author Andrew Bartlett <abartlet@samba.org> 2022-04-12 12:23:54 +1200
committer Andrew Bartlett <abartlet@samba.org> 2022-05-02 23:15:37 +0000
commit e93d73b618797565dec66b31de961dc062264bd2
tree 804ab981059db71f34e138aa3417b6125ca0d6f2
parent 54c6cf8666b073818301d3a71a37453b44e57b5c
docs: Explain the impact of "ntlm auth = disabled" on simple bind forwarding
An RODC will forward an LDAP Simple bind, just like any other authentication, when the password is not present locally. If the full DC does not support NTLMv2 authentication this forwarded password will be rejected. A future Samba version should prefer Kerberos or send the plaintext, but we can not change the MS Windows behaviour, so we document this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
-rw-r--r-- docs-xml/smbdotconf/security/ntlmauth.xml | 7 +
1 file changed, 7 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
index 9fa3d5c1ce5..84b3488e411 100644
--- a/docs-xml/smbdotconf/security/ntlmauth.xml
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -55,6 +55,13 @@
<para><constant>disabled</constant> - Do not accept NTLM (or
LanMan) authentication of any level, nor permit
NTLM password changes.</para>
+
+ <para><emphasis>WARNING:</emphasis> Both Microsoft Windows
+ and Samba <emphasis>Read Only Domain Controllers</emphasis>
+ (RODCs) convert a plain-text LDAP Simple Bind into an NTLMv2
+ authentication to forward to a full DC. Setting this option
+ to <constant>disabled</constant> will cause these forwarded
+ authentications to fail.</para>
</listitem>
</itemizedlist>
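Review bot: The new WARNING paragraph leaves out two conditions that the commit message states and that an administrator needs to judge the impact: the RODC only forwards the Simple Bind "when the password is not present locally" (users whose passwords are cached on the RODC are unaffected), and it is the full DC receiving the forwarded NTLMv2 authentication whose setting causes the rejection ("If the full DC does not support NTLMv2 authentication this forwarded password will be rejected"). As written, "Setting this option to <constant>disabled</constant> will cause these forwarded authentications to fail" reads as if the RODC's own setting were the problem. Suggest something like: "Setting this option to <constant>disabled</constant> on the full DC will cause these forwarded authentications to fail for any user whose password is not cached on the RODC."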