1
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>ntlm_auth</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="ntlm-auth.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ntlm_auth — tool to allow external access to Winbind's NTLM authentication function</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">ntlm_auth</code> [-d debuglevel] [-l logdir] [-s <smb config file>]</p></div></div><div class="refsect1" lang="en"><a name="id2522953"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a class="citerefentry" href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">ntlm_auth</code> is a helper utility that authenticates
1
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>ntlm_auth</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" title="ntlm_auth"><a name="ntlm-auth.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ntlm_auth — tool to allow external access to Winbind's NTLM authentication function</p></div><div class="refsynopsisdiv" title="Synopsis"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="literal">ntlm_auth</code> [-d debuglevel] [-l logdir] [-s <smb config file>]</p></div></div><div class="refsect1" title="DESCRIPTION"><a name="id2528920"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a class="citerefentry" href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p><code class="literal">ntlm_auth</code> is a helper utility that authenticates
2
2
users using NT/LM authentication. It returns 0 if the users is authenticated
3
3
successfully and 1 if access was denied. ntlm_auth uses winbind to access
4
4
the user and authentication data for a domain. This utility
5
5
is only indended to be used by other programs (currently
6
6
<a class="ulink" href="http://www.squid-cache.org/" target="_top">Squid</a>
7
7
and <a class="ulink" href="http://download.samba.org/ftp/unpacked/lorikeet/trunk/mod_ntlm_winbind/" target="_top">mod_ntlm_winbind</a>)
8
</p></div><div class="refsect1" lang="en"><a name="id2483370"></a><h2>OPERATIONAL REQUIREMENTS</h2><p>
8
</p></div><div class="refsect1" title="OPERATIONAL REQUIREMENTS"><a name="id2489332"></a><h2>OPERATIONAL REQUIREMENTS</h2><p>
9
9
The <a class="citerefentry" href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon must be operational
10
10
for many of these commands to function.</p><p>Some of these commands also require access to the directory
11
11
<code class="filename">winbindd_privileged</code> in
12
12
<code class="filename">$LOCKDIR</code>. This should be done either by running
13
13
this command as root or providing group access
14
14
to the <code class="filename">winbindd_privileged</code> directory. For
15
security reasons, this directory should not be world-accessable. </p></div><div class="refsect1" lang="en"><a name="id2483416"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">--helper-protocol=PROTO</span></dt><dd><p>
15
security reasons, this directory should not be world-accessable. </p></div><div class="refsect1" title="OPTIONS"><a name="id2489378"></a><h2>OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">--helper-protocol=PROTO</span></dt><dd><p>
16
16
Operate as a stdio-based helper. Valid helper protocols are:
17
17
</p><div class="variablelist"><dl><dt><span class="term">squid-2.4-basic</span></dt><dd><p>
18
18
Server-side helper for use with Squid 2.4's basic (plaintext)
60
60
finished supplying data to the other. (Which in turn
61
61
could cause the helper to authenticate the
62
62
user). </p><p>Curently implemented parameters from the
63
external program to the helper are:</p><div class="variablelist"><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3>Implementors should take care to base64 encode
63
external program to the helper are:</p><div class="variablelist"><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3>Implementors should take care to base64 encode
64
64
any data (such as usernames/passwords) that may contain malicous user data, such as
65
65
a newline. They may also need to decode strings from
66
66
the helper, which likewise may have been base64 encoded.</div><dl><dt><span class="term">Username</span></dt><dd><p>The username, expected to be in
67
67
Samba's <a class="link" href="smb.conf.5.html#UNIXCHARSET" target="_top">unix charset</a>.
68
</p><div class="example"><a name="id2483782"></a><p class="title"><b>Example�1.�</b></p><div class="example-contents">Username: bob</div></div><p><br class="example-break"></p><div class="example"><a name="id2483787"></a><p class="title"><b>Example�2.�</b></p><div class="example-contents">Username:: Ym9i</div></div><p><br class="example-break"></p></dd><dt><span class="term">Username</span></dt><dd><p>The user's domain, expected to be in
68
</p><div class="example"><a name="id2489752"></a><p class="title"><b>Example�1.�</b></p><div class="example-contents">Username: bob</div></div><p><br class="example-break"></p><div class="example"><a name="id2489757"></a><p class="title"><b>Example�2.�</b></p><div class="example-contents">Username:: Ym9i</div></div><p><br class="example-break"></p></dd><dt><span class="term">Username</span></dt><dd><p>The user's domain, expected to be in
69
69
Samba's <a class="link" href="smb.conf.5.html#UNIXCHARSET" target="_top">unix charset</a>.
70
</p><div class="example"><a name="id2481589"></a><p class="title"><b>Example�3.�</b></p><div class="example-contents">Domain: WORKGROUP</div></div><p><br class="example-break"></p><div class="example"><a name="id2481593"></a><p class="title"><b>Example�4.�</b></p><div class="example-contents">Domain:: V09SS0dST1VQ</div></div><p><br class="example-break"></p></dd><dt><span class="term">Full-Username</span></dt><dd><p>The fully qualified username, expected to be in
70
</p><div class="example"><a name="id2487554"></a><p class="title"><b>Example�3.�</b></p><div class="example-contents">Domain: WORKGROUP</div></div><p><br class="example-break"></p><div class="example"><a name="id2487559"></a><p class="title"><b>Example�4.�</b></p><div class="example-contents">Domain:: V09SS0dST1VQ</div></div><p><br class="example-break"></p></dd><dt><span class="term">Full-Username</span></dt><dd><p>The fully qualified username, expected to be in
71
71
Samba's <a class="link" href="smb.conf.5.html#UNIXCHARSET" target="_top">unix charset</a> and qualified with the
72
72
<a class="link" href="smb.conf.5.html#WINBINDSEPARATOR" target="_top">winbind separator</a>.
73
</p><div class="example"><a name="id2481629"></a><p class="title"><b>Example�5.�</b></p><div class="example-contents">Full-Username: WORKGROUP\bob</div></div><p><br class="example-break"></p><div class="example"><a name="id2481633"></a><p class="title"><b>Example�6.�</b></p><div class="example-contents">Full-Username:: V09SS0dST1VQYm9i</div></div><p><br class="example-break"></p></dd><dt><span class="term">LANMAN-Challenge</span></dt><dd><p>The 8 byte <code class="literal">LANMAN Challenge</code> value,
73
</p><div class="example"><a name="id2487596"></a><p class="title"><b>Example�5.�</b></p><div class="example-contents">Full-Username: WORKGROUP\bob</div></div><p><br class="example-break"></p><div class="example"><a name="id2487600"></a><p class="title"><b>Example�6.�</b></p><div class="example-contents">Full-Username:: V09SS0dST1VQYm9i</div></div><p><br class="example-break"></p></dd><dt><span class="term">LANMAN-Challenge</span></dt><dd><p>The 8 byte <code class="literal">LANMAN Challenge</code> value,
74
74
generated randomly by the server, or (in cases such as
75
75
MSCHAPv2) generated in some way by both the server and
77
</p><div class="example"><a name="id2481658"></a><p class="title"><b>Example�7.�</b></p><div class="example-contents">LANMAN-Challege: 0102030405060708</div></div><p><br class="example-break"></p></dd><dt><span class="term">LANMAN-Response</span></dt><dd><p>The 24 byte <code class="literal">LANMAN Response</code> value,
77
</p><div class="example"><a name="id2487624"></a><p class="title"><b>Example�7.�</b></p><div class="example-contents">LANMAN-Challege: 0102030405060708</div></div><p><br class="example-break"></p></dd><dt><span class="term">LANMAN-Response</span></dt><dd><p>The 24 byte <code class="literal">LANMAN Response</code> value,
78
78
calculated from the user's password and the supplied
79
79
<code class="literal">LANMAN Challenge</code>. Typically, this
80
80
is provided over the network by a client wishing to authenticate.
81
</p><div class="example"><a name="id2481689"></a><p class="title"><b>Example�8.�</b></p><div class="example-contents">LANMAN-Response: 0102030405060708090A0B0C0D0E0F101112131415161718</div></div><p><br class="example-break"></p></dd><dt><span class="term">NT-Response</span></dt><dd><p>The >= 24 byte <code class="literal">NT Response</code>
81
</p><div class="example"><a name="id2487656"></a><p class="title"><b>Example�8.�</b></p><div class="example-contents">LANMAN-Response: 0102030405060708090A0B0C0D0E0F101112131415161718</div></div><p><br class="example-break"></p></dd><dt><span class="term">NT-Response</span></dt><dd><p>The >= 24 byte <code class="literal">NT Response</code>
82
82
calculated from the user's password and the supplied
83
83
<code class="literal">LANMAN Challenge</code>. Typically, this is
84
84
provided over the network by a client wishing to authenticate.
85
</p><div class="example"><a name="id2481722"></a><p class="title"><b>Example�9.�</b></p><div class="example-contents">NT-Response: 0102030405060708090A0B0C0D0E0F101112131415161718</div></div><p><br class="example-break"></p></dd><dt><span class="term">Password</span></dt><dd><p>The user's password. This would be
85
</p><div class="example"><a name="id2487689"></a><p class="title"><b>Example�9.�</b></p><div class="example-contents">NT-Response: 0102030405060708090A0B0C0D0E0F101112131415161718</div></div><p><br class="example-break"></p></dd><dt><span class="term">Password</span></dt><dd><p>The user's password. This would be
86
86
provided by a network client, if the helper is being
87
87
used in a legacy situation that exposes plaintext
88
88
passwords in this way.
89
</p><div class="example"><a name="id2481743"></a><p class="title"><b>Example�10.�</b></p><div class="example-contents">Password: samba2</div></div><p><br class="example-break"></p><div class="example"><a name="id2481747"></a><p class="title"><b>Example�11.�</b></p><div class="example-contents">Password:: c2FtYmEy</div></div><p><br class="example-break"></p></dd><dt><span class="term">Request-User-Session-Key</span></dt><dd><p>Apon sucessful authenticaiton, return
89
</p><div class="example"><a name="id2487709"></a><p class="title"><b>Example�10.�</b></p><div class="example-contents">Password: samba2</div></div><p><br class="example-break"></p><div class="example"><a name="id2487714"></a><p class="title"><b>Example�11.�</b></p><div class="example-contents">Password:: c2FtYmEy</div></div><p><br class="example-break"></p></dd><dt><span class="term">Request-User-Session-Key</span></dt><dd><p>Apon sucessful authenticaiton, return
90
90
the user session key associated with the login.
91
</p><div class="example"><a name="id2481765"></a><p class="title"><b>Example�12.�</b></p><div class="example-contents">Request-User-Session-Key: Yes</div></div><p><br class="example-break"></p></dd><dt><span class="term">Request-LanMan-Session-Key</span></dt><dd><p>Apon sucessful authenticaiton, return
91
</p><div class="example"><a name="id2487731"></a><p class="title"><b>Example�12.�</b></p><div class="example-contents">Request-User-Session-Key: Yes</div></div><p><br class="example-break"></p></dd><dt><span class="term">Request-LanMan-Session-Key</span></dt><dd><p>Apon sucessful authenticaiton, return
92
92
the LANMAN session key associated with the login.
93
</p><div class="example"><a name="id2481782"></a><p class="title"><b>Example�13.�</b></p><div class="example-contents">Request-LanMan-Session-Key: Yes</div></div><p><br class="example-break"></p></dd></dl></div></dd></dl></div></dd><dt><span class="term">--username=USERNAME</span></dt><dd><p>
93
</p><div class="example"><a name="id2487748"></a><p class="title"><b>Example�13.�</b></p><div class="example-contents">Request-LanMan-Session-Key: Yes</div></div><p><br class="example-break"></p></dd></dl></div></dd></dl></div></dd><dt><span class="term">--username=USERNAME</span></dt><dd><p>
94
94
Specify username of user to authenticate
95
95
</p></dd><dt><span class="term">--domain=DOMAIN</span></dt><dd><p>
96
96
Specify domain of user to authenticate
115
115
investigating a problem. Levels above 3 are designed for
116
116
use only by developers and generate HUGE amounts of log
117
117
data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will
118
override the <a class="link" href="smb.conf.5.html#LOGLEVEL" target="_top">log level</a> parameter
119
in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-V</span></dt><dd><p>Prints the program version number.
120
</p></dd><dt><span class="term">-s <configuration file></span></dt><dd><p>The file specified contains the
118
override the <a class="link" href="smb.conf.5.html#" target="_top"></a> parameter
119
in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-V|--version</span></dt><dd><p>Prints the program version number.
120
</p></dd><dt><span class="term">-s|--configfile <configuration file></span></dt><dd><p>The file specified contains the
121
121
configuration details required by the server. The
122
122
information in this file includes server-specific
123
123
information such as what printcap file to use, as well
137
137
auth_param basic children 5
138
138
auth_param basic realm Squid proxy-caching web server
139
139
auth_param basic credentialsttl 2 hours
140
</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This example assumes that ntlm_auth has been installed into your
140
</pre><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This example assumes that ntlm_auth has been installed into your
141
141
path, and that the group permissions on
142
142
<code class="filename">winbindd_privileged</code> are as described above.</p></div><p>To setup ntlm_auth for use by squid 2.5 with group limitation in addition to the above
143
143
example, the following should be added to the <code class="filename">squid.conf</code> file.
144
144
</p><pre class="programlisting">
145
145
auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users'
146
146
auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users'
147
</pre></div><div class="refsect1" lang="en"><a name="id2532590"></a><h2>TROUBLESHOOTING</h2><p>If you're experiencing problems with authenticating Internet Explorer running
147
</pre></div><div class="refsect1" title="TROUBLESHOOTING"><a name="id2538561"></a><h2>TROUBLESHOOTING</h2><p>If you're experiencing problems with authenticating Internet Explorer running
148
148
under MS Windows 9X or Millenium Edition against ntlm_auth's NTLMSSP authentication
149
149
helper (--helper-protocol=squid-2.5-ntlmssp), then please read
150
150
<a class="ulink" href="http://support.microsoft.com/support/kb/articles/Q239/8/69.ASP" target="_top">
151
151
the Microsoft Knowledge Base article #239869 and follow instructions described there</a>.
152
</p></div><div class="refsect1" lang="en"><a name="id2532612"></a><h2>VERSION</h2><p>This man page is correct for version 3 of the Samba
153
suite.</p></div><div class="refsect1" lang="en"><a name="id2532623"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities
152
</p></div><div class="refsect1" title="VERSION"><a name="id2538583"></a><h2>VERSION</h2><p>This man page is correct for version 3 of the Samba
153
suite.</p></div><div class="refsect1" title="AUTHOR"><a name="id2538593"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities
154
154
were created by Andrew Tridgell. Samba is now developed
155
155
by the Samba Team as an Open Source project similar
156
156
to the way the Linux kernel is developed.</p><p>The ntlm_auth manpage was written by Jelmer Vernooij and