Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
SMBPASSWD(5)		 File Formats and Conventions		  SMBPASSWD(5)

NAME
       smbpasswd - The Samba encrypted password	file

SYNOPSIS
       smbpasswd

DESCRIPTION
       This tool is part of the	samba(7) suite.

       smbpasswd is the	Samba encrypted	password file. It contains the
       username, Unix user id and the SMB hashed passwords of the user,	as
       well as account flag information	and the	time the password was last
       changed.	This file format has been evolving with	Samba and has had
       several different formats in the	past.

FILE FORMAT
       The format of the smbpasswd file	used by	Samba 2.2 is very similar to
       the familiar Unix passwd(5) file. It is an ASCII	file containing	one
       line for	each user. Each	field within each line is separated from the
       next by a colon.	Any entry beginning with '#' is	ignored. The smbpasswd
       file contains the following information for each	user:

       name
	   This	is the user name. It must be a name that already exists	in the
	   standard UNIX passwd	file.

       uid
	   This	is the UNIX uid. It must match the uid field for the same user
	   entry in the	standard UNIX passwd file. If this does	not match then
	   Samba will refuse to	recognize this smbpasswd file entry as being
	   valid for a user.

       Lanman Password Hash
	   This	is the LANMAN hash of the user's password, encoded as 32 hex
	   digits. The LANMAN hash is created by DES encrypting	a well known
	   string with the user's password as the DES key. This	is the same
	   password used by Windows 95/98 machines. Note that this password
	   hash	is regarded as weak as it is vulnerable	to dictionary attacks
	   and if two users choose the same password this entry	will be
	   identical (i.e. the password	is not "salted"	as the UNIX password
	   is).	If the user has	a null password	this field will	contain	the
	   characters "NO PASSWORD" as the start of the	hex string. If the hex
	   string is equal to 32 'X' characters	then the user's	account	is
	   marked as disabled and the user will	not be able to log onto	the
	   Samba server.

	   WARNING !!  Note that, due to the challenge-response	nature of the
	   SMB/CIFS authentication protocol, anyone with a knowledge of	this
	   password hash will be able to impersonate the user on the network.
	   For this reason these hashes	are known as plain text	equivalents
	   and must NOT	be made	available to anyone but	the root user. To
	   protect these passwords the smbpasswd file is placed	in a directory
	   with	read and traverse access only to the root user and the
	   smbpasswd file itself must be set to	be read/write only by root,
	   with	no other access.

       NT Password Hash
	   This	is the Windows NT hash of the user's password, encoded as 32
	   hex digits. The Windows NT hash is created by taking	the user's
	   password as represented in 16-bit, little-endian UNICODE and	then
	   applying the	MD4 (internet rfc1321) hashing algorithm to it.

	   This	password hash is considered more secure	than the LANMAN
	   Password Hash as it preserves the case of the password and uses a
	   much	higher quality hashing algorithm. However, it is still the
	   case	that if	two users choose the same password this	entry will be
	   identical (i.e. the password	is not "salted"	as the UNIX password
	   is).

	   WARNING !!. Note that, due to the challenge-response	nature of the
	   SMB/CIFS authentication protocol, anyone with a knowledge of	this
	   password hash will be able to impersonate the user on the network.
	   For this reason these hashes	are known as plain text	equivalents
	   and must NOT	be made	available to anyone but	the root user. To
	   protect these passwords the smbpasswd file is placed	in a directory
	   with	read and traverse access only to the root user and the
	   smbpasswd file itself must be set to	be read/write only by root,
	   with	no other access.

       Account Flags
	   This	section	contains flags that describe the attributes of the
	   users account. This field is	bracketed by '[' and ']' characters
	   and is always 13 characters in length (including the	'[' and	']'
	   characters).	The contents of	this field may be any of the following
	   characters:

	   o   U - This	means this is a	"User" account,	i.e. an	ordinary user.

	   o   N - This	means the account has no password (the passwords in
	       the fields LANMAN Password Hash and NT Password Hash are
	       ignored). Note that this	will only allow	users to log on	with
	       no password if the
		null passwords parameter is set	in the smb.conf(5) config
	       file.

	   o   D - This	means the account is disabled and no SMB/CIFS logins
	       will be allowed for this	user.

	   o   X - This	means the password does	not expire.

	   o   W - This	means this account is a	"Workstation Trust" account.
	       This kind of account is used in the Samba PDC code stream to
	       allow Windows NT	Workstations and Servers to join a Domain
	       hosted by a Samba PDC.

       Other flags may be added	as the code is extended	in future. The rest of
       this field space	is filled in with spaces. For further information
       regarding the flags that	are supported please refer to the man page for
       the pdbedit command.

       Last Change Time
	   This	field consists of the time the account was last	modified. It
	   consists of the characters 'LCT-' (standing for "Last Change	Time")
	   followed by a numeric encoding of the UNIX time in seconds since
	   the epoch (1970) that the last change was made.

       All other colon separated fields	are ignored at this time.

VERSION
       This man	page is	correct	for version 3 of the Samba suite.

SEE ALSO
       smbpasswd(8), Samba(7), and the Internet	RFC1321	for details on the MD4
       algorithm.

AUTHOR
       The original Samba software and related utilities were created by
       Andrew Tridgell.	Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

       The original Samba man pages were written by Karl Auer. The man page
       sources were converted to YODL format (another excellent	piece of Open
       Source software,	available at ftp://ftp.icce.rug.nl/pub/unix/) and
       updated for the Samba 2.0 release by Jeremy Allison. The	conversion to
       DocBook for Samba 2.2 was done by Gerald	Carter.	The conversion to
       DocBook XML 4.2 for Samba 3.0 was done by Alexander Bokovoy.

Samba 4.4			  07/05/2016			  SMBPASSWD(5)

NAME | SYNOPSIS | DESCRIPTION | FILE FORMAT | VERSION | SEE ALSO | AUTHOR

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=smbpasswd&sektion=5&manpath=FreeBSD+11.0-RELEASE+and+Ports>

home | help