mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
15b7508bab
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
461 lines
15 KiB
XML
461 lines
15 KiB
XML
<?xml version="1.0" encoding="iso-8859-1"?>
|
|
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
|
|
<refentry id="ntlm-auth.1">
|
|
|
|
<refmeta>
|
|
<refentrytitle>ntlm_auth</refentrytitle>
|
|
<manvolnum>1</manvolnum>
|
|
<refmiscinfo class="source">Samba</refmiscinfo>
|
|
<refmiscinfo class="manual">User Commands</refmiscinfo>
|
|
<refmiscinfo class="version">&doc.version;</refmiscinfo>
|
|
</refmeta>
|
|
|
|
|
|
<refnamediv>
|
|
<refname>ntlm_auth</refname>
|
|
<refpurpose>tool to allow external access to Winbind's NTLM authentication function</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>ntlm_auth</command>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>DESCRIPTION</title>
|
|
|
|
<para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
|
|
<manvolnum>7</manvolnum></citerefentry> suite.</para>
|
|
|
|
<para><command>ntlm_auth</command> is a helper utility that authenticates
|
|
users using NT/LM authentication. It returns 0 if the users is authenticated
|
|
successfully and 1 if access was denied. ntlm_auth uses winbind to access
|
|
the user and authentication data for a domain. This utility
|
|
is only intended to be used by other programs (currently
|
|
<ulink url="https://www.squid-cache.org/">Squid</ulink>
|
|
and <ulink url="https://www.samba.org/ftp/unpacked/lorikeet/mod_auth_ntlm_winbind/">mod_ntlm_winbind</ulink>).
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>OPERATIONAL REQUIREMENTS</title>
|
|
|
|
<para>
|
|
The <citerefentry><refentrytitle>winbindd</refentrytitle>
|
|
<manvolnum>8</manvolnum></citerefentry> daemon must be operational
|
|
for many of these commands to function.</para>
|
|
|
|
<para>Some of these commands also require access to the directory
|
|
<filename>winbindd_privileged</filename> in
|
|
<filename>$LOCKDIR</filename>. This should be done either by running
|
|
this command as root or providing group access
|
|
to the <filename>winbindd_privileged</filename> directory. For
|
|
security reasons, this directory should not be world-accessable. </para>
|
|
|
|
</refsect1>
|
|
|
|
|
|
<refsect1>
|
|
<title>OPTIONS</title>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--helper-protocol=PROTO</term>
|
|
<listitem><para>
|
|
Operate as a stdio-based helper. Valid helper protocols are:
|
|
</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>squid-2.4-basic</term>
|
|
<listitem><para>
|
|
Server-side helper for use with Squid 2.4's basic (plaintext)
|
|
authentication. </para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>squid-2.5-basic</term>
|
|
<listitem><para>
|
|
Server-side helper for use with Squid 2.5's basic (plaintext)
|
|
authentication. </para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>squid-2.5-ntlmssp</term>
|
|
<listitem><para>
|
|
Server-side helper for use with Squid 2.5's NTLMSSP
|
|
authentication. </para>
|
|
<para>Requires access to the directory
|
|
<filename>winbindd_privileged</filename> in
|
|
<filename>$LOCKDIR</filename>. The protocol used is
|
|
described here: <ulink
|
|
url="http://devel.squid-cache.org/ntlm/squid_helper_protocol.html">http://devel.squid-cache.org/ntlm/squid_helper_protocol.html</ulink>.
|
|
This protocol has been extended to allow the
|
|
NTLMSSP Negotiate packet to be included as an argument
|
|
to the <command>YR</command> command. (Thus avoiding
|
|
loss of information in the protocol exchange).
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>ntlmssp-client-1</term>
|
|
<listitem><para>
|
|
Client-side helper for use with arbitrary external
|
|
programs that may wish to use Samba's NTLMSSP
|
|
authentication knowledge. </para>
|
|
<para>This helper is a client, and as such may be run by any
|
|
user. The protocol used is
|
|
effectively the reverse of the previous protocol. A
|
|
<command>YR</command> command (without any arguments)
|
|
starts the authentication exchange.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>gss-spnego</term>
|
|
<listitem><para>
|
|
Server-side helper that implements GSS-SPNEGO. This
|
|
uses a protocol that is almost the same as
|
|
<command>squid-2.5-ntlmssp</command>, but has some
|
|
subtle differences that are undocumented outside the
|
|
source at this stage.
|
|
</para>
|
|
<para>Requires access to the directory
|
|
<filename>winbindd_privileged</filename> in
|
|
<filename>$LOCKDIR</filename>.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>gss-spnego-client</term>
|
|
<listitem><para>
|
|
Client-side helper that implements GSS-SPNEGO. This
|
|
also uses a protocol similar to the above helpers, but
|
|
is currently undocumented.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>ntlm-server-1</term>
|
|
<listitem><para>
|
|
Server-side helper protocol, intended for use by a
|
|
RADIUS server or the 'winbind' plugin for pppd, for
|
|
the provision of MSCHAP and MSCHAPv2 authentication.
|
|
</para>
|
|
<para>This protocol consists of lines in the form:
|
|
<command>Parameter: value</command> and <command>Parameter::
|
|
Base64-encode value</command>. The presence of a single
|
|
period <command>.</command> indicates that one side has
|
|
finished supplying data to the other. (Which in turn
|
|
could cause the helper to authenticate the
|
|
user). </para>
|
|
|
|
<para>Currently implemented parameters from the
|
|
external program to the helper are:</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>Username</term>
|
|
<listitem><para>The username, expected to be in
|
|
Samba's <smbconfoption name="unix charset"/>.
|
|
</para>
|
|
<varlistentry>
|
|
<term>Examples:</term>
|
|
<para>Username: bob</para>
|
|
<para>Username:: Ym9i</para>
|
|
</varlistentry>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>NT-Domain</term>
|
|
<listitem><para>The user's domain, expected to be in
|
|
Samba's <smbconfoption name="unix charset"/>.
|
|
</para>
|
|
|
|
<varlistentry>
|
|
<term>Examples:</term>
|
|
<para>NT-Domain: WORKGROUP</para>
|
|
<para>NT-Domain:: V09SS0dST1VQ</para>
|
|
</varlistentry>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Full-Username</term>
|
|
<listitem><para>The fully qualified username, expected to be
|
|
in Samba's <smbconfoption name="unix charset"/> and qualified
|
|
with the <smbconfoption name="winbind separator"/>.</para>
|
|
<varlistentry>
|
|
<term>Examples:</term>
|
|
<para>Full-Username: WORKGROUP\bob</para>
|
|
<para>Full-Username:: V09SS0dST1VQYm9i</para>
|
|
</varlistentry>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>LANMAN-Challenge</term>
|
|
<listitem><para>The 8 byte <command>LANMAN Challenge</command>
|
|
value, generated randomly by the server, or (in cases such
|
|
as MSCHAPv2) generated in some way by both the server and
|
|
the client.</para>
|
|
<varlistentry>
|
|
<term>Examples:</term>
|
|
<para>LANMAN-Challenge: 0102030405060708</para>
|
|
</varlistentry>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>LANMAN-Response</term>
|
|
<listitem><para>The 24 byte <command>LANMAN Response</command> value,
|
|
calculated from the user's password and the supplied
|
|
<command>LANMAN Challenge</command>. Typically, this
|
|
is provided over the network by a client wishing to authenticate.
|
|
</para>
|
|
<varlistentry>
|
|
<term>Examples:</term>
|
|
<para>LANMAN-Response: 0102030405060708090A0B0C0D0E0F101112131415161718</para>
|
|
</varlistentry>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>NT-Response</term>
|
|
<listitem><para>The >= 24 byte <command>NT Response</command>
|
|
calculated from the user's password and the supplied
|
|
<command>LANMAN Challenge</command>. Typically, this is
|
|
provided over the network by a client wishing to authenticate.
|
|
</para>
|
|
<varlistentry>
|
|
<term>Examples:</term>
|
|
<para>NT-Response: 0102030405060708090A0B0C0D0E0F10111213141516171</para>
|
|
</varlistentry>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Password</term>
|
|
<listitem><para>The user's password. This would be
|
|
provided by a network client, if the helper is being
|
|
used in a legacy situation that exposes plaintext
|
|
passwords in this way.</para>
|
|
<varlistentry>
|
|
<term>Examples:</term>
|
|
<para>Password: samba2</para>
|
|
<para>Password:: c2FtYmEy</para>
|
|
</varlistentry>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Request-User-Session-Key</term>
|
|
<listitem><para>Upon successful authentication, return
|
|
the user session key associated with the login.</para>
|
|
<varlistentry>
|
|
<term>Examples:</term>
|
|
<para>Request-User-Session-Key: Yes</para>
|
|
</varlistentry>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Request-LanMan-Session-Key</term>
|
|
<listitem><para>Upon successful authentication, return
|
|
the LANMAN session key associated with the login.
|
|
</para>
|
|
<varlistentry>
|
|
<term>Examples:</term>
|
|
<para>Request-LanMan-Session-Key: Yes</para>
|
|
</varlistentry>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
<warning><para>Implementers should take care to base64 encode
|
|
any data (such as usernames/passwords) that may contain malicious user data, such as
|
|
a newline. They may also need to decode strings from
|
|
the helper, which likewise may have been base64 encoded.</para></warning>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--username=USERNAME</term>
|
|
<listitem><para>
|
|
Specify username of user to authenticate
|
|
</para></listitem>
|
|
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--domain=DOMAIN</term>
|
|
<listitem><para>
|
|
Specify domain of user to authenticate
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--workstation=WORKSTATION</term>
|
|
<listitem><para>
|
|
Specify the workstation the user authenticated from
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--challenge=STRING</term>
|
|
<listitem><para>NTLM challenge (in HEXADECIMAL)</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--lm-response=RESPONSE</term>
|
|
<listitem><para>LM Response to the challenge (in HEXADECIMAL)</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--nt-response=RESPONSE</term>
|
|
<listitem><para>NT or NTLMv2 Response to the challenge (in HEXADECIMAL)</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--password=PASSWORD</term>
|
|
<listitem><para>User's plaintext password</para><para>If
|
|
not specified on the command line, this is prompted for when
|
|
required. </para>
|
|
|
|
<para>For the NTLMSSP based server roles, this parameter
|
|
specifies the expected password, allowing testing without
|
|
winbindd operational.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--request-lm-key</term>
|
|
<listitem><para>Retrieve LM session key</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--request-nt-key</term>
|
|
<listitem><para>Request NT key</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--diagnostics</term>
|
|
<listitem><para>Perform Diagnostics on the authentication
|
|
chain. Uses the password from <command>--password</command>
|
|
or prompts for one.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--require-membership-of={SID|Name}</term>
|
|
<listitem><para>Require that a user be a member of specified
|
|
group (either name or SID) for authentication to succeed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--pam-winbind-conf=FILENAME</term>
|
|
<listitem><para>Define the path to the pam_winbind.conf file.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--target-hostname=HOSTNAME</term>
|
|
<listitem><para>Define the target hostname.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--target-service=SERVICE</term>
|
|
<listitem><para>Define the target service.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--use-cached-creds</term>
|
|
<listitem><para>Whether to use credentials cached by winbindd.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--allow-mschapv2</term>
|
|
<listitem><para>Explicitly allow MSCHAPv2.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--offline-logon</term>
|
|
<listitem><para>Allow offline logons for plain text auth.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
&popt.autohelp;
|
|
&cmdline.common.debug.client;
|
|
&cmdline.common.config.client;
|
|
&cmdline.common.option;
|
|
&cmdline.version;
|
|
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>EXAMPLE SETUP</title>
|
|
|
|
<para>To setup ntlm_auth for use by squid 2.5, with both basic and
|
|
NTLMSSP authentication, the following
|
|
should be placed in the <filename>squid.conf</filename> file.
|
|
<programlisting>
|
|
auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp
|
|
auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic
|
|
auth_param basic children 5
|
|
auth_param basic realm Squid proxy-caching web server
|
|
auth_param basic credentialsttl 2 hours
|
|
</programlisting></para>
|
|
|
|
<note><para>This example assumes that ntlm_auth has been installed into your
|
|
path, and that the group permissions on
|
|
<filename>winbindd_privileged</filename> are as described above.</para></note>
|
|
|
|
<para>To setup ntlm_auth for use by squid 2.5 with group limitation in addition to the above
|
|
example, the following should be added to the <filename>squid.conf</filename> file.
|
|
<programlisting>
|
|
auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users'
|
|
auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users'
|
|
</programlisting></para>
|
|
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>TROUBLESHOOTING</title>
|
|
|
|
<para>If you're experiencing problems with authenticating Internet Explorer running
|
|
under MS Windows 9X or Millennium Edition against ntlm_auth's NTLMSSP authentication
|
|
helper (--helper-protocol=squid-2.5-ntlmssp), then please read
|
|
<ulink url="http://support.microsoft.com/support/kb/articles/Q239/8/69.ASP">
|
|
the Microsoft Knowledge Base article #239869 and follow instructions described there</ulink>.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>VERSION</title>
|
|
|
|
<para>This man page is part of version &doc.version; of the Samba
|
|
suite.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>AUTHOR</title>
|
|
|
|
<para>The original Samba software and related utilities
|
|
were created by Andrew Tridgell. Samba is now developed
|
|
by the Samba Team as an Open Source project similar
|
|
to the way the Linux kernel is developed.</para>
|
|
|
|
<para>The ntlm_auth manpage was written by Jelmer Vernooij and
|
|
Andrew Bartlett.</para>
|
|
</refsect1>
|
|
|
|
</refentry>
|