diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
commit | 4f5791ebd03eaec1c7da0865a383175b05102712 (patch) | |
tree | 8ce7b00f7a76baa386372422adebbe64510812d4 /docs-xml/manpages/ntlm_auth.1.xml | |
parent | Initial commit. (diff) | |
download | samba-upstream.tar.xz samba-upstream.zip |
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'docs-xml/manpages/ntlm_auth.1.xml')
-rw-r--r-- | docs-xml/manpages/ntlm_auth.1.xml | 460 |
1 files changed, 460 insertions, 0 deletions
diff --git a/docs-xml/manpages/ntlm_auth.1.xml b/docs-xml/manpages/ntlm_auth.1.xml new file mode 100644 index 0000000..c257d1d --- /dev/null +++ b/docs-xml/manpages/ntlm_auth.1.xml @@ -0,0 +1,460 @@ +<?xml version="1.0" encoding="iso-8859-1"?> +<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> +<refentry id="ntlm-auth.1"> + +<refmeta> + <refentrytitle>ntlm_auth</refentrytitle> + <manvolnum>1</manvolnum> + <refmiscinfo class="source">Samba</refmiscinfo> + <refmiscinfo class="manual">User Commands</refmiscinfo> + <refmiscinfo class="version">&doc.version;</refmiscinfo> +</refmeta> + + +<refnamediv> + <refname>ntlm_auth</refname> + <refpurpose>tool to allow external access to Winbind's NTLM authentication function</refpurpose> +</refnamediv> + +<refsynopsisdiv> + <cmdsynopsis> + <command>ntlm_auth</command> + </cmdsynopsis> +</refsynopsisdiv> + +<refsect1> + <title>DESCRIPTION</title> + + <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle> + <manvolnum>7</manvolnum></citerefentry> suite.</para> + + <para><command>ntlm_auth</command> is a helper utility that authenticates + users using NT/LM authentication. It returns 0 if the users is authenticated + successfully and 1 if access was denied. ntlm_auth uses winbind to access + the user and authentication data for a domain. This utility + is only intended to be used by other programs (currently + <ulink url="http://www.squid-cache.org/">Squid</ulink> + and <ulink url="http://download.samba.org/ftp/unpacked/lorikeet/trunk/mod_ntlm_winbind/">mod_ntlm_winbind</ulink>) + </para> +</refsect1> + +<refsect1> + <title>OPERATIONAL REQUIREMENTS</title> + + <para> + The <citerefentry><refentrytitle>winbindd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> daemon must be operational + for many of these commands to function.</para> + + <para>Some of these commands also require access to the directory + <filename>winbindd_privileged</filename> in + <filename>$LOCKDIR</filename>. This should be done either by running + this command as root or providing group access + to the <filename>winbindd_privileged</filename> directory. For + security reasons, this directory should not be world-accessable. </para> + +</refsect1> + + +<refsect1> + <title>OPTIONS</title> + + <variablelist> + <varlistentry> + <term>--helper-protocol=PROTO</term> + <listitem><para> + Operate as a stdio-based helper. Valid helper protocols are: + </para> + <variablelist> + <varlistentry> + <term>squid-2.4-basic</term> + <listitem><para> + Server-side helper for use with Squid 2.4's basic (plaintext) + authentication. </para> + </listitem> + </varlistentry> + <varlistentry> + <term>squid-2.5-basic</term> + <listitem><para> + Server-side helper for use with Squid 2.5's basic (plaintext) + authentication. </para> + </listitem> + </varlistentry> + <varlistentry> + <term>squid-2.5-ntlmssp</term> + <listitem><para> + Server-side helper for use with Squid 2.5's NTLMSSP + authentication. </para> + <para>Requires access to the directory + <filename>winbindd_privileged</filename> in + <filename>$LOCKDIR</filename>. The protocol used is + described here: <ulink + url="http://devel.squid-cache.org/ntlm/squid_helper_protocol.html">http://devel.squid-cache.org/ntlm/squid_helper_protocol.html</ulink>. + This protocol has been extended to allow the + NTLMSSP Negotiate packet to be included as an argument + to the <command>YR</command> command. (Thus avoiding + loss of information in the protocol exchange). + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>ntlmssp-client-1</term> + <listitem><para> + Client-side helper for use with arbitrary external + programs that may wish to use Samba's NTLMSSP + authentication knowledge. </para> + <para>This helper is a client, and as such may be run by any + user. The protocol used is + effectively the reverse of the previous protocol. A + <command>YR</command> command (without any arguments) + starts the authentication exchange. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>gss-spnego</term> + <listitem><para> + Server-side helper that implements GSS-SPNEGO. This + uses a protocol that is almost the same as + <command>squid-2.5-ntlmssp</command>, but has some + subtle differences that are undocumented outside the + source at this stage. + </para> + <para>Requires access to the directory + <filename>winbindd_privileged</filename> in + <filename>$LOCKDIR</filename>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>gss-spnego-client</term> + <listitem><para> + Client-side helper that implements GSS-SPNEGO. This + also uses a protocol similar to the above helpers, but + is currently undocumented. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ntlm-server-1</term> + <listitem><para> + Server-side helper protocol, intended for use by a + RADIUS server or the 'winbind' plugin for pppd, for + the provision of MSCHAP and MSCHAPv2 authentication. + </para> + <para>This protocol consists of lines in the form: + <command>Parameter: value</command> and <command>Parameter:: + Base64-encode value</command>. The presence of a single + period <command>.</command> indicates that one side has + finished supplying data to the other. (Which in turn + could cause the helper to authenticate the + user). </para> + + <para>Currently implemented parameters from the + external program to the helper are:</para> + <variablelist> + <varlistentry> + <term>Username</term> + <listitem><para>The username, expected to be in + Samba's <smbconfoption name="unix charset"/>. + </para> + <varlistentry> + <term>Examples:</term> + <para>Username: bob</para> + <para>Username:: Ym9i</para> + </varlistentry> + </listitem> + </varlistentry> + + <varlistentry> + <term>NT-Domain</term> + <listitem><para>The user's domain, expected to be in + Samba's <smbconfoption name="unix charset"/>. + </para> + + <varlistentry> + <term>Examples:</term> + <para>NT-Domain: WORKGROUP</para> + <para>NT-Domain:: V09SS0dST1VQ</para> + </varlistentry> + </listitem> + </varlistentry> + + <varlistentry> + <term>Full-Username</term> + <listitem><para>The fully qualified username, expected to be + in Samba's <smbconfoption name="unix charset"/> and qualified + with the <smbconfoption name="winbind separator"/>.</para> + <varlistentry> + <term>Examples:</term> + <para>Full-Username: WORKGROUP\bob</para> + <para>Full-Username:: V09SS0dST1VQYm9i</para> + </varlistentry> + </listitem> + </varlistentry> + + <varlistentry> + <term>LANMAN-Challenge</term> + <listitem><para>The 8 byte <command>LANMAN Challenge</command> + value, generated randomly by the server, or (in cases such + as MSCHAPv2) generated in some way by both the server and + the client.</para> + <varlistentry> + <term>Examples:</term> + <para>LANMAN-Challenge: 0102030405060708</para> + </varlistentry> + </listitem> + </varlistentry> + + <varlistentry> + <term>LANMAN-Response</term> + <listitem><para>The 24 byte <command>LANMAN Response</command> value, + calculated from the user's password and the supplied + <command>LANMAN Challenge</command>. Typically, this + is provided over the network by a client wishing to authenticate. + </para> + <varlistentry> + <term>Examples:</term> + <para>LANMAN-Response: 0102030405060708090A0B0C0D0E0F101112131415161718</para> + </varlistentry> + </listitem> + </varlistentry> + + <varlistentry> + <term>NT-Response</term> + <listitem><para>The >= 24 byte <command>NT Response</command> + calculated from the user's password and the supplied + <command>LANMAN Challenge</command>. Typically, this is + provided over the network by a client wishing to authenticate. + </para> + <varlistentry> + <term>Examples:</term> + <para>NT-Response: 0102030405060708090A0B0C0D0E0F10111213141516171</para> + </varlistentry> + </listitem> + </varlistentry> + + <varlistentry> + <term>Password</term> + <listitem><para>The user's password. This would be + provided by a network client, if the helper is being + used in a legacy situation that exposes plaintext + passwords in this way.</para> + <varlistentry> + <term>Examples:</term> + <para>Password: samba2</para> + <para>Password:: c2FtYmEy</para> + </varlistentry> + </listitem> + </varlistentry> + + <varlistentry> + <term>Request-User-Session-Key</term> + <listitem><para>Upon successful authentication, return + the user session key associated with the login.</para> + <varlistentry> + <term>Examples:</term> + <para>Request-User-Session-Key: Yes</para> + </varlistentry> + </listitem> + </varlistentry> + + <varlistentry> + <term>Request-LanMan-Session-Key</term> + <listitem><para>Upon successful authentication, return + the LANMAN session key associated with the login. + </para> + <varlistentry> + <term>Examples:</term> + <para>Request-LanMan-Session-Key: Yes</para> + </varlistentry> + </listitem> + </varlistentry> + + </variablelist> + </listitem> + </varlistentry> + </variablelist> + <warning><para>Implementers should take care to base64 encode + any data (such as usernames/passwords) that may contain malicious user data, such as + a newline. They may also need to decode strings from + the helper, which likewise may have been base64 encoded.</para></warning> + </listitem> + </varlistentry> + + <varlistentry> + <term>--username=USERNAME</term> + <listitem><para> + Specify username of user to authenticate + </para></listitem> + + </varlistentry> + + <varlistentry> + <term>--domain=DOMAIN</term> + <listitem><para> + Specify domain of user to authenticate + </para></listitem> + </varlistentry> + + <varlistentry> + <term>--workstation=WORKSTATION</term> + <listitem><para> + Specify the workstation the user authenticated from + </para></listitem> + </varlistentry> + + <varlistentry> + <term>--challenge=STRING</term> + <listitem><para>NTLM challenge (in HEXADECIMAL)</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>--lm-response=RESPONSE</term> + <listitem><para>LM Response to the challenge (in HEXADECIMAL)</para></listitem> + </varlistentry> + + <varlistentry> + <term>--nt-response=RESPONSE</term> + <listitem><para>NT or NTLMv2 Response to the challenge (in HEXADECIMAL)</para></listitem> + </varlistentry> + + <varlistentry> + <term>--password=PASSWORD</term> + <listitem><para>User's plaintext password</para><para>If + not specified on the command line, this is prompted for when + required. </para> + + <para>For the NTLMSSP based server roles, this parameter + specifies the expected password, allowing testing without + winbindd operational.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>--request-lm-key</term> + <listitem><para>Retrieve LM session key</para></listitem> + </varlistentry> + + <varlistentry> + <term>--request-nt-key</term> + <listitem><para>Request NT key</para></listitem> + </varlistentry> + + <varlistentry> + <term>--diagnostics</term> + <listitem><para>Perform Diagnostics on the authentication + chain. Uses the password from <command>--password</command> + or prompts for one.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>--require-membership-of={SID|Name}</term> + <listitem><para>Require that a user be a member of specified + group (either name or SID) for authentication to succeed.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>--pam-winbind-conf=FILENAME</term> + <listitem><para>Define the path to the pam_winbind.conf file.</para></listitem> + </varlistentry> + + <varlistentry> + <term>--target-hostname=HOSTNAME</term> + <listitem><para>Define the target hostname.</para></listitem> + </varlistentry> + + <varlistentry> + <term>--target-service=SERVICE</term> + <listitem><para>Define the target service.</para></listitem> + </varlistentry> + + <varlistentry> + <term>--use-cached-creds</term> + <listitem><para>Whether to use credentials cached by winbindd.</para></listitem> + </varlistentry> + + <varlistentry> + <term>--allow-mschapv2</term> + <listitem><para>Explicitly allow MSCHAPv2.</para></listitem> + </varlistentry> + + <varlistentry> + <term>--offline-logon</term> + <listitem><para>Allow offline logons for plain text auth. + </para></listitem> + </varlistentry> + + &popt.autohelp; + &cmdline.common.debug.client; + &cmdline.common.config.client; + &cmdline.common.option; + &cmdline.version; + + </variablelist> +</refsect1> + +<refsect1> + <title>EXAMPLE SETUP</title> + + <para>To setup ntlm_auth for use by squid 2.5, with both basic and + NTLMSSP authentication, the following + should be placed in the <filename>squid.conf</filename> file. +<programlisting> +auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp +auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic +auth_param basic children 5 +auth_param basic realm Squid proxy-caching web server +auth_param basic credentialsttl 2 hours +</programlisting></para> + +<note><para>This example assumes that ntlm_auth has been installed into your + path, and that the group permissions on + <filename>winbindd_privileged</filename> are as described above.</para></note> + + <para>To setup ntlm_auth for use by squid 2.5 with group limitation in addition to the above + example, the following should be added to the <filename>squid.conf</filename> file. +<programlisting> +auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users' +auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users' +</programlisting></para> + +</refsect1> + +<refsect1> + <title>TROUBLESHOOTING</title> + + <para>If you're experiencing problems with authenticating Internet Explorer running + under MS Windows 9X or Millennium Edition against ntlm_auth's NTLMSSP authentication + helper (--helper-protocol=squid-2.5-ntlmssp), then please read + <ulink url="http://support.microsoft.com/support/kb/articles/Q239/8/69.ASP"> + the Microsoft Knowledge Base article #239869 and follow instructions described there</ulink>. + </para> +</refsect1> + +<refsect1> + <title>VERSION</title> + + <para>This man page is part of version &doc.version; of the Samba + suite.</para> +</refsect1> + +<refsect1> + <title>AUTHOR</title> + + <para>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</para> + + <para>The ntlm_auth manpage was written by Jelmer Vernooij and + Andrew Bartlett.</para> +</refsect1> + +</refentry> |