SMBPASSWD(5)                                                      SMBPASSWD(5)

NAME

       smbpasswd - The Samba encrypted password file

SYNOPSIS

       smbpasswd

DESCRIPTION

       This tool is part of the samba(7) suite.

       smbpasswd is the Samba encrypted password file. It contains the
       username, Unix user id and the SMB hashed passwords of the user, as
       well as account flag information and the time the password was last
       changed. This file format has been evolving with Samba and has had
       several different formats in the past.

FILE FORMAT

       The format of the smbpasswd file used by Samba 2.2 is very similar to
       the familiar Unix passwd(5) file. It is an ASCII file containing one
       line for each user. Each field within each line is separated from the
       next by a colon. Any entry beginning with '#' is ignored. The smbpasswd
       file contains the following information for each user:

       name
          This is the user name. It must be a name that already exists in the
          standard UNIX passwd file.

       uid
          This is the UNIX uid. It must match the uid field for the same user
          entry in the standard UNIX passwd file. If this does not match then
          Samba will refuse to recognize this smbpasswd file entry as being
          valid for a user.

       Lanman Password Hash
          This is the LANMAN hash of the user's password, encoded as 32 hex
          digits. The LANMAN hash is created by DES encrypting a well known
          string with the user's password as the DES key. This is the same
          password used by Windows 95/98 machines. Note that this password
          hash is regarded as weak as it is vulnerable to dictionary attacks
          and if two users choose the same password this entry will be
          identical (i.e. the password is not "salted" as the UNIX password
          is). If the user has a null password this field will contain the
          characters "NO PASSWORD" as the start of the hex string. If the hex
          string is equal to 32 'X' characters then the user's account is
          marked as disabled and the user will not be able to log onto the
          Samba server.

          WARNING !! Note that, due to the challenge-response nature of the
          SMB/CIFS authentication protocol, anyone with a knowledge of this
          password hash will be able to impersonate the user on the network.
          For this reason these hashes are known as plain text equivalents and
          must NOT be made available to anyone but the root user. To protect
          these passwords the smbpasswd file is placed in a directory with
          read and traverse access only to the root user and the smbpasswd
          file itself must be set to be read/write only by root, with no other
          access.

       NT Password Hash
          This is the Windows NT hash of the user's password, encoded as 32
          hex digits. The Windows NT hash is created by taking the user's
          password as represented in 16-bit, little-endian UNICODE and then
          applying the MD4 (internet rfc1321) hashing algorithm to it.

          This password hash is considered more secure than the LANMAN
          Password Hash as it preserves the case of the password and uses a
          much higher quality hashing algorithm. However, it is still the case
          that if two users choose the same password this entry will be
          identical (i.e. the password is not "salted" as the UNIX password
          is).

          WARNING !! Note that, due to the challenge-response nature of the
          SMB/CIFS authentication protocol, anyone with a knowledge of this
          password hash will be able to impersonate the user on the network.
          For this reason these hashes are known as plain text equivalents and
          must NOT be made available to anyone but the root user. To protect
          these passwords the smbpasswd file is placed in a directory with
          read and traverse access only to the root user and the smbpasswd
          file itself must be set to be read/write only by root, with no other
          access.

       Account Flags
          This section contains flags that describe the attributes of the
          user's account. This field is bracketed by '[' and ']' characters
          and is always 13 characters in length (including the '[' and ']'
          characters). The contents of this field may be any of the following
          characters:

             ·  U - This means this is a "User" account, i.e. an ordinary
                user.

             ·  N - This means the account has no password (the passwords in
                the fields LANMAN Password Hash and NT Password Hash are
                ignored). Note that this will only allow users to log on with
                no password if the null passwords parameter is set in the
                smb.conf(5) config file.

             ·  D - This means the account is disabled and no SMB/CIFS logins
                will be allowed for this user.

             ·  X - This means the password does not expire.

             ·  W - This means this account is a "Workstation Trust" account.
                This kind of account is used in the Samba PDC code stream to
                allow Windows NT Workstations and Servers to join a Domain
                hosted by a Samba PDC.

             Other flags may be added as the code is extended in future. The
             rest of this field space is filled in with spaces. For further
             information regarding the flags that are supported please refer
             to the man page for the pdbedit command.

       Last Change Time
          This field consists of the time the account was last modified. It
          consists of the characters 'LCT-' (standing for "Last Change Time")
          followed by a numeric encoding of the UNIX time in seconds since the
          epoch (1970) that the last change was made.

       All other colon separated fields are ignored at this time.
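
       An audit of the points this section raises, as an added example that
       is not part of the Samba documentation or code: it parses entries in
       the format above and reports stored LANMAN hashes, passwordless
       accounts and accounts whose unsalted NT hashes match, and checks the
       root-only permissions on the file. Function names and the sample
       entries are constructed for illustration.

```python
import os
from collections import defaultdict

def parse_line(line):
    """Return a dict for one smbpasswd entry, or None for comments/blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.rstrip("\n").split(":")
    if len(f) < 5 or len(f[4]) != 13 or f[4][0] + f[4][-1] != "[]":
        raise ValueError("malformed entry: " + f[0])
    name, uid, lm, nt, flags = f[:5]
    return {"name": name, "uid": int(uid), "lm": lm, "nt": nt,
            "flags": set(flags[1:-1].replace(" ", ""))}

def is_hash(field):
    """True if the field holds 32 hex digits, i.e. a plain text equivalent."""
    return len(field) == 32 and all(c in "0123456789abcdefABCDEF" for c in field)

def audit(text):
    """Return (user, finding) pairs for the weaknesses the man page describes."""
    findings, by_nt = [], defaultdict(list)
    for e in filter(None, map(parse_line, text.splitlines())):
        if "N" in e["flags"] or e["nt"].startswith("NO PASSWORD"):
            findings.append((e["name"], "no password set"))
        if is_hash(e["lm"]):
            findings.append((e["name"], "LANMAN hash stored"))
        if is_hash(e["nt"]):
            by_nt[e["nt"].upper()].append(e["name"])
    for users in by_nt.values():
        if len(users) > 1:  # unsalted: equal hash means equal password
            findings += [(u, "NT hash shared with another account") for u in users]
    return findings

def perms_ok(path):
    """True if the file is owned by root and grants no group/other access."""
    st = os.stat(path)
    return st.st_uid == 0 and st.st_mode & 0o077 == 0

# Constructed sample: made-up hex, not real hashes. alice and bob share an NT hash.
SAMPLE = "\n".join(f"{n}:{u}:{lm}:{nt}:[{fl:<11}]:LCT-00000000:" for n, u, lm, nt, fl in [
    ("alice", 1001, "01" * 16, "A1" * 16, "U"),
    ("bob", 1002, "23" * 16, "A1" * 16, "U"),
    ("carol", 1003, "NO PASSWORD".ljust(32, "X"), "NO PASSWORD".ljust(32, "X"), "NU"),
    ("dave", 1004, "X" * 32, "X" * 32, "UD")])

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```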

VERSION

       This man page is correct for version 3.0 of the Samba suite.

SEE ALSO

       smbpasswd(8), Samba(7), and the Internet RFC1321 for details on the MD4
       algorithm.

AUTHOR

       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

       The original Samba man pages were written by Karl Auer. The man page
       sources were converted to YODL format (another excellent piece of Open
       Source software, available at ftp://ftp.icce.rug.nl/pub/unix/) and
       updated for the Samba 2.0 release by Jeremy Allison. The conversion to
       DocBook for Samba 2.2 was done by Gerald Carter. The conversion to
       DocBook XML 4.2 for Samba 3.0 was done by Alexander Bokovoy.