See, I really can write documentation when I put my mind to it...

This updates the ntlm_auth manpage to detail some of the new helper
prototcols, and updates the winbind manpage to reflect some of the
changes over it's life.

Jelmer - you might want to look over this, and check if it's all
really valid docbook, but 'make manapges' works for me.

Andrew Bartlett

docs/manpages/ntlm_auth.1.xml

@@ -35,7 +35,8 @@
 	users using NT/LM authentication. It returns 0 if the users is authenticated
 	successfully and 1 if access was denied. ntlm_auth uses winbind to access 
 	the user and authentication data for a domain.  This utility 
-	is only indended to be used by other programs (currently squid).
+	is only indended to be used by other programs (currently
+	Squid).
 	</para>
 </refsect1>
 
@@ -90,7 +91,11 @@
                 <filename>winbindd_privileged</filename> in
 		<filename>$LOCKDIR</filename>.  The protocol used is
 		described here: <ulink
-		url="http://devel.squid-cache.org/ntlm/squid_helper_protocol.html">http://devel.squid-cache.org/ntlm/squid_helper_protocol.html</ulink>
+		url="http://devel.squid-cache.org/ntlm/squid_helper_protocol.html">http://devel.squid-cache.org/ntlm/squid_helper_protocol.html</ulink>.
+		This protocol has been extended to allow the
+		NTLMSSP Negotiate packet to be included as an argument
+		to the <command>YR</command> command. (Thus avoiding
+		loss of information in the protocol exchange).
                 </para>
                 </listitem>
 	      </varlistentry>
@@ -132,6 +137,130 @@
                 </para>
                 </listitem>
 		</varlistentry>
+
+	        <varlistentry>
+				<term>ntlm-server-1</term>
+		<listitem><para>
+                Server-side helper protocol, intended for use by a
+		RADIUS server or the 'winbind' plugin for pppd, for
+		the provision of MSCHAP and MSCHAPv2 authentication.  
+                </para>
+		<para>This protocol consists of lines in for form:
+                <command>Parameter: value</command> and <command>Paramter::
+                Base64-encode value</command>.  The presence of a single
+                period <command>.</command> indicates that one side has
+                finished supplying data to the other.  (Which in turn
+                could cause the helper to authenticate the
+                user). </para>
+
+		<para>Curently implemented parameters from the
+		external program to the helper are:</para>
+		<variablelist>
+		  <varlistentry>
+		  <term>Username</term>
+		  
+                <listitem><para>The username, expected to be in
+                Samba's <smbconfoption><name>unix charset</name></smbconfoption>.
+                </para>
+
+		      <para><example>Username: bob</example></para>
+		      <para><example>Username:: Ym9i</example></para>
+		    </listitem></varlistentry>
+
+		  <varlistentry>
+		  <term>Username</term>
+                <listitem><para>The user's domain, expected to be in
+                Samba's <smbconfoption><name>unix charset</name></smbconfoption>.
+                </para>
+
+		      <para><example>Domain: WORKGROUP</example></para>
+		      <para><example>Domain:: V09SS0dST1VQ</example></para>
+		    </listitem></varlistentry>
+
+		  <varlistentry>
+		  <term>Full-Username</term>
+                <listitem><para>The fully qualified username, expected to be in
+                Samba's <smbconfoption><name>unix
+                charset</name></smbconfoption> and qualified with the
+                <smbconfoption><name>winbind separator</name></smbconfoption>.
+                </para>
+
+		      <para><example>Full-Username: WORKGROUP\bob</example></para>
+		      <para><example>Full-Username:: V09SS0dST1VQYm9i</example></para>
+		    </listitem></varlistentry>
+
+		  <varlistentry>
+		  <term>LANMAN-Challenge</term>
+		  
+                <listitem><para>The 8 byte <command>LANMAN Challenge</command> value,
+                generated randomly by the server, or (in cases such as
+                MSCHAPv2) generated in some way by both the server and
+                the client.
+                </para>	
+		      <para><example>LANMAN-Challege: 0102030405060708</example></para>
+		    </listitem></varlistentry>
+
+		  <varlistentry>
+		  <term>LANMAN-Response</term>
+		  
+                <listitem><para>The 24 byte <command>LANMAN Response</command> value,
+                calculated from the user's password and the supplied
+                <command>LANMAN Challenge</command>.  Typically, this
+                is provided over the network by a client wishing to authenticate.
+                </para>	
+		      <para><example>LANMAN-Response: 010203040506070809101112131415161718192021222324</example></para>
+
+		    </listitem></varlistentry>
+
+		  <varlistentry>
+		  <term>NT-Response</term>
+                <listitem><para>The >= 24 byte <command>NT Response</command>
+                calculated from the user's password and the supplied
+                <command>LANMAN Challenge</command>.  Typically, this is 
+                provided over the network by a client wishing to authenticate.
+                 </para>	
+		      <para><example>NT-Response: 010203040506070809101112131415161718192021222324</example></para>
+
+		    </listitem></varlistentry>
+
+		  <varlistentry>
+		  <term>Password</term>
+                <listitem><para>The user's password.  This would be
+                provided by a network client, if the helper is being
+                used in a legacy situation that exposes plaintext
+                passwords in this way.
+                 </para>	
+		      <para><example>Password: samba2</example></para>
+		      <para><example>Password:: c2FtYmEy</example></para>
+
+		    </listitem></varlistentry>
+
+		  <varlistentry>
+		  <term>Request-User-Session-Key</term>
+                <listitem><para>Apon sucessful authenticaiton, return
+                the user session key associated with the login.
+                 </para>	
+		      <para><example>Request-User-Session-Key: Yes</example></para>
+
+		    </listitem></varlistentry>
+
+		  <varlistentry>
+		  <term>Request-LanMan-Session-Key</term>
+                <listitem><para>Apon sucessful authenticaiton, return
+                the LANMAN session key associated with the login.
+                 </para>	
+		      <para><example>Request-LanMan-Session-Key: Yes</example></para>
+
+		    </listitem></varlistentry>
+
+		<para><warning>Implementors should take care to base64 encode
+		any data (such as usernames/passwords) that may contain malicous user data, such as
+		a newline.  They may also need to decode strings from
+		the helper, which likewise may have been base64 encoded.</warning></para>
+	</variablelist>
+
+                </listitem>
+		</varlistentry>
 	</variablelist>
 	</listitem>
       </varlistentry>
@@ -178,7 +307,12 @@
 	<term>--password=PASSWORD</term>
 	<listitem><para>User's plaintext password</para><para>If 
 	not specified on the command line, this is prompted for when
-	required.  </para></listitem>
+	required.  </para>
+
+	  <para>For the NTLMSSP based server roles, this paramter
+	  specifies the expected password, allowing testing without
+	  winbindd operational.</para>
+	</listitem>
 	</varlistentry>
 
 	<varlistentry>

docs/manpages/winbindd.8.xml

@@ -37,8 +37,18 @@
 	<manvolnum>7</manvolnum></citerefentry> suite.</para>
 
 	<para><command>winbindd</command> is a daemon that provides 
-	a service for the Name Service Switch capability that is present 
-	in most modern C libraries.  The Name Service Switch allows user 
+	a number of services to the Name Service Switch capability found
+	in most modern C libraries, to arbitary applications via PAM
+	and <program>ntlm_auth</program> and to Samba itself.</para>
+
+    <para>Even if winbind is not used for nsswitch, it still provides a
+    service to <program>smbd</program>, ntlm_auth and the PAM modules, by managing connections to
+    domain controllers.  In this configuraiton the
+    <smbconfoption><name>idmap uid</name></smbconfoption> and
+    <smbconfoption><name>idmap gid</name></smbconfoption>
+    parameters are not required. (This is known as `netlogon proxy only mode'.)</para>
+
+        <para> The Name Service Switch allows user 
 	and system information to be obtained from different databases 
 	services such as NIS or DNS.  The exact behaviour can be configured 
 	throught the <filename>/etc/nsswitch.conf</filename> file.  
@@ -52,12 +62,15 @@
 	services via an associated PAM module. </para>
 	
 	<para>
-	The <filename>pam_winbind</filename> module in the 2.2.2 release only 
-	supports the <parameter>auth</parameter> and <parameter>account</parameter> 
-	module-types.  The latter simply
-	performs a getpwnam() to verify that the system can obtain a uid for the
-	user.  If the <filename>libnss_winbind</filename> library has been correctly 
-	installed, this should always succeed.
+	The <filename>pam_winbind</filename> module supports the
+        <parameter>auth</parameter>, <parameter>account</parameter>
+        and <parameter>password</parameter>
+        module-types.  It should be noted that the 
+        <parameter>account</parameter> module simply performs a getpwnam() to verify that
+        the system can obtain a uid for the user, as the domain
+        controller has already performed access control.  If the
+        <filename>libnss_winbind</filename> library has been correctly
+        installed, or an alternate source of names configured, this should always succeed.
 	</para>
 
 	<para>The following nsswitch databases are implemented by 
@@ -180,9 +193,9 @@ hosts:		files wins
 	<title>NAME AND ID RESOLUTION</title>
 
 	<para>Users and groups on a Windows NT server are assigned 
-	a relative id (rid) which is unique for the domain when the 
+	a security id (SID) which is globally unique when the 
 	user or group is created.  To convert the Windows NT user or group 
-	into a unix user or group, a mapping between rids and unix user 
+	into a unix user or group, a mapping between SIDs and unix user 
 	and group ids is required.  This is one of the jobs that <command>
 	winbindd</command> performs. </para>
 
@@ -194,11 +207,16 @@ hosts:		files wins
 	in a database file under the Samba lock directory and will be 
 	remembered. </para>
 
-	<para>WARNING: The rid to unix id database is the only location 
+	<para>WARNING: The SID to unix id database is the only location 
 	where the user and group mappings are stored by winbindd.  If this 
 	file is deleted or corrupted, there is no way for winbindd to 
 	determine which user and group ids correspond to Windows NT user 
 	and group rids. </para>
+
+        <para>See the <smbconfoption><name>idmap
+        backend</name></smbconfoption> parameter in
+        <filename>smb.conf</filename> for options for sharing this
+        database, such as via LDAP.</para>
 </refsect1>
 
 
@@ -219,6 +237,8 @@ hosts:		files wins
 		<listitem><para>
 		<smbconfoption><name>idmap gid</name></smbconfoption></para></listitem>
 		<listitem><para>
+		<smbconfoption><name>idmap backend</name></smbconfoption></para></listitem>
+		<listitem><para>
 		<smbconfoption><name>winbind cache time</name></smbconfoption></para></listitem>
 		<listitem><para>
 		<smbconfoption><name>winbind enum users</name></smbconfoption></para></listitem>
@@ -317,11 +337,7 @@ auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
 
 	<para><citerefentry><refentrytitle>nmbd</refentrytitle>
 	<manvolnum>8</manvolnum></citerefentry> must be running on the local machine 
-	for <command>winbindd</command> to work. <command>winbindd</command> queries
-	the list of trusted domains for the Windows NT server
-	on startup and when a SIGHUP is received.  Thus, for a running <command>
-	winbindd</command> to become aware of new trust relationships between 
-	servers, it must be sent a SIGHUP signal. </para>
+	for <command>winbindd</command> to work. </para>
 
 	<para>PAM is really easy to misconfigure.  Make sure you know what 
 	you are doing when modifying PAM configuration files.  It is possible 
@@ -330,9 +346,10 @@ auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
 	<para>If more than one UNIX machine is running <command>winbindd</command>, 
 	then in general the user and groups ids allocated by winbindd will not 
 	be the same.  The user and group ids will only be valid for the local 
-	machine.</para>
+	machine, unless a shared <smbconfoption><name>idmap
+	backend</name></smbconfoption> is configured.</para>
 
-	<para>If the the Windows NT RID to UNIX user and group id mapping 
+	<para>If the the Windows NT SID to UNIX user and group id mapping 
 	file is damaged or destroyed then the mappings will be lost. </para>
 </refsect1>
 
@@ -358,8 +375,7 @@ auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
 		<term>SIGUSR2</term>
 		<listitem><para>The SIGUSR2 signal will cause <command>
 		winbindd</command> to write status information to the winbind 
-		log file including information about the number of user and 
-		group ids allocated by <command>winbindd</command>.</para>
+		log file.</para>
 
 		<para>Log files are stored in the filename specified by the 
 		log file parameter.</para></listitem>
@@ -440,6 +456,8 @@ auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
 	<refentrytitle>samba</refentrytitle>
 	<manvolnum>7</manvolnum></citerefentry>, <citerefentry>
 	<refentrytitle>wbinfo</refentrytitle>
+	<manvolnum>1</manvolnum></citerefentry>, <citerefentry>
+	<refentrytitle>ntlm_auth</refentrytitle>
 	<manvolnum>8</manvolnum></citerefentry>, <citerefentry>
 	<refentrytitle>smb.conf</refentrytitle>
 	<manvolnum>5</manvolnum></citerefentry></para>