source4/utils/man/ntlm_auth.1.xml

   1 <?xml version="1.0" encoding="iso-8859-1"?>
   2 <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
   3 <refentry id="ntlm-auth.1">
   4
   5 <refmeta>
   6         <refentrytitle>ntlm_auth</refentrytitle>
   7         <manvolnum>1</manvolnum>
   8 </refmeta>
   9
  10
  11 <refnamediv>
  12         <refname>ntlm_auth</refname>
  13         <refpurpose>tool to allow external access to Winbind's NTLM authentication function</refpurpose>
  14 </refnamediv>
  15
  16 <refsynopsisdiv>
  17         <cmdsynopsis>
  18                 <command>ntlm_auth</command>
  19                 <arg choice="opt">-d debuglevel</arg>
  20                 <arg choice="opt">-l logdir</arg>
  21                 <arg choice="opt">-s &lt;smb config file&gt;</arg>
  22         </cmdsynopsis>
  23 </refsynopsisdiv>
  24
  25 <refsect1>
  26         <title>DESCRIPTION</title>
  27
  28         <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
  29         <manvolnum>7</manvolnum></citerefentry> suite.</para>
  30
  31         <para><command>ntlm_auth</command> is a helper utility that authenticates
  32         users using NT/LM authentication. It returns 0 if the users is authenticated
  33         successfully and 1 if access was denied. ntlm_auth uses winbind to access
  34         the user and authentication data for a domain.  This utility
  35         is only indended to be used by other programs (currently squid).
  36         </para>
  37 </refsect1>
  38
  39 <refsect1>
  40         <title>OPERATIONAL REQUIREMENTS</title>
  41
  42     <para>
  43     The <citerefentry><refentrytitle>winbindd</refentrytitle>
  44     <manvolnum>8</manvolnum></citerefentry> daemon must be operational
  45     for many of these commands to function.</para>
  46
  47     <para>Some of these commands also require access to the directory
  48     <filename>winbindd_privileged</filename> in
  49     <filename>$LOCKDIR</filename>.  This should be done either by running
  50     this command as root or providing group access
  51     to the <filename>winbindd_privileged</filename> directory.  For
  52     security reasons, this directory should not be world-accessable. </para>
  53
  54 </refsect1>
  55
  56
  57 <refsect1>
  58         <title>OPTIONS</title>
  59
  60         <variablelist>
  61         <varlistentry>
  62         <term>--helper-protocol=PROTO</term>
  63         <listitem><para>
  64         Operate as a stdio-based helper.  Valid helper protocols are:
  65         </para>
  66         <variablelist>
  67               <varlistentry>
  68                 <term>squid-2.4-basic</term>
  69                 <listitem><para>
  70                 Server-side helper for use with Squid 2.4's basic (plaintext)
  71                 authentication.  </para>
  72                 </listitem>
  73                 </varlistentry>
  74               <varlistentry>
  75                 <term>squid-2.5-basic</term>
  76                 <listitem><para>
  77                 Server-side helper for use with Squid 2.5's basic (plaintext)
  78                 authentication. </para>
  79                 </listitem>
  80                 </varlistentry>
  81               <varlistentry>
  82                 <term>squid-2.5-ntlmssp</term>
  83                 <listitem><para>
  84                 Server-side helper for use with Squid 2.5's NTLMSSP
  85                 authentication. </para>
  86                   <para>Requires access to the directory
  87                 <filename>winbindd_privileged</filename> in
  88                 <filename>$LOCKDIR</filename>.  The protocol used is
  89                 described here: <ulink
  90                 url="http://devel.squid-cache.org/ntlm/squid_helper_protocol.html">http://devel.squid-cache.org/ntlm/squid_helper_protocol.html</ulink>
  91                 </para>
  92                 </listitem>
  93               </varlistentry>
  94               <varlistentry>
  95                 <term>ntlmssp-client-1</term>
  96                 <listitem><para>
  97                 Cleint-side helper for use with arbitary external
  98                 programs that may wish to use Samba's NTLMSSP
  99                 authentication knowlege. </para>
 100                   <para>This helper is a client, and as such may be run by any
 101                 user.  The protocol used is
 102                 effectivly the reverse of the previous protocol.
 103                 </para>
 104                 </listitem>
 105               </varlistentry>
 106
 107               <varlistentry>
 108                 <term>gss-spnego</term>
 109                 <listitem><para>
 110                 Server-side helper that implements GSS-SPNEGO.  This
 111                 uses a protocol that is almost the same as
 112                 <command>squid-2.5-ntlmssp</command>, but has some
 113                 subtle differences that are undocumented outside the
 114                 source at this stage.
 115                 </para>
 116                   <para>Requires access to the directory
 117                 <filename>winbindd_privileged</filename> in
 118                 <filename>$LOCKDIR</filename>.
 119                </para>
 120                 </listitem>
 121                 </varlistentry>
 122
 123                 <varlistentry>
 124                                 <term>gss-spnego-client</term>
 125                 <listitem><para>
 126                 Client-side helper that implements GSS-SPNEGO.  This
 127                 also uses a protocol similar to the above helpers, but
 128                 is currently undocumented.
 129                 </para>
 130                 </listitem>
 131                 </varlistentry>
 132         </variablelist>
 133         </listitem>
 134       </varlistentry>
 135
 136       <varlistentry>
 137         <term>--username=USERNAME</term>
 138         <listitem><para>
 139         Specify username of user to authenticate
 140         </para></listitem>
 141
 142       </varlistentry>
 143
 144       <varlistentry>
 145         <term>--domain=DOMAIN</term>
 146         <listitem><para>
 147         Specify domain of user to authenticate
 148         </para></listitem>
 149       </varlistentry>
 150
 151       <varlistentry>
 152         <term>--workstation=WORKSTATION</term>
 153         <listitem><para>
 154         Specify the workstation the user authenticated from
 155         </para></listitem>
 156       </varlistentry>
 157
 158         <varlistentry>
 159         <term>--challenge=STRING</term>
 160         <listitem><para>NTLM challenge (in HEXADECIMAL)</para>
 161         </listitem>
 162         </varlistentry>
 163
 164         <varlistentry>
 165         <term>--lm-response=RESPONSE</term>
 166         <listitem><para>LM Response to the challenge (in HEXADECIMAL)</para></listitem>
 167         </varlistentry>
 168
 169         <varlistentry>
 170         <term>--nt-response=RESPONSE</term>
 171         <listitem><para>NT or NTLMv2 Response to the challenge (in HEXADECIMAL)</para></listitem>
 172         </varlistentry>
 173
 174         <varlistentry>
 175         <term>--password=PASSWORD</term>
 176         <listitem><para>User's plaintext password</para><para>If
 177         not specified on the command line, this is prompted for when
 178         required.  </para></listitem>
 179         </varlistentry>
 180
 181         <varlistentry>
 182         <term>--request-lm-key</term>
 183         <listitem><para>Retreive LM session key</para></listitem>
 184         </varlistentry>
 185
 186         <varlistentry>
 187         <term>--request-nt-key</term>
 188         <listitem><para>Request NT key</para></listitem>
 189         </varlistentry>
 190
 191       <varlistentry>
 192         <term>--diagnostics</term>
 193         <listitem><para>Perform Diagnostics on the authentication
 194         chain.  Uses the password from <command>--password</command>
 195         or prompts for one.</para>
 196         </listitem>
 197         </varlistentry>
 198
 199         <varlistentry>
 200             <term>--require-membership-of={SID|Name}</term>
 201             <listitem><para>Require that a user be a member of specified
 202             group (either name or SID) for authentication to succeed.</para>
 203             </listitem>
 204         </varlistentry>
 205
 206           &popt.common.samba;
 207           &stdarg.help;
 208
 209         </variablelist>
 210 </refsect1>
 211
 212 <refsect1>
 213         <title>EXAMPLE SETUP</title>
 214
 215         <para>To setup ntlm_auth for use by squid 2.5, with both basic and
 216         NTLMSSP authentication, the following
 217         should be placed in the <filename>squid.conf</filename> file.
 218 <programlisting>
 219 auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp
 220 auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic
 221 auth_param basic children 5
 222 auth_param basic realm Squid proxy-caching web server
 223 auth_param basic credentialsttl 2 hours
 224 </programlisting></para>
 225
 226 <note><para>This example assumes that ntlm_auth has been installed into your
 227       path, and that the group permissions on
 228       <filename>winbindd_privileged</filename> are as described above.</para></note>
 229
 230         <para>To setup ntlm_auth for use by squid 2.5 with group limitation in addition to the above
 231         example, the following should be added to the <filename>squid.conf</filename> file.
 232 <programlisting>
 233 auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users'
 234 auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users'
 235 </programlisting></para>
 236
 237 </refsect1>
 238
 239 <refsect1>
 240         <title>TROUBLESHOOTING</title>
 241
 242         <para>If you're experiencing problems with authenticating Internet Explorer running
 243         under MS Windows 9X or Millenium Edition against ntlm_auth's NTLMSSP authentication
 244         helper (--helper-protocol=squid-2.5-ntlmssp), then please read
 245         <ulink url="http://support.microsoft.com/support/kb/articles/Q239/8/69.ASP">
 246         the Microsoft Knowledge Base article #239869 and follow instructions described there</ulink>.
 247         </para>
 248 </refsect1>
 249
 250 <refsect1>
 251         <title>VERSION</title>
 252
 253         <para>This man page is correct for version 3.0 of the Samba
 254         suite.</para>
 255 </refsect1>
 256
 257 <refsect1>
 258         <title>AUTHOR</title>
 259
 260         <para>The original Samba software and related utilities
 261         were created by Andrew Tridgell. Samba is now developed
 262         by the Samba Team as an Open Source project similar
 263         to the way the Linux kernel is developed.</para>
 264
 265         <para>The ntlm_auth manpage was written by Jelmer Vernooij and
 266         Andrew Bartlett.</para>
 267 </refsect1>
 268
 269 </refentry>