<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<refentry id="ntlm-auth.1">
<refentrytitle>ntlm_auth</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo class="source">Samba</refmiscinfo>
<refmiscinfo class="manual">User Commands</refmiscinfo>
<refmiscinfo class="version">3.4</refmiscinfo>
<refname>ntlm_auth</refname>
<refpurpose>tool to allow external access to Winbind's NTLM authentication function</refpurpose>
<command>ntlm_auth</command>
<arg choice="opt">-d debuglevel</arg>
<arg choice="opt">-l logdir</arg>
<arg choice="opt">-s &lt;smb config file&gt;</arg>
<title>DESCRIPTION</title>
<para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
<manvolnum>7</manvolnum></citerefentry> suite.</para>
<para><command>ntlm_auth</command> is a helper utility that authenticates
users using NT/LM authentication. It returns 0 if the user is authenticated
successfully and 1 if access was denied. ntlm_auth uses winbind to access
the user and authentication data for a domain. This utility
is only intended to be used by other programs (currently
<ulink url="http://www.squid-cache.org/">Squid</ulink>
and <ulink url="http://download.samba.org/ftp/unpacked/lorikeet/trunk/mod_ntlm_winbind/">mod_ntlm_winbind</ulink>)
<title>OPERATIONAL REQUIREMENTS</title>
The <citerefentry><refentrytitle>winbindd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> daemon must be operational
for many of these commands to function.</para>
<para>Some of these commands also require access to the directory
<filename>winbindd_privileged</filename> in
<filename>$LOCKDIR</filename>. This should be done either by running
this command as root or providing group access
to the <filename>winbindd_privileged</filename> directory. For
security reasons, this directory should not be world-accessible.</para>
63
<title>OPTIONS</title>
67
<term>--helper-protocol=PROTO</term>
69
Operate as a stdio-based helper. Valid helper protocols are:
73
<term>squid-2.4-basic</term>
75
Server-side helper for use with Squid 2.4's basic (plaintext)
76
authentication. </para>
80
<term>squid-2.5-basic</term>
82
Server-side helper for use with Squid 2.5's basic (plaintext)
83
authentication. </para>
87
<term>squid-2.5-ntlmssp</term>
89
Server-side helper for use with Squid 2.5's NTLMSSP
90
authentication. </para>
91
<para>Requires access to the directory
92
<filename>winbindd_privileged</filename> in
93
<filename>$LOCKDIR</filename>. The protocol used is
94
described here: <ulink
95
url="http://devel.squid-cache.org/ntlm/squid_helper_protocol.html">http://devel.squid-cache.org/ntlm/squid_helper_protocol.html</ulink>.
96
This protocol has been extended to allow the
97
NTLMSSP Negotiate packet to be included as an argument
98
to the <command>YR</command> command. (Thus avoiding
99
loss of information in the protocol exchange).
104
<term>ntlmssp-client-1</term>
106
Client-side helper for use with arbitrary external
107
programs that may wish to use Samba's NTLMSSP
108
authentication knowledge. </para>
109
<para>This helper is a client, and as such may be run by any
110
user. The protocol used is
111
effectively the reverse of the previous protocol. A
112
<command>YR</command> command (without any arguments)
113
starts the authentication exchange.
119
<term>gss-spnego</term>
121
Server-side helper that implements GSS-SPNEGO. This
122
uses a protocol that is almost the same as
123
<command>squid-2.5-ntlmssp</command>, but has some
124
subtle differences that are undocumented outside the
125
source at this stage.
127
<para>Requires access to the directory
128
<filename>winbindd_privileged</filename> in
129
<filename>$LOCKDIR</filename>.
135
<term>gss-spnego-client</term>
137
Client-side helper that implements GSS-SPNEGO. This
138
also uses a protocol similar to the above helpers, but
139
is currently undocumented.
145
<term>ntlm-server-1</term>
147
Server-side helper protocol, intended for use by a
148
RADIUS server or the 'winbind' plugin for pppd, for
149
the provision of MSCHAP and MSCHAPv2 authentication.
151
<para>This protocol consists of lines in the form:
152
<command>Parameter: value</command> and <command>Parameter::
153
Base64-encode value</command>. The presence of a single
154
period <command>.</command> indicates that one side has
155
finished supplying data to the other. (Which in turn
156
could cause the helper to authenticate the
159
<para>Curently implemented parameters from the
160
external program to the helper are:</para>
163
<term>Username</term>
165
<listitem><para>The username, expected to be in
166
Samba's <smbconfoption name="unix charset"/>.
169
<para><example>Username: bob</example></para>
170
<para><example>Username:: Ym9i</example></para>
171
</listitem></varlistentry>
174
<term>Username</term>
175
<listitem><para>The user's domain, expected to be in
176
Samba's <smbconfoption name="unix charset"/>.
179
<para><example>Domain: WORKGROUP</example></para>
180
<para><example>Domain:: V09SS0dST1VQ</example></para>
181
</listitem></varlistentry>
184
<term>Full-Username</term>
185
<listitem><para>The fully qualified username, expected to be in
186
Samba's <smbconfoption name="unix charset"/> and qualified with the
187
<smbconfoption name="winbind separator"/>.
190
<para><example>Full-Username: WORKGROUP\bob</example></para>
191
<para><example>Full-Username:: V09SS0dST1VQYm9i</example></para>
192
</listitem></varlistentry>
195
<term>LANMAN-Challenge</term>
197
<listitem><para>The 8 byte <command>LANMAN Challenge</command> value,
198
generated randomly by the server, or (in cases such as
199
MSCHAPv2) generated in some way by both the server and
202
<para><example>LANMAN-Challege: 0102030405060708</example></para>
203
</listitem></varlistentry>
206
<term>LANMAN-Response</term>
208
<listitem><para>The 24 byte <command>LANMAN Response</command> value,
209
calculated from the user's password and the supplied
210
<command>LANMAN Challenge</command>. Typically, this
211
is provided over the network by a client wishing to authenticate.
213
<para><example>LANMAN-Response: 0102030405060708090A0B0C0D0E0F101112131415161718</example></para>
215
</listitem></varlistentry>
218
<term>NT-Response</term>
219
<listitem><para>The >= 24 byte <command>NT Response</command>
220
calculated from the user's password and the supplied
221
<command>LANMAN Challenge</command>. Typically, this is
222
provided over the network by a client wishing to authenticate.
224
<para><example>NT-Response: 0102030405060708090A0B0C0D0E0F101112131415161718</example></para>
226
</listitem></varlistentry>
229
<term>Password</term>
230
<listitem><para>The user's password. This would be
231
provided by a network client, if the helper is being
232
used in a legacy situation that exposes plaintext
233
passwords in this way.
235
<para><example>Password: samba2</example></para>
236
<para><example>Password:: c2FtYmEy</example></para>
238
</listitem></varlistentry>
241
<term>Request-User-Session-Key</term>
242
<listitem><para>Apon sucessful authenticaiton, return
243
the user session key associated with the login.
245
<para><example>Request-User-Session-Key: Yes</example></para>
247
</listitem></varlistentry>
250
<term>Request-LanMan-Session-Key</term>
251
<listitem><para>Apon sucessful authenticaiton, return
252
the LANMAN session key associated with the login.
254
<para><example>Request-LanMan-Session-Key: Yes</example></para>
256
</listitem></varlistentry>
258
<para><warning>Implementors should take care to base64 encode
259
any data (such as usernames/passwords) that may contain malicous user data, such as
260
a newline. They may also need to decode strings from
261
the helper, which likewise may have been base64 encoded.</warning></para>
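The ntlm-server-1 line format and the base64 rule in the warning above, as an added example that is not part of this man page or of Samba's own code: a small Python client that renders a request (hex parameters as-is, any value with control characters or edge whitespace in the Parameter:: base64 form) and parses the reply. The page does not list the helper's reply parameters, so parse_reply is generic; query_helper and its assumption that the helper can be driven over stdin/stdout with subprocess are mine.

```python
import base64
import subprocess

# Parameters the man page defines as hex strings; sent as-is, never base64.
HEX_PARAMS = {"LANMAN-Challenge", "LANMAN-Response", "NT-Response"}

def needs_base64(value):
    """True if value cannot travel safely as 'Parameter: value': anything
    outside printable ASCII (newlines included) or with edge whitespace."""
    if value != value.strip():
        return True
    return any(ord(c) < 0x20 or ord(c) > 0x7E for c in value)

def encode_request(params):
    """Render one ntlm-server-1 request, terminated by the single '.' line.
    params maps parameter names (e.g. 'Username') to string values."""
    lines = []
    for name, value in params.items():
        if name not in HEX_PARAMS and needs_base64(value):
            b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
            lines.append(f"{name}:: {b64}")  # 'Parameter:: base64' form
        else:
            lines.append(f"{name}: {value}")  # plain 'Parameter: value'
    lines.append(".")
    return "\n".join(lines) + "\n"

def parse_reply(text):
    """Parse 'Parameter: value' / 'Parameter:: base64' lines up to the
    '.' terminator, decoding base64 values back to text."""
    out = {}
    for line in text.splitlines():
        if line == ".":
            break
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # double colon: base64-encoded value
            out[name] = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            out[name] = rest.strip()
    return out

def query_helper(params, cmd=("ntlm_auth", "--helper-protocol=ntlm-server-1")):
    """Assumed usage: feed one request to the helper over stdin and parse what
    it writes to stdout. Needs ntlm_auth and winbindd; not run offline."""
    proc = subprocess.run(cmd, input=encode_request(params),
                          capture_output=True, text=True, check=False)
    return parse_reply(proc.stdout)
```

A username such as "bob\nPassword: x" (constructed) would otherwise inject a second protocol line; encoded as Username:: it round-trips as one value.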
271
<term>--username=USERNAME</term>
273
Specify username of user to authenticate
279
<term>--domain=DOMAIN</term>
281
Specify domain of user to authenticate
286
<term>--workstation=WORKSTATION</term>
288
Specify the workstation the user authenticated from
293
<term>--challenge=STRING</term>
294
<listitem><para>NTLM challenge (in HEXADECIMAL)</para>
299
<term>--lm-response=RESPONSE</term>
300
<listitem><para>LM Response to the challenge (in HEXADECIMAL)</para></listitem>
304
<term>--nt-response=RESPONSE</term>
305
<listitem><para>NT or NTLMv2 Response to the challenge (in HEXADECIMAL)</para></listitem>
309
<term>--password=PASSWORD</term>
310
<listitem><para>User's plaintext password</para><para>If
311
not specified on the command line, this is prompted for when
314
<para>For the NTLMSSP based server roles, this parameter
315
specifies the expected password, allowing testing without
316
winbindd operational.</para>
321
<term>--request-lm-key</term>
322
<listitem><para>Retreive LM session key</para></listitem>
326
<term>--request-nt-key</term>
327
<listitem><para>Request NT key</para></listitem>
331
<term>--diagnostics</term>
332
<listitem><para>Perform Diagnostics on the authentication
333
chain. Uses the password from <command>--password</command>
334
or prompts for one.</para>
339
<term>--require-membership-of={SID|Name}</term>
340
<listitem><para>Require that a user be a member of specified
341
group (either name or SID) for authentication to succeed.</para>
345
&stdarg.server.debug;
353
<title>EXAMPLE SETUP</title>
355
<para>To setup ntlm_auth for use by squid 2.5, with both basic and
356
NTLMSSP authentication, the following
357
should be placed in the <filename>squid.conf</filename> file.
359
auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp
360
auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic
361
auth_param basic children 5
362
auth_param basic realm Squid proxy-caching web server
363
auth_param basic credentialsttl 2 hours
364
</programlisting></para>
366
<note><para>This example assumes that ntlm_auth has been installed into your
367
path, and that the group permissions on
368
<filename>winbindd_privileged</filename> are as described above.</para></note>
370
<para>To setup ntlm_auth for use by squid 2.5 with group limitation in addition to the above
371
example, the following should be added to the <filename>squid.conf</filename> file.
373
auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users'
374
auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users'
375
</programlisting></para>
380
<title>TROUBLESHOOTING</title>
382
<para>If you're experiencing problems with authenticating Internet Explorer running
383
under MS Windows 9X or Millenium Edition against ntlm_auth's NTLMSSP authentication
384
helper (--helper-protocol=squid-2.5-ntlmssp), then please read
385
<ulink url="http://support.microsoft.com/support/kb/articles/Q239/8/69.ASP">
386
the Microsoft Knowledge Base article #239869 and follow instructions described there</ulink>.
391
<title>VERSION</title>
393
<para>This man page is correct for version 3 of the Samba
398
<title>AUTHOR</title>
400
<para>The original Samba software and related utilities
401
were created by Andrew Tridgell. Samba is now developed
402
by the Samba Team as an Open Source project similar
403
to the way the Linux kernel is developed.</para>
405
<para>The ntlm_auth manpage was written by Jelmer Vernooij and
406
Andrew Bartlett.</para>