diff options
author | Stefan Metzmacher <metze@samba.org> | 2016-03-27 01:09:05 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2016-04-12 19:25:24 +0200 |
commit | 6cd48add111a6655791226593cc28ac9d2596602 (patch) | |
tree | a01bef938e7be240a8ffa140e6e04d0aec545e64 /docs-xml | |
parent | 2c73047ecfc863d7b73449ecef0037804560a448 (diff) | |
download | samba-6cd48add111a6655791226593cc28ac9d2596602.tar.gz |
CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Diffstat (limited to 'docs-xml')
-rw-r--r-- | docs-xml/smbdotconf/protocol/clientusespnego.xml | 5 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/clientntlmv2auth.xml | 5 |
2 files changed, 10 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/protocol/clientusespnego.xml b/docs-xml/smbdotconf/protocol/clientusespnego.xml index f5a35122c0a..b2f3b1257fb 100644 --- a/docs-xml/smbdotconf/protocol/clientusespnego.xml +++ b/docs-xml/smbdotconf/protocol/clientusespnego.xml @@ -8,6 +8,11 @@ supporting servers (including WindowsXP, Windows2000 and Samba 3.0) to agree upon an authentication mechanism. This enables Kerberos authentication in particular.</para> + + <para>When <smbconfoption name="client NTLMv2 auth"/> is also set to + <constant>yes</constant> extended security (SPNEGO) is required + in order to use NTLMv2 only within NTLMSSP. This behavior was + introduced with the patches for CVE-2016-2111.</para> </description> <value type="default">yes</value> diff --git a/docs-xml/smbdotconf/security/clientntlmv2auth.xml b/docs-xml/smbdotconf/security/clientntlmv2auth.xml index 531c8fcb96a..f42f627bc08 100644 --- a/docs-xml/smbdotconf/security/clientntlmv2auth.xml +++ b/docs-xml/smbdotconf/security/clientntlmv2auth.xml @@ -27,6 +27,11 @@ NTLMv2 by default, and some sites (particularly those following 'best practice' security polices) only allow NTLMv2 responses, and not the weaker LM or NTLM.</para> + + <para>When <smbconfoption name="client use spnego"/> is also set to + <constant>yes</constant> extended security (SPNEGO) is required + in order to use NTLMv2 only within NTLMSSP. This behavior was + introduced with the patches for CVE-2016-2111.</para> </description> <value type="default">yes</value> </samba:parameter> |