2
.\" Author: [see the "AUTHOR" section]
3
.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
5
.\" Manual: File Formats and Conventions
9
.TH "SMBPASSWD" "5" "10/29/2009" "Samba 3\&.4" "File Formats and Conventions"
10
.\" -----------------------------------------------------------------
11
.\" * (re)Define some macros
12
.\" -----------------------------------------------------------------
13
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
14
.\" toupper - uppercase a string (locale-aware)
15
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
17
.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
19
.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
21
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
22
.\" SH-xref - format a cross-reference to an SH section
23
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
32
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
33
.\" SH - level-one heading that works better for non-TTY output
34
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
36
.\" put an extra blank line of space above the head in non-TTY output
43
.nr an-prevailing-indent \\n[IN]
47
.HTML-TAG ".NH \\n[an-level]"
49
.nr an-no-space-flag 1
51
\." make the size of the head bigger
56
.\" if n (TTY output), use uppercase
61
.\" if not n (not TTY), use normal case (not uppercase)
65
.\" if not n (not TTY), put a border/line under subheading
70
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
71
.\" SS - level-two heading that works better for non-TTY output
72
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
77
.nr an-prevailing-indent \\n[IN]
82
.nr an-no-space-flag 1
85
\." make the size of the head bigger
91
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
92
.\" BB/BE - put background/screen (filled box) around block of text
93
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
106
.if "\\$2"adjust-for-leading-newline" \{\
114
.nr BW \\n(.lu-\\n(.i
117
.ie "\\$2"adjust-for-leading-newline" \{\
118
\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
121
\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
132
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
133
.\" BM/EM - put colored marker in margin next to block of text
134
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
151
\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
159
.\" -----------------------------------------------------------------
160
.\" * set default formatting
161
.\" -----------------------------------------------------------------
162
.\" disable hyphenation
164
.\" disable justification (adjust text to left margin only)
166
.\" -----------------------------------------------------------------
167
.\" * MAIN CONTENT STARTS HERE *
168
.\" -----------------------------------------------------------------
170
smbpasswd \- The Samba encrypted password file
176
This tool is part of the
180
smbpasswd is the Samba encrypted password file\&. It contains the username, Unix user id and the SMB hashed passwords of the user, as well as account flag information and the time the password was last changed\&. This file format has been evolving with Samba and has had several different formats in the past\&.
183
The format of the smbpasswd file used by Samba 2\&.2 is very similar to the familiar Unix
185
file\&. It is an ASCII file containing one line for each user\&. Each field ithin each line is separated from the next by a colon\&. Any entry beginning with \'#\' is ignored\&. The smbpasswd file contains the following information for each user:
189
This is the user name\&. It must be a name that already exists in the standard UNIX passwd file\&.
194
This is the UNIX uid\&. It must match the uid field for the same user entry in the standard UNIX passwd file\&. If this does not match then Samba will refuse to recognize this smbpasswd file entry as being valid for a user\&.
199
This is the LANMAN hash of the user\'s password, encoded as 32 hex digits\&. The LANMAN hash is created by DES encrypting a well known string with the user\'s password as the DES key\&. This is the same password used by Windows 95/98 machines\&. Note that this password hash is regarded as weak as it is vulnerable to dictionary attacks and if two users choose the same password this entry will be identical (i\&.e\&. the password is not "salted" as the UNIX password is)\&. If the user has a null password this field will contain the characters "NO PASSWORD" as the start of the hex string\&. If the hex string is equal to 32 \'X\' characters then the user\'s account is marked as
201
and the user will not be able to log onto the Samba server\&.
204
Note that, due to the challenge\-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this password hash will be able to impersonate the user on the network\&. For this reason these hashes are known as
205
\fIplain text equivalents\fR
208
be made available to anyone but the root user\&. To protect these passwords the smbpasswd file is placed in a directory with read and traverse access only to the root user and the smbpasswd file itself must be set to be read/write only by root, with no other access\&.
213
This is the Windows NT hash of the user\'s password, encoded as 32 hex digits\&. The Windows NT hash is created by taking the user\'s password as represented in 16\-bit, little\-endian UNICODE and then applying the MD4 (internet rfc1321) hashing algorithm to it\&.
215
This password hash is considered more secure than the LANMAN Password Hash as it preserves the case of the password and uses a much higher quality hashing algorithm\&. However, it is still the case that if two users choose the same password this entry will be identical (i\&.e\&. the password is not "salted" as the UNIX password is)\&.
217
\fIWARNING !!\fR\&. Note that, due to the challenge\-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this password hash will be able to impersonate the user on the network\&. For this reason these hashes are known as
218
\fIplain text equivalents\fR
221
be made available to anyone but the root user\&. To protect these passwords the smbpasswd file is placed in a directory with read and traverse access only to the root user and the smbpasswd file itself must be set to be read/write only by root, with no other access\&.
226
This section contains flags that describe the attributes of the users account\&. This field is bracketed by \'[\' and \']\' characters and is always 13 characters in length (including the \'[\' and \']\' characters)\&. The contents of this field may be any of the following characters:
237
\- This means this is a "User" account, i\&.e\&. an ordinary user\&.
249
\- This means the account has no password (the passwords in the fields LANMAN Password Hash and NT Password Hash are ignored)\&. Note that this will only allow users to log on with no password if the
250
\fI null passwords\fR
251
parameter is set in the
265
\- This means the account is disabled and no SMB/CIFS logins will be allowed for this user\&.
277
\- This means the password does not expire\&.
289
\- This means this account is a "Workstation Trust" account\&. This kind of account is used in the Samba PDC code stream to allow Windows NT Workstations and Servers to join a Domain hosted by a Samba PDC\&.
292
Other flags may be added as the code is extended in future\&. The rest of this field space is filled in with spaces\&. For further information regarding the flags that are supported please refer to the man page for the
299
This field consists of the time the account was last modified\&. It consists of the characters \'LCT\-\' (standing for "Last Change Time") followed by a numeric encoding of the UNIX time in seconds since the epoch (1970) that the last change was made\&.
302
All other colon separated fields are ignored at this time\&.
305
This man page is correct for version 3 of the Samba suite\&.
309
\fBSamba\fR(7), and the Internet RFC1321 for details on the MD4 algorithm\&.
312
The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
314
The original Samba man pages were written by Karl Auer\&. The man page sources were converted to YODL format (another excellent piece of Open Source software, available at
315
ftp://ftp\&.icce\&.rug\&.nl/pub/unix/) and updated for the Samba 2\&.0 release by Jeremy Allison\&. The conversion to DocBook for Samba 2\&.2 was done by Gerald Carter\&. The conversion to DocBook XML 4\&.2 for Samba 3\&.0 was done by Alexander Bokovoy\&.