source4/utils/man/ntlm_auth.1.xml

   1 <?xml version="1.0" encoding="iso-8859-1"?>
   2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
   3 <refentry id="ntlm-auth.1">
   4
   5 <refmeta>
   6         <refentrytitle>ntlm_auth</refentrytitle>
   7         <manvolnum>1</manvolnum>
   8 </refmeta>
   9
  10
  11 <refnamediv>
  12         <refname>ntlm_auth</refname>
  13         <refpurpose>tool to allow external access to Winbind's NTLM authentication function</refpurpose>
  14 </refnamediv>
  15
  16 <refsynopsisdiv>
  17         <cmdsynopsis>
  18                 <command>ntlm_auth</command>
  19                 <arg choice="opt">-d debuglevel</arg>
  20                 <arg choice="opt">-l logdir</arg>
  21                 <arg choice="opt">-s &lt;smb config file&gt;</arg>
  22         </cmdsynopsis>
  23 </refsynopsisdiv>
  24
  25 <refsect1>
  26         <title>DESCRIPTION</title>
  27
  28         <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
  29         <manvolnum>7</manvolnum></citerefentry> suite.</para>
  30
  31         <para><command>ntlm_auth</command> is a helper utility that authenticates
  32         users using NT/LM authentication. It returns 0 if the users is authenticated
  33         successfully and 1 if access was denied. ntlm_auth uses winbind to access
  34         the user and authentication data for a domain.  This utility
  35         is only indended to be used by other programs (currently squid).
  36         </para>
  37 </refsect1>
  38
  39 <refsect1>
  40         <title>OPERATIONAL REQUIREMENTS</title>
  41
  42     <para>
  43     The <citerefentry><refentrytitle>winbindd</refentrytitle>
  44     <manvolnum>8</manvolnum></citerefentry> daemon must be operational
  45     for many of these commands to function.</para>
  46
  47     <para>Some of these commands also require access to the directory
  48     <filename>winbindd_privileged</filename> in
  49     <filename>$LOCKDIR</filename>.  This should be done either by running
  50     this command as root or providing group access
  51     to the <filename>winbindd_privileged</filename> directory.  For
  52     security reasons, this directory should not be world-accessable. </para>
  53
  54 </refsect1>
  55
  56
  57 <refsect1>
  58         <title>OPTIONS</title>
  59
  60         <variablelist>
  61         <varlistentry>
  62         <term>--helper-protocol=PROTO</term>
  63         <listitem><para>
  64         Operate as a stdio-based helper.  Valid helper protocols are:
  65         </para>
  66         <variablelist>
  67               <varlistentry>
  68                 <term>squid-2.4-basic</term>
  69                 <listitem><para>
  70                 Server-side helper for use with Squid 2.4's basic (plaintext)
  71                 authentication.  </para>
  72                 </listitem>
  73                 </varlistentry>
  74               <varlistentry>
  75                 <term>squid-2.5-basic</term>
  76                 <listitem><para>
  77                 Server-side helper for use with Squid 2.5's basic (plaintext)
  78                 authentication. </para>
  79                 </listitem>
  80                 </varlistentry>
  81               <varlistentry>
  82                 <term>squid-2.5-ntlmssp</term>
  83                 <listitem><para>
  84                 Server-side helper for use with Squid 2.5's NTLMSSP
  85                 authentication. </para>
  86                   <para>Requires access to the directory
  87                 <filename>winbindd_privileged</filename> in
  88                 <filename>$LOCKDIR</filename>.  The protocol used is
  89                 described here: <ulink
  90                 url="http://devel.squid-cache.org/ntlm/squid_helper_protocol.html">http://devel.squid-cache.org/ntlm/squid_helper_protocol.html</ulink>
  91                 </para>
  92                 </listitem>
  93               </varlistentry>
  94               <varlistentry>
  95                 <term>ntlmssp-client-1</term>
  96                 <listitem><para>
  97                 Cleint-side helper for use with arbitary external
  98                 programs that may wish to use Samba's NTLMSSP
  99                 authentication knowlege. </para>
 100                   <para>This helper is a client, and as such may be run by any
 101                 user.  The protocol used is
 102                 effectivly the reverse of the previous protocol.
 103                 </para>
 104                 </listitem>
 105               </varlistentry>
 106
 107               <varlistentry>
 108                 <term>gss-spnego</term>
 109                 <listitem><para>
 110                 Server-side helper that implements GSS-SPNEGO.  This
 111                 uses a protocol that is almost the same as
 112                 <command>squid-2.5-ntlmssp</command>, but has some
 113                 subtle differences that are undocumented outside the
 114                 source at this stage.
 115                 </para>
 116                   <para>Requires access to the directory
 117                 <filename>winbindd_privileged</filename> in
 118                 <filename>$LOCKDIR</filename>.
 119                </para>
 120                 </listitem>
 121                 </varlistentry>
 122
 123                 <varlistentry>
 124                                 <term>gss-spnego-client</term>
 125                 <listitem><para>
 126                 Client-side helper that implements GSS-SPNEGO.  This
 127                 also uses a protocol similar to the above helpers, but
 128                 is currently undocumented.
 129                 </para>
 130                 </listitem>
 131                 </varlistentry>
 132         </variablelist>
 133         </listitem>
 134       </varlistentry>
 135
 136       <varlistentry>
 137         <term>--username=USERNAME</term>
 138         <listitem><para>
 139         Specify username of user to authenticate
 140         </para></listitem>
 141
 142       </varlistentry>
 143
 144       <varlistentry>
 145         <term>--domain=DOMAIN</term>
 146         <listitem><para>
 147         Specify domain of user to authenticate
 148         </para></listitem>
 149       </varlistentry>
 150
 151       <varlistentry>
 152         <term>--workstation=WORKSTATION</term>
 153         <listitem><para>
 154         Specify the workstation the user authenticated from
 155         </para></listitem>
 156       </varlistentry>
 157
 158         <varlistentry>
 159         <term>--challenge=STRING</term>
 160         <listitem><para>NTLM challenge (in HEXADECIMAL)</para>
 161         </listitem>
 162         </varlistentry>
 163
 164         <varlistentry>
 165         <term>--lm-response=RESPONSE</term>
 166         <listitem><para>LM Response to the challenge (in HEXADECIMAL)</para></listitem>
 167         </varlistentry>
 168
 169         <varlistentry>
 170         <term>--nt-response=RESPONSE</term>
 171         <listitem><para>NT or NTLMv2 Response to the challenge (in HEXADECIMAL)</para></listitem>
 172         </varlistentry>
 173
 174         <varlistentry>
 175         <term>--password=PASSWORD</term>
 176         <listitem><para>User's plaintext password</para><para>If
 177         not specified on the command line, this is prompted for when
 178         required.  </para></listitem>
 179         </varlistentry>
 180
 181         <varlistentry>
 182         <term>--request-lm-key</term>
 183         <listitem><para>Retreive LM session key</para></listitem>
 184         </varlistentry>
 185
 186         <varlistentry>
 187         <term>--request-nt-key</term>
 188         <listitem><para>Request NT key</para></listitem>
 189         </varlistentry>
 190
 191       <varlistentry>
 192         <term>--diagnostics</term>
 193         <listitem><para>Perform Diagnostics on the authentication
 194         chain.  Uses the password from <command>--password</command>
 195         or prompts for one.</para>
 196         </listitem>
 197         </varlistentry>
 198
 199         <varlistentry>
 200             <term>--require-membership-of={SID|Name}</term>
 201             <listitem><para>Require that a user be a member of specified
 202             group (either name or SID) for authentication to succeed.</para>
 203             </listitem>
 204         </varlistentry>
 205
 206         </variablelist>
 207 </refsect1>
 208
 209 <refsect1>
 210         <title>EXAMPLE SETUP</title>
 211
 212         <para>To setup ntlm_auth for use by squid 2.5, with both basic and
 213         NTLMSSP authentication, the following
 214         should be placed in the <filename>squid.conf</filename> file.
 215 <programlisting>
 216 auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp
 217 auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic
 218 auth_param basic children 5
 219 auth_param basic realm Squid proxy-caching web server
 220 auth_param basic credentialsttl 2 hours
 221 </programlisting></para>
 222
 223 <note><para>This example assumes that ntlm_auth has been installed into your
 224       path, and that the group permissions on
 225       <filename>winbindd_privileged</filename> are as described above.</para></note>
 226
 227         <para>To setup ntlm_auth for use by squid 2.5 with group limitation in addition to the above
 228         example, the following should be added to the <filename>squid.conf</filename> file.
 229 <programlisting>
 230 auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users'
 231 auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users'
 232 </programlisting></para>
 233
 234 </refsect1>
 235
 236 <refsect1>
 237         <title>TROUBLESHOOTING</title>
 238
 239         <para>If you're experiencing problems with authenticating Internet Explorer running
 240         under MS Windows 9X or Millenium Edition against ntlm_auth's NTLMSSP authentication
 241         helper (--helper-protocol=squid-2.5-ntlmssp), then please read
 242         <ulink url="http://support.microsoft.com/support/kb/articles/Q239/8/69.ASP">
 243         the Microsoft Knowledge Base article #239869 and follow instructions described there</ulink>.
 244         </para>
 245 </refsect1>
 246
 247 <refsect1>
 248         <title>VERSION</title>
 249
 250         <para>This man page is correct for version 3.0 of the Samba
 251         suite.</para>
 252 </refsect1>
 253
 254 <refsect1>
 255         <title>AUTHOR</title>
 256
 257         <para>The original Samba software and related utilities
 258         were created by Andrew Tridgell. Samba is now developed
 259         by the Samba Team as an Open Source project similar
 260         to the way the Linux kernel is developed.</para>
 261
 262         <para>The ntlm_auth manpage was written by Jelmer Vernooij and
 263         Andrew Bartlett.</para>
 264 </refsect1>
 265
 266 </refentry>