+++ /dev/null
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-<refentry id="ntlm-auth.1">
-
-<refmeta>
- <refentrytitle>ntlm_auth</refentrytitle>
- <manvolnum>1</manvolnum>
- <refmiscinfo class="source">Samba</refmiscinfo>
- <refmiscinfo class="manual">User Commands</refmiscinfo>
- <refmiscinfo class="version">3.6</refmiscinfo>
-</refmeta>
-
-
-<refnamediv>
- <refname>ntlm_auth</refname>
- <refpurpose>tool to allow external access to Winbind's NTLM authentication function</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
- <cmdsynopsis>
- <command>ntlm_auth</command>
- <arg choice="opt">-d debuglevel</arg>
- <arg choice="opt">-l logdir</arg>
- <arg choice="opt">-s <smb config file></arg>
- </cmdsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
- <title>DESCRIPTION</title>
-
- <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
- <manvolnum>7</manvolnum></citerefentry> suite.</para>
-
- <para><command>ntlm_auth</command> is a helper utility that authenticates
- users using NT/LM authentication. It returns 0 if the users is authenticated
- successfully and 1 if access was denied. ntlm_auth uses winbind to access
- the user and authentication data for a domain. This utility
- is only intended to be used by other programs (currently
- <ulink url="http://www.squid-cache.org/">Squid</ulink>
- and <ulink url="http://download.samba.org/ftp/unpacked/lorikeet/trunk/mod_ntlm_winbind/">mod_ntlm_winbind</ulink>)
- </para>
-</refsect1>
-
-<refsect1>
- <title>OPERATIONAL REQUIREMENTS</title>
-
- <para>
- The <citerefentry><refentrytitle>winbindd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> daemon must be operational
- for many of these commands to function.</para>
-
- <para>Some of these commands also require access to the directory
- <filename>winbindd_privileged</filename> in
- <filename>$LOCKDIR</filename>. This should be done either by running
- this command as root or providing group access
- to the <filename>winbindd_privileged</filename> directory. For
- security reasons, this directory should not be world-accessable. </para>
-
-</refsect1>
-
-
-<refsect1>
- <title>OPTIONS</title>
-
- <variablelist>
- <varlistentry>
- <term>--helper-protocol=PROTO</term>
- <listitem><para>
- Operate as a stdio-based helper. Valid helper protocols are:
- </para>
- <variablelist>
- <varlistentry>
- <term>squid-2.4-basic</term>
- <listitem><para>
- Server-side helper for use with Squid 2.4's basic (plaintext)
- authentication. </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>squid-2.5-basic</term>
- <listitem><para>
- Server-side helper for use with Squid 2.5's basic (plaintext)
- authentication. </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>squid-2.5-ntlmssp</term>
- <listitem><para>
- Server-side helper for use with Squid 2.5's NTLMSSP
- authentication. </para>
- <para>Requires access to the directory
- <filename>winbindd_privileged</filename> in
- <filename>$LOCKDIR</filename>. The protocol used is
- described here: <ulink
- url="http://devel.squid-cache.org/ntlm/squid_helper_protocol.html">http://devel.squid-cache.org/ntlm/squid_helper_protocol.html</ulink>.
- This protocol has been extended to allow the
- NTLMSSP Negotiate packet to be included as an argument
- to the <command>YR</command> command. (Thus avoiding
- loss of information in the protocol exchange).
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>ntlmssp-client-1</term>
- <listitem><para>
- Client-side helper for use with arbitrary external
- programs that may wish to use Samba's NTLMSSP
- authentication knowledge. </para>
- <para>This helper is a client, and as such may be run by any
- user. The protocol used is
- effectively the reverse of the previous protocol. A
- <command>YR</command> command (without any arguments)
- starts the authentication exchange.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>gss-spnego</term>
- <listitem><para>
- Server-side helper that implements GSS-SPNEGO. This
- uses a protocol that is almost the same as
- <command>squid-2.5-ntlmssp</command>, but has some
- subtle differences that are undocumented outside the
- source at this stage.
- </para>
- <para>Requires access to the directory
- <filename>winbindd_privileged</filename> in
- <filename>$LOCKDIR</filename>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>gss-spnego-client</term>
- <listitem><para>
- Client-side helper that implements GSS-SPNEGO. This
- also uses a protocol similar to the above helpers, but
- is currently undocumented.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>ntlm-server-1</term>
- <listitem><para>
- Server-side helper protocol, intended for use by a
- RADIUS server or the 'winbind' plugin for pppd, for
- the provision of MSCHAP and MSCHAPv2 authentication.
- </para>
- <para>This protocol consists of lines in the form:
- <command>Parameter: value</command> and <command>Parameter::
- Base64-encode value</command>. The presence of a single
- period <command>.</command> indicates that one side has
- finished supplying data to the other. (Which in turn
- could cause the helper to authenticate the
- user). </para>
-
- <para>Currently implemented parameters from the
- external program to the helper are:</para>
- <variablelist>
- <varlistentry>
- <term>Username</term>
-
- <listitem><para>The username, expected to be in
- Samba's <smbconfoption name="unix charset"/>.
- </para>
-
- <para><example>Username: bob</example></para>
- <para><example>Username:: Ym9i</example></para>
- </listitem></varlistentry>
-
- <varlistentry>
- <term>NT-Domain</term>
- <listitem><para>The user's domain, expected to be in
- Samba's <smbconfoption name="unix charset"/>.
- </para>
-
- <para><example>NT-Domain: WORKGROUP</example></para>
- <para><example>NT-Domain:: V09SS0dST1VQ</example></para>
- </listitem></varlistentry>
-
- <varlistentry>
- <term>Full-Username</term>
- <listitem><para>The fully qualified username, expected to be in
- Samba's <smbconfoption name="unix charset"/> and qualified with the
- <smbconfoption name="winbind separator"/>.
- </para>
-
- <para><example>Full-Username: WORKGROUP\bob</example></para>
- <para><example>Full-Username:: V09SS0dST1VQYm9i</example></para>
- </listitem></varlistentry>
-
- <varlistentry>
- <term>LANMAN-Challenge</term>
-
- <listitem><para>The 8 byte <command>LANMAN Challenge</command> value,
- generated randomly by the server, or (in cases such as
- MSCHAPv2) generated in some way by both the server and
- the client.
- </para>
- <para><example>LANMAN-Challenge: 0102030405060708</example></para>
- </listitem></varlistentry>
-
- <varlistentry>
- <term>LANMAN-Response</term>
-
- <listitem><para>The 24 byte <command>LANMAN Response</command> value,
- calculated from the user's password and the supplied
- <command>LANMAN Challenge</command>. Typically, this
- is provided over the network by a client wishing to authenticate.
- </para>
- <para><example>LANMAN-Response: 0102030405060708090A0B0C0D0E0F101112131415161718</example></para>
-
- </listitem></varlistentry>
-
- <varlistentry>
- <term>NT-Response</term>
- <listitem><para>The >= 24 byte <command>NT Response</command>
- calculated from the user's password and the supplied
- <command>LANMAN Challenge</command>. Typically, this is
- provided over the network by a client wishing to authenticate.
- </para>
- <para><example>NT-Response: 0102030405060708090A0B0C0D0E0F101112131415161718</example></para>
-
- </listitem></varlistentry>
-
- <varlistentry>
- <term>Password</term>
- <listitem><para>The user's password. This would be
- provided by a network client, if the helper is being
- used in a legacy situation that exposes plaintext
- passwords in this way.
- </para>
- <para><example>Password: samba2</example></para>
- <para><example>Password:: c2FtYmEy</example></para>
-
- </listitem></varlistentry>
-
- <varlistentry>
- <term>Request-User-Session-Key</term>
- <listitem><para>Upon successful authenticaiton, return
- the user session key associated with the login.
- </para>
- <para><example>Request-User-Session-Key: Yes</example></para>
-
- </listitem></varlistentry>
-
- <varlistentry>
- <term>Request-LanMan-Session-Key</term>
- <listitem><para>Upon successful authenticaiton, return
- the LANMAN session key associated with the login.
- </para>
- <para><example>Request-LanMan-Session-Key: Yes</example></para>
-
- </listitem></varlistentry>
-
- <para><warning>Implementers should take care to base64 encode
- any data (such as usernames/passwords) that may contain malicous user data, such as
- a newline. They may also need to decode strings from
- the helper, which likewise may have been base64 encoded.</warning></para>
- </variablelist>
-
- </listitem>
- </varlistentry>
- </variablelist>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>--username=USERNAME</term>
- <listitem><para>
- Specify username of user to authenticate
- </para></listitem>
-
- </varlistentry>
-
- <varlistentry>
- <term>--domain=DOMAIN</term>
- <listitem><para>
- Specify domain of user to authenticate
- </para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term>--workstation=WORKSTATION</term>
- <listitem><para>
- Specify the workstation the user authenticated from
- </para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term>--challenge=STRING</term>
- <listitem><para>NTLM challenge (in HEXADECIMAL)</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>--lm-response=RESPONSE</term>
- <listitem><para>LM Response to the challenge (in HEXADECIMAL)</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term>--nt-response=RESPONSE</term>
- <listitem><para>NT or NTLMv2 Response to the challenge (in HEXADECIMAL)</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term>--password=PASSWORD</term>
- <listitem><para>User's plaintext password</para><para>If
- not specified on the command line, this is prompted for when
- required. </para>
-
- <para>For the NTLMSSP based server roles, this parameter
- specifies the expected password, allowing testing without
- winbindd operational.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>--request-lm-key</term>
- <listitem><para>Retrieve LM session key</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term>--request-nt-key</term>
- <listitem><para>Request NT key</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term>--diagnostics</term>
- <listitem><para>Perform Diagnostics on the authentication
- chain. Uses the password from <command>--password</command>
- or prompts for one.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>--require-membership-of={SID|Name}</term>
- <listitem><para>Require that a user be a member of specified
- group (either name or SID) for authentication to succeed.</para>
- </listitem>
- </varlistentry>
-
- &stdarg.server.debug;
- &popt.common.samba;
- &stdarg.help;
-
- </variablelist>
-</refsect1>
-
-<refsect1>
- <title>EXAMPLE SETUP</title>
-
- <para>To setup ntlm_auth for use by squid 2.5, with both basic and
- NTLMSSP authentication, the following
- should be placed in the <filename>squid.conf</filename> file.
-<programlisting>
-auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp
-auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic
-auth_param basic children 5
-auth_param basic realm Squid proxy-caching web server
-auth_param basic credentialsttl 2 hours
-</programlisting></para>
-
-<note><para>This example assumes that ntlm_auth has been installed into your
- path, and that the group permissions on
- <filename>winbindd_privileged</filename> are as described above.</para></note>
-
- <para>To setup ntlm_auth for use by squid 2.5 with group limitation in addition to the above
- example, the following should be added to the <filename>squid.conf</filename> file.
-<programlisting>
-auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users'
-auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users'
-</programlisting></para>
-
-</refsect1>
-
-<refsect1>
- <title>TROUBLESHOOTING</title>
-
- <para>If you're experiencing problems with authenticating Internet Explorer running
- under MS Windows 9X or Millennium Edition against ntlm_auth's NTLMSSP authentication
- helper (--helper-protocol=squid-2.5-ntlmssp), then please read
- <ulink url="http://support.microsoft.com/support/kb/articles/Q239/8/69.ASP">
- the Microsoft Knowledge Base article #239869 and follow instructions described there</ulink>.
- </para>
-</refsect1>
-
-<refsect1>
- <title>VERSION</title>
-
- <para>This man page is correct for version 3 of the Samba
- suite.</para>
-</refsect1>
-
-<refsect1>
- <title>AUTHOR</title>
-
- <para>The original Samba software and related utilities
- were created by Andrew Tridgell. Samba is now developed
- by the Samba Team as an Open Source project similar
- to the way the Linux kernel is developed.</para>
-
- <para>The ntlm_auth manpage was written by Jelmer Vernooij and
- Andrew Bartlett.</para>
-</refsect1>
-
-</refentry>
git.samba.org / sfrench / samba-autobuild / .git / blobdiff