summaryrefslogtreecommitdiff
path: root/net/samba419/files/man/ntlm_auth.1
diff options
context:
space:
mode:
Diffstat (limited to 'net/samba419/files/man/ntlm_auth.1')
-rw-r--r--net/samba419/files/man/ntlm_auth.1458
1 files changed, 458 insertions, 0 deletions
diff --git a/net/samba419/files/man/ntlm_auth.1 b/net/samba419/files/man/ntlm_auth.1
new file mode 100644
index 000000000000..932633931f3e
--- /dev/null
+++ b/net/samba419/files/man/ntlm_auth.1
@@ -0,0 +1,458 @@
+'\" t
+.\" Title: ntlm_auth
+.\" Author: [see the "AUTHOR" section]
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Date: 08/09/2022
+.\" Manual: User Commands
+.\" Source: Samba 4.16.4
+.\" Language: English
+.\"
+.TH "NTLM_AUTH" "1" "08/09/2022" "Samba 4\&.16\&.4" "User Commands"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+ntlm_auth \- tool to allow external access to Winbind\*(Aqs NTLM authentication function
+.SH "SYNOPSIS"
+.HP \w'\ 'u
+ntlm_auth
+.SH "DESCRIPTION"
+.PP
+This tool is part of the
+\fBsamba\fR(7)
+suite\&.
+.PP
+ntlm_auth
+is a helper utility that authenticates users using NT/LM authentication\&. It returns 0 if the users is authenticated successfully and 1 if access was denied\&. ntlm_auth uses winbind to access the user and authentication data for a domain\&. This utility is only intended to be used by other programs (currently
+Squid
+and
+mod_ntlm_winbind)
+.SH "OPERATIONAL REQUIREMENTS"
+.PP
+The
+\fBwinbindd\fR(8)
+daemon must be operational for many of these commands to function\&.
+.PP
+Some of these commands also require access to the directory
+winbindd_privileged
+in
+$LOCKDIR\&. This should be done either by running this command as root or providing group access to the
+winbindd_privileged
+directory\&. For security reasons, this directory should not be world\-accessable\&.
+.SH "OPTIONS"
+.PP
+\-\-helper\-protocol=PROTO
+.RS 4
+Operate as a stdio\-based helper\&. Valid helper protocols are:
+.PP
+squid\-2\&.4\-basic
+.RS 4
+Server\-side helper for use with Squid 2\&.4\*(Aqs basic (plaintext) authentication\&.
+.RE
+.PP
+squid\-2\&.5\-basic
+.RS 4
+Server\-side helper for use with Squid 2\&.5\*(Aqs basic (plaintext) authentication\&.
+.RE
+.PP
+squid\-2\&.5\-ntlmssp
+.RS 4
+Server\-side helper for use with Squid 2\&.5\*(Aqs NTLMSSP authentication\&.
+.sp
+Requires access to the directory
+winbindd_privileged
+in
+$LOCKDIR\&. The protocol used is described here:
+http://devel\&.squid\-cache\&.org/ntlm/squid_helper_protocol\&.html\&. This protocol has been extended to allow the NTLMSSP Negotiate packet to be included as an argument to the
+YR
+command\&. (Thus avoiding loss of information in the protocol exchange)\&.
+.RE
+.PP
+ntlmssp\-client\-1
+.RS 4
+Client\-side helper for use with arbitrary external programs that may wish to use Samba\*(Aqs NTLMSSP authentication knowledge\&.
+.sp
+This helper is a client, and as such may be run by any user\&. The protocol used is effectively the reverse of the previous protocol\&. A
+YR
+command (without any arguments) starts the authentication exchange\&.
+.RE
+.PP
+gss\-spnego
+.RS 4
+Server\-side helper that implements GSS\-SPNEGO\&. This uses a protocol that is almost the same as
+squid\-2\&.5\-ntlmssp, but has some subtle differences that are undocumented outside the source at this stage\&.
+.sp
+Requires access to the directory
+winbindd_privileged
+in
+$LOCKDIR\&.
+.RE
+.PP
+gss\-spnego\-client
+.RS 4
+Client\-side helper that implements GSS\-SPNEGO\&. This also uses a protocol similar to the above helpers, but is currently undocumented\&.
+.RE
+.PP
+ntlm\-server\-1
+.RS 4
+Server\-side helper protocol, intended for use by a RADIUS server or the \*(Aqwinbind\*(Aq plugin for pppd, for the provision of MSCHAP and MSCHAPv2 authentication\&.
+.sp
+This protocol consists of lines in the form:
+Parameter: value
+and
+Parameter:: Base64\-encode value\&. The presence of a single period
+\&.
+indicates that one side has finished supplying data to the other\&. (Which in turn could cause the helper to authenticate the user)\&.
+.sp
+Currently implemented parameters from the external program to the helper are:
+.PP
+Username
+.RS 4
+The username, expected to be in Samba\*(Aqs
+\m[blue]\fBunix charset\fR\m[]\&.
+.PP
+Examples:
+.RS 4
+Username: bob
+.sp
+Username:: Ym9i
+.RE
+.RE
+.PP
+NT\-Domain
+.RS 4
+The user\*(Aqs domain, expected to be in Samba\*(Aqs
+\m[blue]\fBunix charset\fR\m[]\&.
+.PP
+Examples:
+.RS 4
+NT\-Domain: WORKGROUP
+.sp
+NT\-Domain:: V09SS0dST1VQ
+.RE
+.RE
+.PP
+Full\-Username
+.RS 4
+The fully qualified username, expected to be in Samba\*(Aqs
+\m[blue]\fBunix charset\fR\m[]
+and qualified with the
+\m[blue]\fBwinbind separator\fR\m[]\&.
+.PP
+Examples:
+.RS 4
+Full\-Username: WORKGROUP\ebob
+.sp
+Full\-Username:: V09SS0dST1VQYm9i
+.RE
+.RE
+.PP
+LANMAN\-Challenge
+.RS 4
+The 8 byte
+LANMAN Challenge
+value, generated randomly by the server, or (in cases such as MSCHAPv2) generated in some way by both the server and the client\&.
+.PP
+Examples:
+.RS 4
+LANMAN\-Challenge: 0102030405060708
+.RE
+.RE
+.PP
+LANMAN\-Response
+.RS 4
+The 24 byte
+LANMAN Response
+value, calculated from the user\*(Aqs password and the supplied
+LANMAN Challenge\&. Typically, this is provided over the network by a client wishing to authenticate\&.
+.PP
+Examples:
+.RS 4
+LANMAN\-Response: 0102030405060708090A0B0C0D0E0F101112131415161718
+.RE
+.RE
+.PP
+NT\-Response
+.RS 4
+The >= 24 byte
+NT Response
+calculated from the user\*(Aqs password and the supplied
+LANMAN Challenge\&. Typically, this is provided over the network by a client wishing to authenticate\&.
+.PP
+Examples:
+.RS 4
+NT\-Response: 0102030405060708090A0B0C0D0E0F10111213141516171
+.RE
+.RE
+.PP
+Password
+.RS 4
+The user\*(Aqs password\&. This would be provided by a network client, if the helper is being used in a legacy situation that exposes plaintext passwords in this way\&.
+.PP
+Examples:
+.RS 4
+Password: samba2
+.sp
+Password:: c2FtYmEy
+.RE
+.RE
+.PP
+Request\-User\-Session\-Key
+.RS 4
+Upon successful authentication, return the user session key associated with the login\&.
+.PP
+Examples:
+.RS 4
+Request\-User\-Session\-Key: Yes
+.RE
+.RE
+.PP
+Request\-LanMan\-Session\-Key
+.RS 4
+Upon successful authentication, return the LANMAN session key associated with the login\&.
+.PP
+Examples:
+.RS 4
+Request\-LanMan\-Session\-Key: Yes
+.RE
+.RE
+.RE
+.sp
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBWarning\fR
+.ps -1
+.br
+Implementers should take care to base64 encode any data (such as usernames/passwords) that may contain malicious user data, such as a newline\&. They may also need to decode strings from the helper, which likewise may have been base64 encoded\&.
+.sp .5v
+.RE
+.RE
+.PP
+\-\-username=USERNAME
+.RS 4
+Specify username of user to authenticate
+.RE
+.PP
+\-\-domain=DOMAIN
+.RS 4
+Specify domain of user to authenticate
+.RE
+.PP
+\-\-workstation=WORKSTATION
+.RS 4
+Specify the workstation the user authenticated from
+.RE
+.PP
+\-\-challenge=STRING
+.RS 4
+NTLM challenge (in HEXADECIMAL)
+.RE
+.PP
+\-\-lm\-response=RESPONSE
+.RS 4
+LM Response to the challenge (in HEXADECIMAL)
+.RE
+.PP
+\-\-nt\-response=RESPONSE
+.RS 4
+NT or NTLMv2 Response to the challenge (in HEXADECIMAL)
+.RE
+.PP
+\-\-password=PASSWORD
+.RS 4
+User\*(Aqs plaintext password
+.sp
+If not specified on the command line, this is prompted for when required\&.
+.sp
+For the NTLMSSP based server roles, this parameter specifies the expected password, allowing testing without winbindd operational\&.
+.RE
+.PP
+\-\-request\-lm\-key
+.RS 4
+Retrieve LM session key
+.RE
+.PP
+\-\-request\-nt\-key
+.RS 4
+Request NT key
+.RE
+.PP
+\-\-diagnostics
+.RS 4
+Perform Diagnostics on the authentication chain\&. Uses the password from
+\-\-password
+or prompts for one\&.
+.RE
+.PP
+\-\-require\-membership\-of={SID|Name}
+.RS 4
+Require that a user be a member of specified group (either name or SID) for authentication to succeed\&.
+.RE
+.PP
+\-\-pam\-winbind\-conf=FILENAME
+.RS 4
+Define the path to the pam_winbind\&.conf file\&.
+.RE
+.PP
+\-\-target\-hostname=HOSTNAME
+.RS 4
+Define the target hostname\&.
+.RE
+.PP
+\-\-target\-service=SERVICE
+.RS 4
+Define the target service\&.
+.RE
+.PP
+\-\-use\-cached\-creds
+.RS 4
+Whether to use credentials cached by winbindd\&.
+.RE
+.PP
+\-\-allow\-mschapv2
+.RS 4
+Explicitly allow MSCHAPv2\&.
+.RE
+.PP
+\-\-offline\-logon
+.RS 4
+Allow offline logons for plain text auth\&.
+.RE
+.PP
+\-?|\-\-help
+.RS 4
+Print a summary of command line options\&.
+.RE
+.PP
+\-\-usage
+.RS 4
+Display brief usage message\&.
+.RE
+.PP
+\-d|\-\-debuglevel=DEBUGLEVEL
+.RS 4
+\fIlevel\fR
+is an integer from 0 to 10\&. The default value if this parameter is not specified is 1 for client applications\&.
+.sp
+The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
+.sp
+Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
+.sp
+Note that specifying this parameter here will override the
+\m[blue]\fBlog level\fR\m[]
+parameter in the
+smb\&.conf
+file\&.
+.RE
+.PP
+\-\-debug\-stdout
+.RS 4
+This will redirect debug output to STDOUT\&. By default all clients are logging to STDERR\&.
+.RE
+.PP
+\-\-configfile=<configuration file>
+.RS 4
+The file specified contains the configuration details required by the client\&. The information in this file can be general for client and server or only provide client specific like options such as
+\m[blue]\fBclient smb encrypt\fR\m[]\&. See
+smb\&.conf
+for more information\&. The default configuration file name is determined at compile time\&.
+.RE
+.PP
+\-\-option=<name>=<value>
+.RS 4
+Set the
+\fBsmb.conf\fR(5)
+option "<name>" to value "<value>" from the command line\&. This overrides compiled\-in defaults and options read from the configuration file\&. If a name or a value includes a space, wrap whole \-\-option=name=value into quotes\&.
+.RE
+.PP
+\-V|\-\-version
+.RS 4
+Prints the program version number\&.
+.RE
+.SH "EXAMPLE SETUP"
+.PP
+To setup ntlm_auth for use by squid 2\&.5, with both basic and NTLMSSP authentication, the following should be placed in the
+squid\&.conf
+file\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+auth_param ntlm program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-ntlmssp
+auth_param basic program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-basic
+auth_param basic children 5
+auth_param basic realm Squid proxy\-caching web server
+auth_param basic credentialsttl 2 hours
+.fi
+.if n \{\
+.RE
+.\}
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBNote\fR
+.ps -1
+.br
+.PP
+This example assumes that ntlm_auth has been installed into your path, and that the group permissions on
+winbindd_privileged
+are as described above\&.
+.sp .5v
+.RE
+.PP
+To setup ntlm_auth for use by squid 2\&.5 with group limitation in addition to the above example, the following should be added to the
+squid\&.conf
+file\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+auth_param ntlm program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-ntlmssp \-\-require\-membership\-of=\*(AqWORKGROUP\eDomain Users\*(Aq
+auth_param basic program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-basic \-\-require\-membership\-of=\*(AqWORKGROUP\eDomain Users\*(Aq
+.fi
+.if n \{\
+.RE
+.\}
+.SH "TROUBLESHOOTING"
+.PP
+If you\*(Aqre experiencing problems with authenticating Internet Explorer running under MS Windows 9X or Millennium Edition against ntlm_auth\*(Aqs NTLMSSP authentication helper (\-\-helper\-protocol=squid\-2\&.5\-ntlmssp), then please read
+the Microsoft Knowledge Base article #239869 and follow instructions described there\&.
+.SH "VERSION"
+.PP
+This man page is part of version 4\&.16\&.4 of the Samba suite\&.
+.SH "AUTHOR"
+.PP
+The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
+.PP
+The ntlm_auth manpage was written by Jelmer Vernooij and Andrew Bartlett\&.
generated by cgit v1.2.3 (git 2.25.1) at 2025-09-04 05:55:55 +0000