summaryrefslogtreecommitdiff
path: root/net/samba419/files/man/ntlm_auth.1
diff options
context:
space:
mode:
Diffstat (limited to 'net/samba419/files/man/ntlm_auth.1')
-rw-r--r--net/samba419/files/man/ntlm_auth.1458
1 files changed, 0 insertions, 458 deletions
diff --git a/net/samba419/files/man/ntlm_auth.1 b/net/samba419/files/man/ntlm_auth.1
deleted file mode 100644
index 932633931f3e..000000000000
--- a/net/samba419/files/man/ntlm_auth.1
+++ /dev/null
@@ -1,458 +0,0 @@
-'\" t
-.\" Title: ntlm_auth
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 08/09/2022
-.\" Manual: User Commands
-.\" Source: Samba 4.16.4
-.\" Language: English
-.\"
-.TH "NTLM_AUTH" "1" "08/09/2022" "Samba 4\&.16\&.4" "User Commands"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ntlm_auth \- tool to allow external access to Winbind\*(Aqs NTLM authentication function
-.SH "SYNOPSIS"
-.HP \w'\ 'u
-ntlm_auth
-.SH "DESCRIPTION"
-.PP
-This tool is part of the
-\fBsamba\fR(7)
-suite\&.
-.PP
-ntlm_auth
-is a helper utility that authenticates users using NT/LM authentication\&. It returns 0 if the users is authenticated successfully and 1 if access was denied\&. ntlm_auth uses winbind to access the user and authentication data for a domain\&. This utility is only intended to be used by other programs (currently
-Squid
-and
-mod_ntlm_winbind)
-.SH "OPERATIONAL REQUIREMENTS"
-.PP
-The
-\fBwinbindd\fR(8)
-daemon must be operational for many of these commands to function\&.
-.PP
-Some of these commands also require access to the directory
-winbindd_privileged
-in
-$LOCKDIR\&. This should be done either by running this command as root or providing group access to the
-winbindd_privileged
-directory\&. For security reasons, this directory should not be world\-accessable\&.
-.SH "OPTIONS"
-.PP
-\-\-helper\-protocol=PROTO
-.RS 4
-Operate as a stdio\-based helper\&. Valid helper protocols are:
-.PP
-squid\-2\&.4\-basic
-.RS 4
-Server\-side helper for use with Squid 2\&.4\*(Aqs basic (plaintext) authentication\&.
-.RE
-.PP
-squid\-2\&.5\-basic
-.RS 4
-Server\-side helper for use with Squid 2\&.5\*(Aqs basic (plaintext) authentication\&.
-.RE
-.PP
-squid\-2\&.5\-ntlmssp
-.RS 4
-Server\-side helper for use with Squid 2\&.5\*(Aqs NTLMSSP authentication\&.
-.sp
-Requires access to the directory
-winbindd_privileged
-in
-$LOCKDIR\&. The protocol used is described here:
-http://devel\&.squid\-cache\&.org/ntlm/squid_helper_protocol\&.html\&. This protocol has been extended to allow the NTLMSSP Negotiate packet to be included as an argument to the
-YR
-command\&. (Thus avoiding loss of information in the protocol exchange)\&.
-.RE
-.PP
-ntlmssp\-client\-1
-.RS 4
-Client\-side helper for use with arbitrary external programs that may wish to use Samba\*(Aqs NTLMSSP authentication knowledge\&.
-.sp
-This helper is a client, and as such may be run by any user\&. The protocol used is effectively the reverse of the previous protocol\&. A
-YR
-command (without any arguments) starts the authentication exchange\&.
-.RE
-.PP
-gss\-spnego
-.RS 4
-Server\-side helper that implements GSS\-SPNEGO\&. This uses a protocol that is almost the same as
-squid\-2\&.5\-ntlmssp, but has some subtle differences that are undocumented outside the source at this stage\&.
-.sp
-Requires access to the directory
-winbindd_privileged
-in
-$LOCKDIR\&.
-.RE
-.PP
-gss\-spnego\-client
-.RS 4
-Client\-side helper that implements GSS\-SPNEGO\&. This also uses a protocol similar to the above helpers, but is currently undocumented\&.
-.RE
-.PP
-ntlm\-server\-1
-.RS 4
-Server\-side helper protocol, intended for use by a RADIUS server or the \*(Aqwinbind\*(Aq plugin for pppd, for the provision of MSCHAP and MSCHAPv2 authentication\&.
-.sp
-This protocol consists of lines in the form:
-Parameter: value
-and
-Parameter:: Base64\-encode value\&. The presence of a single period
-\&.
-indicates that one side has finished supplying data to the other\&. (Which in turn could cause the helper to authenticate the user)\&.
-.sp
-Currently implemented parameters from the external program to the helper are:
-.PP
-Username
-.RS 4
-The username, expected to be in Samba\*(Aqs
-\m[blue]\fBunix charset\fR\m[]\&.
-.PP
-Examples:
-.RS 4
-Username: bob
-.sp
-Username:: Ym9i
-.RE
-.RE
-.PP
-NT\-Domain
-.RS 4
-The user\*(Aqs domain, expected to be in Samba\*(Aqs
-\m[blue]\fBunix charset\fR\m[]\&.
-.PP
-Examples:
-.RS 4
-NT\-Domain: WORKGROUP
-.sp
-NT\-Domain:: V09SS0dST1VQ
-.RE
-.RE
-.PP
-Full\-Username
-.RS 4
-The fully qualified username, expected to be in Samba\*(Aqs
-\m[blue]\fBunix charset\fR\m[]
-and qualified with the
-\m[blue]\fBwinbind separator\fR\m[]\&.
-.PP
-Examples:
-.RS 4
-Full\-Username: WORKGROUP\ebob
-.sp
-Full\-Username:: V09SS0dST1VQYm9i
-.RE
-.RE
-.PP
-LANMAN\-Challenge
-.RS 4
-The 8 byte
-LANMAN Challenge
-value, generated randomly by the server, or (in cases such as MSCHAPv2) generated in some way by both the server and the client\&.
-.PP
-Examples:
-.RS 4
-LANMAN\-Challenge: 0102030405060708
-.RE
-.RE
-.PP
-LANMAN\-Response
-.RS 4
-The 24 byte
-LANMAN Response
-value, calculated from the user\*(Aqs password and the supplied
-LANMAN Challenge\&. Typically, this is provided over the network by a client wishing to authenticate\&.
-.PP
-Examples:
-.RS 4
-LANMAN\-Response: 0102030405060708090A0B0C0D0E0F101112131415161718
-.RE
-.RE
-.PP
-NT\-Response
-.RS 4
-The >= 24 byte
-NT Response
-calculated from the user\*(Aqs password and the supplied
-LANMAN Challenge\&. Typically, this is provided over the network by a client wishing to authenticate\&.
-.PP
-Examples:
-.RS 4
-NT\-Response: 0102030405060708090A0B0C0D0E0F10111213141516171
-.RE
-.RE
-.PP
-Password
-.RS 4
-The user\*(Aqs password\&. This would be provided by a network client, if the helper is being used in a legacy situation that exposes plaintext passwords in this way\&.
-.PP
-Examples:
-.RS 4
-Password: samba2
-.sp
-Password:: c2FtYmEy
-.RE
-.RE
-.PP
-Request\-User\-Session\-Key
-.RS 4
-Upon successful authentication, return the user session key associated with the login\&.
-.PP
-Examples:
-.RS 4
-Request\-User\-Session\-Key: Yes
-.RE
-.RE
-.PP
-Request\-LanMan\-Session\-Key
-.RS 4
-Upon successful authentication, return the LANMAN session key associated with the login\&.
-.PP
-Examples:
-.RS 4
-Request\-LanMan\-Session\-Key: Yes
-.RE
-.RE
-.RE
-.sp
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBWarning\fR
-.ps -1
-.br
-Implementers should take care to base64 encode any data (such as usernames/passwords) that may contain malicious user data, such as a newline\&. They may also need to decode strings from the helper, which likewise may have been base64 encoded\&.
-.sp .5v
-.RE
-.RE
-.PP
-\-\-username=USERNAME
-.RS 4
-Specify username of user to authenticate
-.RE
-.PP
-\-\-domain=DOMAIN
-.RS 4
-Specify domain of user to authenticate
-.RE
-.PP
-\-\-workstation=WORKSTATION
-.RS 4
-Specify the workstation the user authenticated from
-.RE
-.PP
-\-\-challenge=STRING
-.RS 4
-NTLM challenge (in HEXADECIMAL)
-.RE
-.PP
-\-\-lm\-response=RESPONSE
-.RS 4
-LM Response to the challenge (in HEXADECIMAL)
-.RE
-.PP
-\-\-nt\-response=RESPONSE
-.RS 4
-NT or NTLMv2 Response to the challenge (in HEXADECIMAL)
-.RE
-.PP
-\-\-password=PASSWORD
-.RS 4
-User\*(Aqs plaintext password
-.sp
-If not specified on the command line, this is prompted for when required\&.
-.sp
-For the NTLMSSP based server roles, this parameter specifies the expected password, allowing testing without winbindd operational\&.
-.RE
-.PP
-\-\-request\-lm\-key
-.RS 4
-Retrieve LM session key
-.RE
-.PP
-\-\-request\-nt\-key
-.RS 4
-Request NT key
-.RE
-.PP
-\-\-diagnostics
-.RS 4
-Perform Diagnostics on the authentication chain\&. Uses the password from
-\-\-password
-or prompts for one\&.
-.RE
-.PP
-\-\-require\-membership\-of={SID|Name}
-.RS 4
-Require that a user be a member of specified group (either name or SID) for authentication to succeed\&.
-.RE
-.PP
-\-\-pam\-winbind\-conf=FILENAME
-.RS 4
-Define the path to the pam_winbind\&.conf file\&.
-.RE
-.PP
-\-\-target\-hostname=HOSTNAME
-.RS 4
-Define the target hostname\&.
-.RE
-.PP
-\-\-target\-service=SERVICE
-.RS 4
-Define the target service\&.
-.RE
-.PP
-\-\-use\-cached\-creds
-.RS 4
-Whether to use credentials cached by winbindd\&.
-.RE
-.PP
-\-\-allow\-mschapv2
-.RS 4
-Explicitly allow MSCHAPv2\&.
-.RE
-.PP
-\-\-offline\-logon
-.RS 4
-Allow offline logons for plain text auth\&.
-.RE
-.PP
-\-?|\-\-help
-.RS 4
-Print a summary of command line options\&.
-.RE
-.PP
-\-\-usage
-.RS 4
-Display brief usage message\&.
-.RE
-.PP
-\-d|\-\-debuglevel=DEBUGLEVEL
-.RS 4
-\fIlevel\fR
-is an integer from 0 to 10\&. The default value if this parameter is not specified is 1 for client applications\&.
-.sp
-The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
-.sp
-Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
-.sp
-Note that specifying this parameter here will override the
-\m[blue]\fBlog level\fR\m[]
-parameter in the
-smb\&.conf
-file\&.
-.RE
-.PP
-\-\-debug\-stdout
-.RS 4
-This will redirect debug output to STDOUT\&. By default all clients are logging to STDERR\&.
-.RE
-.PP
-\-\-configfile=<configuration file>
-.RS 4
-The file specified contains the configuration details required by the client\&. The information in this file can be general for client and server or only provide client specific like options such as
-\m[blue]\fBclient smb encrypt\fR\m[]\&. See
-smb\&.conf
-for more information\&. The default configuration file name is determined at compile time\&.
-.RE
-.PP
-\-\-option=<name>=<value>
-.RS 4
-Set the
-\fBsmb.conf\fR(5)
-option "<name>" to value "<value>" from the command line\&. This overrides compiled\-in defaults and options read from the configuration file\&. If a name or a value includes a space, wrap whole \-\-option=name=value into quotes\&.
-.RE
-.PP
-\-V|\-\-version
-.RS 4
-Prints the program version number\&.
-.RE
-.SH "EXAMPLE SETUP"
-.PP
-To setup ntlm_auth for use by squid 2\&.5, with both basic and NTLMSSP authentication, the following should be placed in the
-squid\&.conf
-file\&.
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-auth_param ntlm program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-ntlmssp
-auth_param basic program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-basic
-auth_param basic children 5
-auth_param basic realm Squid proxy\-caching web server
-auth_param basic credentialsttl 2 hours
-.fi
-.if n \{\
-.RE
-.\}
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBNote\fR
-.ps -1
-.br
-.PP
-This example assumes that ntlm_auth has been installed into your path, and that the group permissions on
-winbindd_privileged
-are as described above\&.
-.sp .5v
-.RE
-.PP
-To setup ntlm_auth for use by squid 2\&.5 with group limitation in addition to the above example, the following should be added to the
-squid\&.conf
-file\&.
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-auth_param ntlm program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-ntlmssp \-\-require\-membership\-of=\*(AqWORKGROUP\eDomain Users\*(Aq
-auth_param basic program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-basic \-\-require\-membership\-of=\*(AqWORKGROUP\eDomain Users\*(Aq
-.fi
-.if n \{\
-.RE
-.\}
-.SH "TROUBLESHOOTING"
-.PP
-If you\*(Aqre experiencing problems with authenticating Internet Explorer running under MS Windows 9X or Millennium Edition against ntlm_auth\*(Aqs NTLMSSP authentication helper (\-\-helper\-protocol=squid\-2\&.5\-ntlmssp), then please read
-the Microsoft Knowledge Base article #239869 and follow instructions described there\&.
-.SH "VERSION"
-.PP
-This man page is part of version 4\&.16\&.4 of the Samba suite\&.
-.SH "AUTHOR"
-.PP
-The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
-.PP
-The ntlm_auth manpage was written by Jelmer Vernooij and Andrew Bartlett\&.
generated by cgit v1.2.3 (git 2.25.1) at 2025-09-20 17:11:13 +0000