NAME
smbpasswd - 改变用户的SMB口令
总览 SYNOPSIS
smbpasswd [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-U username[%password]] [-h] [-s] [-w pass] [-i] [-L] [username]
描述 DESCRIPTION
此程序是Samba(7)套件的一部分。
smbpasswd程序有几个不太一样的功能,这取决于它被root账号还是其它账号来使用。当普通用户运行它时,用户可以通过SMB会话在任何保存SMB口令的机器上改变他们的口令。
默认情况下(不带参数运行)它会尝试在本地改变当前用户的SMB口令。这和passwd(1)程序的工作方式类似。不过, smbpasswd和具有setuid root 特性的passwd还是不一样的,它工作在客户机-服务器模式, 并且与本地运行中的smbd(8)通信。为了运行成功,smbd守护程序必须正在本地主机上运行。在UNIX主机上通常用smbpasswd(5) 来存放SMB的加密口令。
当普通用户不带选项来运行这个程序时,smbpasswd会向他们提示输入原SMB口令并询问所需的新口令两次,来确保输入正确. 输入时屏幕并不回显。如果你用了一个空SMB口令(在smbpasswd文件中会指定字串“NO PASSWORD”)的话,在程序提示输入原口令时可以直接输入<Enter>键。
普通用户也可以在远程主机(例如Windows NT主域控制器)上用smbpasswd来改他们的SMB口令。详细情况请参见以下的(-r)和-U两个选项。
当root运行这个程序时,smbpasswd可以在smbpasswd文件中增删用户,也可以改变用户属性。这时, smbpasswd 会直接访问本地smbpasswd文件,即使smbd并没有在运行时也可以。
选项 OPTIONS
- -a
- 在这个选项后跟上用户名用来实现在本地smbpasswd文件中增加用户,并且同时设置口令(提示原口令时用<Enter>)。如果smbpasswd文件中已经存在了这个用户时,命令就变成通常的修改口令模式。注意,默认的passdb后端要求所要加入的SMB用户必须是系统口令文件中(通常是/etc/passwd)已经存在的用户否则加入操作将会失败。
只有root运行smbpasswd程序时才可以使用这个选项。
- -x
- This option specifies that the username following should be deleted from the local smbpasswd file.
This option is only available when running smbpasswd as root.
- -d
- 这个选项后跟用户名用来禁止存在于smbpasswd文件中的这个账号。通过在smbpasswd文件的账号控制部分写入 'D'标志来实现这个功能。一旦账号被禁止,所有使用这个账号作SMB身份验证的尝试都将失败。
如果smbpasswd文件还是旧格式的话(比如Samba 2.0之前版本),在用户口令项中没有这样的账号控制部分可以作任何标志,这个命令会*失败*。关于口令文件的新格式和旧格式细节可以参见smbpasswd(5) 。
只有root运行smbpasswd程序时才可以使用这个选项。
- -e
- 这个选项后跟用户名用来在本地smbpasswd文件中的这个账号被禁止时重新允许使用。如果账号并未被禁止的话,使用这个选项不会有什么结果。被允许的账号将可以通过SMB的身份验证。
使用老格式的口令文件时, smbpasswd 将运行失败。关于口令文件的新格式和旧格式细节可以参见smbpasswd(5)。
只有root运行smbpasswd程序时才可以使用这个选项。
- -D debuglevel
- debuglevel 是一个从0到10的整数。如果没有指定此参数则默认的值是0。
如果这个值越高,越多关于smbpasswd的详细活动信息将被记录到文件中。在0调试级时,只记录紧急错误和严重警告。
1以上的调试级将产生相当多的记录数据,并且只在解决问题时才有用。3以上的调试级只被设计为让开发者使用并会产生极大数量的记录数据,而且其中很多部分非常难以理解。
- -n
- 用这个选项后跟用户名来把这个账号的口令设为空(也就是没有口令)。程序会把本地smbpasswd文件中该口令项的***部分改为“NO PASSWORD”。
注意如果设置了"NO PASSWORD"之后,要允许用户以空口令登录到Samba服务器,管理员必须在smb.conf配置文件的[global]段中设置以下的参数:
null passwords = yes
只有root运行smbpasswd程序时才可以使用这个选项。
- -r remote machine name
- 使用这个选项来让用户指定他们所希望改变口令的主机,不用此参数时默认对本地更改口令。SMB/CIFS服务器会试图联接以remote machine name作为NetBIOS名字的主机以更改口令。Samba套件中的所有程序都使用标准的名字解析机制来把这样的名字转换成IP地址。参见-R name resolve order参数来获得改变解析机制的详细信息。
用这个选项更改密码的账号就是当前登录UNIX的账号。要改变其它帐号的密码可以参见-U username参数。
注意,如果要改变一个NT域账号,指定的远程主机必须是域中的主域控制器,因为备份域控制器只维护用户账号数据库的只读复本,而不能更改。
注意的是Windows 95/98实际根本没有口令数据库,所以不可能更改远程Win95/98主机上的口令
- -R name resolve order
- 用这个选项来让使用smbclient的用户在查询主机NetBIOS名字用于联接时,决定使用怎样的名字解析服务。
这些名字解析选项是:"lmhosts","host","wins"和"bcast".它们决定了名字解析是以如下方式的:
lmhosts : 在samba的lmhosts文件中查找IP地址.如果lmhosts文件的内容行中没有名字类型附加在NetBIOS名上时(参见lmhosts (5)中的详细描述),任何类型的名字都可以匹配这个查询.
host : 执行标准的主机名到IP地址的解析操作,此操作会使用系统的/etc/hosts,NIS或者是DNS来查询.具体方法取决于操作系统,在IRIX和Solaris中解析名字的方法可能是由/etc/nsswitch.conf文件来控制的.注意此方法只适用于对被查询的NetBIOS名字类型为0x20(服务器)时才有用,其它类型都会被忽略.
wins : 向列在wins server选项中的服务器查询一个名字对应的IP地址.如果没有指定WINS服务器,那么此方法就被略过了.
bcast : 向在interfaces选项中列出的每一个已知本地网络接口进行广播来作查询.这是最不可信的名字解析方法,除非目标主机就在本地子网中.
默认的顺序是 lmhosts, host, wins, bcast。如果没有这个参数,smb.conf(5) 文件中也没有选项,将尝试这个顺序的名字解析。
- -m
- 这个选项来把账号改为一个MACHINE账号。通常当Samba作为Windows NT主域控制器的时候可以使用它。
只有root运行smbpasswd程序时才可以使用这个选项。
- -U username
- 这个选项只能和 -r选项联合使用。当从远程主机更改口令时,用它来允许用户指定要改变的远程主机口令的用户账号。这使得在不同的系统上使用不同的账号的用户可以口令。
- -h
- 使用这个选项可以打印出 smbpasswd的帮助信息,注意选择正确的帮助: root用户和普通用户使用的。
- -s
- 使用这个选项会使smbpasswd保持安静(不发出提示),在标准输入上读取原口令和新口令。而不是从/dev/tty上读口令(象passwd(1)那样)。使用脚本来处理smbpasswd时可以用它。
- -w password
- This parameter is only available if Samba has been configured to use the experimental --with-ldapsam option. The -w switch is used to specify the password to be used with the ldap admin dn. Note that the password is stored in the secrets.tdb and is keyed off of the admin's DN. This means that if the value of ldap admin dn ever changes, the password will need to be manually updated as well.
- -i
- This option tells smbpasswd that the account being changed is an interdomain trust account. Currently this is used when Samba is being used as an NT Primary Domain Controller. The account contains the info about another trusted domain.
This option is only available when running smbpasswd as root.
- -L
- Run in local mode.
- username
- This specifies the username for all of the root only options to operate on. Only root can specify this parameter as only root has the permission needed to modify attributes directly in the local smbpasswd file.
注意 NOTES
由于非root用户是以客户机-服务器模式运行smbpasswd与本地smbd通信,因此smbd守护程序必须在运行状态。通常会出现的一个问题是在对可以连接到本地运行的smbd的主机进行限制的时候,通过在smb.conf(5) 配置文件中指定allow hosts或者deny hosts参数但是忘记了允许“localhost”对smbd进行连接。
另外smbpasswd命令只有在已经把samba设成使用加密口令时才能发挥作用。
版本 VERSION
此手册页是针对samba套件版本3.0的。
参见 SEE ALSO
smbpasswd(5), Samba(7).
#p#
NAME
smbpasswd - The Samba encrypted password file
SYNOPSIS
smbpasswd
DESCRIPTION
This tool is part of the samba(7) suite.
smbpasswd is the Samba encrypted password file. It contains the username, Unix user id and the SMB hashed passwords of the user, as well as account flag information and the time the password was last changed. This file format has been evolving with Samba and has had several different formats in the past.
FILE FORMAT
The format of the smbpasswd file used by Samba 2.2 is very similar to the familiar Unix passwd(5) file. It is an ASCII file containing one line for each user. Each field ithin each line is separated from the next by a colon. Any entry beginning with '#' is ignored. The smbpasswd file contains the following information for each user:
- name
- This is the user name. It must be a name that already exists in the standard UNIX passwd file.
- uid
- This is the UNIX uid. It must match the uid field for the same user entry in the standard UNIX passwd file. If this does not match then Samba will refuse to recognize this smbpasswd file entry as being valid for a user.
- Lanman Password Hash
- This is the LANMAN hash of the user's password, encoded as 32 hex digits. The LANMAN hash is created by DES encrypting a well known string with the user's password as the DES key. This is the same password used by Windows 95/98 machines. Note that this password hash is regarded as weak as it is vulnerable to dictionary attacks and if two users choose the same password this entry will be identical (i.e. the password is not "salted" as the UNIX password is). If the user has a null password this field will contain the characters "NO PASSWORD" as the start of the hex string. If the hex string is equal to 32 'X' characters then the user's account is marked asdisabled and the user will not be able to log onto the Samba server.
WARNING !! Note that, due to the challenge-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this password hash will be able to impersonate the user on the network. For this reason these hashes are known as plain text equivalents and must NOT be made available to anyone but the root user. To protect these passwords the smbpasswd file is placed in a directory with read and traverse access only to the root user and the smbpasswd file itself must be set to be read/write only by root, with no other access.
- NT Password Hash
- This is the Windows NT hash of the user's password, encoded as 32 hex digits. The Windows NT hash is created by taking the user's password as represented in 16-bit, little-endian UNICODE and then applying the MD4 (internet rfc1321) hashing algorithm to it.
This password hash is considered more secure than the LANMAN Password Hash as it preserves the case of the password and uses a much higher quality hashing algorithm. However, it is still the case that if two users choose the same password this entry will be identical (i.e. the password is not "salted" as the UNIX password is).
WARNING !!. Note that, due to the challenge-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this password hash will be able to impersonate the user on the network. For this reason these hashes are known as plain text equivalents and must NOT be made available to anyone but the root user. To protect these passwords the smbpasswd file is placed in a directory with read and traverse access only to the root user and the smbpasswd file itself must be set to be read/write only by root, with no other access.
- Account Flags
- This section contains flags that describe the attributes of the users account. In the Samba 2.2 release this field is bracketed by '[' and ']' characters and is always 13 characters in length (including the '[' and ']' characters). The contents of this field may be any of the following characters:
- *
- U - This means this is a "User" account, i.e. an ordinary user. Only User and Workstation Trust accounts are currently supported in the smbpasswd file.
- *
- N - This means the account has no password (the passwords in the fields LANMAN Password Hash and NT Password Hash are ignored). Note that this will only allow users to log on with no password if the null passwords parameter is set in thesmb.conf(5) config file.
- *
- D - This means the account is disabled and no SMB/CIFS logins will be allowed for this user.
- *
- W - This means this account is a "Workstation Trust" account. This kind of account is used in the Samba PDC code stream to allow Windows NT Workstations and Servers to join a Domain hosted by a Samba PDC.
- Last Change Time
- This field consists of the time the account was last modified. It consists of the characters 'LCT-' (standing for "Last Change Time") followed by a numeric encoding of the UNIX time in seconds since the epoch (1970) that the last change was made.
All other colon separated fields are ignored at this time.
VERSION
This man page is correct for version 3.0 of the Samba suite.
SEE ALSO
smbpasswd(8), Samba(7), and the Internet RFC1321 for details on the MD4 algorithm.
