发信人: tcpip (高级草包), 信区: Linux
标 题: smbpasswd (5)
发信站: 紫 丁 香 (Fri May 5 20:11:11 2000) WWW-POST
------------------------------------------------------------------------------
--
smbpasswd (5)
Samba
23 Oct 1998
NAME
名称
smbpasswd - The Samba encrypted password file
smbpasswd - samba加密口令文件
SYNOPSIS
概述
smbpasswd is the Samba encrypted password file.
smbpasswd是samba的加密口令文件。
DESCRIPTION
描述
This file is part of the Samba suite.
此文件是samba套件的一部分。
smbpasswd is the Samba encrypted password file. It contains the username,
Unix user id and the SMB hashed passwords of the user, as well as account
flag information and the time the password was last changed. This file format
has been evolving with Samba and has had several different formats in the
past.
smbpasswd是samba的加密口令文件。文件中包含了用户名,UNIX用户ID和SMB用户口令(经
过hash散列算法处理过),还有账号标志信息及上次更改口令时间。samba已经改进了文件
格式并和以前的格式有些不同之处。
FILE FORMAT
文件格式
The format of the smbpasswd file used by Samba 2.0 is very similar to the
familiar Unix passwd (5) file. It is an ASCII file containing one line for
each user. Each field within each line is separated from the next by a colon.
Any entry beginning with # is ignored. The smbpasswd file contains the
following information for each user:
samba 2.0使用的smbpasswd文件格式非常简单,而且和UNIX的passwd (5)文件非常类似。
它是个ASCII文件,其中每行内容对应一个用户。每个字段用冒号分隔。任何以#号开始的
行将被忽略。对于每个用户在smbpasswd文件中都包含以下的信息:
name
This is the user name. It must be a name that already exists in the standard
UNIX passwd file.
用户名,必须是标准UNIX口令文件中已经存在的用户名。
uid
This is the UNIX uid. It must match the uid field for the same user entry in
the standard UNIX passwd file. If this does not match then Samba will refuse
to recognize this smbpasswd file entry as being valid for a user.
UNIX的用户标识。必须匹配标准UNIX口令文件中相应用户的UID字段。如果不匹配samba会
拒绝确认合法用户的整个描述项。
Lanman Password Hash
Lanman的口令散列表
This is the LANMAN hash of the users password, encoded as 32 hex digits. The
LANMAN hash is created by DES encrypting a well known string with the users
password as the DES key. This is the same password used by Windows 95/98
machines. Note that this password hash is regarded as weak as it is
vulnerable to dictionary attacks and if two users choose the same password
this entry will be identical (i.e. the password is not "salted" as the UNIX
password is). If the user has a null password this field will contain the
characters "NO PASSWORD" as the start of the hex string. If the hex string is
equal to 32 'X' characters then the users account is marked as disabled and
the user will not be able to log onto the Samba server.
此处是用户口令的32位十六进制编码的LANMAN散列表。LANMAN散列表是用DES加密过的用
户口令字串。Windows 95/98也使用同样的口令。注意这份口令编码表在字典攻击法下非
常脆弱,应该仔细维护,如果两个用户使用了相同的口令的话,这个口令散列表将会相同
(例如没有UNIX口令那样“加工”过)。如果用户使用了空口令,这个部分会包含以“NO
PASSWORD”起头的十六进制字串。而如果这些十六进制字串是32个“X”的话,那么这个
用户账号就被禁止掉了,于是此用户就不能登录到samba服务器上。
WARNING !!. Note that, due to the challenge-response nature of the SMB/CIFS
authentication protocol, anyone with a knowledge of this password hash will
be able to impersonate the user on the network. For this reason these hashes
are known as "plain text equivalent" and must NOT be made available to anyone
but the root user. To protect these passwords the smbpasswd file is placed in
a directory with read and traverse access only to the root user and the
smbpasswd file itself must be set to be read/write only by root, with no
other access.
警告!!注意到由于要使用SMB/CIFS验证协议来实现请求-响应特性,所以任何了解口令
散列表信息的人都可以伪装成网络中的其他用户。为此,这些口令散列表信息都相当于只
是“明文”一样,所以root以外的任何用户都不应该获得这些数据,为了保护这些口令,
smbpasswd文件被存放到只有root用户可以读取和访问的目录中,而smbpasswd文件本身也
被设成只有root用户可以读/写,而其它人无法访问。
NT Password Hash
NT的口令散列表
This is the Windows NT hash of the users password, encoded as 32 hex digits.
The Windows NT hash is created by taking the users password as represented in
16-bit, little-endian UNICODE and then applying the MD4 (internet rfc1321)
hashing algorithm to it.
指定NT的用户口令散列表,也是32位的十六进制编码。NT的散列表用16位的用户口令,
little-endian UNICODE编码建立,然后用MD4算法产生对应的散列表。
This password hash is considered more secure than the Lanman Password Hash as
it preserves the case of the password and uses a much higher quality hashing
algorithm. However, it is still the case that if two users choose the same
password this entry will be identical (i.e. the password is not "salted" as
the UNIX password is).
这种口令散列表比Lanman Password Hash考虑更多的安全性,所以它用更高质量的散列算
法来维护口令和用户信息。但是它仍然存在当两个用户使用相同口令时口令项相同的问题
(例如没有UNIX口令那样“加工”过)。
WARNING !!. Note that, due to the challenge-response nature of the SMB/CIFS
authentication protocol, anyone with a knowledge of this password hash will
be able to impersonate the user on the network. For this reason these hashes
are known as "plain text equivalent" and must NOT be made available to anyone
but the root user. To protect these passwords the smbpasswd file is placed in
a directory with read and traverse access only to the root user and the
smbpasswd file itself must be set to be read/write only by root, with no
other access.
警告!!注意到由于要使用SMB/CIFS验证协议来实现请求-响应特性,所以任何了解口令
散列表信息的人都可以伪装成网络中的其他用户。为此,这些口令散列表信息都相当于只
是“明文”一样,所以root以外的任何用户都不应该获得这些数据,为了保护这些口令,
smbpasswd文件被存放到只有root用户可以读取和访问的目录中,而smbpasswd文件本身也
被设成只有root用户可以读/写,而其它人无法访问。
Account Flags
账号标志
This section contains flags that describe the attributes of the users
account. In the Samba2.0 release this field is bracketed by '[' and ']'
characters and is always 13 characters in length (including the '[' and ']'
characters). The contents of this field may be any of the characters.
账号标志部分描述了用户账号的属性。在samba 2.0中这个字段是用‘[’和‘]’字符围
封。而其总长度是13个字符(包含‘[’和‘]’字符)。这部分内容可以是任何字符。
'U' This means this is a "User" account, i.e. an ordinary user. Only User and
Workstation Trust accounts are currently supported in the smbpasswd file.
‘U’说明这是一个“用户” 账号,比如原始用户。在smbpasswd文件中只支持用户和工
作站信任账号。
'N' This means the account has no password (the passwords in the fields
Lanman Password Hash and NT Password Hash are ignored). Note that this will
only allow users to log on with no password if the null passwords parameter
is set in the smb.conf (5) config file.
‘N’说明这个账号没有口令(Lanman Password Hash和NT Password Hash会忽略这一字段
中的口令内容)。注意如果在smb.conf (5)配置文件中设定了null passwords,那么只允
许用户不带口令进行登录。
'D' This means the account is disabled and no SMB/CIFS logins will be allowed
for this user.
‘D’说明此账号被禁止了,此用户无法登录SMB/CIFS。
'W' This means this account is a "Workstation Trust" account. This kind of
account is used in the Samba PDC code stream to allow Windows NT Workstations
and Servers to join a Domain hosted by a Samba PDC.
‘W’说明此账号是个“工作站” 信任账号。这类账号被用在把samba作为PDC时允许NT工
作站和服务器加入到域中的情况下。
Other flags may be added as the code is extended in future. The rest of this
field space is filled in with spaces.
其它标志作为将来功能扩展所用。这个标志字段余下的空间用空格填充。
Last Change Time
最后改变时间
This field consists of the time the account was last modified. It consists of
the characters LCT- (standing for "Last Change Time") followed by a numeric
encoding of the UNIX time in seconds since the epoch (1970) that the last
change was made.
这个字段由账号最后修改的时间组成。它以字符LCT(标准含义是“Last Change Time”)
后跟UNIX以秒计的时间编码数字(从公元1970年开始计)。
Following fields
其余字段
All other colon separated fields are ignored at this time.
所有其余用冒号分隔的字段现在都将被忽略。
NOTES
注意
In previous versions of Samba (notably the 1.9.18 series) this file did not
contain the Account Flags or Last Change Time fields. The Samba 2.0 code will
read and write these older password files but will not be able to modify the
old entries to add the new fields. New entries added with smbpasswd (8) will
contain the new fields in the added accounts however. Thus an older smbpasswd
file used with Samba 2.0 may end up with some accounts containing the new
fields and some not.
在早期的版本中(特别是1.9.18系列),这个文件并不包含任何用户账号标志Account
Flags和最后更改时间Last Change Time这两个字段。samba 2.0的代码可以读/写这些较
老的口令文件,但却不能修改老的项目也不能添加新的字段。用smbpasswd (8)新添加的
项目会在加新账号时包含新的字段。因此samba 2.0在使用较老的文件时最终可能出现有
些用户账号带有新字段而有些没有的情况。
In order to convert from an old-style smbpasswd file to a new style, run the
script convert_smbpasswd, installed in the Samba bin/ directory (the same
place that the smbd and nmbd binaries are installed) as follows:
为了把旧格式的smbpasswd文件转换成新格式,用以下的格式运行samba可执行程序目录中
的convert_smbpasswd脚本(与smbd和nmbd位于同样的目录下):
cat old_smbpasswd_file | convert_smbpasswd > new_smbpasswd_file
The convert_smbpasswd script reads from stdin and writes to stdout so as not
to overwrite any files by accident.
这个脚本从标准输入输出中进行读写操作,所以不会意外地覆盖任何文件。
Once this script has been run, check the contents of the new smbpasswd file
to ensure that it has not been damaged by the conversion script (which uses
awk), and then replace the <old smbpasswd file> with the <new smbpasswd
file>.
一旦运行过这个脚本,检查新的smbpasswd文件内容,确保没有被转换脚本(使用了awk)所
破坏,然后用新的smbpasswd替换老的文件。
VERSION
版本
This man page is correct for version 2.0 of the Samba suite.
此手册页是针对samba套件版本2.0的。
SEE ALSO
参见
smbpasswd (8), samba (7), and the Internet RFC1321 for details on the MD4
algorithm.
smbpasswd (8), samba (7), 和Internet RFC1321中对MD4算法的描述。
AUTHOR
作者
The original Samba software and related utilities were created by Andrew
Tridgell samba-bugs@samba.org. Samba is now developed by the Samba Team as an
Open Source project similar to the way the Linux kernel is developed.
samba软件和相关工具最初由Andrew Tridgell samba-bugs@samba.org创建。samba现在由
开发组作为类似Linux内核开发采用的开放源代码计划方式来发展。
The original Samba man pages were written by Karl Auer. The man page sources
were converted to YODL format (another excellent piece of Open Source
software, available at ftp://ftp.icce.rug.nl/pub/unix/) and updated for the
Samba2.0 release by Jeremy Allison. samba-bugs@samba.org.
samba手册页最初由Karl Auer撰写。它的源码已被转换成YODL(一种极好的开放源代码软
件,可以在ftp://ftp.icce.rug.nl/pub/unix/处获得)格式并已由Jeremy Allison更新到
samba2.0版本。
See samba (7) to find out how to get a full list of contributors and details
on how to submit bug reports, comments etc.
请参见samba (7)查找如何获得一份完整的维护者列表以及如何提交错误报告及注解等等
。
--
"这一千多年没写诗了?"
"写了, 不过只写了两句."
"千年得两句, 一定是万古丽句了. 念来听听."
"好吧, 我现丑了" 太白星清了清嗓子, 浑厚的男中音在天庭响起:
大海啊, 都是水;
骏马啊, 四条腿;
※ 来源:·紫 丁 香 bbs.hit.edu.cn·[FROM: freesrc.hit.edu]