NAME

smbpasswd - Samba加密的口令文件。  

總覽 SYNOPSIS

smbpasswd

描述 DESCRIPTION

此文件是 Samba(7) 套件的一部分。

smbpasswd是Samba加密的口令文件。文件中包含了用戶名，UNIX用戶ID和SMB用戶口令(經(jīng)過hash散列算法處理過)，還有賬號標(biāo)志信息及上次更改口令時間。samba已經(jīng)改進了文件格式并和以前的格式有些不同之處。

文件格式 FILE FORMAT

Samba 2.2使用的smbpasswd文件格式和UNIX的passwd(5)文件非常類似。它是個ASCII文件，其中每行內(nèi)容對應(yīng)一個用戶。每個字段用冒號分隔。任何以#號開始的行將被忽略。對于每個用戶在smbpasswd文件中都包含以下的信息：

name

用戶名，必須是標(biāo)準(zhǔn)UNIX口令文件中已經(jīng)存在的用戶名。

uid

UNIX的用戶標(biāo)識。必須匹配標(biāo)準(zhǔn)UNIX口令文件中相應(yīng)用戶的UID字段。如果不匹配Samba會拒絕確認(rèn)用戶的整個描述項合法。

Lanman Password Hash

此處是用戶口令的32位十六進制編碼的LANMAN散列表。LANMAN散列表是用DES加密過的用戶口令字串。這也是Windows 95/98使用的口令。注意這份口令編碼表在字典攻擊法下非常脆弱，并且如果兩個用戶使用了相同的口令的話，這個口令散列表將會相同(也就是這個口令沒有像UNIX口令那樣“加工”過)。如果用戶使用了空口令，這個部分起始將是“NO PASSWORD”的十六進制字串。而如果這些十六進制字串是32個“X”的話，那么這個用戶賬號就被禁止了，用戶就不能登錄到samba服務(wù)器上了。

警告?。∽⒁獾接捎赟MB/CIFS驗證協(xié)議的“請求-響應(yīng)”特性，任何了解口令散列表信息的人都可以偽裝成網(wǎng)絡(luò)中的其他用戶。因此，這些口令散列表信息都相當(dāng)于只是“明文”一樣(plain text equivalents). root以外的任何用戶都不應(yīng)該獲得這些數(shù)據(jù). 為了保護這些口令，smbpasswd文件被存放到只有root用戶可以讀取和訪問的目錄中，而smbpasswd文件本身也必須設(shè)成只有root用戶可以讀/寫，而其它人無法訪問。

NT Password Hash

指定Windows NT的用戶口令散列表，也是32位的十六進制編碼。NT的散列表用16位的用戶口令，little-endian UNICODE編碼建立，然后用MD4算法(互聯(lián)網(wǎng)草案 rfc1321)產(chǎn)生對應(yīng)的散列表。

這種口令散列表比Lanman Password Hash更安全，因為它用更高質(zhì)量的散列算法來維護口令和用戶信息。但是它仍然存在當(dāng)兩個用戶使用相同口令時口令項相同的問題(沒有像UNIX口令那樣“加工”過)。

警告??！注意到由于SMB/CIFS驗證協(xié)議的“請求-響應(yīng)”特性，任何了解口令散列表信息的人都可以偽裝成網(wǎng)絡(luò)中的其他用戶。因此，這些口令散列表信息都相當(dāng)于只是“明文”一樣(plain text equivalents). root以外的任何用戶都不應(yīng)該獲得這些數(shù)據(jù). 為了保護這些口令，smbpasswd文件被存放到只有root用戶可以讀取和訪問的目錄中，而smbpasswd文件本身也必須設(shè)成只有root用戶可以讀/寫，而其它人無法訪問。

Account Flags

賬號標(biāo)志部分描述了用戶賬號的屬性。在Samba 2.2中這個字段是用‘[’和‘]’字符封閉的。它的長度總是13個字符(包含‘[’和‘]’字符), 內(nèi)容可以是如下的任何字符。

U - 說明這是一個“用戶” 賬號，也就是原始用戶。在smbpasswd文件中只支持用戶和工作站信任賬號。

N - 說明這個賬號沒有口令(Lanman Password Hash和NT Password Hash字段會被忽略)。注意只有在smb.conf(5)配置文件中設(shè)定了 null passwords，才允許用戶不帶口令進行登錄。

D - 說明此賬號被禁止了，此用戶無法登錄SMB/CIFS。

W - 說明此賬號是個 “工作站信任” 賬號。這類賬號被用在把samba作為PDC時, NT工作站和服務(wù)器加入到域中的時候。

其它標(biāo)志作為將來功能擴展所用。這個標(biāo)志字段余下的空間用空格填充。

Last Change Time

這個字段由賬號最后修改的時間組成。它以字符LCT(含義是“Last Change Time”)后跟UNIX以秒計的時間編碼數(shù)字(從epoch(公元1970年)開始計算)。

所有其余用冒號分隔的字段現(xiàn)在都將被忽略。

版本 VERSION

此手冊頁是針對samba套件版本3.0的。

參見 SEE ALSO

smbpasswd(8), Samba(7), 以及互聯(lián)網(wǎng)草案RFC1321 中MD4算法的詳細(xì)資料。

#p#

NAME

smbpasswd - The Samba encrypted password file  

SYNOPSIS

smbpasswd

DESCRIPTION

This tool is part of the samba(7) suite.

smbpasswd is the Samba encrypted password file. It contains the username, Unix user id and the SMB hashed passwords of the user, as well as account flag information and the time the password was last changed. This file format has been evolving with Samba and has had several different formats in the past.

FILE FORMAT

The format of the smbpasswd file used by Samba 2.2 is very similar to the familiar Unix passwd(5) file. It is an ASCII file containing one line for each user. Each field ithin each line is separated from the next by a colon. Any entry beginning with '#' is ignored. The smbpasswd file contains the following information for each user:

name

This is the user name. It must be a name that already exists in the standard UNIX passwd file.

uid

This is the UNIX uid. It must match the uid field for the same user entry in the standard UNIX passwd file. If this does not match then Samba will refuse to recognize this smbpasswd file entry as being valid for a user.

Lanman Password Hash

This is the LANMAN hash of the user's password, encoded as 32 hex digits. The LANMAN hash is created by DES encrypting a well known string with the user's password as the DES key. This is the same password used by Windows 95/98 machines. Note that this password hash is regarded as weak as it is vulnerable to dictionary attacks and if two users choose the same password this entry will be identical (i.e. the password is not "salted" as the UNIX password is). If the user has a null password this field will contain the characters "NO PASSWORD" as the start of the hex string. If the hex string is equal to 32 'X' characters then the user's account is marked asdisabled and the user will not be able to log onto the Samba server.

WARNING !! Note that, due to the challenge-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this password hash will be able to impersonate the user on the network. For this reason these hashes are known as plain text equivalents and must NOT be made available to anyone but the root user. To protect these passwords the smbpasswd file is placed in a directory with read and traverse access only to the root user and the smbpasswd file itself must be set to be read/write only by root, with no other access.

NT Password Hash

This is the Windows NT hash of the user's password, encoded as 32 hex digits. The Windows NT hash is created by taking the user's password as represented in 16-bit, little-endian UNICODE and then applying the MD4 (internet rfc1321) hashing algorithm to it.

This password hash is considered more secure than the LANMAN Password Hash as it preserves the case of the password and uses a much higher quality hashing algorithm. However, it is still the case that if two users choose the same password this entry will be identical (i.e. the password is not "salted" as the UNIX password is).

WARNING !!. Note that, due to the challenge-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this password hash will be able to impersonate the user on the network. For this reason these hashes are known as plain text equivalents and must NOT be made available to anyone but the root user. To protect these passwords the smbpasswd file is placed in a directory with read and traverse access only to the root user and the smbpasswd file itself must be set to be read/write only by root, with no other access.

Account Flags

This section contains flags that describe the attributes of the users account. In the Samba 2.2 release this field is bracketed by '[' and ']' characters and is always 13 characters in length (including the '[' and ']' characters). The contents of this field may be any of the following characters:

*

U - This means this is a "User" account, i.e. an ordinary user. Only User and Workstation Trust accounts are currently supported in the smbpasswd file.

*

N - This means the account has no password (the passwords in the fields LANMAN Password Hash and NT Password Hash are ignored). Note that this will only allow users to log on with no password if the null passwords parameter is set in thesmb.conf(5) config file.

*

D - This means the account is disabled and no SMB/CIFS logins will be allowed for this user.

*

W - This means this account is a "Workstation Trust" account. This kind of account is used in the Samba PDC code stream to allow Windows NT Workstations and Servers to join a Domain hosted by a Samba PDC.

Other flags may be added as the code is extended in future. The rest of this field space is filled in with spaces.

Last Change Time

This field consists of the time the account was last modified. It consists of the characters 'LCT-' (standing for "Last Change Time") followed by a numeric encoding of the UNIX time in seconds since the epoch (1970) that the last change was made.

All other colon separated fields are ignored at this time.

VERSION

This man page is correct for version 3.0 of the Samba suite.

SEE ALSO

smbpasswd(8), Samba(7), and the Internet RFC1321 for details on the MD4 algorithm.