<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<refentry id="ntlm-auth.1">

<refmeta>
	<refentrytitle>ntlm_auth</refentrytitle>
	<manvolnum>1</manvolnum>
</refmeta>


<refnamediv>
	<refname>ntlm_auth</refname>
	<refpurpose>tool to allow external access to Winbind's NTLM authentication function</refpurpose>
</refnamediv>

<refsynopsisdiv>
	<cmdsynopsis>
		<command>ntlm_auth</command>
		<arg choice="opt">-d debuglevel</arg>
		<arg choice="opt">-l logdir</arg>
		<arg choice="opt">-s &lt;smb config file&gt;</arg>
	</cmdsynopsis>
</refsynopsisdiv>

<refsect1>
	<title>DESCRIPTION</title>

	<para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
	<manvolnum>7</manvolnum></citerefentry> suite.</para>

	<para><command>ntlm_auth</command> is a helper utility that authenticates
	users using NT/LM authentication. It returns 0 if the user is authenticated
	successfully and 1 if access was denied. ntlm_auth uses winbind to access
	the user and authentication data for a domain. This utility
	is only intended to be used by other programs (currently squid).
	</para>
</refsect1>

<refsect1>
	<title>OPERATIONAL REQUIREMENTS</title>

	<para>
	The <citerefentry><refentrytitle>winbindd</refentrytitle>
	<manvolnum>8</manvolnum></citerefentry> daemon must be operational
	for many of these commands to function.</para>

	<para>Some of these commands also require access to the directory
	<filename>winbindd_privileged</filename> in
	<filename>$LOCKDIR</filename>. This should be done either by running
	this command as root or by providing group access
	to the <filename>winbindd_privileged</filename> directory. For
	security reasons, this directory should not be world-accessible.
	</para>

</refsect1>


<refsect1>
	<title>OPTIONS</title>

	<variablelist>
	<varlistentry>
	<term>--helper-protocol=PROTO</term>
	<listitem><para>
	Operate as a stdio-based helper. Valid helper protocols are:
	</para>
	<variablelist>
		<varlistentry>
		<term>squid-2.4-basic</term>
		<listitem><para>
		Server-side helper for use with Squid 2.4's basic (plaintext)
		authentication. </para>
		</listitem>
		</varlistentry>
		<varlistentry>
		<term>squid-2.5-basic</term>
		<listitem><para>
		Server-side helper for use with Squid 2.5's basic (plaintext)
		authentication. </para>
		</listitem>
		</varlistentry>
		<varlistentry>
		<term>squid-2.5-ntlmssp</term>
		<listitem><para>
		Server-side helper for use with Squid 2.5's NTLMSSP
		authentication. </para>
		<para>Requires access to the directory
		<filename>winbindd_privileged</filename> in
		<filename>$LOCKDIR</filename>. The protocol used is
		described here: <ulink
		url="http://devel.squid-cache.org/ntlm/squid_helper_protocol.html">http://devel.squid-cache.org/ntlm/squid_helper_protocol.html</ulink>
		</para>
		</listitem>
		</varlistentry>
		<varlistentry>
		<term>ntlmssp-client-1</term>
		<listitem><para>
		Client-side helper for use with arbitrary external
		programs that may wish to use Samba's NTLMSSP
		authentication knowledge. </para>
		<para>This helper is a client, and as such may be run by any
		user. The protocol used is
		effectively the reverse of the previous protocol.
		</para>
		</listitem>
		</varlistentry>

		<varlistentry>
		<term>gss-spnego</term>
		<listitem><para>
		Server-side helper that implements GSS-SPNEGO. This
		uses a protocol that is almost the same as
		<command>squid-2.5-ntlmssp</command>, but has some
		subtle differences that are undocumented outside the
		source at this stage.
		</para>
		<para>Requires access to the directory
		<filename>winbindd_privileged</filename> in
		<filename>$LOCKDIR</filename>.
		</para>
		</listitem>
		</varlistentry>

		<varlistentry>
		<term>gss-spnego-client</term>
		<listitem><para>
		Client-side helper that implements GSS-SPNEGO. This
		also uses a protocol similar to the above helpers, but
		is currently undocumented.
		</para>
		</listitem>
		</varlistentry>
	</variablelist>
	</listitem>
	</varlistentry>

	<varlistentry>
	<term>--username=USERNAME</term>
	<listitem><para>
	Specify the username of the user to authenticate.
	</para></listitem>
	</varlistentry>

	<varlistentry>
	<term>--domain=DOMAIN</term>
	<listitem><para>
	Specify the domain of the user to authenticate.
	</para></listitem>
	</varlistentry>

	<varlistentry>
	<term>--workstation=WORKSTATION</term>
	<listitem><para>
	Specify the workstation the user authenticated from.
	</para></listitem>
	</varlistentry>

	<varlistentry>
	<term>--challenge=STRING</term>
	<listitem><para>NTLM challenge (in HEXADECIMAL)</para>
	</listitem>
	</varlistentry>

	<varlistentry>
	<term>--lm-response=RESPONSE</term>
	<listitem><para>LM Response to the challenge (in HEXADECIMAL)</para></listitem>
	</varlistentry>

	<varlistentry>
	<term>--nt-response=RESPONSE</term>
	<listitem><para>NT or NTLMv2 Response to the challenge (in HEXADECIMAL)</para></listitem>
	</varlistentry>

	<varlistentry>
	<term>--password=PASSWORD</term>
	<listitem><para>User's plaintext password</para><para>If
	not specified on the command line, this is prompted for when
	required.
	</para></listitem>
	</varlistentry>

	<varlistentry>
	<term>--request-lm-key</term>
	<listitem><para>Retrieve LM session key</para></listitem>
	</varlistentry>

	<varlistentry>
	<term>--request-nt-key</term>
	<listitem><para>Request NT key</para></listitem>
	</varlistentry>

	<varlistentry>
	<term>--diagnostics</term>
	<listitem><para>Perform diagnostics on the authentication
	chain. Uses the password from <command>--password</command>
	or prompts for one.</para>
	</listitem>
	</varlistentry>

	<varlistentry>
	<term>--require-membership-of={SID|Name}</term>
	<listitem><para>Require that a user be a member of the specified
	group (either name or SID) for authentication to succeed.</para>
	</listitem>
	</varlistentry>

	&popt.common.samba;
	&stdarg.help;

	</variablelist>
</refsect1>

<refsect1>
	<title>EXAMPLE SETUP</title>

	<para>To set up ntlm_auth for use by squid 2.5, with both basic and
	NTLMSSP authentication, the following
	should be placed in the <filename>squid.conf</filename> file.
<programlisting>
auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
</programlisting></para>

<note><para>This example assumes that ntlm_auth has been installed into your
  path, and that the group permissions on
  <filename>winbindd_privileged</filename> are as described above.</para></note>

	<para>To set up ntlm_auth for use by squid 2.5 with group limitation in addition to the above
	example, the following should be added to the <filename>squid.conf</filename> file.
<programlisting>
auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users'
auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users'
</programlisting></para>

</refsect1>

<refsect1>
	<title>TROUBLESHOOTING</title>

	<para>If you're experiencing problems with authenticating Internet Explorer running
	under MS Windows 9X or Millennium Edition against ntlm_auth's NTLMSSP authentication
	helper (--helper-protocol=squid-2.5-ntlmssp), then please read
	<ulink url="http://support.microsoft.com/support/kb/articles/Q239/8/69.ASP">
	the Microsoft Knowledge Base article #239869 and follow the instructions described there</ulink>.
	</para>
</refsect1>

<refsect1>
	<title>VERSION</title>

	<para>This man page is correct for version 3.0 of the Samba
	suite.</para>
</refsect1>

<refsect1>
	<title>AUTHOR</title>

	<para>The original Samba software and related utilities
	were created by Andrew Tridgell. Samba is now developed
	by the Samba Team as an Open Source project similar
	to the way the Linux kernel is developed.</para>

	<para>The ntlm_auth manpage was written by Jelmer Vernooij and
	Andrew Bartlett.</para>
</refsect1>

</refentry>
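An added example, not code from the Samba man page or the Samba project, showing how an external program would call ntlm_auth the way the DESCRIPTION section describes (exit 0 = authenticated, 1 = denied) and how to verify the winbindd_privileged permission requirement from OPERATIONAL REQUIREMENTS before relying on the helper. The /var/lib/samba lock directory, the user alice and her password are assumptions constructed for the demonstration.

```python
"""Drive ntlm_auth from an external program and check the
$LOCKDIR/winbindd_privileged permissions this man page requires.
Added example, not part of the Samba man page; the lock directory
used in __main__ is an assumption."""
import os
import shutil
import stat
import subprocess


def ntlm_auth_argv(username, domain, workstation=None,
                   require_group=None, password=None, prog="ntlm_auth"):
    """Build the command line from the options documented on this page."""
    argv = [prog, "--username=" + username, "--domain=" + domain]
    if workstation:
        argv.append("--workstation=" + workstation)
    if require_group:
        # Group name or SID, e.g. 'WORKGROUP\\Domain Users' as in EXAMPLE SETUP.
        argv.append("--require-membership-of=" + require_group)
    if password is not None:
        # Command-line arguments are visible to other local users via ps;
        # leaving --password out makes ntlm_auth prompt for it instead.
        argv.append("--password=" + password)
    return argv


def verdict(returncode):
    """Map ntlm_auth's exit status: 0 = authenticated, 1 = access denied."""
    return {0: "authenticated", 1: "denied"}.get(returncode, "error")


def privileged_dir_world_accessible(mode):
    """True if the mode bits grant read, write or search access to 'other'."""
    return bool(stat.S_IMODE(mode) & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH))


def check_privileged_dir(lockdir):
    """Return (exists, world_accessible) for $LOCKDIR/winbindd_privileged."""
    try:
        st = os.stat(os.path.join(lockdir, "winbindd_privileged"))
    except FileNotFoundError:
        return (False, False)
    return (True, privileged_dir_world_accessible(st.st_mode))


def authenticate(username, domain, password, workstation=None, require_group=None):
    """Run ntlm_auth and report its verdict; 'error' if the binary is missing."""
    if shutil.which("ntlm_auth") is None:
        return "error"
    argv = ntlm_auth_argv(username, domain, workstation, require_group, password)
    proc = subprocess.run(argv, stdin=subprocess.DEVNULL, capture_output=True)
    return verdict(proc.returncode)


if __name__ == "__main__":
    exists, world = check_privileged_dir("/var/lib/samba")  # assumed $LOCKDIR
    print("winbindd_privileged:", "missing" if not exists else
          "WORLD-ACCESSIBLE" if world else "ok")
    print(authenticate("alice", "WORKGROUP", "constructed-password"))
```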