NTAuth - External Authentication Module for Windows User Database
NB: This authentication module is currently in beta form only!
NTAuth is an external authentication program that uses Netwin's
External Authentication Protocol. Documentation on this protocol
can be found in the User Administration section of this
DMail Manual.
NTAuth accesses the Windows operating system user database, i.e. the OS's own user accounts, which you
would normally administer with a tool such as User Manager.
NTAuth has been designed to replace the 'nt_user' option of the
authent_method dmail.conf setting. It
allows DMail to run an external authentication module while still authenticating against Windows user accounts.
It also allows our web admin tool,
NetAuth, to be used to administer Windows user accounts.
To install NTAuth, set
authent_method external
authent_process c:\dmail\ntauth.exe
in your c:\winnt\system32\dmail.conf file and restart both DSMTP and DPOP. Because ntauth is launched by
DSMTP and DPOP, the account those services run under must hold the rights needed to manage user accounts
on the host (otherwise you will see the "Incorrect Privilege" error described below).
We suggest that you edit the ntauth.ini file first and then test ntauth from a command prompt before pointing
DMail at it. For example, the following session adds a user called bob and checks that he can be looked up
and 'checked' (authenticated):
c:
cd \dmail
ntauth
set bob secret
lookup bob
check bob secret
quit
Note that 'set' creates a real account in the Windows user database of the configured host, not a test
record, so do this on a test machine or remove the account afterwards with the del command, and use a
throwaway password since it is typed in clear text.
NTAuth has been designed to work with Windows NT and Windows 2000.
On this page ...
- 1. Ini Settings.
- 2. Error codes.
- 3. Output.
- 4. Download and History.
1. Ini Settings
Although you can put the ntauth.ini file in the same directory as the ntauth executable, e.g. c:\dmail\, we
recommend that you ensure your machine has only one copy of the file and that you put it in the system32 directory as
c:\winnt\system32\ntauth.ini
ntauth looks in its own directory first and falls back to system32 (see History, 1.0d), so a stray copy next to
the executable would silently override the system32 one.
An example ntauth.ini file is shown at the end of this section.
The ini file allows you to specify any of the following settings:
path <path>   | Sets the directory ntauth loads its ini file from, and also where
              | the log file is created. For example, running "ntauth -path \here"
              | loads \here\ntauth.ini; if that file in turn contains a path setting,
              | ntauth creates its log file in that directory instead.
log <level>   | Can be used as just "log", or with a level: "log debug" (or -log debug
              | on the command line). Valid levels are error, info and debug.
debug         | Runs ntauth with logging set to debug; equivalent to "log debug" or
              | -log debug.
group <name>  | The group that created users will belong to. The group must already
              | exist on the host the users are added to. This is a group name, or
              | on Unix a GID.
script_path   | Directory for the script files; any script setting must exist in
              | this path. There is no default: if no setting is found, script
              | settings are taken relative to the root.
host <name>   | The host on which users are added, deleted and verified (NT only).
              | Since 1.0g ntauth prepends \\ if the ini file omits it; earlier
              | versions fail the lookup command without it (see History below).
EXAMPLE NT ini file <ntauth.ini>
path c:\dmail
log error
host internet.mail.com
group Guests
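As an added check (example code written for this page, not part of ntauth or DMail), the following Python script parses an ntauth.ini in the "setting value" form shown above and reports the things this section and the history warn about: a second copy of the file, a host without the leading \\, an invalid log level, debug logging left on, and a group setting that would put every account created by the set command into a privileged group. The candidate paths, the list of privileged groups and the BAD_INI sample are this example's assumptions; PAGE_INI is the example file from this page.

```python
"""Parse an ntauth.ini ('setting value', one per line) and flag the things this page
warns about. Added example for this manual page, not part of ntauth."""
import os
from typing import Callable, Dict, List

LOG_LEVELS = {"error", "info", "debug"}
# Groups whose membership would hand every account created by 'set' real privileges
# on the host. This list is the example's own assumption, not one from the page.
PRIVILEGED_GROUPS = {"administrators", "account operators", "server operators",
                     "backup operators", "power users", "domain admins"}
# The two locations the page discusses; system32 is the recommended one.
CANDIDATE_INI = [r"c:\winnt\system32\ntauth.ini", r"c:\dmail\ntauth.ini"]


def parse_ini(text: str) -> Dict[str, str]:
    """One 'setting value' per line; bare flags such as 'debug' or 'log' get ''."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings


def check_settings(s: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    host = s.get("host")
    if host is None:
        findings.append("no host setting: ntauth falls back to the local machine name "
                        "from the registry, so users are managed on this box only")
    elif not host.startswith("\\\\"):
        findings.append("host %r lacks the leading \\\\: 1.0g adds it for you, earlier "
                        "versions fail the lookup command without it" % host)
    log = s.get("log", "")
    if log and log not in LOG_LEVELS:
        findings.append("log level %r is not one of error/info/debug" % log)
    if "debug" in s or log == "debug":
        findings.append("debug logging is on; turn it off once testing is finished")
    group = s.get("group")
    if not group:
        findings.append("no group setting: check which group (if any) created users "
                        "land in; the page's example uses Guests")
    elif group.lower() in PRIVILEGED_GROUPS:
        findings.append("group %r is privileged: every mail user created by 'set' would "
                        "get it; use a low-privilege group such as Guests" % group)
    return findings


def find_ini_copies(candidates: List[str] = CANDIDATE_INI,
                    exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """The page asks for exactly one copy; 'exists' is injectable so this runs offline."""
    return [p for p in candidates if exists(p)]


def audit(text: str, candidates: List[str] = CANDIDATE_INI,
          exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    findings = check_settings(parse_ini(text))
    copies = find_ini_copies(candidates, exists)
    if len(copies) > 1:
        findings.append("more than one ntauth.ini (%s): keep a single copy in system32"
                        % ", ".join(copies))
    return findings


# The ini file from this page, and a constructed bad one for contrast.
PAGE_INI = "path c:\\dmail\nlog error\nhost internet.mail.com\ngroup Guests\n"
BAD_INI = "path c:\\dmail\nlog verbose\ndebug\nhost mail01\ngroup Administrators\n"

if __name__ == "__main__":
    for name, text in (("page example", PAGE_INI), ("bad example", BAD_INI)):
        print(name, audit(text) or ["no findings"])
```

Run it on the real box with the default arguments and it also checks the two candidate paths on disk; with an injected exists function it runs anywhere, which is how the samples above are exercised.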
2. Error codes
These errors were written to be descriptive enough that you can solve the problem
without too much hassle. If you are completely stumped and have no idea why you are
receiving an error then it could be our fault entirely :-), so simply email the error
and what you were trying to do to "Sysauth Help"
<support-netauth@netwinsite.com>.
"-ERR ##:Unknown error has occurred."
There was an error. We need the error number ## to determine what went
wrong.
"-ERR Not a valid command (nocommand) use help"
You didn't enter a command.
"-ERR Not a valid command (<command>) use "help""
You entered <command> which was not recognised by ntauth as a valid
command.
"-DEAD Unable to open {<file>,<reason>}"
Sysauth couldn't open a required file <file> for <reason>.
"-DEAD Unable to close log file {<reason>}"
Sysauth could not close its log file for <reason>.
"-ERR Group %s does not exist."
The group specified to add users to didn't exist.
"-ERR User was already a member of group %s."
The user already belongs to the group specified.
"-ERR ##:Unknown group error."
There was an error adding the new user to a group. We need the error
number ## to determine the error.
The following four messages come straight from the Windows account-management API. They
normally mean that the account DSMTP and DPOP (and hence ntauth) run under lacks the rights
to manage accounts on the target host, that the operation was attempted against a backup
rather than the primary domain controller, or that Windows refused the operation on the
current group or on the last administrative account:
"-ERR The user does not have access to the requested information."
"-ERR The operation is allowed only on the primary domain controller of the domain."
"-ERR This operation is not allowed while you are a member or your current group."
"-ERR This operation is not allowed on the last administrative account."
"-ERR Incorrect Privilege (Dmail setup may be incorrect)."
The privilege required to carry out the command is not held by the account ntauth is running under.
"-ERR The computer name is invalid."
The computer specified by the "host" setting cannot be found.
"-ERR The group already exists."
A group by that name exists.
"-ERR The password is shorter than required."
The password supplied is too short.
"-ERR The password is invalid."
The password is incorrect.
"-ERR User account not found."
The user account does not exist.
"-ERR Home directory must contain a drive letter."
Home directory has to contain a drive letter specifying the drive on
which it exists.
"-ERR Home directory must exist."
Home directory must exist.
"-ERR Script must exist."
The script specified does not exist.
"-ERR Setting %s incorrect"
Format for the setting was incorrect. Use setting="value".
"-ERR Parameter ## is in error."
The user information parameter ## is incorrect; see below.
If you receive any of the following errors then we have probably fouled
something up, please email us the error at
"Sysauth Help" <support-netauth@netwinsite.com>
1. "-ERR Username invalid."
2. "-ERR Password invalid."
3. "-ERR Password age invalid."
4. "-ERR Privilage invalid."
5. "-ERR Home directory invalid."
6. "-ERR Comment invlaid."
7. "-ERR Flags invalid."
8. "-ERR Script path invalid."
If you receive any of the following UNICODE errors then again we have
made a mess of something, please email us the error at
"Sysauth Help" <support-netauth@netwinsite.com>
"-ERR Unable to convert to unicode, insufficient buffer space."
"-ERR Unable to convert to unicode, invalid flags."
"-ERR Unable to convert to unicode, invalid parameter."
"-ERR Unable to convert to unicode, no possible translation."
"-ERR ##:Unable to convert to unicode."
3. Output
The reply messages are part of the Netwin standard External Authentication Protocol. Every reply line
starts with +OK, +DATA, -ERR or -DEAD; commands that return several items send +DATA lines followed by
a closing +OK line.
Command | Message
set     | +OK User <name> added to the database
del     | +OK Deleted user successfully
lookup  | +OK <user> config 0 <info>
        | -ERR <user> password wrong or not a valid user
check   | +OK <user> config 0 <info>
search  | +DATA ...
        | +DATA ...
        | +OK search complete <number> items found
version | +OK NT Auth version <version number>
help    | +DATA Valid commands
        | +DATA <command>
        | +DATA <command>
        | +DATA <command>
        | +OK
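Putting the command set from the installation section's test session (set bob secret / lookup bob / check bob secret) together with the reply formats in the table above, here is an added example (written for this page, not Netwin code) of a small Python driver that talks to an external authentication module over its stdin/stdout, reads each reply until the closing +OK, -ERR or -DEAD line, and refuses to send a name or password that could break the line-oriented command framing. The exe path in spawn and the replies in CANNED are assumptions: the replies are constructed from the table above rather than captured from a real ntauth run, and the <info> field of lookup is assumed to be the user name.

```python
"""Drive a Netwin External Authentication Protocol module (e.g. ntauth.exe) over its
stdin/stdout and parse the +OK / +DATA / -ERR / -DEAD replies. Added example for
this manual page, not Netwin code."""
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

OK, DATA, ERR, DEAD = "+OK", "+DATA", "-ERR", "-DEAD"
Reply = Tuple[str, str, List[str]]  # (status, message, collected +DATA lines)


class AuthModuleDead(Exception):
    """-DEAD (or a closed pipe): the module hit a fatal condition; do not continue."""


def read_reply(readline: Callable[[], str]) -> Reply:
    """Read one complete reply: zero or more +DATA lines, then exactly one terminal
    +OK / -ERR / -DEAD line (the shape of the search and help replies above)."""
    data: List[str] = []
    while True:
        raw = readline()
        if raw == "":
            raise AuthModuleDead("module closed the pipe before finishing its reply")
        line = raw.rstrip("\r\n")
        if line.startswith(DATA):
            data.append(line[len(DATA):].strip())
            continue
        for status in (OK, ERR, DEAD):
            if line.startswith(status):
                return status, line[len(status):].strip(), data
        raise AuthModuleDead("unrecognised reply line: %r" % line)


def safe_token(value: str) -> str:
    """Commands are single whitespace-separated lines, so a name or password with
    whitespace or control characters would be misparsed, and an embedded newline
    would smuggle a second command (say, a 'set') into the module. Reject them."""
    if not value or any(c.isspace() or ord(c) < 32 for c in value):
        raise ValueError("name/password must not contain whitespace or control characters")
    return value


class AuthModule:
    def __init__(self, readline: Callable[[], str], write: Callable[[str], None]):
        self._readline, self._write = readline, write

    def command(self, *words: str) -> Reply:
        self._write(" ".join(safe_token(w) for w in words) + "\n")
        status, msg, data = read_reply(self._readline)
        if status == DEAD:
            raise AuthModuleDead(msg)
        return status, msg, data

    def set_user(self, user: str, password: str) -> bool:
        return self.command("set", user, password)[0] == OK

    def check(self, user: str, password: str) -> bool:
        return self.command("check", user, password)[0] == OK

    def lookup(self, user: str) -> Optional[str]:
        """Return the <info> part of '+OK <user> config 0 <info>', or None on -ERR."""
        status, msg, _ = self.command("lookup", user)
        if status != OK:
            return None
        parts = msg.split(" ", 3)
        return parts[3] if len(parts) == 4 else ""

    def search(self, pattern: str) -> List[str]:
        """+DATA items are collected until '+OK search complete N items found'."""
        status, _, data = self.command("search", pattern)
        return data if status == OK else []


def spawn(exe: str = r"c:\dmail\ntauth.exe") -> AuthModule:
    """Attach to the real module; the path is an assumption (your authent_process)."""
    proc = subprocess.Popen([exe], stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            text=True, bufsize=1)

    def write(s: str) -> None:
        proc.stdin.write(s)
        proc.stdin.flush()
    return AuthModule(proc.stdout.readline, write)


# Constructed replies modelled on the table above, not captured from a real ntauth;
# the <info> field is assumed to be the user name.
CANNED: Dict[str, List[str]] = {
    "set bob secret": ["+OK User bob added to the database"],
    "lookup bob": ["+OK bob config 0 bob"],
    "check bob secret": ["+OK bob config 0 bob"],
    "check bob wrong": ["-ERR bob password wrong or not a valid user"],
    "lookup nobody": ["-ERR User account not found."],
    "search b*": ["+DATA bob", "+DATA bill", "+OK search complete 2 items found"],
}


def canned_module(transcript: Dict[str, List[str]] = CANNED) -> AuthModule:
    """Offline stand-in: unknown commands answer -DEAD, exercising the fatal path."""
    queue: List[str] = []

    def write(s: str) -> None:
        queue.extend(r + "\n" for r in transcript.get(
            s.strip(), ["-DEAD Unable to open {ntauth.ini,No such file}"]))
    return AuthModule(lambda: queue.pop(0) if queue else "", write)


def demo(mod: Optional[AuthModule] = None) -> Dict[str, object]:
    """Replay the manual's test session plus a wrong password and an unknown user."""
    mod = mod or canned_module()
    return {"set": mod.set_user("bob", "secret"), "lookup": mod.lookup("bob"),
            "check_ok": mod.check("bob", "secret"), "check_bad": mod.check("bob", "wrong"),
            "missing": mod.lookup("nobody"), "search": mod.search("b*")}
```

To run the same session against the real module, call demo(spawn()) on a test machine; remember that set creates a real account there. The safe_token check is the part worth keeping in any production caller: whatever front end collects the password must not pass it to a line-oriented module unfiltered.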
4. Download and History
Generally you will find the latest download in with your distribution set. You can check which
version of ntauth you have by running it with the -version option at a command prompt, e.g.,
c:\dmail\ntauth -version
If we put a download on the site for a version, it will be listed in the history below as a link, e.g.
ntauth10i.exe
History:
4 Jan 2001 TRW 1.0i
- ntauth now looks for system32\ntauth.ini instead of unixauth.ini!
12 Dec 2000 TRW 1.0g
- made host setting add \\ on front if not given in ini file. Without them the lookup command fails for
users where the check command succeeds!
- change myfree define so that it does not try to free a null.
- fixed bug in get_hostname when no host ini setting, failed to get from registry because
not using unicode version of key location string.
- fixed fatal bug in get_hostname, could return "" static instead of malloc'd space when no
host setting set, so free of "" caused death.
12 Dec 2000 TRW 1.0f
- added -version command line option.
4 Dec 2000 TRW 1.0d
- make unixauth use /etc/unixauth.ini or SYSTEM_DIR\ntauth.ini if can't find one in same directory.
- fixed set_logfile so does not call myfopen as causes dmsg loop
- added logging to stdout only when -debug is called at command line.
24 Nov 2000 TRW 1.0c
- fixed so 'debug' in log by itself sets loglevel to debug
- added defaults for, script_path and shadow_file
- added myfree for sfile in clear_ini
- Fixed BUG: where multiple responses were being given with a done_neg_msg static, e.g.
-DEAD Unable to open shadow file {(null),Bad address}
-ERR User tam does not exist or password incorrect.
05-10-2000: RMH: 1.0b
- Bug in NT build where it didn't output the result from a set.
- Bug in NT build where it produced an error and then continued to work.
1.0a 14 Aug 2000 (also in dmail 2.8 versions)