Provided by: samba-common_3.0.28a-1ubuntu4_i386 bug

NAME

       smbpasswd - The Samba encrypted password file

SYNOPSIS

       smbpasswd

DESCRIPTION

       This tool is part of the samba(7) suite.

       smbpasswd  is  the  Samba  encrypted  password  file.  It  contains the
       username, Unix user id and the SMB hashed passwords  of  the  user,  as
       well  as  account  flag  information and the time the password was last
       changed. This file format has been evolving  with  Samba  and  has  had
       several different formats in the past.

FILE FORMAT

       The  format  of the smbpasswd file used by Samba 2.2 is very similar to
       the familiar Unix passwd(5) file. It is an ASCII  file  containing  one
       line  for  each  user. Each field ithin each line is separated from the
       next by a colon. Any entry beginning with ’#’ is ignored. The smbpasswd
       file contains the following information for each user:

       name
          This  is the user name. It must be a name that already exists in the
          standard UNIX passwd file.

       uid
          This is the UNIX uid. It must match the uid field for the same  user
          entry  in the standard UNIX passwd file. If this does not match then
          Samba will refuse to recognize this smbpasswd file  entry  as  being
          valid for a user.

       Lanman Password Hash
          This  is  the  LANMAN hash of the user’s password, encoded as 32 hex
          digits. The LANMAN hash is created by DES encrypting  a  well  known
          string  with  the  user’s  password as the DES key. This is the same
          password used by Windows 95/98 machines.  Note  that  this  password
          hash  is  regarded as weak as it is vulnerable to dictionary attacks
          and if two users  choose  the  same  password  this  entry  will  be
          identical  (i.e.  the  password is not "salted" as the UNIX password
          is). If the user has a null password this  field  will  contain  the
          characters  "NO PASSWORD" as the start of the hex string. If the hex
          string is equal to 32 ’X’ characters  then  the  user’s  account  is
          marked  as  disabled  and  the user will not be able to log onto the
          Samba server.

          WARNING !!  Note that, due to the challenge-response nature  of  the
          SMB/CIFS  authentication  protocol,  anyone with a knowledge of this
          password hash will be able to impersonate the user on  the  network.
          For this reason these hashes are known as plain text equivalents and
          must NOT be made available to anyone but the root user.  To  protect
          these  passwords  the  smbpasswd  file is placed in a directory with
          read and traverse access only to the root  user  and  the  smbpasswd
          file itself must be set to be read/write only by root, with no other
          access.

       NT Password Hash
          This is the Windows NT hash of the user’s password,  encoded  as  32
          hex  digits.  The  Windows  NT  hash is created by taking the user’s
          password as represented in 16-bit, little-endian  UNICODE  and  then
          applying the MD4 (internet rfc1321) hashing algorithm to it.

          This  password  hash  is  considered  more  secure  than  the LANMAN
          Password Hash as it preserves the case of the password  and  uses  a
          much higher quality hashing algorithm. However, it is still the case
          that if two users choose  the  same  password  this  entry  will  be
          identical  (i.e.  the  password is not "salted" as the UNIX password
          is).

          WARNING !!. Note that, due to the challenge-response nature  of  the
          SMB/CIFS  authentication  protocol,  anyone with a knowledge of this
          password hash will be able to impersonate the user on  the  network.
          For this reason these hashes are known as plain text equivalents and
          must NOT be made available to anyone but the root user.  To  protect
          these  passwords  the  smbpasswd  file is placed in a directory with
          read and traverse access only to the root  user  and  the  smbpasswd
          file itself must be set to be read/write only by root, with no other
          access.

       Account Flags
          This section contains flags that  describe  the  attributes  of  the
          users account. This field is bracketed by ’[’ and ’]’ characters and
          is always 13  characters  in  length  (including  the  ’[’  and  ’]’
          characters).  The contents of this field may be any of the following
          characters:

             ·  U - This means this is a  "User"  account,  i.e.  an  ordinary
                user.

             ·  N  -  This means the account has no password (the passwords in
                the fields LANMAN Password  Hash  and  NT  Password  Hash  are
                ignored).  Note that this will only allow users to log on with
                no password if the
                 null passwords parameter is set  in  the  smb.conf(5)  config
                file.

             ·  D  - This means the account is disabled and no SMB/CIFS logins
                will be allowed for this user.

             ·  X - This means the password does not expire.

             ·  W - This means this account is a "Workstation Trust"  account.
                This  kind  of account is used in the Samba PDC code stream to
                allow Windows NT Workstations and Servers  to  join  a  Domain
                hosted by a Samba PDC.

             Other  flags  may be added as the code is extended in future. The
             rest of this field space is filled in with  spaces.  For  further
             information  regarding  the flags that are supported please refer
             to the man page for the pdbedit command.

       Last Change Time
          This field consists of the time the account was  last  modified.  It
          consists  of the characters ’LCT-’ (standing for "Last Change Time")
          followed by a numeric encoding of the UNIX time in seconds since the
          epoch (1970) that the last change was made.

       All other colon separated fields are ignored at this time.

VERSION

       This man page is correct for version 3.0 of the Samba suite.

SEE ALSO

       smbpasswd(8), Samba(7), and the Internet RFC1321 for details on the MD4
       algorithm.

AUTHOR

       The original Samba software  and  related  utilities  were  created  by
       Andrew  Tridgell.  Samba  is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

       The original Samba man pages were written by Karl Auer.  The  man  page
       sources  were converted to YODL format (another excellent piece of Open
       Source  software,  available  at  ftp://ftp.icce.rug.nl/pub/unix/)  and
       updated  for the Samba 2.0 release by Jeremy Allison. The conversion to
       DocBook for Samba 2.2 was done by  Gerald  Carter.  The  conversion  to
       DocBook XML 4.2 for Samba 3.0 was done by Alexander Bokovoy.

                                                                  SMBPASSWD(5)