diff options
Diffstat (limited to 'docs-xml/manpages-3/ntlm_auth.1.xml')
-rw-r--r-- | docs-xml/manpages-3/ntlm_auth.1.xml | 409 |
1 files changed, 0 insertions, 409 deletions
diff --git a/docs-xml/manpages-3/ntlm_auth.1.xml b/docs-xml/manpages-3/ntlm_auth.1.xml deleted file mode 100644 index dcf9b42503..0000000000 --- a/docs-xml/manpages-3/ntlm_auth.1.xml +++ /dev/null @@ -1,409 +0,0 @@ -<?xml version="1.0" encoding="iso-8859-1"?> -<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> -<refentry id="ntlm-auth.1"> - -<refmeta> - <refentrytitle>ntlm_auth</refentrytitle> - <manvolnum>1</manvolnum> - <refmiscinfo class="source">Samba</refmiscinfo> - <refmiscinfo class="manual">User Commands</refmiscinfo> - <refmiscinfo class="version">3.6</refmiscinfo> -</refmeta> - - -<refnamediv> - <refname>ntlm_auth</refname> - <refpurpose>tool to allow external access to Winbind's NTLM authentication function</refpurpose> -</refnamediv> - -<refsynopsisdiv> - <cmdsynopsis> - <command>ntlm_auth</command> - <arg choice="opt">-d debuglevel</arg> - <arg choice="opt">-l logdir</arg> - <arg choice="opt">-s <smb config file></arg> - </cmdsynopsis> -</refsynopsisdiv> - -<refsect1> - <title>DESCRIPTION</title> - - <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle> - <manvolnum>7</manvolnum></citerefentry> suite.</para> - - <para><command>ntlm_auth</command> is a helper utility that authenticates - users using NT/LM authentication. It returns 0 if the users is authenticated - successfully and 1 if access was denied. ntlm_auth uses winbind to access - the user and authentication data for a domain. This utility - is only intended to be used by other programs (currently - <ulink url="http://www.squid-cache.org/">Squid</ulink> - and <ulink url="http://download.samba.org/ftp/unpacked/lorikeet/trunk/mod_ntlm_winbind/">mod_ntlm_winbind</ulink>) - </para> -</refsect1> - -<refsect1> - <title>OPERATIONAL REQUIREMENTS</title> - - <para> - The <citerefentry><refentrytitle>winbindd</refentrytitle> - <manvolnum>8</manvolnum></citerefentry> daemon must be operational - for many of these commands to function.</para> - - <para>Some of these commands also require access to the directory - <filename>winbindd_privileged</filename> in - <filename>$LOCKDIR</filename>. This should be done either by running - this command as root or providing group access - to the <filename>winbindd_privileged</filename> directory. For - security reasons, this directory should not be world-accessable. </para> - -</refsect1> - - -<refsect1> - <title>OPTIONS</title> - - <variablelist> - <varlistentry> - <term>--helper-protocol=PROTO</term> - <listitem><para> - Operate as a stdio-based helper. Valid helper protocols are: - </para> - <variablelist> - <varlistentry> - <term>squid-2.4-basic</term> - <listitem><para> - Server-side helper for use with Squid 2.4's basic (plaintext) - authentication. </para> - </listitem> - </varlistentry> - <varlistentry> - <term>squid-2.5-basic</term> - <listitem><para> - Server-side helper for use with Squid 2.5's basic (plaintext) - authentication. </para> - </listitem> - </varlistentry> - <varlistentry> - <term>squid-2.5-ntlmssp</term> - <listitem><para> - Server-side helper for use with Squid 2.5's NTLMSSP - authentication. </para> - <para>Requires access to the directory - <filename>winbindd_privileged</filename> in - <filename>$LOCKDIR</filename>. The protocol used is - described here: <ulink - url="http://devel.squid-cache.org/ntlm/squid_helper_protocol.html">http://devel.squid-cache.org/ntlm/squid_helper_protocol.html</ulink>. - This protocol has been extended to allow the - NTLMSSP Negotiate packet to be included as an argument - to the <command>YR</command> command. (Thus avoiding - loss of information in the protocol exchange). - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>ntlmssp-client-1</term> - <listitem><para> - Client-side helper for use with arbitrary external - programs that may wish to use Samba's NTLMSSP - authentication knowledge. </para> - <para>This helper is a client, and as such may be run by any - user. The protocol used is - effectively the reverse of the previous protocol. A - <command>YR</command> command (without any arguments) - starts the authentication exchange. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>gss-spnego</term> - <listitem><para> - Server-side helper that implements GSS-SPNEGO. This - uses a protocol that is almost the same as - <command>squid-2.5-ntlmssp</command>, but has some - subtle differences that are undocumented outside the - source at this stage. - </para> - <para>Requires access to the directory - <filename>winbindd_privileged</filename> in - <filename>$LOCKDIR</filename>. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>gss-spnego-client</term> - <listitem><para> - Client-side helper that implements GSS-SPNEGO. This - also uses a protocol similar to the above helpers, but - is currently undocumented. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ntlm-server-1</term> - <listitem><para> - Server-side helper protocol, intended for use by a - RADIUS server or the 'winbind' plugin for pppd, for - the provision of MSCHAP and MSCHAPv2 authentication. - </para> - <para>This protocol consists of lines in the form: - <command>Parameter: value</command> and <command>Parameter:: - Base64-encode value</command>. The presence of a single - period <command>.</command> indicates that one side has - finished supplying data to the other. (Which in turn - could cause the helper to authenticate the - user). </para> - - <para>Currently implemented parameters from the - external program to the helper are:</para> - <variablelist> - <varlistentry> - <term>Username</term> - - <listitem><para>The username, expected to be in - Samba's <smbconfoption name="unix charset"/>. - </para> - - <para><example>Username: bob</example></para> - <para><example>Username:: Ym9i</example></para> - </listitem></varlistentry> - - <varlistentry> - <term>NT-Domain</term> - <listitem><para>The user's domain, expected to be in - Samba's <smbconfoption name="unix charset"/>. - </para> - - <para><example>NT-Domain: WORKGROUP</example></para> - <para><example>NT-Domain:: V09SS0dST1VQ</example></para> - </listitem></varlistentry> - - <varlistentry> - <term>Full-Username</term> - <listitem><para>The fully qualified username, expected to be in - Samba's <smbconfoption name="unix charset"/> and qualified with the - <smbconfoption name="winbind separator"/>. - </para> - - <para><example>Full-Username: WORKGROUP\bob</example></para> - <para><example>Full-Username:: V09SS0dST1VQYm9i</example></para> - </listitem></varlistentry> - - <varlistentry> - <term>LANMAN-Challenge</term> - - <listitem><para>The 8 byte <command>LANMAN Challenge</command> value, - generated randomly by the server, or (in cases such as - MSCHAPv2) generated in some way by both the server and - the client. - </para> - <para><example>LANMAN-Challenge: 0102030405060708</example></para> - </listitem></varlistentry> - - <varlistentry> - <term>LANMAN-Response</term> - - <listitem><para>The 24 byte <command>LANMAN Response</command> value, - calculated from the user's password and the supplied - <command>LANMAN Challenge</command>. Typically, this - is provided over the network by a client wishing to authenticate. - </para> - <para><example>LANMAN-Response: 0102030405060708090A0B0C0D0E0F101112131415161718</example></para> - - </listitem></varlistentry> - - <varlistentry> - <term>NT-Response</term> - <listitem><para>The >= 24 byte <command>NT Response</command> - calculated from the user's password and the supplied - <command>LANMAN Challenge</command>. Typically, this is - provided over the network by a client wishing to authenticate. - </para> - <para><example>NT-Response: 0102030405060708090A0B0C0D0E0F101112131415161718</example></para> - - </listitem></varlistentry> - - <varlistentry> - <term>Password</term> - <listitem><para>The user's password. This would be - provided by a network client, if the helper is being - used in a legacy situation that exposes plaintext - passwords in this way. - </para> - <para><example>Password: samba2</example></para> - <para><example>Password:: c2FtYmEy</example></para> - - </listitem></varlistentry> - - <varlistentry> - <term>Request-User-Session-Key</term> - <listitem><para>Upon successful authenticaiton, return - the user session key associated with the login. - </para> - <para><example>Request-User-Session-Key: Yes</example></para> - - </listitem></varlistentry> - - <varlistentry> - <term>Request-LanMan-Session-Key</term> - <listitem><para>Upon successful authenticaiton, return - the LANMAN session key associated with the login. - </para> - <para><example>Request-LanMan-Session-Key: Yes</example></para> - - </listitem></varlistentry> - - <para><warning>Implementers should take care to base64 encode - any data (such as usernames/passwords) that may contain malicous user data, such as - a newline. They may also need to decode strings from - the helper, which likewise may have been base64 encoded.</warning></para> - </variablelist> - - </listitem> - </varlistentry> - </variablelist> - </listitem> - </varlistentry> - - <varlistentry> - <term>--username=USERNAME</term> - <listitem><para> - Specify username of user to authenticate - </para></listitem> - - </varlistentry> - - <varlistentry> - <term>--domain=DOMAIN</term> - <listitem><para> - Specify domain of user to authenticate - </para></listitem> - </varlistentry> - - <varlistentry> - <term>--workstation=WORKSTATION</term> - <listitem><para> - Specify the workstation the user authenticated from - </para></listitem> - </varlistentry> - - <varlistentry> - <term>--challenge=STRING</term> - <listitem><para>NTLM challenge (in HEXADECIMAL)</para> - </listitem> - </varlistentry> - - <varlistentry> - <term>--lm-response=RESPONSE</term> - <listitem><para>LM Response to the challenge (in HEXADECIMAL)</para></listitem> - </varlistentry> - - <varlistentry> - <term>--nt-response=RESPONSE</term> - <listitem><para>NT or NTLMv2 Response to the challenge (in HEXADECIMAL)</para></listitem> - </varlistentry> - - <varlistentry> - <term>--password=PASSWORD</term> - <listitem><para>User's plaintext password</para><para>If - not specified on the command line, this is prompted for when - required. </para> - - <para>For the NTLMSSP based server roles, this parameter - specifies the expected password, allowing testing without - winbindd operational.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term>--request-lm-key</term> - <listitem><para>Retrieve LM session key</para></listitem> - </varlistentry> - - <varlistentry> - <term>--request-nt-key</term> - <listitem><para>Request NT key</para></listitem> - </varlistentry> - - <varlistentry> - <term>--diagnostics</term> - <listitem><para>Perform Diagnostics on the authentication - chain. Uses the password from <command>--password</command> - or prompts for one.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term>--require-membership-of={SID|Name}</term> - <listitem><para>Require that a user be a member of specified - group (either name or SID) for authentication to succeed.</para> - </listitem> - </varlistentry> - - &stdarg.server.debug; - &popt.common.samba; - &stdarg.help; - - </variablelist> -</refsect1> - -<refsect1> - <title>EXAMPLE SETUP</title> - - <para>To setup ntlm_auth for use by squid 2.5, with both basic and - NTLMSSP authentication, the following - should be placed in the <filename>squid.conf</filename> file. -<programlisting> -auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp -auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic -auth_param basic children 5 -auth_param basic realm Squid proxy-caching web server -auth_param basic credentialsttl 2 hours -</programlisting></para> - -<note><para>This example assumes that ntlm_auth has been installed into your - path, and that the group permissions on - <filename>winbindd_privileged</filename> are as described above.</para></note> - - <para>To setup ntlm_auth for use by squid 2.5 with group limitation in addition to the above - example, the following should be added to the <filename>squid.conf</filename> file. -<programlisting> -auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users' -auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users' -</programlisting></para> - -</refsect1> - -<refsect1> - <title>TROUBLESHOOTING</title> - - <para>If you're experiencing problems with authenticating Internet Explorer running - under MS Windows 9X or Millennium Edition against ntlm_auth's NTLMSSP authentication - helper (--helper-protocol=squid-2.5-ntlmssp), then please read - <ulink url="http://support.microsoft.com/support/kb/articles/Q239/8/69.ASP"> - the Microsoft Knowledge Base article #239869 and follow instructions described there</ulink>. - </para> -</refsect1> - -<refsect1> - <title>VERSION</title> - - <para>This man page is correct for version 3 of the Samba - suite.</para> -</refsect1> - -<refsect1> - <title>AUTHOR</title> - - <para>The original Samba software and related utilities - were created by Andrew Tridgell. Samba is now developed - by the Samba Team as an Open Source project similar - to the way the Linux kernel is developed.</para> - - <para>The ntlm_auth manpage was written by Jelmer Vernooij and - Andrew Bartlett.</para> -</refsect1> - -</refentry> |