[thirdparty/squid.git] / src / auth / ntlm / SSPI / ntlm_sspi_auth.8

.if !'po4a'hide' .TH ntlm_sspi_auth.exe 8
.
.SH NAME
ntlm_sspi_auth.exe \- Native Windows NTLM/NTLMv2 authenticator for Squid
.PP
Version 1.22
.
.SH SYNOPSIS
.if !'po4a'hide' .B ntlm_sspi_auth.exe
.if !'po4a'hide' .B "[\-dhv] [\-A "
Group Name
.if !'po4a'hide' .B "] [\-D "
Group Name
.if !'po4a'hide' .B "]"
.
.SH DESCRIPTION
.B ntlm_sspi_auth.exe
is an installed binary built on Windows systems. It provides native access to the
Security Service Provider Interface of Windows for authenticating with NTLM / NTLMv2.
It has automatic support for NTLM NEGOTIATE packets.
.
.SH OPTIONS
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-A
Specify a Windows Local Group name allowed to authenticate.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-d
Write debug info to stderr.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-D
Specify a Windows Local Group name which is to be denied authentication.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-h
Display the binary help and command line syntax info using stderr.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-v
Enables verbose NTLM packet debugging.
.
.SH CONFIGURATION
.PP
.B Allowing Users
.PP
Users that are allowed to access the web proxy must have the Windows NT
User Rights "logon from the network".
.PP
Optionally the authenticator can verify the NT LOCAL group membership of
the user against the User Group specified in the Authenticator's command
line.
.PP
This can be accomplished creating a local user group on the NT machine,
grant the privilege, and adding users to it, it works only with MACHINE
Local Groups, not Domain Local Groups.
.PP
Better group checking is available with external ACL, see 
.B ext_ad_group_acl.exe
documentation.
.PP
.B squid.conf
typical minimal required changes:
.if !'po4a'hide' .RS
.if !'po4a'hide' .B auth_param ntlm program c:/squid/libexec/ntlm_sspi_auth.exe
.if !'po4a'hide' .B auth_param ntlm children 5
.if !'po4a'hide' .br
.if !'po4a'hide' .B acl password proxy_auth REQUIRED
.if !'po4a'hide' .br
.if !'po4a'hide' .B http_access allow password
.if !'po4a'hide' .B http_access deny all
.if !'po4a'hide' .RE
.
.PP
Refer to Squid documentation for more details.
.
.PP
Internet Explorer has some problems with 
.B ftp:// 
URLs when handling internal Squid FTP icons.
The following 
.B squid.conf 
ACL works around this when placed before the authentication ACL:
.if !'po4a'hide' .RS
.if !'po4a'hide' .B acl internal_icons urlpath_regex \-i /squid-internal-static/icons/
.if !'po4a'hide' .br
.if !'po4a'hide' .B http_access allow our_networks internal_icons
.if !'po4a'hide' .RE
.
.SH AUTHOR
This program was written by
.if !'po4a'hide' .I Guido Serassio <guido.serassio@acmeconsulting.it>
.PP
Based on prior work in by
.if !'po4a'hide' .I Francesco Chemolli <kinkie@squid-cache.org>
.if !'po4a'hide' .I Robert Collins <lifeless@squid-cache.org>
.PP
This manual was written by
.if !'po4a'hide' .I Guido Serassio <guido.serassio@acmeconsulting.it>
.if !'po4a'hide' .I Amos Jeffries <amosjeffries@squid-cache.org>
.
.SH COPYRIGHT
.PP
 * Copyright (C) 1996-2020 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
.PP
This program and documentation is copyright to the authors named above.
.PP
Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).
.
.SH QUESTIONS
Questions on the usage of this program can be sent to the
.I Squid Users mailing list
.if !'po4a'hide' <squid-users@lists.squid-cache.org>
.
.SH REPORTING BUGS
Bug reports need to be made in English.
See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
.PP
Report bugs or bug fixes using http://bugs.squid-cache.org/
.PP
Report serious security bugs to
.I Squid Bugs <squid-bugs@lists.squid-cache.org>
.PP
Report ideas for new improvements to the
.I Squid Developers mailing list
.if !'po4a'hide' <squid-dev@lists.squid-cache.org>
.
.SH SEE ALSO
.if !'po4a'hide' .BR squid "(8), "
.if !'po4a'hide' .BR GPL "(7), "
.br
The Squid FAQ wiki
.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq
.br
The Squid Configuration Manual
.if !'po4a'hide' http://www.squid-cache.org/Doc/config/
Commit	Line	Data
bc25525a AJ	1	.if !'po4a'hide' .TH ntlm_sspi_auth.exe 8
	2	.
	3	.SH NAME
d632afde	4	ntlm_sspi_auth.exe \- Native Windows NTLM/NTLMv2 authenticator for Squid
bc25525a AJ	5	.PP
	6	Version 1.22
	7	.
	8	.SH SYNOPSIS
	9	.if !'po4a'hide' .B ntlm_sspi_auth.exe
	10	.if !'po4a'hide' .B "[\-dhv] [\-A "
	11	Group Name
	12	.if !'po4a'hide' .B "] [\-D "
	13	Group Name
	14	.if !'po4a'hide' .B "]"
	15	.
	16	.SH DESCRIPTION
	17	.B ntlm_sspi_auth.exe
	18	is an installed binary built on Windows systems. It provides native access to the
	19	Security Service Provider Interface of Windows for authenticating with NTLM / NTLMv2.
	20	It has automatic support for NTLM NEGOTIATE packets.
	21	.
	22	.SH OPTIONS
	23	.if !'po4a'hide' .TP 12
06fcded4 AJ	24	.if !'po4a'hide' .B \-A
	25	Specify a Windows Local Group name allowed to authenticate.
	26	.
	27	.if !'po4a'hide' .TP
bc25525a AJ	28	.if !'po4a'hide' .B \-d
bc25525a AJ	29	Write debug info to stderr.
06fcded4 AJ	30	.
	31	.if !'po4a'hide' .TP
	32	.if !'po4a'hide' .B \-D
	33	Specify a Windows Local Group name which is to be denied authentication.
	34	.
	35	.if !'po4a'hide' .TP
bc25525a AJ	36	.if !'po4a'hide' .B \-h
bc25525a AJ	37	Display the binary help and command line syntax info using stderr.
06fcded4 AJ	38	.
06fcded4 AJ	39	.if !'po4a'hide' .TP
bc25525a AJ	40	.if !'po4a'hide' .B \-v
bc25525a AJ	41	Enables verbose NTLM packet debugging.
bc25525a AJ	42	.
bc25525a AJ	43	.SH CONFIGURATION
06fcded4 AJ	44	.PP
06fcded4 AJ	45	.B Allowing Users
bc25525a AJ	46	.PP
	47	Users that are allowed to access the web proxy must have the Windows NT
	48	User Rights "logon from the network".
	49	.PP
	50	Optionally the authenticator can verify the NT LOCAL group membership of
	51	the user against the User Group specified in the Authenticator's command
	52	line.
	53	.PP
	54	This can be accomplished creating a local user group on the NT machine,
	55	grant the privilege, and adding users to it, it works only with MACHINE
	56	Local Groups, not Domain Local Groups.
	57	.PP
06fcded4 AJ	58	Better group checking is available with external ACL, see
06fcded4 AJ	59	.B ext_ad_group_acl.exe
bc25525a AJ	60	documentation.
	61	.PP
	62	.B squid.conf
	63	typical minimal required changes:
	64	.if !'po4a'hide' .RS
06fcded4 AJ	65	.if !'po4a'hide' .B auth_param ntlm program c:/squid/libexec/ntlm_sspi_auth.exe
	66	.if !'po4a'hide' .B auth_param ntlm children 5
	67	.if !'po4a'hide' .br
	68	.if !'po4a'hide' .B acl password proxy_auth REQUIRED
	69	.if !'po4a'hide' .br
	70	.if !'po4a'hide' .B http_access allow password
	71	.if !'po4a'hide' .B http_access deny all
	72	.if !'po4a'hide' .RE
bc25525a	73	.
e1b65506 AJ	74	.PP
e1b65506 AJ	75	Refer to Squid documentation for more details.
bc25525a AJ	76	.
	77	.PP
	78	Internet Explorer has some problems with
	79	.B ftp://
	80	URLs when handling internal Squid FTP icons.
	81	The following
	82	.B squid.conf
	83	ACL works around this when placed before the authentication ACL:
	84	.if !'po4a'hide' .RS
06fcded4 AJ	85	.if !'po4a'hide' .B acl internal_icons urlpath_regex \-i /squid-internal-static/icons/
	86	.if !'po4a'hide' .br
	87	.if !'po4a'hide' .B http_access allow our_networks internal_icons
	88	.if !'po4a'hide' .RE
bc25525a AJ	89	.
	90	.SH AUTHOR
	91	This program was written by
	92	.if !'po4a'hide' .I Guido Serassio <guido.serassio@acmeconsulting.it>
	93	.PP
	94	Based on prior work in by
	95	.if !'po4a'hide' .I Francesco Chemolli <kinkie@squid-cache.org>
	96	.if !'po4a'hide' .I Robert Collins <lifeless@squid-cache.org>
	97	.PP
	98	This manual was written by
	99	.if !'po4a'hide' .I Guido Serassio <guido.serassio@acmeconsulting.it>
	100	.if !'po4a'hide' .I Amos Jeffries <amosjeffries@squid-cache.org>
	101	.
	102	.SH COPYRIGHT
ca02e0ec	103	.PP
77b1029d	104	* Copyright (C) 1996-2020 The Squid Software Foundation and contributors
ca02e0ec AJ	105	*
	106	* Squid software is distributed under GPLv2+ license and includes
	107	* contributions from numerous individuals and organizations.
	108	* Please see the COPYING and CONTRIBUTORS files for details.
	109	.PP
bc25525a AJ	110	This program and documentation is copyright to the authors named above.
	111	.PP
	112	Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).
	113	.
	114	.SH QUESTIONS
	115	Questions on the usage of this program can be sent to the
	116	.I Squid Users mailing list
8311b837	117	.if !'po4a'hide' <squid-users@lists.squid-cache.org>
bc25525a AJ	118	.
	119	.SH REPORTING BUGS
	120	Bug reports need to be made in English.
	121	See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
	122	.PP
	123	Report bugs or bug fixes using http://bugs.squid-cache.org/
	124	.PP
	125	Report serious security bugs to
8311b837	126	.I Squid Bugs <squid-bugs@lists.squid-cache.org>
bc25525a AJ	127	.PP
	128	Report ideas for new improvements to the
	129	.I Squid Developers mailing list
8311b837	130	.if !'po4a'hide' <squid-dev@lists.squid-cache.org>
bc25525a AJ	131	.
	132	.SH SEE ALSO
	133	.if !'po4a'hide' .BR squid "(8), "
	134	.if !'po4a'hide' .BR GPL "(7), "
	135	.br
	136	The Squid FAQ wiki
	137	.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq
	138	.br
	139	The Squid Configuration Manual
	140	.if !'po4a'hide' http://www.squid-cache.org/Doc/config/