NAME

smbpasswd - 改變用戶的SMB口令  

總覽 SYNOPSIS

smbpasswd [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-U username[%password]] [-h] [-s] [-w pass] [-i] [-L] [username]
           

描述 DESCRIPTION

此程序是Samba(7)套件的一部分。

smbpasswd程序有幾個不太一樣的功能，這取決于它被root賬號還是其它賬號來使用。當普通用戶運行它時，用戶可以通過SMB會話在任何保存SMB口令的機器上改變他們的口令。

默認情況下(不帶參數運行)它會嘗試在本地改變當前用戶的SMB口令。這和passwd(1)程序的工作方式類似。不過， smbpasswd和具有setuid root 特性的passwd還是不一樣的，它工作在客戶機-服務器模式, 并且與本地運行中的smbd(8)通信。為了運行成功，smbd守護程序必須正在本地主機上運行。在UNIX主機上通常用smbpasswd(5) 來存放SMB的加密口令。

當普通用戶不帶選項來運行這個程序時，smbpasswd會向他們提示輸入原SMB口令并詢問所需的新口令兩次，來確保輸入正確. 輸入時屏幕并不回顯。如果你用了一個空SMB口令(在smbpasswd文件中會指定字串“NO PASSWORD”)的話，在程序提示輸入原口令時可以直接輸入<Enter>鍵。

普通用戶也可以在遠程主機(例如Windows NT主域控制器)上用smbpasswd來改他們的SMB口令。詳細情況請參見以下的(-r)和-U兩個選項。

當root運行這個程序時，smbpasswd可以在smbpasswd文件中增刪用戶，也可以改變用戶屬性。這時， smbpasswd 會直接訪問本地smbpasswd文件，即使smbd并沒有在運行時也可以。

選項 OPTIONS

-a

在這個選項后跟上用戶名用來實現在本地smbpasswd文件中增加用戶，并且同時設置口令(提示原口令時用<Enter>)。如果smbpasswd文件中已經存在了這個用戶時，命令就變成通常的修改口令模式。注意，默認的passdb后端要求所要加入的SMB用戶必須是系統口令文件中(通常是/etc/passwd)已經存在的用戶否則加入操作將會失敗。

只有root運行smbpasswd程序時才可以使用這個選項。

-x

This option specifies that the username following should be deleted from the local smbpasswd file.

This option is only available when running smbpasswd as root.

-d

這個選項后跟用戶名用來禁止存在于smbpasswd文件中的這個賬號。通過在smbpasswd文件的賬號控制部分寫入 'D'標志來實現這個功能。一旦賬號被禁止，所有使用這個賬號作SMB身份驗證的嘗試都將失敗。

如果smbpasswd文件還是舊格式的話(比如Samba 2.0之前版本)，在用戶口令項中沒有這樣的賬號控制部分可以作任何標志，這個命令會*失敗*。關于口令文件的新格式和舊格式細節可以參見smbpasswd(5) 。

只有root運行smbpasswd程序時才可以使用這個選項。

-e

這個選項后跟用戶名用來在本地smbpasswd文件中的這個賬號被禁止時重新允許使用。如果賬號并未被禁止的話，使用這個選項不會有什么結果。被允許的賬號將可以通過SMB的身份驗證。

使用老格式的口令文件時， smbpasswd 將運行失敗。關于口令文件的新格式和舊格式細節可以參見smbpasswd(5)。

只有root運行smbpasswd程序時才可以使用這個選項。

-D debuglevel

debuglevel 是一個從0到10的整數。如果沒有指定此參數則默認的值是0。

如果這個值越高，越多關于smbpasswd的詳細活動信息將被記錄到文件中。在0調試級時，只記錄緊急錯誤和嚴重警告。

1以上的調試級將產生相當多的記錄數據，并且只在解決問題時才有用。3以上的調試級只被設計為讓開發者使用并會產生極大數量的記錄數據，而且其中很多部分非常難以理解。

-n

用這個選項后跟用戶名來把這個賬號的口令設為空(也就是沒有口令)。程序會把本地smbpasswd文件中該口令項的***部分改為“NO PASSWORD”。

注意如果設置了"NO PASSWORD"之后，要允許用戶以空口令登錄到Samba服務器，管理員必須在smb.conf配置文件的[global]段中設置以下的參數：

null passwords = yes

只有root運行smbpasswd程序時才可以使用這個選項。

-r remote machine name

使用這個選項來讓用戶指定他們所希望改變口令的主機，不用此參數時默認對本地更改口令。SMB/CIFS服務器會試圖聯接以remote machine name作為NetBIOS名字的主機以更改口令。Samba套件中的所有程序都使用標準的名字解析機制來把這樣的名字轉換成IP地址。參見-R name resolve order參數來獲得改變解析機制的詳細信息。

用這個選項更改密碼的賬號就是當前登錄UNIX的賬號。要改變其它帳號的密碼可以參見-U username參數。

注意，如果要改變一個NT域賬號，指定的遠程主機必須是域中的主域控制器，因為備份域控制器只維護用戶賬號數據庫的只讀復本，而不能更改。

注意的是Windows 95/98實際根本沒有口令數據庫，所以不可能更改遠程Win95/98主機上的口令

-R name resolve order

用這個選項來讓使用smbclient的用戶在查詢主機NetBIOS名字用于聯接時，決定使用怎樣的名字解析服務。

這些名字解析選項是："lmhosts","host","wins"和"bcast".它們決定了名字解析是以如下方式的：

lmhosts : 在samba的lmhosts文件中查找IP地址.如果lmhosts文件的內容行中沒有名字類型附加在NetBIOS名上時(參見lmhosts (5)中的詳細描述),任何類型的名字都可以匹配這個查詢.

host : 執行標準的主機名到IP地址的解析操作,此操作會使用系統的/etc/hosts,NIS或者是DNS來查詢.具體方法取決于操作系統,在IRIX和Solaris中解析名字的方法可能是由/etc/nsswitch.conf文件來控制的.注意此方法只適用于對被查詢的NetBIOS名字類型為0x20(服務器)時才有用,其它類型都會被忽略.

wins : 向列在wins server選項中的服務器查詢一個名字對應的IP地址.如果沒有指定WINS服務器,那么此方法就被略過了.

bcast : 向在interfaces選項中列出的每一個已知本地網絡接口進行廣播來作查詢.這是最不可信的名字解析方法,除非目標主機就在本地子網中.

默認的順序是 lmhosts, host, wins, bcast。如果沒有這個參數，smb.conf(5) 文件中也沒有選項，將嘗試這個順序的名字解析。

-m

這個選項來把賬號改為一個MACHINE賬號。通常當Samba作為Windows NT主域控制器的時候可以使用它。

只有root運行smbpasswd程序時才可以使用這個選項。

-U username

這個選項只能和 -r選項聯合使用。當從遠程主機更改口令時，用它來允許用戶指定要改變的遠程主機口令的用戶賬號。這使得在不同的系統上使用不同的賬號的用戶可以口令。

-h

使用這個選項可以打印出 smbpasswd的幫助信息，注意選擇正確的幫助: root用戶和普通用戶使用的。

-s

使用這個選項會使smbpasswd保持安靜(不發出提示)，在標準輸入上讀取原口令和新口令。而不是從/dev/tty上讀口令(象passwd(1)那樣)。使用腳本來處理smbpasswd時可以用它。

-w password

This parameter is only available if Samba has been configured to use the experimental --with-ldapsam option. The -w switch is used to specify the password to be used with the ldap admin dn. Note that the password is stored in the secrets.tdb and is keyed off of the admin's DN. This means that if the value of ldap admin dn ever changes, the password will need to be manually updated as well.

-i

This option tells smbpasswd that the account being changed is an interdomain trust account. Currently this is used when Samba is being used as an NT Primary Domain Controller. The account contains the info about another trusted domain.

This option is only available when running smbpasswd as root.

-L

Run in local mode.

username

This specifies the username for all of the root only options to operate on. Only root can specify this parameter as only root has the permission needed to modify attributes directly in the local smbpasswd file.

注意 NOTES

由于非root用戶是以客戶機-服務器模式運行smbpasswd與本地smbd通信，因此smbd守護程序必須在運行狀態。通常會出現的一個問題是在對可以連接到本地運行的smbd的主機進行限制的時候，通過在smb.conf(5) 配置文件中指定allow hosts或者deny hosts參數但是忘記了允許“localhost”對smbd進行連接。

另外smbpasswd命令只有在已經把samba設成使用加密口令時才能發揮作用。

版本 VERSION

此手冊頁是針對samba套件版本3.0的。

參見 SEE ALSO

smbpasswd(5), Samba(7).

#p#

NAME

smbpasswd - The Samba encrypted password file  

SYNOPSIS

smbpasswd

DESCRIPTION

This tool is part of the samba(7) suite.

smbpasswd is the Samba encrypted password file. It contains the username, Unix user id and the SMB hashed passwords of the user, as well as account flag information and the time the password was last changed. This file format has been evolving with Samba and has had several different formats in the past.

FILE FORMAT

The format of the smbpasswd file used by Samba 2.2 is very similar to the familiar Unix passwd(5) file. It is an ASCII file containing one line for each user. Each field ithin each line is separated from the next by a colon. Any entry beginning with '#' is ignored. The smbpasswd file contains the following information for each user:

name

This is the user name. It must be a name that already exists in the standard UNIX passwd file.

uid

This is the UNIX uid. It must match the uid field for the same user entry in the standard UNIX passwd file. If this does not match then Samba will refuse to recognize this smbpasswd file entry as being valid for a user.

Lanman Password Hash

This is the LANMAN hash of the user's password, encoded as 32 hex digits. The LANMAN hash is created by DES encrypting a well known string with the user's password as the DES key. This is the same password used by Windows 95/98 machines. Note that this password hash is regarded as weak as it is vulnerable to dictionary attacks and if two users choose the same password this entry will be identical (i.e. the password is not "salted" as the UNIX password is). If the user has a null password this field will contain the characters "NO PASSWORD" as the start of the hex string. If the hex string is equal to 32 'X' characters then the user's account is marked asdisabled and the user will not be able to log onto the Samba server.

WARNING !! Note that, due to the challenge-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this password hash will be able to impersonate the user on the network. For this reason these hashes are known as plain text equivalents and must NOT be made available to anyone but the root user. To protect these passwords the smbpasswd file is placed in a directory with read and traverse access only to the root user and the smbpasswd file itself must be set to be read/write only by root, with no other access.

NT Password Hash

This is the Windows NT hash of the user's password, encoded as 32 hex digits. The Windows NT hash is created by taking the user's password as represented in 16-bit, little-endian UNICODE and then applying the MD4 (internet rfc1321) hashing algorithm to it.

This password hash is considered more secure than the LANMAN Password Hash as it preserves the case of the password and uses a much higher quality hashing algorithm. However, it is still the case that if two users choose the same password this entry will be identical (i.e. the password is not "salted" as the UNIX password is).

WARNING !!. Note that, due to the challenge-response nature of the SMB/CIFS authentication protocol, anyone with a knowledge of this password hash will be able to impersonate the user on the network. For this reason these hashes are known as plain text equivalents and must NOT be made available to anyone but the root user. To protect these passwords the smbpasswd file is placed in a directory with read and traverse access only to the root user and the smbpasswd file itself must be set to be read/write only by root, with no other access.

Account Flags

This section contains flags that describe the attributes of the users account. In the Samba 2.2 release this field is bracketed by '[' and ']' characters and is always 13 characters in length (including the '[' and ']' characters). The contents of this field may be any of the following characters:

*

U - This means this is a "User" account, i.e. an ordinary user. Only User and Workstation Trust accounts are currently supported in the smbpasswd file.

*

N - This means the account has no password (the passwords in the fields LANMAN Password Hash and NT Password Hash are ignored). Note that this will only allow users to log on with no password if the null passwords parameter is set in thesmb.conf(5) config file.

*

D - This means the account is disabled and no SMB/CIFS logins will be allowed for this user.

*

W - This means this account is a "Workstation Trust" account. This kind of account is used in the Samba PDC code stream to allow Windows NT Workstations and Servers to join a Domain hosted by a Samba PDC.

Other flags may be added as the code is extended in future. The rest of this field space is filled in with spaces.

Last Change Time

This field consists of the time the account was last modified. It consists of the characters 'LCT-' (standing for "Last Change Time") followed by a numeric encoding of the UNIX time in seconds since the epoch (1970) that the last change was made.

All other colon separated fields are ignored at this time.

VERSION

This man page is correct for version 3.0 of the Samba suite.

SEE ALSO

smbpasswd(8), Samba(7), and the Internet RFC1321 for details on the MD4 algorithm.