NAME
smbpasswd - Samba加密的口令文件。
总览 SYNOPSIS
smbpasswd
描述 DESCRIPTION
此文件是 Samba(7) 套件的一部分。
smbpasswd是Samba加密的口令文件。文件中包含了用户名,UNIX用户ID和SMB用户口令(经过hash散列算法处理过),还有账号标志信息及上次更改口令时间。samba已经改进了文件格式并和以前的格式有些不同之处。
文件格式 FILE FORMAT
Samba 2.2使用的smbpasswd文件格式和UNIX的passwd(5)文件非常类似。它是个ASCII文件,其中每行内容对应一个用户。每个字段用冒号分隔。任何以#号开始的行将被忽略。对于每个用户在smbpasswd文件中都包含以下的信息:
- name
- 用户名,必须是标准UNIX口令文件中已经存在的用户名。
- uid
- UNIX的用户标识。必须匹配标准UNIX口令文件中相应用户的UID字段。如果不匹配Samba会拒绝确认用户的整个描述项合法。
- Lanman Password Hash
- 此处是用户口令的32位十六进制编码的LANMAN散列表。LANMAN散列表是用DES加密过的用户口令字串。这也是Windows 95/98使用的口令。注意这份口令编码表在字典攻击法下非常脆弱,并且如果两个用户使用了相同的口令的话,这个口令散列表将会相同(也就是这个口令没有像UNIX口令那样“加工”过)。如果用户使用了空口令,这个部分起始将是“NO PASSWORD”的十六进制字串。而如果这些十六进制字串是32个“X”的话,那么这个用户账号就被禁止了,用户就不能登录到samba服务器上了。
警告!!注意到由于SMB/CIFS验证协议的“请求-响应”特性,任何了解口令散列表信息的人都可以伪装成网络中的其他用户。因此,这些口令散列表信息都相当于只是“明文”一样(plain text equivalents). root以外的任何用户都不应该获得这些数据. 为了保护这些口令,smbpasswd文件被存放到只有root用户可以读取和访问的目录中,而smbpasswd文件本身也必须设成只有root用户可以读/写,而其它人无法访问。
- NT Password Hash
- 指定Windows NT的用户口令散列表,也是32位的十六进制编码。NT的散列表用16位的用户口令,little-endian UNICODE编码建立,然后用MD4算法(互联网草案 rfc1321)产生对应的散列表。
这种口令散列表比Lanman Password Hash更安全,因为它用更高质量的散列算法来维护口令和用户信息。但是它仍然存在当两个用户使用相同口令时口令项相同的问题(没有像UNIX口令那样“加工”过)。
警告!!注意到由于SMB/CIFS验证协议的“请求-响应”特性,任何了解口令散列表信息的人都可以伪装成网络中的其他用户。因此,这些口令散列表信息都相当于只是“明文”一样(plain text equivalents). root以外的任何用户都不应该获得这些数据. 为了保护这些口令,smbpasswd文件被存放到只有root用户可以读取和访问的目录中,而smbpasswd文件本身也必须设成只有root用户可以读/写,而其它人无法访问。
- Account Flags
- 账号标志部分描述了用户账号的属性。在Samba 2.2中这个字段是用‘[’和‘]’字符封闭的。它的长度总是13个字符(包含‘[’和‘]’字符), 内容可以是如下的任何字符。
U - 说明这是一个“用户” 账号,也就是原始用户。在smbpasswd文件中只支持用户和工作站信任账号。
N - 说明这个账号没有口令(Lanman Password Hash和NT Password Hash字段会被忽略)。注意只有在smb.conf(5)配置文件中设定了 null passwords,才允许用户不带口令进行登录。
D - 说明此账号被禁止了,此用户无法登录SMB/CIFS。
W - 说明此账号是个 “工作站信任” 账号。这类账号被用在把samba作为PDC时, NT工作站和服务器加入到域中的时候。
其它标志作为将来功能扩展所用。这个标志字段余下的空间用空格填充。
- Last Change Time
- 这个字段由账号最后修改的时间组成。它以字符LCT(含义是“Last Change Time”)后跟UNIX以秒计的时间编码数字(从epoch(公元1970年)开始计算)。
所有其余用冒号分隔的字段现在都将被忽略。
版本 VERSION
此手册页是针对samba套件版本3.0的。
参见 SEE ALSO
smbpasswd(8), Samba(7), 以及互联网草案RFC1321 中MD4算法的详细资料。
#p#
NAME
smbpasswd - The Samba encrypted password file
SYNOPSIS
smbpasswd
DESCRIPTION
This tool is part of the samba(7) suite.
smbpasswd is the Samba encrypted password file. It contains the username, Unix user id and the SMB hashed passwords of the user, as well as account flag information and the time the password was last changed. This file format has been evolving with Samba and has had several different formats in the past.
FILE FORMAT
The format of the smbpasswd file used by Samba 2.2 is very similar to the familiar Unix passwd(5) file. It is an ASCII file containing one line for each user. Each field ithin each line is separated from the next by a colon. Any entry beginning with '#' is ignored. The smbpasswd file contains the following information for each user:
- name
- This is the user name. It must be a name that already exists in the standard UNIX passwd file.
- uid
- This is the UNIX uid. It must match the uid field for the same user entry in the standard UNIX passwd file. If this does not match then Samba will refuse to recognize this smbpasswd file entry as being valid for a user.
- Lanman Password Hash
- This is the LANMAN hash of the user's password, encoded as 32 hex digits. The LANMAN hash is created by DES encrypting a well known string with the user's password as the DES key. This is the same password used by Windows 95/98 machines. Note that this password hash is regarded as weak as it is vulnerable to dictionary attacks and if two users choose the same password this entry will be identical (i.e. the password is not "salted" as the UNIX password is). If the user has a null password this field will contain the characters "NO PASSWORD" as the start of the hex string. If the hex string is equal to 32 'X' characters then the user's account is marked asdisabled and the user will not be able to log onto the Samba server.
WARNING !! Note that, due to the challenge-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this password hash will be able to impersonate the user on the network. For this reason these hashes are known as plain text equivalents and must NOT be made available to anyone but the root user. To protect these passwords the smbpasswd file is placed in a directory with read and traverse access only to the root user and the smbpasswd file itself must be set to be read/write only by root, with no other access.
- NT Password Hash
- This is the Windows NT hash of the user's password, encoded as 32 hex digits. The Windows NT hash is created by taking the user's password as represented in 16-bit, little-endian UNICODE and then applying the MD4 (internet rfc1321) hashing algorithm to it.
This password hash is considered more secure than the LANMAN Password Hash as it preserves the case of the password and uses a much higher quality hashing algorithm. However, it is still the case that if two users choose the same password this entry will be identical (i.e. the password is not "salted" as the UNIX password is).
WARNING !!. Note that, due to the challenge-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this password hash will be able to impersonate the user on the network. For this reason these hashes are known as plain text equivalents and must NOT be made available to anyone but the root user. To protect these passwords the smbpasswd file is placed in a directory with read and traverse access only to the root user and the smbpasswd file itself must be set to be read/write only by root, with no other access.
- Account Flags
- This section contains flags that describe the attributes of the users account. In the Samba 2.2 release this field is bracketed by '[' and ']' characters and is always 13 characters in length (including the '[' and ']' characters). The contents of this field may be any of the following characters:
- *
- U - This means this is a "User" account, i.e. an ordinary user. Only User and Workstation Trust accounts are currently supported in the smbpasswd file.
- *
- N - This means the account has no password (the passwords in the fields LANMAN Password Hash and NT Password Hash are ignored). Note that this will only allow users to log on with no password if the null passwords parameter is set in thesmb.conf(5) config file.
- *
- D - This means the account is disabled and no SMB/CIFS logins will be allowed for this user.
- *
- W - This means this account is a "Workstation Trust" account. This kind of account is used in the Samba PDC code stream to allow Windows NT Workstations and Servers to join a Domain hosted by a Samba PDC.
- Last Change Time
- This field consists of the time the account was last modified. It consists of the characters 'LCT-' (standing for "Last Change Time") followed by a numeric encoding of the UNIX time in seconds since the epoch (1970) that the last change was made.
All other colon separated fields are ignored at this time.
VERSION
This man page is correct for version 3.0 of the Samba suite.
SEE ALSO
smbpasswd(8), Samba(7), and the Internet RFC1321 for details on the MD4 algorithm.
