r7117: Move more manpages to the source repository
[samba.git] / source / utils / man / ntlm_auth.1.xml
1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <refentry id="ntlm-auth.1">
4
5 <refmeta>
6         <refentrytitle>ntlm_auth</refentrytitle>
7         <manvolnum>1</manvolnum>
8 </refmeta>
9
10
11 <refnamediv>
12         <refname>ntlm_auth</refname>
13         <refpurpose>tool to allow external access to Winbind's NTLM authentication function</refpurpose>
14 </refnamediv>
15
16 <refsynopsisdiv>
17         <cmdsynopsis>
18                 <command>ntlm_auth</command>
19                 <arg choice="opt">-d debuglevel</arg>
20                 <arg choice="opt">-l logdir</arg>
21                 <arg choice="opt">-s &lt;smb config file&gt;</arg>
22         </cmdsynopsis>
23 </refsynopsisdiv>
24
25 <refsect1>
26         <title>DESCRIPTION</title>
27
28         <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
29         <manvolnum>7</manvolnum></citerefentry> suite.</para>
30
31         <para><command>ntlm_auth</command> is a helper utility that authenticates 
32         users using NT/LM authentication. It returns 0 if the users is authenticated
33         successfully and 1 if access was denied. ntlm_auth uses winbind to access 
34         the user and authentication data for a domain.  This utility 
35         is only indended to be used by other programs (currently squid).
36         </para>
37 </refsect1>
38
39 <refsect1>
40         <title>OPERATIONAL REQUIREMENTS</title>
41
42     <para>
43     The <citerefentry><refentrytitle>winbindd</refentrytitle>
44     <manvolnum>8</manvolnum></citerefentry> daemon must be operational
45     for many of these commands to function.</para>
46
47     <para>Some of these commands also require access to the directory 
48     <filename>winbindd_privileged</filename> in
49     <filename>$LOCKDIR</filename>.  This should be done either by running
50     this command as root or providing group access
51     to the <filename>winbindd_privileged</filename> directory.  For
52     security reasons, this directory should not be world-accessable. </para>
53
54 </refsect1>
55
56
57 <refsect1>
58         <title>OPTIONS</title>
59
60         <variablelist>
61         <varlistentry>
62         <term>--helper-protocol=PROTO</term>
63         <listitem><para>
64         Operate as a stdio-based helper.  Valid helper protocols are:
65         </para> 
66         <variablelist>
67               <varlistentry>
68                 <term>squid-2.4-basic</term>
69                 <listitem><para>
70                 Server-side helper for use with Squid 2.4's basic (plaintext)
71                 authentication.  </para>
72                 </listitem>
73                 </varlistentry>
74               <varlistentry>
75                 <term>squid-2.5-basic</term>
76                 <listitem><para>
77                 Server-side helper for use with Squid 2.5's basic (plaintext)
78                 authentication. </para>
79                 </listitem>
80                 </varlistentry>
81               <varlistentry>
82                 <term>squid-2.5-ntlmssp</term>
83                 <listitem><para>
84                 Server-side helper for use with Squid 2.5's NTLMSSP 
85                 authentication. </para>
86                   <para>Requires access to the directory 
87                 <filename>winbindd_privileged</filename> in
88                 <filename>$LOCKDIR</filename>.  The protocol used is
89                 described here: <ulink
90                 url="http://devel.squid-cache.org/ntlm/squid_helper_protocol.html">http://devel.squid-cache.org/ntlm/squid_helper_protocol.html</ulink>
91                 </para>
92                 </listitem>
93               </varlistentry>
94               <varlistentry>
95                 <term>ntlmssp-client-1</term>
96                 <listitem><para>
97                 Cleint-side helper for use with arbitary external
98                 programs that may wish to use Samba's NTLMSSP 
99                 authentication knowlege. </para>
100                   <para>This helper is a client, and as such may be run by any
101                 user.  The protocol used is
102                 effectivly the reverse of the previous protocol.
103                 </para>
104                 </listitem>
105               </varlistentry>
106
107               <varlistentry>
108                 <term>gss-spnego</term>
109                 <listitem><para>
110                 Server-side helper that implements GSS-SPNEGO.  This
111                 uses a protocol that is almost the same as
112                 <command>squid-2.5-ntlmssp</command>, but has some
113                 subtle differences that are undocumented outside the
114                 source at this stage.
115                 </para>
116                   <para>Requires access to the directory 
117                 <filename>winbindd_privileged</filename> in
118                 <filename>$LOCKDIR</filename>.   
119                </para>
120                 </listitem>
121                 </varlistentry>
122                  
123                 <varlistentry>
124                                 <term>gss-spnego-client</term>
125                 <listitem><para>
126                 Client-side helper that implements GSS-SPNEGO.  This
127                 also uses a protocol similar to the above helpers, but
128                 is currently undocumented.
129                 </para>
130                 </listitem>
131                 </varlistentry>
132         </variablelist>
133         </listitem>
134       </varlistentry>
135       
136       <varlistentry>
137         <term>--username=USERNAME</term>
138         <listitem><para>
139         Specify username of user to authenticate
140         </para></listitem>
141         
142       </varlistentry>
143       
144       <varlistentry>
145         <term>--domain=DOMAIN</term>
146         <listitem><para>
147         Specify domain of user to authenticate
148         </para></listitem>
149       </varlistentry>
150
151       <varlistentry>
152         <term>--workstation=WORKSTATION</term>
153         <listitem><para>
154         Specify the workstation the user authenticated from
155         </para></listitem>
156       </varlistentry>
157
158         <varlistentry>
159         <term>--challenge=STRING</term>
160         <listitem><para>NTLM challenge (in HEXADECIMAL)</para>
161         </listitem>
162         </varlistentry>
163
164         <varlistentry>
165         <term>--lm-response=RESPONSE</term>
166         <listitem><para>LM Response to the challenge (in HEXADECIMAL)</para></listitem>
167         </varlistentry>
168
169         <varlistentry>
170         <term>--nt-response=RESPONSE</term>
171         <listitem><para>NT or NTLMv2 Response to the challenge (in HEXADECIMAL)</para></listitem>
172         </varlistentry>
173
174         <varlistentry>
175         <term>--password=PASSWORD</term>
176         <listitem><para>User's plaintext password</para><para>If 
177         not specified on the command line, this is prompted for when
178         required.  </para></listitem>
179         </varlistentry>
180
181         <varlistentry>
182         <term>--request-lm-key</term>
183         <listitem><para>Retreive LM session key</para></listitem>
184         </varlistentry>
185
186         <varlistentry>
187         <term>--request-nt-key</term>
188         <listitem><para>Request NT key</para></listitem>
189         </varlistentry>
190
191       <varlistentry>
192         <term>--diagnostics</term>
193         <listitem><para>Perform Diagnostics on the authentication
194         chain.  Uses the password from <command>--password</command>
195         or prompts for one.</para>
196         </listitem>
197         </varlistentry>
198         
199         <varlistentry>
200             <term>--require-membership-of={SID|Name}</term>
201             <listitem><para>Require that a user be a member of specified 
202             group (either name or SID) for authentication to succeed.</para>
203             </listitem>
204         </varlistentry>
205
206           &popt.common.samba;
207           &stdarg.help;
208         
209         </variablelist>
210 </refsect1>
211
212 <refsect1>
213         <title>EXAMPLE SETUP</title>
214
215         <para>To setup ntlm_auth for use by squid 2.5, with both basic and
216         NTLMSSP authentication, the following
217         should be placed in the <filename>squid.conf</filename> file.
218 <programlisting>
219 auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp
220 auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic
221 auth_param basic children 5
222 auth_param basic realm Squid proxy-caching web server
223 auth_param basic credentialsttl 2 hours
224 </programlisting></para>
225
226 <note><para>This example assumes that ntlm_auth has been installed into your
227       path, and that the group permissions on
228       <filename>winbindd_privileged</filename> are as described above.</para></note>
229
230         <para>To setup ntlm_auth for use by squid 2.5 with group limitation in addition to the above
231         example, the following should be added to the <filename>squid.conf</filename> file.
232 <programlisting>
233 auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users'
234 auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users'
235 </programlisting></para>
236         
237 </refsect1>
238
239 <refsect1>
240         <title>TROUBLESHOOTING</title>
241         
242         <para>If you're experiencing problems with authenticating Internet Explorer running
243         under MS Windows 9X or Millenium Edition against ntlm_auth's NTLMSSP authentication
244         helper (--helper-protocol=squid-2.5-ntlmssp), then please read 
245         <ulink url="http://support.microsoft.com/support/kb/articles/Q239/8/69.ASP">
246         the Microsoft Knowledge Base article #239869 and follow instructions described there</ulink>.
247         </para>
248 </refsect1>
249
250 <refsect1>
251         <title>VERSION</title>
252
253         <para>This man page is correct for version 3.0 of the Samba 
254         suite.</para>
255 </refsect1>
256
257 <refsect1>
258         <title>AUTHOR</title>
259         
260         <para>The original Samba software and related utilities 
261         were created by Andrew Tridgell. Samba is now developed
262         by the Samba Team as an Open Source project similar 
263         to the way the Linux kernel is developed.</para>
264         
265         <para>The ntlm_auth manpage was written by Jelmer Vernooij and
266         Andrew Bartlett.</para>
267 </refsect1>
268
269 </refentry>