← Back to branch summary

~ubuntu-branches/ubuntu/maverick/samba/maverick-security

« back to all changes in this revision

Viewing changes to docs/htmldocs/manpages/ntlm_auth.1.html

  • Committer: Bazaar Package Importer
  • Author(s): Chuck Short
  • Date: 2010-01-29 06:16:15 UTC
  • mfrom: (0.27.9 upstream) (0.34.4 squeeze)
  • Revision ID: james.westby@ubuntu.com-20100129061615-37hs6xqpsdhjq3ld
Tags: 2:3.4.5~dfsg-1ubuntu1
https://launchpad.net/bugs/462169
https://launchpad.net/bugs/493565
* Merge from debian testing.  Remaining changes:
  + debian/patches/VERSION.patch:
    - set SAMBA_VERSION_SUFFIX to Ubuntu.
  + debian/smb.conf:
    - Add "(Samba, Ubuntu)" to server string.
    - Comment out the default [homes] share, and add a comment about "valid users = %s"
      to show users how to restrict access to \\server\username to only username.
    - Set 'usershare allow guests', so that usershare admins are allowed to create
      public shares in additon to authenticated ones.
    - add map to guest = Bad user, maps bad username to gues access.
  + debian/samba-common.conf:
    - Do not change priority to high if dhclient3 is installed.
    - Use priority medium instead of high for the workgroup question.
  + debian/mksambapasswd.awk:
    - Do not add user with UID less than 1000 to smbpasswd.
  + debian/control: 
    - Make libswbclient0 replace/conflict with hardy's likewise-open.
    - Don't build against ctdb, since its not in main yet.
  + debian/rules:
    - Enable "native" PIE hardening.
    - Add BIND_NOW to maximize benefit of RELRO hardening.
  + Add ufw integration:
    - Created debian/samba.ufw.profile.
    - debian/rules, debian/samba.dirs, debian/samba.files: install
  + Add apoort hook:
    - Created debian/source_samba.py.
    - debian/rules, debian/samba.dirs, debian/samba-common-bin.files: install
  + debian/rules, debian/samba.if-up: allow "NetworkManager" as a recognized address
    family... it's obviously /not/ an address family, but it's what gets
    sent when using NM, so we'll cope for now.  (LP: #462169). Taken from karmic-proposed.
  + debian/control: Recommend keyutils for smbfs (LP: #493565)
  + Dropped patches:
    - debian/patches/security-CVE-2009-3297.patch: No longer needed
    - debian/patches/fix-too-many-open-files.patch: No longer needed

Show diffs side-by-side

added added

removed removed

Lines of Context:
docs/htmldocs/manpages/ntlm_auth.1.html
1
 
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>ntlm_auth</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="ntlm-auth.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ntlm_auth &#8212; tool to allow external access to Winbind's NTLM authentication function</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">ntlm_auth</code> [-d debuglevel] [-l logdir] [-s &lt;smb config file&gt;]</p></div></div><div class="refsect1" lang="en"><a name="id2522953"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a class="citerefentry" href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">ntlm_auth</code> is a helper utility that authenticates 
 
1
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>ntlm_auth</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" title="ntlm_auth"><a name="ntlm-auth.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ntlm_auth &#8212; tool to allow external access to Winbind's NTLM authentication function</p></div><div class="refsynopsisdiv" title="Synopsis"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">ntlm_auth</code> [-d debuglevel] [-l logdir] [-s &lt;smb config file&gt;]</p></div></div><div class="refsect1" title="DESCRIPTION"><a name="id2528920"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a class="citerefentry" href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">ntlm_auth</code> is a helper utility that authenticates 
2
2
        users using NT/LM authentication. It returns 0 if the users is authenticated
3
3
        successfully and 1 if access was denied. ntlm_auth uses winbind to access 
4
4
        the user and authentication data for a domain.  This utility 
5
5
        is only indended to be used by other programs (currently
6
6
        <a class="ulink" href="http://www.squid-cache.org/" target="_top">Squid</a>
7
7
        and <a class="ulink" href="http://download.samba.org/ftp/unpacked/lorikeet/trunk/mod_ntlm_winbind/" target="_top">mod_ntlm_winbind</a>)
8
 
        </p></div><div class="refsect1" lang="en"><a name="id2483370"></a><h2>OPERATIONAL REQUIREMENTS</h2><p>
 
8
        </p></div><div class="refsect1" title="OPERATIONAL REQUIREMENTS"><a name="id2489332"></a><h2>OPERATIONAL REQUIREMENTS</h2><p>
9
9
    The <a class="citerefentry" href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon must be operational
10
10
    for many of these commands to function.</p><p>Some of these commands also require access to the directory 
11
11
    <code class="filename">winbindd_privileged</code> in
12
12
    <code class="filename">$LOCKDIR</code>.  This should be done either by running
13
13
    this command as root or providing group access
14
14
    to the <code class="filename">winbindd_privileged</code> directory.  For
15
 
    security reasons, this directory should not be world-accessable. </p></div><div class="refsect1" lang="en"><a name="id2483416"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">--helper-protocol=PROTO</span></dt><dd><p>
 
15
    security reasons, this directory should not be world-accessable. </p></div><div class="refsect1" title="OPTIONS"><a name="id2489378"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">--helper-protocol=PROTO</span></dt><dd><p>
16
16
        Operate as a stdio-based helper.  Valid helper protocols are:
17
17
        </p><div class="variablelist"><dl><dt><span class="term">squid-2.4-basic</span></dt><dd><p>
18
18
                Server-side helper for use with Squid 2.4's basic (plaintext)
60
60
                finished supplying data to the other.  (Which in turn
61
61
                could cause the helper to authenticate the
62
62
                user). </p><p>Curently implemented parameters from the
63
 
                external program to the helper are:</p><div class="variablelist"><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3>Implementors should take care to base64 encode
 
63
                external program to the helper are:</p><div class="variablelist"><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3>Implementors should take care to base64 encode
64
64
                any data (such as usernames/passwords) that may contain malicous user data, such as
65
65
                a newline.  They may also need to decode strings from
66
66
                the helper, which likewise may have been base64 encoded.</div><dl><dt><span class="term">Username</span></dt><dd><p>The username, expected to be in
67
67
                Samba's <a class="link" href="smb.conf.5.html#UNIXCHARSET" target="_top">unix charset</a>.
68
 
                </p><div class="example"><a name="id2483782"></a><p class="title"><b>Example�1.�</b></p><div class="example-contents">Username: bob</div></div><p><br class="example-break"></p><div class="example"><a name="id2483787"></a><p class="title"><b>Example�2.�</b></p><div class="example-contents">Username:: Ym9i</div></div><p><br class="example-break"></p></dd><dt><span class="term">Username</span></dt><dd><p>The user's domain, expected to be in
 
68
                </p><div class="example"><a name="id2489752"></a><p class="title"><b>Example�1.�</b></p><div class="example-contents">Username: bob</div></div><p><br class="example-break"></p><div class="example"><a name="id2489757"></a><p class="title"><b>Example�2.�</b></p><div class="example-contents">Username:: Ym9i</div></div><p><br class="example-break"></p></dd><dt><span class="term">Username</span></dt><dd><p>The user's domain, expected to be in
69
69
                Samba's <a class="link" href="smb.conf.5.html#UNIXCHARSET" target="_top">unix charset</a>.
70
 
                </p><div class="example"><a name="id2481589"></a><p class="title"><b>Example�3.�</b></p><div class="example-contents">Domain: WORKGROUP</div></div><p><br class="example-break"></p><div class="example"><a name="id2481593"></a><p class="title"><b>Example�4.�</b></p><div class="example-contents">Domain:: V09SS0dST1VQ</div></div><p><br class="example-break"></p></dd><dt><span class="term">Full-Username</span></dt><dd><p>The fully qualified username, expected to be in
 
70
                </p><div class="example"><a name="id2487554"></a><p class="title"><b>Example�3.�</b></p><div class="example-contents">Domain: WORKGROUP</div></div><p><br class="example-break"></p><div class="example"><a name="id2487559"></a><p class="title"><b>Example�4.�</b></p><div class="example-contents">Domain:: V09SS0dST1VQ</div></div><p><br class="example-break"></p></dd><dt><span class="term">Full-Username</span></dt><dd><p>The fully qualified username, expected to be in
71
71
                Samba's <a class="link" href="smb.conf.5.html#UNIXCHARSET" target="_top">unix charset</a> and qualified with the
72
72
                <a class="link" href="smb.conf.5.html#WINBINDSEPARATOR" target="_top">winbind separator</a>.
73
 
                </p><div class="example"><a name="id2481629"></a><p class="title"><b>Example�5.�</b></p><div class="example-contents">Full-Username: WORKGROUP\bob</div></div><p><br class="example-break"></p><div class="example"><a name="id2481633"></a><p class="title"><b>Example�6.�</b></p><div class="example-contents">Full-Username:: V09SS0dST1VQYm9i</div></div><p><br class="example-break"></p></dd><dt><span class="term">LANMAN-Challenge</span></dt><dd><p>The 8 byte <code class="literal">LANMAN Challenge</code> value,
 
73
                </p><div class="example"><a name="id2487596"></a><p class="title"><b>Example�5.�</b></p><div class="example-contents">Full-Username: WORKGROUP\bob</div></div><p><br class="example-break"></p><div class="example"><a name="id2487600"></a><p class="title"><b>Example�6.�</b></p><div class="example-contents">Full-Username:: V09SS0dST1VQYm9i</div></div><p><br class="example-break"></p></dd><dt><span class="term">LANMAN-Challenge</span></dt><dd><p>The 8 byte <code class="literal">LANMAN Challenge</code> value,
74
74
                generated randomly by the server, or (in cases such as
75
75
                MSCHAPv2) generated in some way by both the server and
76
76
                the client.
77
 
                </p><div class="example"><a name="id2481658"></a><p class="title"><b>Example�7.�</b></p><div class="example-contents">LANMAN-Challege: 0102030405060708</div></div><p><br class="example-break"></p></dd><dt><span class="term">LANMAN-Response</span></dt><dd><p>The 24 byte <code class="literal">LANMAN Response</code> value,
 
77
                </p><div class="example"><a name="id2487624"></a><p class="title"><b>Example�7.�</b></p><div class="example-contents">LANMAN-Challege: 0102030405060708</div></div><p><br class="example-break"></p></dd><dt><span class="term">LANMAN-Response</span></dt><dd><p>The 24 byte <code class="literal">LANMAN Response</code> value,
78
78
                calculated from the user's password and the supplied
79
79
                <code class="literal">LANMAN Challenge</code>.  Typically, this
80
80
                is provided over the network by a client wishing to authenticate.
81
 
                </p><div class="example"><a name="id2481689"></a><p class="title"><b>Example�8.�</b></p><div class="example-contents">LANMAN-Response: 0102030405060708090A0B0C0D0E0F101112131415161718</div></div><p><br class="example-break"></p></dd><dt><span class="term">NT-Response</span></dt><dd><p>The &gt;= 24 byte <code class="literal">NT Response</code>
 
81
                </p><div class="example"><a name="id2487656"></a><p class="title"><b>Example�8.�</b></p><div class="example-contents">LANMAN-Response: 0102030405060708090A0B0C0D0E0F101112131415161718</div></div><p><br class="example-break"></p></dd><dt><span class="term">NT-Response</span></dt><dd><p>The &gt;= 24 byte <code class="literal">NT Response</code>
82
82
                calculated from the user's password and the supplied
83
83
                <code class="literal">LANMAN Challenge</code>.  Typically, this is 
84
84
                provided over the network by a client wishing to authenticate.
85
 
                 </p><div class="example"><a name="id2481722"></a><p class="title"><b>Example�9.�</b></p><div class="example-contents">NT-Response: 0102030405060708090A0B0C0D0E0F101112131415161718</div></div><p><br class="example-break"></p></dd><dt><span class="term">Password</span></dt><dd><p>The user's password.  This would be
 
85
                 </p><div class="example"><a name="id2487689"></a><p class="title"><b>Example�9.�</b></p><div class="example-contents">NT-Response: 0102030405060708090A0B0C0D0E0F101112131415161718</div></div><p><br class="example-break"></p></dd><dt><span class="term">Password</span></dt><dd><p>The user's password.  This would be
86
86
                provided by a network client, if the helper is being
87
87
                used in a legacy situation that exposes plaintext
88
88
                passwords in this way.
89
 
                 </p><div class="example"><a name="id2481743"></a><p class="title"><b>Example�10.�</b></p><div class="example-contents">Password: samba2</div></div><p><br class="example-break"></p><div class="example"><a name="id2481747"></a><p class="title"><b>Example�11.�</b></p><div class="example-contents">Password:: c2FtYmEy</div></div><p><br class="example-break"></p></dd><dt><span class="term">Request-User-Session-Key</span></dt><dd><p>Apon sucessful authenticaiton, return
 
89
                 </p><div class="example"><a name="id2487709"></a><p class="title"><b>Example�10.�</b></p><div class="example-contents">Password: samba2</div></div><p><br class="example-break"></p><div class="example"><a name="id2487714"></a><p class="title"><b>Example�11.�</b></p><div class="example-contents">Password:: c2FtYmEy</div></div><p><br class="example-break"></p></dd><dt><span class="term">Request-User-Session-Key</span></dt><dd><p>Apon sucessful authenticaiton, return
90
90
                the user session key associated with the login.
91
 
                 </p><div class="example"><a name="id2481765"></a><p class="title"><b>Example�12.�</b></p><div class="example-contents">Request-User-Session-Key: Yes</div></div><p><br class="example-break"></p></dd><dt><span class="term">Request-LanMan-Session-Key</span></dt><dd><p>Apon sucessful authenticaiton, return
 
91
                 </p><div class="example"><a name="id2487731"></a><p class="title"><b>Example�12.�</b></p><div class="example-contents">Request-User-Session-Key: Yes</div></div><p><br class="example-break"></p></dd><dt><span class="term">Request-LanMan-Session-Key</span></dt><dd><p>Apon sucessful authenticaiton, return
92
92
                the LANMAN session key associated with the login.
93
 
                 </p><div class="example"><a name="id2481782"></a><p class="title"><b>Example�13.�</b></p><div class="example-contents">Request-LanMan-Session-Key: Yes</div></div><p><br class="example-break"></p></dd></dl></div></dd></dl></div></dd><dt><span class="term">--username=USERNAME</span></dt><dd><p>
 
93
                 </p><div class="example"><a name="id2487748"></a><p class="title"><b>Example�13.�</b></p><div class="example-contents">Request-LanMan-Session-Key: Yes</div></div><p><br class="example-break"></p></dd></dl></div></dd></dl></div></dd><dt><span class="term">--username=USERNAME</span></dt><dd><p>
94
94
        Specify username of user to authenticate
95
95
        </p></dd><dt><span class="term">--domain=DOMAIN</span></dt><dd><p>
96
96
        Specify domain of user to authenticate
115
115
investigating a problem. Levels above 3 are designed for 
116
116
use only by developers and generate HUGE amounts of log
117
117
data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will 
118
 
override the <a class="link" href="smb.conf.5.html#LOGLEVEL" target="_top">log level</a> parameter
119
 
in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-V</span></dt><dd><p>Prints the program version number.
120
 
</p></dd><dt><span class="term">-s &lt;configuration file&gt;</span></dt><dd><p>The file specified contains the 
 
118
override the <a class="link" href="smb.conf.5.html#" target="_top"></a> parameter
 
119
in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-V|--version</span></dt><dd><p>Prints the program version number.
 
120
</p></dd><dt><span class="term">-s|--configfile &lt;configuration file&gt;</span></dt><dd><p>The file specified contains the 
121
121
configuration details required by the server.  The 
122
122
information in this file includes server-specific
123
123
information such as what printcap file to use, as well 
128
128
<code class="constant">".progname"</code> will be appended (e.g. log.smbclient, 
129
129
log.smbd, etc...). The log file is never removed by the client.
130
130
</p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options.
131
 
</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id2532534"></a><h2>EXAMPLE SETUP</h2><p>To setup ntlm_auth for use by squid 2.5, with both basic and
 
131
</p></dd></dl></div></div><div class="refsect1" title="EXAMPLE SETUP"><a name="id2538506"></a><h2>EXAMPLE SETUP</h2><p>To setup ntlm_auth for use by squid 2.5, with both basic and
132
132
        NTLMSSP authentication, the following
133
133
        should be placed in the <code class="filename">squid.conf</code> file.
134
134
</p><pre class="programlisting">
137
137
auth_param basic children 5
138
138
auth_param basic realm Squid proxy-caching web server
139
139
auth_param basic credentialsttl 2 hours
140
 
</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This example assumes that ntlm_auth has been installed into your
 
140
</pre><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This example assumes that ntlm_auth has been installed into your
141
141
      path, and that the group permissions on
142
142
      <code class="filename">winbindd_privileged</code> are as described above.</p></div><p>To setup ntlm_auth for use by squid 2.5 with group limitation in addition to the above
143
143
        example, the following should be added to the <code class="filename">squid.conf</code> file.
144
144
</p><pre class="programlisting">
145
145
auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users'
146
146
auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users'
147
 
</pre></div><div class="refsect1" lang="en"><a name="id2532590"></a><h2>TROUBLESHOOTING</h2><p>If you're experiencing problems with authenticating Internet Explorer running
 
147
</pre></div><div class="refsect1" title="TROUBLESHOOTING"><a name="id2538561"></a><h2>TROUBLESHOOTING</h2><p>If you're experiencing problems with authenticating Internet Explorer running
148
148
        under MS Windows 9X or Millenium Edition against ntlm_auth's NTLMSSP authentication
149
149
        helper (--helper-protocol=squid-2.5-ntlmssp), then please read 
150
150
        <a class="ulink" href="http://support.microsoft.com/support/kb/articles/Q239/8/69.ASP" target="_top">
151
151
        the Microsoft Knowledge Base article #239869 and follow instructions described there</a>.
152
 
        </p></div><div class="refsect1" lang="en"><a name="id2532612"></a><h2>VERSION</h2><p>This man page is correct for version 3 of the Samba 
153
 
        suite.</p></div><div class="refsect1" lang="en"><a name="id2532623"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities 
 
152
        </p></div><div class="refsect1" title="VERSION"><a name="id2538583"></a><h2>VERSION</h2><p>This man page is correct for version 3 of the Samba 
 
153
        suite.</p></div><div class="refsect1" title="AUTHOR"><a name="id2538593"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities 
154
154
        were created by Andrew Tridgell. Samba is now developed
155
155
        by the Samba Team as an Open Source project similar 
156
156
        to the way the Linux kernel is developed.</p><p>The ntlm_auth manpage was written by Jelmer Vernooij and