• Home
  • History
  • Annotate
  • Line#
  • Navigate
  • Raw
  • Download
  • only in /asuswrt-rt-n18u-9.0.0.4.380.2695/release/src-rt/router/samba-3.5.8/source4/utils/man/
1<?xml version="1.0" encoding="iso-8859-1"?>
2<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3<refentry id="ntlm-auth.1">
4
5<refmeta>
6	<refentrytitle>ntlm_auth</refentrytitle>
7	<manvolnum>1</manvolnum>
8</refmeta>
9
10
11<refnamediv>
12	<refname>ntlm_auth</refname>
13	<refpurpose>tool to allow external access to Winbind's NTLM authentication function</refpurpose>
14</refnamediv>
15
16<refsynopsisdiv>
17	<cmdsynopsis>
18		<command>ntlm_auth</command>
19		<arg choice="opt">-d debuglevel</arg>
20		<arg choice="opt">-l logdir</arg>
21		<arg choice="opt">-s &lt;smb config file&gt;</arg>
22	</cmdsynopsis>
23</refsynopsisdiv>
24
25<refsect1>
26	<title>DESCRIPTION</title>
27
28	<para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
29	<manvolnum>7</manvolnum></citerefentry> suite.</para>
30
31	<para><command>ntlm_auth</command> is a helper utility that authenticates 
32	users using NT/LM authentication. It returns 0 if the users is authenticated
33	successfully and 1 if access was denied. ntlm_auth uses winbind to access 
34	the user and authentication data for a domain.  This utility 
35	is only indended to be used by other programs (currently squid).
36	</para>
37</refsect1>
38
39<refsect1>
40	<title>OPERATIONAL REQUIREMENTS</title>
41
42    <para>
43    The <citerefentry><refentrytitle>winbindd</refentrytitle>
44    <manvolnum>8</manvolnum></citerefentry> daemon must be operational
45    for many of these commands to function.</para>
46
47    <para>Some of these commands also require access to the directory 
48    <filename>winbindd_privileged</filename> in
49    <filename>$LOCKDIR</filename>.  This should be done either by running
50    this command as root or providing group access
51    to the <filename>winbindd_privileged</filename> directory.  For
52    security reasons, this directory should not be world-accessable. </para>
53
54</refsect1>
55
56
57<refsect1>
58	<title>OPTIONS</title>
59
60	<variablelist>
61	<varlistentry>
62	<term>--helper-protocol=PROTO</term>
63	<listitem><para>
64	Operate as a stdio-based helper.  Valid helper protocols are:
65        </para> 
66        <variablelist>
67	      <varlistentry>
68		<term>squid-2.4-basic</term>
69		<listitem><para>
70                Server-side helper for use with Squid 2.4's basic (plaintext)
71		authentication.  </para>
72                </listitem>
73		</varlistentry>
74	      <varlistentry>
75		<term>squid-2.5-basic</term>
76		<listitem><para>
77                Server-side helper for use with Squid 2.5's basic (plaintext)
78		authentication. </para>
79                </listitem>
80		</varlistentry>
81	      <varlistentry>
82		<term>squid-2.5-ntlmssp</term>
83		<listitem><para>
84                Server-side helper for use with Squid 2.5's NTLMSSP 
85		authentication. </para>
86		  <para>Requires access to the directory 
87                <filename>winbindd_privileged</filename> in
88		<filename>$LOCKDIR</filename>.  The protocol used is
89		described here: <ulink
90		url="http://devel.squid-cache.org/ntlm/squid_helper_protocol.html">http://devel.squid-cache.org/ntlm/squid_helper_protocol.html</ulink>
91                </para>
92                </listitem>
93	      </varlistentry>
94	      <varlistentry>
95		<term>ntlmssp-client-1</term>
96		<listitem><para>
97                Cleint-side helper for use with arbitary external
98		programs that may wish to use Samba's NTLMSSP 
99		authentication knowlege. </para>
100		  <para>This helper is a client, and as such may be run by any
101		user.  The protocol used is
102		effectivly the reverse of the previous protocol.
103                </para>
104                </listitem>
105	      </varlistentry>
106
107	      <varlistentry>
108		<term>gss-spnego</term>
109		<listitem><para>
110                Server-side helper that implements GSS-SPNEGO.  This
111		uses a protocol that is almost the same as
112		<command>squid-2.5-ntlmssp</command>, but has some
113		subtle differences that are undocumented outside the
114		source at this stage.
115                </para>
116		  <para>Requires access to the directory 
117                <filename>winbindd_privileged</filename> in
118		<filename>$LOCKDIR</filename>.   
119               </para>
120                </listitem>
121		</varlistentry>
122                 
123	        <varlistentry>
124				<term>gss-spnego-client</term>
125		<listitem><para>
126                Client-side helper that implements GSS-SPNEGO.  This
127		also uses a protocol similar to the above helpers, but
128		is currently undocumented.
129                </para>
130                </listitem>
131		</varlistentry>
132	</variablelist>
133	</listitem>
134      </varlistentry>
135      
136      <varlistentry>
137	<term>--username=USERNAME</term>
138	<listitem><para>
139	Specify username of user to authenticate
140	</para></listitem>
141	
142      </varlistentry>
143      
144      <varlistentry>
145	<term>--domain=DOMAIN</term>
146	<listitem><para>
147	Specify domain of user to authenticate
148	</para></listitem>
149      </varlistentry>
150
151      <varlistentry>
152	<term>--workstation=WORKSTATION</term>
153	<listitem><para>
154	Specify the workstation the user authenticated from
155	</para></listitem>
156      </varlistentry>
157
158	<varlistentry>
159	<term>--challenge=STRING</term>
160	<listitem><para>NTLM challenge (in HEXADECIMAL)</para>
161	</listitem>
162	</varlistentry>
163
164	<varlistentry>
165	<term>--lm-response=RESPONSE</term>
166	<listitem><para>LM Response to the challenge (in HEXADECIMAL)</para></listitem>
167	</varlistentry>
168
169	<varlistentry>
170	<term>--nt-response=RESPONSE</term>
171	<listitem><para>NT or NTLMv2 Response to the challenge (in HEXADECIMAL)</para></listitem>
172	</varlistentry>
173
174	<varlistentry>
175	<term>--password=PASSWORD</term>
176	<listitem><para>User's plaintext password</para><para>If 
177	not specified on the command line, this is prompted for when
178	required.  </para></listitem>
179	</varlistentry>
180
181	<varlistentry>
182	<term>--request-lm-key</term>
183	<listitem><para>Retreive LM session key</para></listitem>
184	</varlistentry>
185
186	<varlistentry>
187	<term>--request-nt-key</term>
188	<listitem><para>Request NT key</para></listitem>
189	</varlistentry>
190
191      <varlistentry>
192	<term>--diagnostics</term>
193	<listitem><para>Perform Diagnostics on the authentication
194	chain.  Uses the password from <command>--password</command>
195	or prompts for one.</para>
196        </listitem>
197        </varlistentry>
198	
199	<varlistentry>
200	    <term>--require-membership-of={SID|Name}</term>
201	    <listitem><para>Require that a user be a member of specified 
202	    group (either name or SID) for authentication to succeed.</para>
203	    </listitem>
204	</varlistentry>
205
206	  &popt.common.samba;
207	  &stdarg.help;
208	
209	</variablelist>
210</refsect1>
211
212<refsect1>
213	<title>EXAMPLE SETUP</title>
214
215        <para>To setup ntlm_auth for use by squid 2.5, with both basic and
216	NTLMSSP authentication, the following
217	should be placed in the <filename>squid.conf</filename> file.
218<programlisting>
219auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp
220auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic
221auth_param basic children 5
222auth_param basic realm Squid proxy-caching web server
223auth_param basic credentialsttl 2 hours
224</programlisting></para>
225
226<note><para>This example assumes that ntlm_auth has been installed into your
227      path, and that the group permissions on
228      <filename>winbindd_privileged</filename> are as described above.</para></note>
229
230	<para>To setup ntlm_auth for use by squid 2.5 with group limitation in addition to the above
231	example, the following should be added to the <filename>squid.conf</filename> file.
232<programlisting>
233auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users'
234auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users'
235</programlisting></para>
236	
237</refsect1>
238
239<refsect1>
240	<title>TROUBLESHOOTING</title>
241	
242	<para>If you're experiencing problems with authenticating Internet Explorer running
243	under MS Windows 9X or Millenium Edition against ntlm_auth's NTLMSSP authentication
244	helper (--helper-protocol=squid-2.5-ntlmssp), then please read 
245	<ulink url="http://support.microsoft.com/support/kb/articles/Q239/8/69.ASP">
246	the Microsoft Knowledge Base article #239869 and follow instructions described there</ulink>.
247	</para>
248</refsect1>
249
250<refsect1>
251	<title>VERSION</title>
252
253	<para>This man page is correct for version 3.0 of the Samba 
254	suite.</para>
255</refsect1>
256
257<refsect1>
258	<title>AUTHOR</title>
259	
260	<para>The original Samba software and related utilities 
261	were created by Andrew Tridgell. Samba is now developed
262	by the Samba Team as an Open Source project similar 
263	to the way the Linux kernel is developed.</para>
264	
265	<para>The ntlm_auth manpage was written by Jelmer Vernooij and
266	Andrew Bartlett.</para>
267</refsect1>
268
269</refentry>
270