author | Andrew Bartlett <abartlet@samba.org> | 2019-06-01 09:04:48 +1200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2019-06-04 22:13:07 +0000 |
commit | dbf3e81f7f0b28c69dca004b32ea3a7344b0cad3 (patch) | |
tree | b27ec9a42de62fbfcdbc9289fad6f6b8481e5b77 /docs-xml/smbdotconf | |
parent | 046de055215615697619452f9735cfad01fdbb03 (diff) | |
download | samba-dbf3e81f7f0b28c69dca004b32ea3a7344b0cad3.tar.gz |
docs: Improve documentation of "lanman auth" and "ntlm auth" connection
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13981
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'docs-xml/smbdotconf')
-rw-r--r-- | docs-xml/smbdotconf/security/lanmanauth.xml | 14 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/ntlmauth.xml | 9 |
2 files changed, 13 insertions, 10 deletions
diff --git a/docs-xml/smbdotconf/security/lanmanauth.xml b/docs-xml/smbdotconf/security/lanmanauth.xml index a9e4f88b89f..97f2fb04dcb 100644 --- a/docs-xml/smbdotconf/security/lanmanauth.xml +++ b/docs-xml/smbdotconf/security/lanmanauth.xml @@ -24,16 +24,18 @@ auth is re-enabled later on. </para> - <para>Unlike the <command moreinfo="none">encrypt - passwords</command> option, this parameter cannot alter client + <para>Unlike the <parameter moreinfo="none">encrypt + passwords</parameter> option, this parameter cannot alter client behaviour, and the LANMAN response will still be sent over the network. See the <command moreinfo="none">client lanman auth</command> to disable this for Samba's clients (such as smbclient)</para> - <para>If this option, and <command moreinfo="none">ntlm - auth</command> are both disabled, then only NTLMv2 logins will be - permited. Not all clients support NTLMv2, and most will require - special configuration to use it.</para> + <para>This parameter is overriden by <parameter moreinfo="none">ntlm + auth</parameter>, so unless that it is also set to + <constant>ntlmv1-permitted</constant> or <constant>yes</constant>, + then only NTLMv2 logins will be permited and no LM hash will be + stored. All modern clients support NTLMv2, and but some older + clients require special configuration to use it.</para> </description> <value type="default">no</value> diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml index dceae44d81b..dd5dbaea117 100644 --- a/docs-xml/smbdotconf/security/ntlmauth.xml +++ b/docs-xml/smbdotconf/security/ntlmauth.xml 
@@ -19,11 +19,9 @@ control NTLM authentiation for domain users, this must option must be configured on each DC.</para> - <para>By default with <command moreinfo="none">lanman - auth</command> set to <constant>no</constant> and - <command moreinfo="none">ntlm auth</command> set to + <para>By default with <command moreinfo="none">ntlm auth</command> set to <constant>ntlmv2-only</constant> only NTLMv2 logins will be - permited. Most clients support NTLMv2 by default, but some older + permited. All modern clients support NTLMv2 by default, but some older clients will require special configuration to use it.</para> <para>The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.</para> @@ -35,6 +33,9 @@ <para><constant>ntlmv1-permitted</constant> (alias <constant>yes</constant>) - Allow NTLMv1 and above for all clients.</para> + <para>This is the required setting for to enable the <parameter + moreinfo="none">lanman auth</parameter> parameter.</para> + </listitem> <listitem> |
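Review bot: in the lanmanauth.xml hunk, the added closing paragraph of the description has wording errors that will end up in the rendered smb.conf man page: "overriden", "unless that it is also set", "permited" and "and but some older clients". Suggested text: "This parameter is overridden by ntlm auth, so unless that is also set to ntlmv1-permitted or yes, only NTLMv2 logins will be permitted and no LM hash will be stored. All modern clients support NTLMv2, but some older clients require special configuration to use it." The same hunk converts "encrypt passwords" from <command> to <parameter> but leaves "client lanman auth" in the same paragraph as <command>; convert that one too so the markup is consistent. Since the point of the change is that lanman auth has no effect on its own, it would also help to say explicitly that "lanman auth = yes" is ignored while ntlm auth is left at ntlmv2-only.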
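Review bot: in the first ntlmauth.xml hunk (@@ -19,11 +19,9 @@), the rewritten line still marks the option up as <command moreinfo="none">ntlm auth</command>, while the lanmanauth.xml change in this same commit moves option names to <parameter>; use <parameter moreinfo="none">ntlm auth</parameter> here as well. The paragraph is being touched anyway, so fix "permited" to "permitted" on the line you changed, and consider correcting "authentiation" and "this must option must be configured" in the context lines at the top of the hunk in the same pass.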
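Review bot: in the second ntlmauth.xml hunk (@@ -35,6 +33,9 @@), the added sentence reads "This is the required setting for to enable the lanman auth parameter", which has a stray "for". Suggest "This is the required setting to enable the lanman auth parameter." It would also be clearer to state the consequence for the other values, namely that lanman auth is ignored unless ntlm auth is ntlmv1-permitted (alias yes), so that an administrator reading only this list item sees that enabling LANMAN requires weakening NTLM as well.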