Changeset 596 for trunk/server/docs/manpages/ntlm_auth.1
- Timestamp: Jul 2, 2011, 3:35:33 PM (14 years ago)
- File: 1 edited
trunk/server/docs/manpages/ntlm_auth.1
r480 r596 1 '\" t 1 2 .\" Title: ntlm_auth 2 3 .\" Author: [see the "AUTHOR" section] 3 .\" Generator: DocBook XSL Stylesheets v1.7 4.0<http://docbook.sf.net/>4 .\" Date: 0 6/18/20104 .\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/> 5 .\" Date: 03/06/2011 5 6 .\" Manual: User Commands 6 7 .\" Source: Samba 3.5 7 8 .\" Language: English 8 9 .\" 9 .TH "NTLM_AUTH" "1" "06/18/2010" "Samba 3\&.5" "User Commands" 10 .\" ----------------------------------------------------------------- 11 .\" * (re)Define some macros 12 .\" ----------------------------------------------------------------- 13 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 14 .\" toupper - uppercase a string (locale-aware) 15 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 16 .de toupper 17 .tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ 18 \\$* 19 .tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz 20 .. 21 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 22 .\" SH-xref - format a cross-reference to an SH section 23 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 24 .de SH-xref 25 .ie n \{\ 26 .\} 27 .toupper \\$* 28 .el \{\ 29 \\$* 30 .\} 31 .. 32 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 33 .\" SH - level-one heading that works better for non-TTY output 34 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 35 .de1 SH 36 .\" put an extra blank line of space above the head in non-TTY output 37 .if t \{\ 38 .sp 1 39 .\} 40 .sp \\n[PD]u 41 .nr an-level 1 42 .set-an-margin 43 .nr an-prevailing-indent \\n[IN] 44 .fi 45 .in \\n[an-margin]u 46 .ti 0 47 .HTML-TAG ".NH \\n[an-level]" 48 .it 1 an-trap 49 .nr an-no-space-flag 1 50 .nr an-break-flag 1 51 \." 
make the size of the head bigger 52 .ps +3 53 .ft B 54 .ne (2v + 1u) 55 .ie n \{\ 56 .\" if n (TTY output), use uppercase 57 .toupper \\$* 58 .\} 59 .el \{\ 60 .nr an-break-flag 0 61 .\" if not n (not TTY), use normal case (not uppercase) 62 \\$1 63 .in \\n[an-margin]u 64 .ti 0 65 .\" if not n (not TTY), put a border/line under subheading 66 .sp -.6 67 \l'\n(.lu' 68 .\} 69 .. 70 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 71 .\" SS - level-two heading that works better for non-TTY output 72 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 73 .de1 SS 74 .sp \\n[PD]u 75 .nr an-level 1 76 .set-an-margin 77 .nr an-prevailing-indent \\n[IN] 78 .fi 79 .in \\n[IN]u 80 .ti \\n[SN]u 81 .it 1 an-trap 82 .nr an-no-space-flag 1 83 .nr an-break-flag 1 84 .ps \\n[PS-SS]u 85 \." make the size of the head bigger 86 .ps +2 87 .ft B 88 .ne (2v + 1u) 89 .if \\n[.$] \&\\$* 90 .. 91 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 92 .\" BB/BE - put background/screen (filled box) around block of text 93 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 94 .de BB 95 .if t \{\ 96 .sp -.5 97 .br 98 .in +2n 99 .ll -2n 100 .gcolor red 101 .di BX 102 .\} 103 .. 104 .de EB 105 .if t \{\ 106 .if "\\$2"adjust-for-leading-newline" \{\ 107 .sp -1 108 .\} 109 .br 110 .di 111 .in 112 .ll 113 .gcolor 114 .nr BW \\n(.lu-\\n(.i 115 .nr BH \\n(dn+.5v 116 .ne \\n(BHu+.5v 117 .ie "\\$2"adjust-for-leading-newline" \{\ 118 \M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] 119 .\} 120 .el \{\ 121 \M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] 122 .\} 123 .in 0 124 .sp -.5v 125 .nf 126 .BX 127 .in 128 .sp .5v 129 .fi 130 .\} 131 .. 
132 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 133 .\" BM/EM - put colored marker in margin next to block of text 134 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 135 .de BM 136 .if t \{\ 137 .br 138 .ll -2n 139 .gcolor red 140 .di BX 141 .\} 142 .. 143 .de EM 144 .if t \{\ 145 .br 146 .di 147 .ll 148 .gcolor 149 .nr BH \\n(dn 150 .ne \\n(BHu 151 \M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] 152 .in 0 153 .nf 154 .BX 155 .in 156 .fi 157 .\} 158 .. 10 .TH "NTLM_AUTH" "1" "03/06/2011" "Samba 3\&.5" "User Commands" 159 11 .\" ----------------------------------------------------------------- 160 12 .\" * set default formatting … … 167 19 .\" * MAIN CONTENT STARTS HERE * 168 20 .\" ----------------------------------------------------------------- 169 .SH "N ame"21 .SH "NAME" 170 22 ntlm_auth \- tool to allow external access to Winbind\'s NTLM authentication function 171 .SH "Synopsis" 172 .fam C 23 .SH "SYNOPSIS" 173 24 .HP \w'\ 'u 174 \FCntlm_auth\F[] [\-d\ debuglevel] [\-l\ logdir] [\-s\ <smb\ config\ file>] 175 .fam 25 ntlm_auth [\-d\ debuglevel] [\-l\ logdir] [\-s\ <smb\ config\ file>] 176 26 .SH "DESCRIPTION" 177 27 .PP … … 180 30 suite\&. 181 31 .PP 182 \FCntlm_auth\F[] 32 ntlm_auth 183 33 is a helper utility that authenticates users using NT/LM authentication\&. It returns 0 if the users is authenticated successfully and 1 if access was denied\&. ntlm_auth uses winbind to access the user and authentication data for a domain\&. This utility is only intended to be used by other programs (currently 184 34 Squid … … 192 42 .PP 193 43 Some of these commands also require access to the directory 194 \FCwinbindd_privileged\F[] 44 winbindd_privileged 195 45 in 196 \FC$LOCKDIR\F[]\&. This should be done either by running this command as root or providing group access to the197 \FCwinbindd_privileged\F[] 46 $LOCKDIR\&. 
This should be done either by running this command as root or providing group access to the 47 winbindd_privileged 198 48 directory\&. For security reasons, this directory should not be world\-accessable\&. 199 49 .SH "OPTIONS" … … 218 68 .sp 219 69 Requires access to the directory 220 \FCwinbindd_privileged\F[] 70 winbindd_privileged 221 71 in 222 \FC$LOCKDIR\F[]\&. The protocol used is described here:72 $LOCKDIR\&. The protocol used is described here: 223 73 http://devel\&.squid\-cache\&.org/ntlm/squid_helper_protocol\&.html\&. This protocol has been extended to allow the NTLMSSP Negotiate packet to be included as an argument to the 224 \FCYR\F[] 74 YR 225 75 command\&. (Thus avoiding loss of information in the protocol exchange)\&. 226 76 .RE … … 231 81 .sp 232 82 This helper is a client, and as such may be run by any user\&. The protocol used is effectively the reverse of the previous protocol\&. A 233 \FCYR\F[] 83 YR 234 84 command (without any arguments) starts the authentication exchange\&. 235 85 .RE … … 238 88 .RS 4 239 89 Server\-side helper that implements GSS\-SPNEGO\&. This uses a protocol that is almost the same as 240 \FCsquid\-2\&.5\-ntlmssp\F[], but has some subtle differences that are undocumented outside the source at this stage\&.90 squid\-2\&.5\-ntlmssp, but has some subtle differences that are undocumented outside the source at this stage\&. 241 91 .sp 242 92 Requires access to the directory 243 \FCwinbindd_privileged\F[] 93 winbindd_privileged 244 94 in 245 \FC$LOCKDIR\F[]\&.95 $LOCKDIR\&. 246 96 .RE 247 97 .PP … … 256 106 .sp 257 107 This protocol consists of lines in the form: 258 \FCParameter: value\F[] 108 Parameter: value 259 109 and 260 \FCParameter:: Base64\-encode value\F[]\&. The presence of a single period261 \ FC\&.\F[]110 Parameter:: Base64\-encode value\&. The presence of a single period 111 \&. 262 112 indicates that one side has finished supplying data to the other\&. 
(Which in turn could cause the helper to authenticate the user)\&. 263 113 .sp … … 293 143 .RS 4 294 144 The 8 byte 295 \FCLANMAN Challenge\F[] 145 LANMAN Challenge 296 146 value, generated randomly by the server, or (in cases such as MSCHAPv2) generated in some way by both the server and the client\&. 297 147 .PP \fBExample\ \&7.\ \&\fR LANMAN\-Challege: 0102030405060708 … … 301 151 .RS 4 302 152 The 24 byte 303 \FCLANMAN Response\F[] 153 LANMAN Response 304 154 value, calculated from the user\'s password and the supplied 305 \FCLANMAN Challenge\F[]\&. Typically, this is provided over the network by a client wishing to authenticate\&.155 LANMAN Challenge\&. Typically, this is provided over the network by a client wishing to authenticate\&. 306 156 .PP \fBExample\ \&8.\ \&\fR LANMAN\-Response: 0102030405060708090A0B0C0D0E0F101112131415161718 307 157 .RE … … 310 160 .RS 4 311 161 The >= 24 byte 312 \FCNT Response\F[] 162 NT Response 313 163 calculated from the user\'s password and the supplied 314 \FCLANMAN Challenge\F[]\&. Typically, this is provided over the network by a client wishing to authenticate\&.164 LANMAN Challenge\&. Typically, this is provided over the network by a client wishing to authenticate\&. 315 165 .PP \fBExample\ \&9.\ \&\fR NT\-Response: 0102030405060708090A0B0C0D0E0F101112131415161718 316 166 .RE … … 338 188 .\} 339 189 .RS 4 340 .BM yellow341 190 .it 1 an-trap 342 191 .nr an-no-space-flag 1 … … 351 200 a newline\&. They may also need to decode strings from 352 201 the helper, which likewise may have been base64 encoded\&..sp .5v 353 .EM yellow354 202 .RE 355 203 .RE … … 408 256 .RS 4 409 257 Perform Diagnostics on the authentication chain\&. Uses the password from 410 \ FC\-\-password\F[]258 \-\-password 411 259 or prompts for one\&. 412 260 .RE … … 429 277 \m[blue]\fB\%smb.conf.5.html#\fR\m[] 430 278 parameter in the 431 \FCsmb\&.conf\F[] 279 smb\&.conf 432 280 file\&. 
433 281 .RE … … 441 289 .RS 4 442 290 The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See 443 \FCsmb\&.conf\F[] 291 smb\&.conf 444 292 for more information\&. The default configuration file name is determined at compile time\&. 445 293 .RE … … 459 307 .PP 460 308 To setup ntlm_auth for use by squid 2\&.5, with both basic and NTLMSSP authentication, the following should be placed in the 461 \FCsquid\&.conf\F[] 309 squid\&.conf 462 310 file\&. 463 311 .sp … … 465 313 .RS 4 466 314 .\} 467 .fam C468 .ps -1469 315 .nf 470 .if t \{\471 .sp -1472 .\}473 .BB lightgray adjust-for-leading-newline474 .sp -1475 476 316 auth_param ntlm program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-ntlmssp 477 317 auth_param basic program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-basic … … 479 319 auth_param basic realm Squid proxy\-caching web server 480 320 auth_param basic credentialsttl 2 hours 481 .EB lightgray adjust-for-leading-newline482 .if t \{\483 .sp 1484 .\}485 321 .fi 486 .fam 487 .ps +1 488 .if n \{\ 489 .RE 490 .\} 491 .if n \{\ 492 .sp 493 .\} 494 .RS 4 495 .BM yellow 322 .if n \{\ 323 .RE 324 .\} 325 .if n \{\ 326 .sp 327 .\} 328 .RS 4 496 329 .it 1 an-trap 497 330 .nr an-no-space-flag 1 … … 504 337 .PP 505 338 This example assumes that ntlm_auth has been installed into your path, and that the group permissions on 506 \FCwinbindd_privileged\F[] 339 winbindd_privileged 507 340 are as described above\&. 508 341 .sp .5v 509 .EM yellow510 342 .RE 511 343 .PP 512 344 To setup ntlm_auth for use by squid 2\&.5 with group limitation in addition to the above example, the following should be added to the 513 \FCsquid\&.conf\F[] 345 squid\&.conf 514 346 file\&. 
515 347 .sp … … 517 349 .RS 4 518 350 .\} 519 .fam C520 .ps -1521 351 .nf 522 .if t \{\523 .sp -1524 .\}525 .BB lightgray adjust-for-leading-newline526 .sp -1527 528 352 auth_param ntlm program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-ntlmssp \-\-require\-membership\-of=\'WORKGROUP\eDomain Users\' 529 353 auth_param basic program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-basic \-\-require\-membership\-of=\'WORKGROUP\eDomain Users\' 530 .EB lightgray adjust-for-leading-newline531 .if t \{\532 .sp 1533 .\}534 354 .fi 535 .fam536 .ps +1537 355 .if n \{\ 538 356 .RE
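Review bot: In the DESCRIPTION hunk (r596 lines 46-48) the guidance on winbindd_privileged ends at "this directory should not be world\-accessable" without saying which group is meant by "providing group access" or what ownership and mode the directory is expected to have, and "accessable" is misspelled. Since the header shows this page is DocBook XSL output, I would fix it in the XML source: correct the spelling to "world-accessible" and add a sentence stating that access should be limited to root and one dedicated group that the calling service account belongs to, so an administrator can check the directory against the text.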
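Review bot: In the hunk at r596 lines 143-148 the example line reads "LANMAN\-Challege: 0102030405060708", which does not match the "LANMAN Challenge" value named a few lines above it. A reader copying Example 7 into a helper script gets a misspelled parameter key. Please correct it to "LANMAN\-Challenge" in the DocBook source so the next regeneration of this page carries the fix.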
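Review bot: In the hunk at r596 lines 200-202 the text line ends with "base64 encoded\&..sp .5v", so the ".sp .5v" request is fused onto the end of a text line instead of starting its own line. roff only recognises a request at the start of a line, so this renders as literal text after "encoded". Compare r596 line 341, where ".sp .5v" correctly sits on a line of its own. The regeneration removed the surrounding ".EM yellow" but kept this defect; it needs a line break before ".sp" in the generated output.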
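Review bot: In the squid.conf example hunk (r596 lines 316-317) both "auth_param ... program" lines invoke the helper by bare name, "ntlm_auth \-\-helper\-protocol=...", and the note at r596 line 338 confirms the example relies on ntlm_auth being found through the path. For a helper that is granted access to winbindd_privileged, the documented example should name the binary by absolute path so the proxy runs the intended executable regardless of its PATH. I would change the example in the source to use a full path and reword the note accordingly; the same applies to the group-limited example at r596 lines 352-353.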