-rw-r--r-- | docs-xml/smbdotconf/security/lanmanauth.xml | 14 |
-rw-r--r-- | docs-xml/smbdotconf/security/ntlmauth.xml | 9 |
2 files changed, 13 insertions, 10 deletions
diff --git a/docs-xml/smbdotconf/security/lanmanauth.xml b/docs-xml/smbdotconf/security/lanmanauth.xml index a9e4f88b89f..97f2fb04dcb 100644 --- a/docs-xml/smbdotconf/security/lanmanauth.xml +++ b/docs-xml/smbdotconf/security/lanmanauth.xml @@ -24,16 +24,18 @@ auth is re-enabled later on. </para> - <para>Unlike the <command moreinfo="none">encrypt - passwords</command> option, this parameter cannot alter client + <para>Unlike the <parameter moreinfo="none">encrypt + passwords</parameter> option, this parameter cannot alter client behaviour, and the LANMAN response will still be sent over the network. See the <command moreinfo="none">client lanman auth</command> to disable this for Samba's clients (such as smbclient)</para> - <para>If this option, and <command moreinfo="none">ntlm - auth</command> are both disabled, then only NTLMv2 logins will be - permited. Not all clients support NTLMv2, and most will require - special configuration to use it.</para> + <para>This parameter is overriden by <parameter moreinfo="none">ntlm + auth</parameter>, so unless that it is also set to + <constant>ntlmv1-permitted</constant> or <constant>yes</constant>, + then only NTLMv2 logins will be permited and no LM hash will be + stored. All modern clients support NTLMv2, and but some older + clients require special configuration to use it.</para> </description> <value type="default">no</value> diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml index dceae44d81b..dd5dbaea117 100644 --- a/docs-xml/smbdotconf/security/ntlmauth.xml +++ b/docs-xml/smbdotconf/security/ntlmauth.xml 
@@ -19,11 +19,9 @@ control NTLM authentiation for domain users, this must option must be configured on each DC.</para> - <para>By default with <command moreinfo="none">lanman - auth</command> set to <constant>no</constant> and - <command moreinfo="none">ntlm auth</command> set to + <para>By default with <command moreinfo="none">ntlm auth</command> set to <constant>ntlmv2-only</constant> only NTLMv2 logins will be - permited. Most clients support NTLMv2 by default, but some older + permited. All modern clients support NTLMv2 by default, but some older clients will require special configuration to use it.</para> <para>The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.</para> @@ -35,6 +33,9 @@ <para><constant>ntlmv1-permitted</constant> (alias <constant>yes</constant>) - Allow NTLMv1 and above for all clients.</para> + <para>This is the required setting for to enable the <parameter + moreinfo="none">lanman auth</parameter> parameter.</para> + </listitem> <listitem> |
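Review bot: In the lanmanauth.xml hunk (@@ -24,16 +24,18 @@), the added paragraph carries several wording errors that will end up in the rendered smb.conf documentation: "overriden" should be "overridden", "unless that it is also set to" should read "unless that is also set to", "permited" should be "permitted", and "and but some older clients" should drop the "and". The hunk also converts "encrypt passwords" from <command> to <parameter> but leaves the unchanged "client lanman auth" reference in the same paragraph as <command moreinfo="none">; converting it in the same change would keep the markup consistent.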
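Review bot: In the first ntlmauth.xml hunk (@@ -19,11 +19,9 @@), the rewritten line still marks up "ntlm auth" as <command moreinfo="none">, while the lanmanauth.xml change in this same patch moves parameter names to <parameter>; use <parameter> here as well. Since the sentence is being touched anyway, correct "permited" to "permitted" on the new line, and consider fixing "authentiation" and "this must option must be configured" in the context paragraph directly above it.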
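Review bot: In the second ntlmauth.xml hunk (@@ -35,6 +33,9 @@), the added sentence reads "This is the required setting for to enable the lanman auth parameter"; drop the stray "for" so it reads "This is the required setting to enable ...". It would also help to say that lanman auth, whose default is shown as no in lanmanauth.xml, still has to be set to yes itself, so that readers do not take ntlmv1-permitted alone as turning LANMAN authentication on.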