diff options
Diffstat (limited to 'upstream/fedora-40/man5/smbpasswd.5')
-rw-r--r-- | upstream/fedora-40/man5/smbpasswd.5 | 175 |
1 files changed, 175 insertions, 0 deletions
diff --git a/upstream/fedora-40/man5/smbpasswd.5 b/upstream/fedora-40/man5/smbpasswd.5 new file mode 100644 index 00000000..d18b9a61 --- /dev/null +++ b/upstream/fedora-40/man5/smbpasswd.5 @@ -0,0 +1,175 @@ +'\" t +.\" Title: smbpasswd +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 02/26/2024 +.\" Manual: File Formats and Conventions +.\" Source: Samba 4.20.0rc3 +.\" Language: English +.\" +.TH "SMBPASSWD" "5" "02/26/2024" "Samba 4\&.20\&.0rc3" "File Formats and Conventions" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +smbpasswd \- The Samba encrypted password file +.SH "SYNOPSIS" +.PP +smbpasswd +.SH "DESCRIPTION" +.PP +This tool is part of the +\fBsamba\fR(7) +suite\&. +.PP +smbpasswd is the Samba encrypted password file\&. It contains the username, Unix user id and the SMB hashed passwords of the user, as well as account flag information and the time the password was last changed\&. This file format has been evolving with Samba and has had several different formats in the past\&. +.SH "FILE FORMAT" +.PP +The format of the smbpasswd file used by Samba 2\&.2 is very similar to the familiar Unix +passwd(5) +file\&. It is an ASCII file containing one line for each user\&. Each field within each line is separated from the next by a colon\&. Any entry beginning with \*(Aq#\*(Aq is ignored\&. The smbpasswd file contains the following information for each user: +.PP +name +.RS 4 +This is the user name\&. It must be a name that already exists in the standard UNIX passwd file\&. +.RE +.PP +uid +.RS 4 +This is the UNIX uid\&. It must match the uid field for the same user entry in the standard UNIX passwd file\&. If this does not match then Samba will refuse to recognize this smbpasswd file entry as being valid for a user\&. +.RE +.PP +Lanman Password Hash +.RS 4 +This is the LANMAN hash of the user\*(Aqs password, encoded as 32 hex digits\&. The LANMAN hash is created by DES encrypting a well known string with the user\*(Aqs password as the DES key\&. This is the same password used by Windows 95/98 machines\&. Note that this password hash is regarded as weak as it is vulnerable to dictionary attacks and if two users choose the same password this entry will be identical (i\&.e\&. the password is not "salted" as the UNIX password is)\&. If the user has a null password this field will contain the characters "NO PASSWORD" as the start of the hex string\&. If the hex string is equal to 32 \*(AqX\*(Aq characters then the user\*(Aqs account is marked as +\fBdisabled\fR +and the user will not be able to log onto the Samba server\&. +.sp +\fIWARNING !!\fR +Note that, due to the challenge\-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this password hash will be able to impersonate the user on the network\&. For this reason these hashes are known as +\fIplain text equivalents\fR +and must +\fINOT\fR +be made available to anyone but the root user\&. To protect these passwords the smbpasswd file is placed in a directory with read and traverse access only to the root user and the smbpasswd file itself must be set to be read/write only by root, with no other access\&. +.RE +.PP +NT Password Hash +.RS 4 +This is the Windows NT hash of the user\*(Aqs password, encoded as 32 hex digits\&. The Windows NT hash is created by taking the user\*(Aqs password as represented in 16\-bit, little\-endian UNICODE and then applying the MD4 (internet rfc1321) hashing algorithm to it\&. +.sp +This password hash is considered more secure than the LANMAN Password Hash as it preserves the case of the password and uses a much higher quality hashing algorithm\&. However, it is still the case that if two users choose the same password this entry will be identical (i\&.e\&. the password is not "salted" as the UNIX password is)\&. +.sp +\fIWARNING !!\fR\&. Note that, due to the challenge\-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this password hash will be able to impersonate the user on the network\&. For this reason these hashes are known as +\fIplain text equivalents\fR +and must +\fINOT\fR +be made available to anyone but the root user\&. To protect these passwords the smbpasswd file is placed in a directory with read and traverse access only to the root user and the smbpasswd file itself must be set to be read/write only by root, with no other access\&. +.RE +.PP +Account Flags +.RS 4 +This section contains flags that describe the attributes of the users account\&. This field is bracketed by \*(Aq[\*(Aq and \*(Aq]\*(Aq characters and is always 13 characters in length (including the \*(Aq[\*(Aq and \*(Aq]\*(Aq characters)\&. The contents of this field may be any of the following characters: +.RS +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fIU\fR +\- This means this is a "User" account, i\&.e\&. an ordinary user\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fIN\fR +\- This means the account has no password (the passwords in the fields LANMAN Password Hash and NT Password Hash are ignored)\&. Note that this will only allow users to log on with no password if the +\fI null passwords\fR +parameter is set in the +\fBsmb.conf\fR(5) +config file\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fID\fR +\- This means the account is disabled and no SMB/CIFS logins will be allowed for this user\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fIX\fR +\- This means the password does not expire\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fIW\fR +\- This means this account is a "Workstation Trust" account\&. This kind of account is used in the Samba PDC code stream to allow Windows NT Workstations and Servers to join a Domain hosted by a Samba PDC\&. +.RE +.sp +.RE +Other flags may be added as the code is extended in future\&. The rest of this field space is filled in with spaces\&. For further information regarding the flags that are supported please refer to the man page for the +pdbedit +command\&. +.RE +.PP +Last Change Time +.RS 4 +This field consists of the time the account was last modified\&. It consists of the characters \*(AqLCT\-\*(Aq (standing for "Last Change Time") followed by a numeric encoding of the UNIX time in seconds since the epoch (1970) that the last change was made\&. +.RE +.PP +All other colon separated fields are ignored at this time\&. +.SH "VERSION" +.PP +This man page is part of version 4\&.20\&.0rc3 of the Samba suite\&. +.SH "SEE ALSO" +.PP +\fBsmbpasswd\fR(8), +\fBSamba\fR(7), and the Internet RFC1321 for details on the MD4 algorithm\&. +.SH "AUTHOR" +.PP +The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&. |