diff options
author | Andrew Bartlett <abartlet@samba.org> | 2022-04-12 12:23:54 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2022-05-02 23:15:37 +0000 |
commit | e93d73b618797565dec66b31de961dc062264bd2 (patch) | |
tree | 804ab981059db71f34e138aa3417b6125ca0d6f2 | |
parent | 54c6cf8666b073818301d3a71a37453b44e57b5c (diff) | |
download | samba-e93d73b618797565dec66b31de961dc062264bd2.tar.gz |
docs: Explain the impact of "ntlm auth = disabled" on simple bind forwarding
An RODC will forward an LDAP Simple bind, just like any other authentication,
when the password is not present locally.
If the full DC does not support NTLMv2 authentication this forwarded password
will be rejected. A future Samba version should prefer Kerberos or send the
plaintext, but we can not change the MS Windows behaviour, so we document this.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
-rw-r--r-- | docs-xml/smbdotconf/security/ntlmauth.xml | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml index 9fa3d5c1ce5..84b3488e411 100644 --- a/docs-xml/smbdotconf/security/ntlmauth.xml +++ b/docs-xml/smbdotconf/security/ntlmauth.xml @@ -55,6 +55,13 @@ <para><constant>disabled</constant> - Do not accept NTLM (or LanMan) authentication of any level, nor permit NTLM password changes.</para> + + <para><emphasis>WARNING:</emphasis> Both Microsoft Windows + and Samba <emphasis>Read Only Domain Controllers</emphasis> + (RODCs) convert a plain-text LDAP Simple Bind into an NTLMv2 + authentication to forward to a full DC. Setting this option + to <constant>disabled</constant> will cause these forwarded + authentications to fail.</para> </listitem> </itemizedlist> |