--- /dev/null
+.\"Generated by db2man.xsl. Don't modify this, modify the source.
+.de Sh \" Subsection
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.TH "NTLM_AUTH" 1 "" "" ""
+.SH NAME
+ntlm_auth \- tool to allow external access to Winbind's NTLM authentication function
+.SH "SYNOPSIS"
+.ad l
+.hy 0
+.HP 10
+\fBntlm_auth\fR [\-d\ debuglevel] [\-l\ logdir] [\-s\ <smb\ config\ file>]
+.ad
+.hy
+
+.SH "DESCRIPTION"
+
+.PP
+This tool is part of the \fBsamba\fR(7) suite\&.
+
+.PP
+\fBntlm_auth\fR is a helper utility that authenticates users using NT/LM authentication\&. It returns 0 if the users is authenticated successfully and 1 if access was denied\&. ntlm_auth uses winbind to access the user and authentication data for a domain\&. This utility is only indended to be used by other programs (currentlySquid and mod_ntlm_winbind)
+
+.SH "OPERATIONAL REQUIREMENTS"
+
+.PP
+The \fBwinbindd\fR(8) daemon must be operational for many of these commands to function\&.
+
+.PP
+Some of these commands also require access to the directory \fIwinbindd_privileged\fR in \fI$LOCKDIR\fR\&. This should be done either by running this command as root or providing group access to the \fIwinbindd_privileged\fR directory\&. For security reasons, this directory should not be world\-accessable\&.
+
+.SH "OPTIONS"
+
+.TP
+\-\-helper\-protocol=PROTO
+Operate as a stdio\-based helper\&. Valid helper protocols are:
+
+.RS
+
+.TP
+squid\-2\&.4\-basic
+Server\-side helper for use with Squid 2\&.4's basic (plaintext) authentication\&.
+
+.TP
+squid\-2\&.5\-basic
+Server\-side helper for use with Squid 2\&.5's basic (plaintext) authentication\&.
+
+.TP
+squid\-2\&.5\-ntlmssp
+Server\-side helper for use with Squid 2\&.5's NTLMSSP authentication\&.
+
+Requires access to the directory \fIwinbindd_privileged\fR in\fI$LOCKDIR\fR\&. The protocol used is described here: http://devel\&.squid\-cache\&.org/ntlm/squid_helper_protocol\&.html\&. This protocol has been extended to allow the NTLMSSP Negotiate packet to be included as an argument to the \fBYR\fR command\&. (Thus avoiding loss of information in the protocol exchange)\&.
+
+.TP
+ntlmssp\-client\-1
+Client\-side helper for use with arbitary external programs that may wish to use Samba's NTLMSSP authentication knowlege\&.
+
+This helper is a client, and as such may be run by any user\&. The protocol used is effectivly the reverse of the previous protocol\&. A\fBYR\fR command (without any arguments) starts the authentication exchange\&.
+
+.TP
+gss\-spnego
+Server\-side helper that implements GSS\-SPNEGO\&. This uses a protocol that is almost the same as\fBsquid\-2\&.5\-ntlmssp\fR, but has some subtle differences that are undocumented outside the source at this stage\&.
+
+Requires access to the directory \fIwinbindd_privileged\fR in\fI$LOCKDIR\fR\&.
+
+.TP
+gss\-spnego\-client
+Client\-side helper that implements GSS\-SPNEGO\&. This also uses a protocol similar to the above helpers, but is currently undocumented\&.
+
+.TP
+ntlm\-server\-1
+Server\-side helper protocol, intended for use by a RADIUS server or the 'winbind' plugin for pppd, for the provision of MSCHAP and MSCHAPv2 authentication\&.
+
+This protocol consists of lines in for form: \fBParameter: value\fR and \fBParamter:: Base64\-encode value\fR\&. The presence of a single period \fB\&.\fR indicates that one side has finished supplying data to the other\&. (Which in turn could cause the helper to authenticate the user)\&.
+
+Curently implemented parameters from the external program to the helper are:
+
+.RS
+
+.TP
+Username
+The username, expected to be in Samba's unix charset\&.
+
+Example 1. Username: bob
+
+Example 2. Username:: Ym9i
+
+.TP
+Username
+The user's domain, expected to be in Samba's unix charset\&.
+
+Example 3. Domain: WORKGROUP
+
+Example 4. Domain:: V09SS0dST1VQ
+
+.TP
+Full\-Username
+The fully qualified username, expected to be in Samba's and qualified with the winbind separator\&.
+
+Example 5. Full\-Username: WORKGROUP\\bob
+
+Example 6. Full\-Username:: V09SS0dST1VQYm9i
+
+.TP
+LANMAN\-Challenge
+The 8 byte \fBLANMAN Challenge\fR value, generated randomly by the server, or (in cases such as MSCHAPv2) generated in some way by both the server and the client\&.
+
+Example 7. LANMAN\-Challege: 0102030405060708
+
+.TP
+LANMAN\-Response
+The 24 byte \fBLANMAN Response\fR value, calculated from the user's password and the supplied \fBLANMAN Challenge\fR\&. Typically, this is provided over the network by a client wishing to authenticate\&.
+
+Example 8. LANMAN\-Response: 0102030405060708090A0B0C0D0E0F101112131415161718
+
+.TP
+NT\-Response
+The >= 24 byte \fBNT Response\fR calculated from the user's password and the supplied \fBLANMAN Challenge\fR\&. Typically, this is provided over the network by a client wishing to authenticate\&.
+
+Example 9. NT\-Response: 0102030405060708090A0B0C0D0E0F101112131415161718
+
+.TP
+Password
+The user's password\&. This would be provided by a network client, if the helper is being used in a legacy situation that exposes plaintext passwords in this way\&.
+
+Example 10. Password: samba2
+
+Example 11. Password:: c2FtYmEy
+
+.TP
+Request\-User\-Session\-Key
+Apon sucessful authenticaiton, return the user session key associated with the login\&.
+
+Example 12. Request\-User\-Session\-Key: Yes
+
+.TP
+Request\-LanMan\-Session\-Key
+Apon sucessful authenticaiton, return the LANMAN session key associated with the login\&.
+
+Example 13. Request\-LanMan\-Session\-Key: Yes
+.RS .Sh "Warning" Implementors should take care to base64 encode any data (such as usernames/passwords) that may contain malicous user data, such as a newline\&. They may also need to decode strings from the helper, which likewise may have been base64 encoded\&. .RE
+
+.RE
+.IP
+
+.RE
+.IP
+
+.TP
+\-\-username=USERNAME
+Specify username of user to authenticate
+
+.TP
+\-\-domain=DOMAIN
+Specify domain of user to authenticate
+
+.TP
+\-\-workstation=WORKSTATION
+Specify the workstation the user authenticated from
+
+.TP
+\-\-challenge=STRING
+NTLM challenge (in HEXADECIMAL)
+
+.TP
+\-\-lm\-response=RESPONSE
+LM Response to the challenge (in HEXADECIMAL)
+
+.TP
+\-\-nt\-response=RESPONSE
+NT or NTLMv2 Response to the challenge (in HEXADECIMAL)
+
+.TP
+\-\-password=PASSWORD
+User's plaintext password
+
+If not specified on the command line, this is prompted for when required\&.
+
+For the NTLMSSP based server roles, this paramter specifies the expected password, allowing testing without winbindd operational\&.
+
+.TP
+\-\-request\-lm\-key
+Retreive LM session key
+
+.TP
+\-\-request\-nt\-key
+Request NT key
+
+.TP
+\-\-diagnostics
+Perform Diagnostics on the authentication chain\&. Uses the password from \fB\-\-password\fR or prompts for one\&.
+
+.TP
+\-\-require\-membership\-of={SID|Name}
+Require that a user be a member of specified group (either name or SID) for authentication to succeed\&.
+
+.TP
+\-V
+Prints the program version number\&.
+
+.TP
+\-s <configuration file>
+The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See \fIsmb\&.conf\fR for more information\&. The default configuration file name is determined at compile time\&.
+
+.TP
+\-d|\-\-debuglevel=level
+\fIlevel\fR is an integer from 0 to 10\&. The default value if this parameter is not specified is zero\&.
+
+The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
+
+Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
+
+Note that specifying this parameter here will override the parameter in the \fIsmb\&.conf\fR file\&.
+
+.TP
+\-l|\-\-logfile=logdirectory
+Base directory name for log/debug files\&. The extension \fB"\&.progname"\fR will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&.
+
+.TP
+\-h|\-\-help
+Print a summary of command line options\&.
+
+.SH "EXAMPLE SETUP"
+
+.PP
+To setup ntlm_auth for use by squid 2\&.5, with both basic and NTLMSSP authentication, the following should be placed in the \fIsquid\&.conf\fR file\&.
+.nf
+
+auth_param ntlm program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-ntlmssp
+auth_param basic program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-basic
+auth_param basic children 5
+auth_param basic realm Squid proxy\-caching web server
+auth_param basic credentialsttl 2 hours
+.fi
+
+
+.RS
+.Sh "Note"
+
+.PP
+This example assumes that ntlm_auth has been installed into your path, and that the group permissions on \fIwinbindd_privileged\fR are as described above\&.
+
+.RE
+
+.PP
+To setup ntlm_auth for use by squid 2\&.5 with group limitation in addition to the above example, the following should be added to the \fIsquid\&.conf\fR file\&.
+.nf
+
+auth_param ntlm program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-ntlmssp \-\-require\-membership\-of='WORKGROUP\\Domain Users'
+auth_param basic program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-basic \-\-require\-membership\-of='WORKGROUP\\Domain Users'
+.fi
+
+
+.SH "TROUBLESHOOTING"
+
+.PP
+If you're experiencing problems with authenticating Internet Explorer running under MS Windows 9X or Millenium Edition against ntlm_auth's NTLMSSP authentication helper (\-\-helper\-protocol=squid\-2\&.5\-ntlmssp), then please readthe Microsoft Knowledge Base article #239869 and follow instructions described there\&.
+
+.SH "VERSION"
+
+.PP
+This man page is correct for version 3\&.0 of the Samba suite\&.
+
+.SH "AUTHOR"
+
+.PP
+The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
+
+.PP
+The ntlm_auth manpage was written by Jelmer Vernooij and Andrew Bartlett\&.
+
projects / samba / blobdiff