[thirdparty/squid.git] / src / auth / ntlm / SSPI / ntlm_sspi_auth.8

.if !'po4a'hide' .TH ntlm_sspi_auth.exe 8
.
.SH NAME
ntlm_sspi_auth.exe \- Native Windows NTLM/NTLMv2 authenticator for Squid
.PP
Version 1.22
.
.SH SYNOPSIS
.if !'po4a'hide' .B ntlm_sspi_auth.exe
.if !'po4a'hide' .B "[\-dhv] [\-A "
Group Name
.if !'po4a'hide' .B "] [\-D "
Group Name
.if !'po4a'hide' .B "]"
.
.SH DESCRIPTION
.B ntlm_sspi_auth.exe
is an installed binary built on Windows systems. It provides native access to the
Security Service Provider Interface of Windows for authenticating with NTLM / NTLMv2.
It has automatic support for NTLM NEGOTIATE packets.
.
.SH OPTIONS
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-A
Specify a Windows Local Group name allowed to authenticate.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-d
Write debug info to stderr.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-D
Specify a Windows Local Group name which is to be denied authentication.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-h
Display the binary help and command line syntax info using stderr.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-v
Enables verbose NTLM packet debugging.
.
.SH CONFIGURATION
.PP
.B Allowing Users
.PP
Users that are allowed to access the web proxy must have the Windows NT
User Rights "logon from the network".
.PP
Optionally the authenticator can verify the NT LOCAL group membership of
the user against the User Group specified in the Authenticator's command
line.
.PP
This can be accomplished creating a local user group on the NT machine,
grant the privilege, and adding users to it, it works only with MACHINE
Local Groups, not Domain Local Groups.
.PP
Better group checking is available with external ACL, see 
.B ext_ad_group_acl.exe
documentation.
.PP
.B squid.conf
typical minimal required changes:
.if !'po4a'hide' .RS
.if !'po4a'hide' .B auth_param ntlm program c:/squid/libexec/ntlm_sspi_auth.exe
.if !'po4a'hide' .B auth_param ntlm children 5
.if !'po4a'hide' .br
.if !'po4a'hide' .B acl password proxy_auth REQUIRED
.if !'po4a'hide' .br
.if !'po4a'hide' .B http_access allow password
.if !'po4a'hide' .B http_access deny all
.if !'po4a'hide' .RE
.
.PP
Refer to Squid documentation for more details.
.
.PP
Internet Explorer has some problems with 
.B ftp:// 
URLs when handling internal Squid FTP icons.
The following 
.B squid.conf 
ACL works around this when placed before the authentication ACL:
.if !'po4a'hide' .RS
.if !'po4a'hide' .B acl internal_icons urlpath_regex \-i /squid-internal-static/icons/
.if !'po4a'hide' .br
.if !'po4a'hide' .B http_access allow our_networks internal_icons
.if !'po4a'hide' .RE
.
.SH AUTHOR
This program was written by
.if !'po4a'hide' .I Guido Serassio <guido.serassio@acmeconsulting.it>
.PP
Based on prior work in by
.if !'po4a'hide' .I Francesco Chemolli <kinkie@squid-cache.org>
.if !'po4a'hide' .I Robert Collins <lifeless@squid-cache.org>
.PP
This manual was written by
.if !'po4a'hide' .I Guido Serassio <guido.serassio@acmeconsulting.it>
.if !'po4a'hide' .I Amos Jeffries <amosjeffries@squid-cache.org>
.
.SH COPYRIGHT
.PP
 * Copyright (C) 1996-2020 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
.PP
This program and documentation is copyright to the authors named above.
.PP
Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).
.
.SH QUESTIONS
Questions on the usage of this program can be sent to the
.I Squid Users mailing list
.if !'po4a'hide' <squid-users@lists.squid-cache.org>
.
.SH REPORTING BUGS
Bug reports need to be made in English.
See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
.PP
Report bugs or bug fixes using http://bugs.squid-cache.org/
.PP
Report serious security bugs to
.I Squid Bugs <squid-bugs@lists.squid-cache.org>
.PP
Report ideas for new improvements to the
.I Squid Developers mailing list
.if !'po4a'hide' <squid-dev@lists.squid-cache.org>
.
.SH SEE ALSO
.if !'po4a'hide' .BR squid "(8), "
.if !'po4a'hide' .BR GPL "(7), "
.br
The Squid FAQ wiki
.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq
.br
The Squid Configuration Manual
.if !'po4a'hide' http://www.squid-cache.org/Doc/config/
Commit	Line	Data
	1	.if !'po4a'hide' .TH ntlm_sspi_auth.exe 8
	2	.
	3	.SH NAME
	4	ntlm_sspi_auth.exe \- Native Windows NTLM/NTLMv2 authenticator for Squid
	5	.PP
	6	Version 1.22
	7	.
	8	.SH SYNOPSIS
	9	.if !'po4a'hide' .B ntlm_sspi_auth.exe
	10	.if !'po4a'hide' .B "[\-dhv] [\-A "
	11	Group Name
	12	.if !'po4a'hide' .B "] [\-D "
	13	Group Name
	14	.if !'po4a'hide' .B "]"
	15	.
	16	.SH DESCRIPTION
	17	.B ntlm_sspi_auth.exe
	18	is an installed binary built on Windows systems. It provides native access to the
	19	Security Service Provider Interface of Windows for authenticating with NTLM / NTLMv2.
	20	It has automatic support for NTLM NEGOTIATE packets.
	21	.
	22	.SH OPTIONS
	23	.if !'po4a'hide' .TP 12
	24	.if !'po4a'hide' .B \-A
	25	Specify a Windows Local Group name allowed to authenticate.
	26	.
	27	.if !'po4a'hide' .TP
	28	.if !'po4a'hide' .B \-d
	29	Write debug info to stderr.
	30	.
	31	.if !'po4a'hide' .TP
	32	.if !'po4a'hide' .B \-D
	33	Specify a Windows Local Group name which is to be denied authentication.
	34	.
	35	.if !'po4a'hide' .TP
	36	.if !'po4a'hide' .B \-h
	37	Display the binary help and command line syntax info using stderr.
	38	.
	39	.if !'po4a'hide' .TP
	40	.if !'po4a'hide' .B \-v
	41	Enables verbose NTLM packet debugging.
	42	.
	43	.SH CONFIGURATION
	44	.PP
	45	.B Allowing Users
	46	.PP
	47	Users that are allowed to access the web proxy must have the Windows NT
	48	User Rights "logon from the network".
	49	.PP
	50	Optionally the authenticator can verify the NT LOCAL group membership of
	51	the user against the User Group specified in the Authenticator's command
	52	line.
	53	.PP
	54	This can be accomplished creating a local user group on the NT machine,
	55	grant the privilege, and adding users to it, it works only with MACHINE
	56	Local Groups, not Domain Local Groups.
	57	.PP
	58	Better group checking is available with external ACL, see
	59	.B ext_ad_group_acl.exe
	60	documentation.
	61	.PP
	62	.B squid.conf
	63	typical minimal required changes:
	64	.if !'po4a'hide' .RS
	65	.if !'po4a'hide' .B auth_param ntlm program c:/squid/libexec/ntlm_sspi_auth.exe
	66	.if !'po4a'hide' .B auth_param ntlm children 5
	67	.if !'po4a'hide' .br
	68	.if !'po4a'hide' .B acl password proxy_auth REQUIRED
	69	.if !'po4a'hide' .br
	70	.if !'po4a'hide' .B http_access allow password
	71	.if !'po4a'hide' .B http_access deny all
	72	.if !'po4a'hide' .RE
	73	.
	74	.PP
	75	Refer to Squid documentation for more details.
	76	.
	77	.PP
	78	Internet Explorer has some problems with
	79	.B ftp://
	80	URLs when handling internal Squid FTP icons.
	81	The following
	82	.B squid.conf
	83	ACL works around this when placed before the authentication ACL:
	84	.if !'po4a'hide' .RS
	85	.if !'po4a'hide' .B acl internal_icons urlpath_regex \-i /squid-internal-static/icons/
	86	.if !'po4a'hide' .br
	87	.if !'po4a'hide' .B http_access allow our_networks internal_icons
	88	.if !'po4a'hide' .RE
	89	.
	90	.SH AUTHOR
	91	This program was written by
	92	.if !'po4a'hide' .I Guido Serassio <guido.serassio@acmeconsulting.it>
	93	.PP
	94	Based on prior work in by
	95	.if !'po4a'hide' .I Francesco Chemolli <kinkie@squid-cache.org>
	96	.if !'po4a'hide' .I Robert Collins <lifeless@squid-cache.org>
	97	.PP
	98	This manual was written by
	99	.if !'po4a'hide' .I Guido Serassio <guido.serassio@acmeconsulting.it>
	100	.if !'po4a'hide' .I Amos Jeffries <amosjeffries@squid-cache.org>
	101	.
	102	.SH COPYRIGHT
	103	.PP
	104	* Copyright (C) 1996-2020 The Squid Software Foundation and contributors
	105	*
	106	* Squid software is distributed under GPLv2+ license and includes
	107	* contributions from numerous individuals and organizations.
	108	* Please see the COPYING and CONTRIBUTORS files for details.
	109	.PP
	110	This program and documentation is copyright to the authors named above.
	111	.PP
	112	Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).
	113	.
	114	.SH QUESTIONS
	115	Questions on the usage of this program can be sent to the
	116	.I Squid Users mailing list
	117	.if !'po4a'hide' <squid-users@lists.squid-cache.org>
	118	.
	119	.SH REPORTING BUGS
	120	Bug reports need to be made in English.
	121	See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
	122	.PP
	123	Report bugs or bug fixes using http://bugs.squid-cache.org/
	124	.PP
	125	Report serious security bugs to
	126	.I Squid Bugs <squid-bugs@lists.squid-cache.org>
	127	.PP
	128	Report ideas for new improvements to the
	129	.I Squid Developers mailing list
	130	.if !'po4a'hide' <squid-dev@lists.squid-cache.org>
	131	.
	132	.SH SEE ALSO
	133	.if !'po4a'hide' .BR squid "(8), "
	134	.if !'po4a'hide' .BR GPL "(7), "
	135	.br
	136	The Squid FAQ wiki
	137	.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq
	138	.br
	139	The Squid Configuration Manual
	140	.if !'po4a'hide' http://www.squid-cache.org/Doc/config/