,
-with no other access\&.
-.IP "\fBNT Password Hash\fP"
-This is the \fIWindows NT\fP hash of the users password, encoded as 32
-hex digits\&. The \fIWindows NT\fP hash is created by taking the users
-password as represented in 16-bit, little-endian UNICODE and then
-applying the \fIMD4\fP (internet rfc1321) hashing algorithm to it\&.
-This password hash is considered more secure than the \fBLanman
-Password Hash\fP as it preserves the case of the
-password and uses a much higher quality hashing algorithm\&. However, it
-is still the case that if two users choose the same password this
-entry will be identical (i\&.e\&. the password is not \fI"salted"\fP as the
-UNIX password is)\&.
-\fIWARNING !!\fP\&. Note that, due to the challenge-response nature of the
-SMB/CIFS authentication protocol, anyone with a knowledge of this
-password hash will be able to impersonate the user on the network\&.
-For this reason these hashes are known as \fI"plain text equivalent"\fP
-and must \fINOT\fP be made available to anyone but the root user\&. To
-protect these passwords the \fBsmbpasswd\fP file is placed in a
-directory with read and traverse access only to the root user and the
-\fBsmbpasswd\fP file itself must be set to be read/write only by root,
-with no other access\&.
-.IP "\fBAccount Flags\fP"
-This section contains flags that describe the attributes of the users
-account\&. In the \fBSamba2\&.0\fP release this field is bracketed by \f(CW\'[\'\fP
-and \f(CW\']\'\fP characters and is always 13 characters in length (including
-the \f(CW\'[\'\fP and \f(CW\']\'\fP characters)\&. The contents of this field may be
-any of the characters\&.
-.IP o
-\fB\'U\'\fP This means this is a \fI"User"\fP account, i\&.e\&. an ordinary
-user\&. Only \fBUser\fP and \fBWorkstation Trust\fP accounts are
-currently supported in the \fBsmbpasswd\fP file\&.
-.IP o
-\fB\'N\'\fP This means the account has \fIno\fP password (the passwords
-in the fields \fBLanman Password Hash\fP and
-\fBNT Password Hash\fP are ignored)\&. Note that this
-will only allow users to log on with no password if the
-\fBnull passwords\fP parameter is set
-in the \fBsmb\&.conf (5)\fP config file\&.
-.IP o
-\fB\'D\'\fP This means the account is disabled and no SMB/CIFS logins
-will be allowed for this user\&.
-.IP o
-\fB\'W\'\fP This means this account is a \fI"Workstation Trust"\fP account\&.
-This kind of account is used in the Samba PDC code stream to allow Windows
-NT Workstations and Servers to join a Domain hosted by a Samba PDC\&.
-Other flags may be added as the code is extended in future\&. The rest of
-this field space is filled in with spaces\&.
-.IP "\fBLast Change Time\fP"
-This field consists of the time the account was last modified\&. It consists of
-the characters \f(CWLCT-\fP (standing for \fI"Last Change Time"\fP) followed by a numeric
-encoding of the UNIX time in seconds since the epoch (1970) that the last change
-was made\&.
-.IP "\fBFollowing fields\fP"
-All other colon separated fields are ignored at this time\&.
-In previous versions of Samba (notably the 1\&.9\&.18 series) this file
-did not contain the \fBAccount Flags\fP or
-\fBLast Change Time\fP fields\&. The Samba 2\&.0
-code will read and write these older password files but will not be able to
-modify the old entries to add the new fields\&. New entries added with
-\fBsmbpasswd (8)\fP will contain the new fields
-in the added accounts however\&. Thus an older \fBsmbpasswd\fP file used
-with Samba 2\&.0 may end up with some accounts containing the new fields
-and some not\&.
-In order to convert from an old-style \fBsmbpasswd\fP file to a new
-style, run the script \fBconvert_smbpasswd\fP, installed in the
-Samba \f(CWbin/\fP directory (the same place that the \fBsmbd\fP
-and \fBnmbd\fP binaries are installed) as follows:
+This tool is part of the Samba <URL:samba.7.html> suite.
+smbpasswd is the Samba encrypted password file. It contains
+the username, Unix user id and the SMB hashed passwords of the
+user, as well as account flag information and the time the
+password was last changed. This file format has been evolving with
+Samba and has had several different formats in the past.
+The format of the smbpasswd file used by Samba 2.2
+is very similar to the familiar Unix \fIpasswd(5)\fR
+file. It is an ASCII file containing one line for each user. Each field
+ithin each line is separated from the next by a colon. Any entry
+beginning with '#' is ignored. The smbpasswd file contains the
+following information for each user:
+This is the user name. It must be a name that
+already exists in the standard UNIX passwd file.
+This is the UNIX uid. It must match the uid
+field for the same user entry in the standard UNIX passwd file.
+If this does not match then Samba will refuse to recognize
+this smbpasswd file entry as being valid for a user.
+\fBLanman Password Hash\fR
+This is the LANMAN hash of the users password,
+encoded as 32 hex digits. The LANMAN hash is created by DES
+encrypting a well known string with the users password as the
+DES key. This is the same password used by Windows 95/98 machines.
+Note that this password hash is regarded as weak as it is
+vulnerable to dictionary attacks and if two users choose the
+same password this entry will be identical (i.e. the password
+is not "salted" as the UNIX password is). If the user has a
+null password this field will contain the characters "NO PASSWORD"
+as the start of the hex string. If the hex string is equal to
+32 'X' characters then the users account is marked as
+disabled and the user will not be able to
+log onto the Samba server.
+\fBWARNING !!\fR Note that, due to
+the challenge-response nature of the SMB/CIFS authentication
+protocol, anyone with a knowledge of this password hash will
+be able to impersonate the user on the network. For this
+reason these hashes are known as \fBplain text
+equivalents\fR and must \fBNOT\fR be made
+available to anyone but the root user. To protect these passwords
+the smbpasswd file is placed in a directory with read and
+traverse access only to the root user and the smbpasswd file
+itself must be set to be read/write only by root, with no
+other access.
+\fBNT Password Hash\fR
+This is the Windows NT hash of the users
+password, encoded as 32 hex digits. The Windows NT hash is
+created by taking the users password as represented in
+16-bit, little-endian UNICODE and then applying the MD4
+(internet rfc1321) hashing algorithm to it.
+This password hash is considered more secure than
+the Lanman Password Hash as it preserves the case of the
+password and uses a much higher quality hashing algorithm.
+However, it is still the case that if two users choose the same
+password this entry will be identical (i.e. the password is
+not "salted" as the UNIX password is).
- cat old_smbpasswd_file | convert_smbpasswd > new_smbpasswd_file
-The \fBconvert_smbpasswd\fP script reads from stdin and writes to stdout
-so as not to overwrite any files by accident\&.
-Once this script has been run, check the contents of the new smbpasswd
-file to ensure that it has not been damaged by the conversion script
-(which uses \fBawk\fP), and then replace the \f(CW<old smbpasswd file>\fP
-with the \f(CW<new smbpasswd file>\fP\&.
-This man page is correct for version 2\&.0 of the Samba suite\&.
-\fBsmbpasswd (8)\fP, \fBsamba
-(7)\fP, and the Internet RFC1321 for details on the MD4
-The original Samba software and related utilities were created by
-Andrew Tridgell samba@samba\&.org\&. Samba is now developed
-by the Samba Team as an Open Source project similar to the way the
-Linux kernel is developed\&.
-The original Samba man pages were written by Karl Auer\&. The man page
-sources were converted to YODL format (another excellent piece of Open
-Source software, available at
-and updated for the Samba2\&.0 release by Jeremy
-Allison, samba@samba\&.org\&.
-See \fBsamba (7)\fP to find out how to get a full
-list of contributors and details on how to submit bug reports,
-comments etc\&.
+\fBWARNING !!\fR. Note that, due to
+the challenge-response nature of the SMB/CIFS authentication
+protocol, anyone with a knowledge of this password hash will
+be able to impersonate the user on the network. For this
+reason these hashes are known as \fBplain text
+equivalents\fR and must \fBNOT\fR be made
+available to anyone but the root user. To protect these passwords
+the smbpasswd file is placed in a directory with read and
+traverse access only to the root user and the smbpasswd file
+itself must be set to be read/write only by root, with no
+other access.
+\fBAccount Flags\fR
+This section contains flags that describe
+the attributes of the users account. In the Samba 2.2 release
+this field is bracketed by '[' and ']' characters and is always
+13 characters in length (including the '[' and ']' characters).
+The contents of this field may be any of the characters.
+.TP 0.2i
+\fBU\fR - This means
+this is a "User" account, i.e. an ordinary user. Only User
+and Workstation Trust accounts are currently supported
+in the smbpasswd file.
+.TP 0.2i
+\fBN\fR - This means the
+account has no password (the passwords in the fields Lanman
+Password Hash and NT Password Hash are ignored). Note that this
+will only allow users to log on with no password if the \fI null passwords\fR parameter is set in the \fIsmb.conf(5)
+\fR <URL:smb.conf.5.html#NULLPASSWORDS> config file.
+.TP 0.2i
+\fBD\fR - This means the account
+is disabled and no SMB/CIFS logins will be allowed for
+this user.
+.TP 0.2i
+\fBW\fR - This means this account
+is a "Workstation Trust" account. This kind of account is used
+in the Samba PDC code stream to allow Windows NT Workstations
+and Servers to join a Domain hosted by a Samba PDC.
+Other flags may be added as the code is extended in future.
+The rest of this field space is filled in with spaces.
+\fBLast Change Time\fR
+This field consists of the time the account was
+last modified. It consists of the characters 'LCT-' (standing for
+"Last Change Time") followed by a numeric encoding of the UNIX time
+in seconds since the epoch (1970) that the last change was made.
+All other colon separated fields are ignored at this time.
+This man page is correct for version 2.2 of
+the Samba suite.
+\fBsmbpasswd(8)\fR <URL:smbpasswd.8.html>,
+samba(7) <URL:samba.7.html>, and
+the Internet RFC1321 for details on the MD4 algorithm.
+The original Samba software and related utilities
+were created by Andrew Tridgell. Samba is now developed
+by the Samba Team as an Open Source project similar
+to the way the Linux kernel is developed.
+The original Samba man pages were written by Karl Auer.
+The man page sources were converted to YODL format (another
+excellent piece of Open Source software, available at
+ <URL:>) and updated for the Samba 2.0
+release by Jeremy Allison. The conversion to DocBook for
+Samba 2.2 was done by Gerald Carter