source: vendor/current/docs/manpages/ntlm_auth.1@ 594

'\" t
.\"     Title: ntlm_auth
.\"    Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
.\"      Date: 03/06/2011
.\"    Manual: User Commands
.\"    Source: Samba 3.5
.\"  Language: English
.\"
.TH "NTLM_AUTH" "1" "03/06/2011" "Samba 3\&.5" "User Commands"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
ntlm_auth \- tool to allow external access to Winbind\'s NTLM authentication function
.SH "SYNOPSIS"
.HP \w'\ 'u
ntlm_auth [\-d\ debuglevel] [\-l\ logdir] [\-s\ <smb\ config\ file>]
.SH "DESCRIPTION"
.PP
This tool is part of the
\fBsamba\fR(7)
suite\&.
.PP
ntlm_auth
is a helper utility that authenticates users using NT/LM authentication\&. It returns 0 if the users is authenticated successfully and 1 if access was denied\&. ntlm_auth uses winbind to access the user and authentication data for a domain\&. This utility is only intended to be used by other programs (currently
Squid
and
mod_ntlm_winbind)
.SH "OPERATIONAL REQUIREMENTS"
.PP
The
\fBwinbindd\fR(8)
daemon must be operational for many of these commands to function\&.
.PP
Some of these commands also require access to the directory
winbindd_privileged
in
$LOCKDIR\&. This should be done either by running this command as root or providing group access to the
winbindd_privileged
directory\&. For security reasons, this directory should not be world\-accessable\&.
.SH "OPTIONS"
.PP
\-\-helper\-protocol=PROTO
.RS 4
Operate as a stdio\-based helper\&. Valid helper protocols are:
.PP
squid\-2\&.4\-basic
.RS 4
Server\-side helper for use with Squid 2\&.4\'s basic (plaintext) authentication\&.
.RE
.PP
squid\-2\&.5\-basic
.RS 4
Server\-side helper for use with Squid 2\&.5\'s basic (plaintext) authentication\&.
.RE
.PP
squid\-2\&.5\-ntlmssp
.RS 4
Server\-side helper for use with Squid 2\&.5\'s NTLMSSP authentication\&.
.sp
Requires access to the directory
winbindd_privileged
in
$LOCKDIR\&. The protocol used is described here:
http://devel\&.squid\-cache\&.org/ntlm/squid_helper_protocol\&.html\&. This protocol has been extended to allow the NTLMSSP Negotiate packet to be included as an argument to the
YR
command\&. (Thus avoiding loss of information in the protocol exchange)\&.
.RE
.PP
ntlmssp\-client\-1
.RS 4
Client\-side helper for use with arbitrary external programs that may wish to use Samba\'s NTLMSSP authentication knowledge\&.
.sp
This helper is a client, and as such may be run by any user\&. The protocol used is effectively the reverse of the previous protocol\&. A
YR
command (without any arguments) starts the authentication exchange\&.
.RE
.PP
gss\-spnego
.RS 4
Server\-side helper that implements GSS\-SPNEGO\&. This uses a protocol that is almost the same as
squid\-2\&.5\-ntlmssp, but has some subtle differences that are undocumented outside the source at this stage\&.
.sp
Requires access to the directory
winbindd_privileged
in
$LOCKDIR\&.
.RE
.PP
gss\-spnego\-client
.RS 4
Client\-side helper that implements GSS\-SPNEGO\&. This also uses a protocol similar to the above helpers, but is currently undocumented\&.
.RE
.PP
ntlm\-server\-1
.RS 4
Server\-side helper protocol, intended for use by a RADIUS server or the \'winbind\' plugin for pppd, for the provision of MSCHAP and MSCHAPv2 authentication\&.
.sp
This protocol consists of lines in the form:
Parameter: value
and
Parameter:: Base64\-encode value\&. The presence of a single period
\&.
indicates that one side has finished supplying data to the other\&. (Which in turn could cause the helper to authenticate the user)\&.
.sp
Curently implemented parameters from the external program to the helper are:
.PP
Username
.RS 4
The username, expected to be in Samba\'s
\m[blue]\fBunix charset\fR\m[]\&.
.PP \fBExample\ \&1.\ \&\fR Username: bob
.PP \fBExample\ \&2.\ \&\fR Username:: Ym9i
.RE
.PP
NT\-Domain
.RS 4
The user\'s domain, expected to be in Samba\'s
\m[blue]\fBunix charset\fR\m[]\&.
.PP \fBExample\ \&3.\ \&\fR NT\-Domain: WORKGROUP
.PP \fBExample\ \&4.\ \&\fR NT\-Domain:: V09SS0dST1VQ
.RE
.PP
Full\-Username
.RS 4
The fully qualified username, expected to be in Samba\'s
\m[blue]\fBunix charset\fR\m[]
and qualified with the
\m[blue]\fBwinbind separator\fR\m[]\&.
.PP \fBExample\ \&5.\ \&\fR Full\-Username: WORKGROUP\ebob
.PP \fBExample\ \&6.\ \&\fR Full\-Username:: V09SS0dST1VQYm9i
.RE
.PP
LANMAN\-Challenge
.RS 4
The 8 byte
LANMAN Challenge
value, generated randomly by the server, or (in cases such as MSCHAPv2) generated in some way by both the server and the client\&.
.PP \fBExample\ \&7.\ \&\fR LANMAN\-Challege: 0102030405060708
.RE
.PP
LANMAN\-Response
.RS 4
The 24 byte
LANMAN Response
value, calculated from the user\'s password and the supplied
LANMAN Challenge\&. Typically, this is provided over the network by a client wishing to authenticate\&.
.PP \fBExample\ \&8.\ \&\fR LANMAN\-Response: 0102030405060708090A0B0C0D0E0F101112131415161718
.RE
.PP
NT\-Response
.RS 4
The >= 24 byte
NT Response
calculated from the user\'s password and the supplied
LANMAN Challenge\&. Typically, this is provided over the network by a client wishing to authenticate\&.
.PP \fBExample\ \&9.\ \&\fR NT\-Response: 0102030405060708090A0B0C0D0E0F101112131415161718
.RE
.PP
Password
.RS 4
The user\'s password\&. This would be provided by a network client, if the helper is being used in a legacy situation that exposes plaintext passwords in this way\&.
.PP \fBExample\ \&10.\ \&\fR Password: samba2
.PP \fBExample\ \&11.\ \&\fR Password:: c2FtYmEy
.RE
.PP
Request\-User\-Session\-Key
.RS 4
Apon sucessful authenticaiton, return the user session key associated with the login\&.
.PP \fBExample\ \&12.\ \&\fR Request\-User\-Session\-Key: Yes
.RE
.PP
Request\-LanMan\-Session\-Key
.RS 4
Apon sucessful authenticaiton, return the LANMAN session key associated with the login\&.
.PP \fBExample\ \&13.\ \&\fR Request\-LanMan\-Session\-Key: Yes
.RE
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBWarning\fR
.ps -1
.br
Implementors should take care to base64 encode
                any data (such as usernames/passwords) that may contain malicous user data, such as
                a newline\&.  They may also need to decode strings from
                the helper, which likewise may have been base64 encoded\&..sp .5v
.RE
.RE
.RE
.PP
\-\-username=USERNAME
.RS 4
Specify username of user to authenticate
.RE
.PP
\-\-domain=DOMAIN
.RS 4
Specify domain of user to authenticate
.RE
.PP
\-\-workstation=WORKSTATION
.RS 4
Specify the workstation the user authenticated from
.RE
.PP
\-\-challenge=STRING
.RS 4
NTLM challenge (in HEXADECIMAL)
.RE
.PP
\-\-lm\-response=RESPONSE
.RS 4
LM Response to the challenge (in HEXADECIMAL)
.RE
.PP