| 1 | '\" t
|
|---|
| 2 | .\" Title: ntlm_auth
|
|---|
| 3 | .\" Author: [see the "AUTHOR" section]
|
|---|
| 4 | .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
|
|---|
| 5 | .\" Date: 05/02/2016
|
|---|
| 6 | .\" Manual: User Commands
|
|---|
| 7 | .\" Source: Samba 4.4
|
|---|
| 8 | .\" Language: English
|
|---|
| 9 | .\"
|
|---|
| 10 | .TH "NTLM_AUTH" "1" "05/02/2016" "Samba 4\&.4" "User Commands"
|
|---|
| 11 | .\" -----------------------------------------------------------------
|
|---|
| 12 | .\" * Define some portability stuff
|
|---|
| 13 | .\" -----------------------------------------------------------------
|
|---|
| 14 | .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|---|
| 15 | .\" http://bugs.debian.org/507673
|
|---|
| 16 | .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
|
|---|
| 17 | .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|---|
| 18 | .ie \n(.g .ds Aq \(aq
|
|---|
| 19 | .el .ds Aq '
|
|---|
| 20 | .\" -----------------------------------------------------------------
|
|---|
| 21 | .\" * set default formatting
|
|---|
| 22 | .\" -----------------------------------------------------------------
|
|---|
| 23 | .\" disable hyphenation
|
|---|
| 24 | .nh
|
|---|
| 25 | .\" disable justification (adjust text to left margin only)
|
|---|
| 26 | .ad l
|
|---|
| 27 | .\" -----------------------------------------------------------------
|
|---|
| 28 | .\" * MAIN CONTENT STARTS HERE *
|
|---|
| 29 | .\" -----------------------------------------------------------------
|
|---|
| 30 | .SH "NAME"
|
|---|
| 31 | ntlm_auth \- tool to allow external access to Winbind\*(Aqs NTLM authentication function
|
|---|
| 32 | .SH "SYNOPSIS"
|
|---|
| 33 | .HP \w'\ 'u
|
|---|
| 34 | ntlm_auth
|
|---|
| 35 | .SH "DESCRIPTION"
|
|---|
| 36 | .PP
|
|---|
| 37 | This tool is part of the
|
|---|
| 38 | \fBsamba\fR(7)
|
|---|
| 39 | suite\&.
|
|---|
| 40 | .PP
|
|---|
| 41 | ntlm_auth
|
|---|
| 42 | is a helper utility that authenticates users using NT/LM authentication\&. It returns 0 if the users is authenticated successfully and 1 if access was denied\&. ntlm_auth uses winbind to access the user and authentication data for a domain\&. This utility is only intended to be used by other programs (currently
|
|---|
| 43 | Squid
|
|---|
| 44 | and
|
|---|
| 45 | mod_ntlm_winbind)
|
|---|
| 46 | .SH "OPERATIONAL REQUIREMENTS"
|
|---|
| 47 | .PP
|
|---|
| 48 | The
|
|---|
| 49 | \fBwinbindd\fR(8)
|
|---|
| 50 | daemon must be operational for many of these commands to function\&.
|
|---|
| 51 | .PP
|
|---|
| 52 | Some of these commands also require access to the directory
|
|---|
| 53 | winbindd_privileged
|
|---|
| 54 | in
|
|---|
| 55 | $LOCKDIR\&. This should be done either by running this command as root or providing group access to the
|
|---|
| 56 | winbindd_privileged
|
|---|
| 57 | directory\&. For security reasons, this directory should not be world\-accessable\&.
|
|---|
| 58 | .SH "OPTIONS"
|
|---|
| 59 | .PP
|
|---|
| 60 | \-\-helper\-protocol=PROTO
|
|---|
| 61 | .RS 4
|
|---|
| 62 | Operate as a stdio\-based helper\&. Valid helper protocols are:
|
|---|
| 63 | .PP
|
|---|
| 64 | squid\-2\&.4\-basic
|
|---|
| 65 | .RS 4
|
|---|
| 66 | Server\-side helper for use with Squid 2\&.4\*(Aqs basic (plaintext) authentication\&.
|
|---|
| 67 | .RE
|
|---|
| 68 | .PP
|
|---|
| 69 | squid\-2\&.5\-basic
|
|---|
| 70 | .RS 4
|
|---|
| 71 | Server\-side helper for use with Squid 2\&.5\*(Aqs basic (plaintext) authentication\&.
|
|---|
| 72 | .RE
|
|---|
| 73 | .PP
|
|---|
| 74 | squid\-2\&.5\-ntlmssp
|
|---|
| 75 | .RS 4
|
|---|
| 76 | Server\-side helper for use with Squid 2\&.5\*(Aqs NTLMSSP authentication\&.
|
|---|
| 77 | .sp
|
|---|
| 78 | Requires access to the directory
|
|---|
| 79 | winbindd_privileged
|
|---|
| 80 | in
|
|---|
| 81 | $LOCKDIR\&. The protocol used is described here:
|
|---|
| 82 | http://devel\&.squid\-cache\&.org/ntlm/squid_helper_protocol\&.html\&. This protocol has been extended to allow the NTLMSSP Negotiate packet to be included as an argument to the
|
|---|
| 83 | YR
|
|---|
| 84 | command\&. (Thus avoiding loss of information in the protocol exchange)\&.
|
|---|
| 85 | .RE
|
|---|
| 86 | .PP
|
|---|
| 87 | ntlmssp\-client\-1
|
|---|
| 88 | .RS 4
|
|---|
| 89 | Client\-side helper for use with arbitrary external programs that may wish to use Samba\*(Aqs NTLMSSP authentication knowledge\&.
|
|---|
| 90 | .sp
|
|---|
| 91 | This helper is a client, and as such may be run by any user\&. The protocol used is effectively the reverse of the previous protocol\&. A
|
|---|
| 92 | YR
|
|---|
| 93 | command (without any arguments) starts the authentication exchange\&.
|
|---|
| 94 | .RE
|
|---|
| 95 | .PP
|
|---|
| 96 | gss\-spnego
|
|---|
| 97 | .RS 4
|
|---|
| 98 | Server\-side helper that implements GSS\-SPNEGO\&. This uses a protocol that is almost the same as
|
|---|
| 99 | squid\-2\&.5\-ntlmssp, but has some subtle differences that are undocumented outside the source at this stage\&.
|
|---|
| 100 | .sp
|
|---|
| 101 | Requires access to the directory
|
|---|
| 102 | winbindd_privileged
|
|---|
| 103 | in
|
|---|
| 104 | $LOCKDIR\&.
|
|---|
| 105 | .RE
|
|---|
| 106 | .PP
|
|---|
| 107 | gss\-spnego\-client
|
|---|
| 108 | .RS 4
|
|---|
| 109 | Client\-side helper that implements GSS\-SPNEGO\&. This also uses a protocol similar to the above helpers, but is currently undocumented\&.
|
|---|
| 110 | .RE
|
|---|
| 111 | .PP
|
|---|
| 112 | ntlm\-server\-1
|
|---|
| 113 | .RS 4
|
|---|
| 114 | Server\-side helper protocol, intended for use by a RADIUS server or the \*(Aqwinbind\*(Aq plugin for pppd, for the provision of MSCHAP and MSCHAPv2 authentication\&.
|
|---|
| 115 | .sp
|
|---|
| 116 | This protocol consists of lines in the form:
|
|---|
| 117 | Parameter: value
|
|---|
| 118 | and
|
|---|
| 119 | Parameter:: Base64\-encode value\&. The presence of a single period
|
|---|
| 120 | \&.
|
|---|
| 121 | indicates that one side has finished supplying data to the other\&. (Which in turn could cause the helper to authenticate the user)\&.
|
|---|
| 122 | .sp
|
|---|
| 123 | Currently implemented parameters from the external program to the helper are:
|
|---|
| 124 | .PP
|
|---|
| 125 | Username
|
|---|
| 126 | .RS 4
|
|---|
| 127 | The username, expected to be in Samba\*(Aqs
|
|---|
| 128 | \m[blue]\fBunix charset\fR\m[]\&.
|
|---|
| 129 | .PP
|
|---|
| 130 | Examples:
|
|---|
| 131 | .RS 4
|
|---|
| 132 | Username: bob
|
|---|
| 133 | .sp
|
|---|
| 134 | Username:: Ym9i
|
|---|
| 135 | .RE
|
|---|
| 136 | .RE
|
|---|
| 137 | .PP
|
|---|
| 138 | NT\-Domain
|
|---|
| 139 | .RS 4
|
|---|
| 140 | The user\*(Aqs domain, expected to be in Samba\*(Aqs
|
|---|
| 141 | \m[blue]\fBunix charset\fR\m[]\&.
|
|---|
| 142 | .PP
|
|---|
| 143 | Examples:
|
|---|
| 144 | .RS 4
|
|---|
| 145 | NT\-Domain: WORKGROUP
|
|---|
| 146 | .sp
|
|---|
| 147 | NT\-Domain:: V09SS0dST1VQ
|
|---|
| 148 | .RE
|
|---|
| 149 | .RE
|
|---|
| 150 | .PP
|
|---|
| 151 | Full\-Username
|
|---|
| 152 | .RS 4
|
|---|
| 153 | The fully qualified username, expected to be in Samba\*(Aqs
|
|---|
| 154 | \m[blue]\fBunix charset\fR\m[]
|
|---|
| 155 | and qualified with the
|
|---|
| 156 | \m[blue]\fBwinbind separator\fR\m[]\&.
|
|---|
| 157 | .PP
|
|---|
| 158 | Examples:
|
|---|
| 159 | .RS 4
|
|---|
| 160 | Full\-Username: WORKGROUP\ebob
|
|---|
| 161 | .sp
|
|---|
| 162 | Full\-Username:: V09SS0dST1VQYm9i
|
|---|
| 163 | .RE
|
|---|
| 164 | .RE
|
|---|
| 165 | .PP
|
|---|
| 166 | LANMAN\-Challenge
|
|---|
| 167 | .RS 4
|
|---|
| 168 | The 8 byte
|
|---|
| 169 | LANMAN Challenge
|
|---|
| 170 | value, generated randomly by the server, or (in cases such as MSCHAPv2) generated in some way by both the server and the client\&.
|
|---|
| 171 | .PP
|
|---|
| 172 | Examples:
|
|---|
| 173 | .RS 4
|
|---|
| 174 | LANMAN\-Challenge: 0102030405060708
|
|---|
| 175 | .RE
|
|---|
| 176 | .RE
|
|---|
| 177 | .PP
|
|---|
| 178 | LANMAN\-Response
|
|---|
| 179 | .RS 4
|
|---|
| 180 | The 24 byte
|
|---|
| 181 | LANMAN Response
|
|---|
| 182 | value, calculated from the user\*(Aqs password and the supplied
|
|---|
| 183 | LANMAN Challenge\&. Typically, this is provided over the network by a client wishing to authenticate\&.
|
|---|
| 184 | .PP
|
|---|
| 185 | Examples:
|
|---|
| 186 | .RS 4
|
|---|
| 187 | LANMAN\-Response: 0102030405060708090A0B0C0D0E0F101112131415161718
|
|---|
| 188 | .RE
|
|---|
| 189 | .RE
|
|---|
| 190 | .PP
|
|---|
| 191 | NT\-Response
|
|---|
| 192 | .RS 4
|
|---|
| 193 | The >= 24 byte
|
|---|
| 194 | NT Response
|
|---|
| 195 | calculated from the user\*(Aqs password and the supplied
|
|---|
| 196 | LANMAN Challenge\&. Typically, this is provided over the network by a client wishing to authenticate\&.
|
|---|
| 197 | .PP
|
|---|
| 198 | Examples:
|
|---|
| 199 | .RS 4
|
|---|
| 200 | NT\-Response: 0102030405060708090A0B0C0D0E0F10111213141516171
|
|---|
| 201 | .RE
|
|---|
| 202 | .RE
|
|---|
| 203 | .PP
|
|---|
| 204 | Password
|
|---|
| 205 | .RS 4
|
|---|
| 206 | The user\*(Aqs password\&. This would be provided by a network client, if the helper is being used in a legacy situation that exposes plaintext passwords in this way\&.
|
|---|
| 207 | .PP
|
|---|
| 208 | Examples:
|
|---|
| 209 | .RS 4
|
|---|
| 210 | Password: samba2
|
|---|
| 211 | .sp
|
|---|
| 212 | Password:: c2FtYmEy
|
|---|
| 213 | .RE
|
|---|
| 214 | .RE
|
|---|
| 215 | .PP
|
|---|
| 216 | Request\-User\-Session\-Key
|
|---|
| 217 | .RS 4
|
|---|
| 218 | Upon successful authenticaiton, return the user session key associated with the login\&.
|
|---|
| 219 | .PP
|
|---|
| 220 | Examples:
|
|---|
| 221 | .RS 4
|
|---|
| 222 | Request\-User\-Session\-Key: Yes
|
|---|
| 223 | .RE
|
|---|
| 224 | .RE
|
|---|
| 225 | .PP
|
|---|
| 226 | Request\-LanMan\-Session\-Key
|
|---|
| 227 | .RS 4
|
|---|
| 228 | Upon successful authenticaiton, return the LANMAN session key associated with the login\&.
|
|---|
| 229 | .PP
|
|---|
| 230 | Examples:
|
|---|
| 231 | .RS 4
|
|---|
| 232 | Request\-LanMan\-Session\-Key: Yes
|
|---|
|
|---|
