X-Git-Url: https://vcs.maemo.org/git/?p=samba;a=blobdiff_plain;f=docs%2Fhtmldocs%2Fmanpages%2Fntlm_auth.1.html;fp=docs%2Fhtmldocs%2Fmanpages%2Fntlm_auth.1.html;h=2be0fc5ce4873ceecdb58d27304002bff206fc9f;hp=0000000000000000000000000000000000000000;hb=6bca4ca307d55b6dc888e56cee47aebcddbce786;hpb=7fd70fa738b636089bcc6c961aa3eaa02f20dda2 diff --git a/docs/htmldocs/manpages/ntlm_auth.1.html b/docs/htmldocs/manpages/ntlm_auth.1.html new file mode 100644 index 0000000..2be0fc5 --- /dev/null +++ b/docs/htmldocs/manpages/ntlm_auth.1.html @@ -0,0 +1,157 @@ +
ntlm_auth — tool to allow external access to Winbind's NTLM authentication function
ntlm_auth
[-d debuglevel] [-l logdir] [-s <smb config file>]
This tool is part of the samba(7) suite.
ntlm_auth is a helper utility that authenticates + users using NT/LM authentication. It returns 0 if the users is authenticated + successfully and 1 if access was denied. ntlm_auth uses winbind to access + the user and authentication data for a domain. This utility + is only indended to be used by other programs (currently + Squid + and mod_ntlm_winbind) +
+ The winbindd(8) daemon must be operational + for many of these commands to function.
Some of these commands also require access to the directory
+ winbindd_privileged
in
+ $LOCKDIR
. This should be done either by running
+ this command as root or providing group access
+ to the winbindd_privileged
directory. For
+ security reasons, this directory should not be world-accessable.
+ Operate as a stdio-based helper. Valid helper protocols are: +
+ Server-side helper for use with Squid 2.4's basic (plaintext) + authentication.
+ Server-side helper for use with Squid 2.5's basic (plaintext) + authentication.
+ Server-side helper for use with Squid 2.5's NTLMSSP + authentication.
Requires access to the directory
+ winbindd_privileged
in
+ $LOCKDIR
. The protocol used is
+ described here: http://devel.squid-cache.org/ntlm/squid_helper_protocol.html.
+ This protocol has been extended to allow the
+ NTLMSSP Negotiate packet to be included as an argument
+ to the YR command. (Thus avoiding
+ loss of information in the protocol exchange).
+
+ Client-side helper for use with arbitary external + programs that may wish to use Samba's NTLMSSP + authentication knowlege.
This helper is a client, and as such may be run by any + user. The protocol used is + effectivly the reverse of the previous protocol. A + YR command (without any arguments) + starts the authentication exchange. +
+ Server-side helper that implements GSS-SPNEGO. This + uses a protocol that is almost the same as + squid-2.5-ntlmssp, but has some + subtle differences that are undocumented outside the + source at this stage. +
Requires access to the directory
+ winbindd_privileged
in
+ $LOCKDIR
.
+
+ Client-side helper that implements GSS-SPNEGO. This + also uses a protocol similar to the above helpers, but + is currently undocumented. +
+ Server-side helper protocol, intended for use by a + RADIUS server or the 'winbind' plugin for pppd, for + the provision of MSCHAP and MSCHAPv2 authentication. +
This protocol consists of lines in for form: + Parameter: value and Paramter:: + Base64-encode value. The presence of a single + period . indicates that one side has + finished supplying data to the other. (Which in turn + could cause the helper to authenticate the + user).
Curently implemented parameters from the + external program to the helper are:
The user's domain, expected to be in + Samba's unix charset. +
The fully qualified username, expected to be in + Samba's and qualified with the + winbind separator. +
The 8 byte LANMAN Challenge value, + generated randomly by the server, or (in cases such as + MSCHAPv2) generated in some way by both the server and + the client. +
The 24 byte LANMAN Response value, + calculated from the user's password and the supplied + LANMAN Challenge. Typically, this + is provided over the network by a client wishing to authenticate. +
The >= 24 byte NT Response + calculated from the user's password and the supplied + LANMAN Challenge. Typically, this is + provided over the network by a client wishing to authenticate. +
The user's password. This would be + provided by a network client, if the helper is being + used in a legacy situation that exposes plaintext + passwords in this way. +
Apon sucessful authenticaiton, return + the user session key associated with the login. +
Apon sucessful authenticaiton, return + the LANMAN session key associated with the login. +
+ Specify username of user to authenticate +
+ Specify domain of user to authenticate +
+ Specify the workstation the user authenticated from +
NTLM challenge (in HEXADECIMAL)
LM Response to the challenge (in HEXADECIMAL)
NT or NTLMv2 Response to the challenge (in HEXADECIMAL)
User's plaintext password
If + not specified on the command line, this is prompted for when + required.
For the NTLMSSP based server roles, this paramter + specifies the expected password, allowing testing without + winbindd operational.
Retreive LM session key
Request NT key
Perform Diagnostics on the authentication + chain. Uses the password from --password + or prompts for one.
Require that a user be a member of specified + group (either name or SID) for authentication to succeed.
Prints the program version number. +
The file specified contains the
+configuration details required by the server. The
+information in this file includes server-specific
+information such as what printcap file to use, as well
+as descriptions of all the services that the server is
+to provide. See smb.conf
for more information.
+The default configuration file name is determined at
+compile time.
level
is an integer
+from 0 to 10. The default value if this parameter is
+not specified is zero.
The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day-to-day running - it generates a small amount of +information about operations carried out.
Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.
Note that specifying this parameter here will
+override the parameter
+in the smb.conf
file.
Base directory name for log/debug files. The extension
+".progname"
will be appended (e.g. log.smbclient,
+log.smbd, etc...). The log file is never removed by the client.
+
Print a summary of command line options. +
To setup ntlm_auth for use by squid 2.5, with both basic and
+ NTLMSSP authentication, the following
+ should be placed in the squid.conf
file.
+
+auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp +auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic +auth_param basic children 5 +auth_param basic realm Squid proxy-caching web server +auth_param basic credentialsttl 2 hours +
This example assumes that ntlm_auth has been installed into your
+ path, and that the group permissions on
+ winbindd_privileged
are as described above.
To setup ntlm_auth for use by squid 2.5 with group limitation in addition to the above
+ example, the following should be added to the squid.conf
file.
+
+auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users' +auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users' +
If you're experiencing problems with authenticating Internet Explorer running + under MS Windows 9X or Millenium Edition against ntlm_auth's NTLMSSP authentication + helper (--helper-protocol=squid-2.5-ntlmssp), then please read + + the Microsoft Knowledge Base article #239869 and follow instructions described there. +
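Review bot: the SYNOPSIS of the new page lists only [-d debuglevel] [-l logdir] [-s <smb config file>], yet the body documents --helper-protocol, --password and --require-membership-of, and the squid.conf examples at the end depend on --helper-protocol=squid-2.5-ntlmssp and --helper-protocol=squid-2.5-basic, so the synopsis should be regenerated from the same option list before this HTML is committed. Two further documentation fixes belong in the source: the Username: parameter description reads "expected to be in Samba's and qualified with the winbind separator", dropping the charset that the Domain: entry names ("Samba's unix charset"); and the text carries a number of misspellings (indended, accessable, arbitary, knowlege, effectivly, "lines in for form", Paramter::, Curently, "Apon sucessful authenticaiton" twice, paramter, Retreive, Millenium). Lastly, the squid-2.5-ntlmssp and gss-spnego server helpers "require access to the directory winbindd_privileged in $LOCKDIR" and the DESCRIPTION says that directory "should not be world-accessable", but neither the option text nor the first squid example, which only says the group permissions are "as described above", states which group must be granted access; naming it as the group the squid helper processes run under would make that cross-reference actionable and keep readers from loosening the directory permissions more than needed.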