Fix typo in warning message
[Samba/gebeck_regimport.git] / source4 / utils / man / ntlm_auth4.1.xml
blob3e26e3788517fa2f06b41f77ca6240cf514885ea
1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
3 <refentry id="ntlm-auth.1">
5 <refmeta>
6         <refentrytitle>ntlm_auth4</refentrytitle>
7         <manvolnum>1</manvolnum>
8         <refmiscinfo class="source">Samba</refmiscinfo>
9         <refmiscinfo class="manual">User Commands</refmiscinfo>
10         <refmiscinfo class="version">4.0</refmiscinfo>
11 </refmeta>
14 <refnamediv>
15         <refname>ntlm_auth4</refname>
16         <refpurpose>tool to allow external access to Winbind's NTLM authentication function</refpurpose>
17 </refnamediv>
19 <refsynopsisdiv>
20         <cmdsynopsis>
21                 <command>ntlm_auth4</command>
22                 <arg choice="opt">-d debuglevel</arg>
23                 <arg choice="opt">-l logdir</arg>
24                 <arg choice="opt">-s &lt;smb config file&gt;</arg>
25         </cmdsynopsis>
26 </refsynopsisdiv>
28 <refsect1>
29         <title>DESCRIPTION</title>
31         <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
32         <manvolnum>7</manvolnum></citerefentry> suite.</para>
34         <para><command>ntlm_auth4</command> is a helper utility that authenticates
35         users using NT/LM authentication. It returns 0 if the users is authenticated
36         successfully and 1 if access was denied. ntlm_auth4 uses winbind to access
37         the user and authentication data for a domain.  This utility
38         is only indended to be used by other programs (currently squid).
39         </para>
40 </refsect1>
42 <refsect1>
43         <title>OPERATIONAL REQUIREMENTS</title>
45     <para>
46     The <citerefentry><refentrytitle>winbindd</refentrytitle>
47     <manvolnum>8</manvolnum></citerefentry> daemon must be operational
48     for many of these commands to function.</para>
50     <para>Some of these commands also require access to the directory
51     <filename>winbindd_privileged</filename> in
52     <filename>$LOCKDIR</filename>.  This should be done either by running
53     this command as root or providing group access
54     to the <filename>winbindd_privileged</filename> directory.  For
55     security reasons, this directory should not be world-accessable. </para>
57 </refsect1>
60 <refsect1>
61         <title>OPTIONS</title>
63         <variablelist>
64         <varlistentry>
65         <term>--helper-protocol=PROTO</term>
66         <listitem><para>
67         Operate as a stdio-based helper.  Valid helper protocols are:
68         </para>
69         <variablelist>
70               <varlistentry>
71                 <term>squid-2.4-basic</term>
72                 <listitem><para>
73                 Server-side helper for use with Squid 2.4's basic (plaintext)
74                 authentication.  </para>
75                 </listitem>
76                 </varlistentry>
77               <varlistentry>
78                 <term>squid-2.5-basic</term>
79                 <listitem><para>
80                 Server-side helper for use with Squid 2.5's basic (plaintext)
81                 authentication. </para>
82                 </listitem>
83                 </varlistentry>
84               <varlistentry>
85                 <term>squid-2.5-ntlmssp</term>
86                 <listitem><para>
87                 Server-side helper for use with Squid 2.5's NTLMSSP
88                 authentication. </para>
89                   <para>Requires access to the directory
90                 <filename>winbindd_privileged</filename> in
91                 <filename>$LOCKDIR</filename>.  The protocol used is
92                 described here: <ulink
93                 url="http://devel.squid-cache.org/ntlm/squid_helper_protocol.html">http://devel.squid-cache.org/ntlm/squid_helper_protocol.html</ulink>
94                 </para>
95                 </listitem>
96               </varlistentry>
97               <varlistentry>
98                 <term>ntlmssp-client-1</term>
99                 <listitem><para>
100                 Cleint-side helper for use with arbitary external
101                 programs that may wish to use Samba's NTLMSSP
102                 authentication knowlege. </para>
103                   <para>This helper is a client, and as such may be run by any
104                 user.  The protocol used is
105                 effectivly the reverse of the previous protocol.
106                 </para>
107                 </listitem>
108               </varlistentry>
110               <varlistentry>
111                 <term>gss-spnego</term>
112                 <listitem><para>
113                 Server-side helper that implements GSS-SPNEGO.  This
114                 uses a protocol that is almost the same as
115                 <command>squid-2.5-ntlmssp</command>, but has some
116                 subtle differences that are undocumented outside the
117                 source at this stage.
118                 </para>
119                   <para>Requires access to the directory
120                 <filename>winbindd_privileged</filename> in
121                 <filename>$LOCKDIR</filename>.
122                </para>
123                 </listitem>
124                 </varlistentry>
126                 <varlistentry>
127                                 <term>gss-spnego-client</term>
128                 <listitem><para>
129                 Client-side helper that implements GSS-SPNEGO.  This
130                 also uses a protocol similar to the above helpers, but
131                 is currently undocumented.
132                 </para>
133                 </listitem>
134                 </varlistentry>
135         </variablelist>
136         </listitem>
137       </varlistentry>
139       <varlistentry>
140         <term>--username=USERNAME</term>
141         <listitem><para>
142         Specify username of user to authenticate
143         </para></listitem>
145       </varlistentry>
147       <varlistentry>
148         <term>--domain=DOMAIN</term>
149         <listitem><para>
150         Specify domain of user to authenticate
151         </para></listitem>
152       </varlistentry>
154       <varlistentry>
155         <term>--workstation=WORKSTATION</term>
156         <listitem><para>
157         Specify the workstation the user authenticated from
158         </para></listitem>
159       </varlistentry>
161         <varlistentry>
162         <term>--challenge=STRING</term>
163         <listitem><para>NTLM challenge (in HEXADECIMAL)</para>
164         </listitem>
165         </varlistentry>
167         <varlistentry>
168         <term>--lm-response=RESPONSE</term>
169         <listitem><para>LM Response to the challenge (in HEXADECIMAL)</para></listitem>
170         </varlistentry>
172         <varlistentry>
173         <term>--nt-response=RESPONSE</term>
174         <listitem><para>NT or NTLMv2 Response to the challenge (in HEXADECIMAL)</para></listitem>
175         </varlistentry>
177         <varlistentry>
178         <term>--password=PASSWORD</term>
179         <listitem><para>User's plaintext password</para><para>If
180         not specified on the command line, this is prompted for when
181         required.  </para></listitem>
182         </varlistentry>
184         <varlistentry>
185         <term>--request-lm-key</term>
186         <listitem><para>Retreive LM session key</para></listitem>
187         </varlistentry>
189         <varlistentry>
190         <term>--request-nt-key</term>
191         <listitem><para>Request NT key</para></listitem>
192         </varlistentry>
194       <varlistentry>
195         <term>--diagnostics</term>
196         <listitem><para>Perform Diagnostics on the authentication
197         chain.  Uses the password from <command>--password</command>
198         or prompts for one.</para>
199         </listitem>
200         </varlistentry>
202         <varlistentry>
203             <term>--require-membership-of={SID|Name}</term>
204             <listitem><para>Require that a user be a member of specified
205             group (either name or SID) for authentication to succeed.</para>
206             </listitem>
207         </varlistentry>
209         </variablelist>
210 </refsect1>
212 <refsect1>
213         <title>EXAMPLE SETUP</title>
215         <para>To setup ntlm_auth4 for use by squid 2.5, with both basic and
216         NTLMSSP authentication, the following
217         should be placed in the <filename>squid.conf</filename> file.
218 <programlisting>
219 auth_param ntlm program ntlm_auth4 --helper-protocol=squid-2.5-ntlmssp
220 auth_param basic program ntlm_auth4 --helper-protocol=squid-2.5-basic
221 auth_param basic children 5
222 auth_param basic realm Squid proxy-caching web server
223 auth_param basic credentialsttl 2 hours
224 </programlisting></para>
226 <note><para>This example assumes that ntlm_auth4 has been installed into your
227       path, and that the group permissions on
228       <filename>winbindd_privileged</filename> are as described above.</para></note>
230         <para>To setup ntlm_auth4 for use by squid 2.5 with group limitation in addition to the above
231         example, the following should be added to the <filename>squid.conf</filename> file.
232 <programlisting>
233 auth_param ntlm program ntlm_auth4 --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users'
234 auth_param basic program ntlm_auth4 --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users'
235 </programlisting></para>
237 </refsect1>
239 <refsect1>
240         <title>TROUBLESHOOTING</title>
242         <para>If you're experiencing problems with authenticating Internet Explorer running
243         under MS Windows 9X or Millenium Edition against ntlm_auth4's NTLMSSP authentication
244         helper (--helper-protocol=squid-2.5-ntlmssp), then please read
245         <ulink url="http://support.microsoft.com/support/kb/articles/Q239/8/69.ASP">
246         the Microsoft Knowledge Base article #239869 and follow instructions described there</ulink>.
247         </para>
248 </refsect1>
250 <refsect1>
251         <title>VERSION</title>
253         <para>This man page is correct for version 3.0 of the Samba
254         suite.</para>
255 </refsect1>
257 <refsect1>
258         <title>AUTHOR</title>
260         <para>The original Samba software and related utilities
261         were created by Andrew Tridgell. Samba is now developed
262         by the Samba Team as an Open Source project similar
263         to the way the Linux kernel is developed.</para>
265         <para>The ntlm_auth4 manpage was written by Jelmer Vernooij and
266         Andrew Bartlett.</para>
267 </refsect1>
269 </refentry>