-rw-r--r-- | docs-xml/smbdotconf/security/ntlmauth.xml | 10 | ||||
-rw-r--r-- | lib/param/loadparm.c | 2 | ||||
-rw-r--r-- | source3/param/loadparm.c | 2 |
3 files changed, 10 insertions, 4 deletions
diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
index 6af190805e8..884ee9dbf1a 100644
--- a/docs-xml/smbdotconf/security/ntlmauth.xml
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -12,8 +12,14 @@
 <para>If this option, and <command moreinfo="none">lanman auth</command> are both disabled, then only NTLMv2 logins will be permited. Not all clients support NTLMv2, and most will require
- special configuration to use it.</para>
+ special configuration to use it.</para>
+
+ <para>The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.</para>
+
+ <para>The default changed from "yes" to "no" with Samba 4.5.</para>
 </description>
-<value type="default">yes</value>
+<related>lanman auth</related>
+<related>raw NTLMv2 auth</related>
+<value type="default">no</value>
 </samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 548d1055a31..5f4610ead7e 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2630,7 +2630,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 lpcfg_do_global_parameter(lp_ctx, "ClientLanManAuth", "False");
 lpcfg_do_global_parameter(lp_ctx, "ClientNTLMv2Auth", "True");
 lpcfg_do_global_parameter(lp_ctx, "LanmanAuth", "False");
- lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "True");
+ lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "False");
 lpcfg_do_global_parameter(lp_ctx, "RawNTLMv2Auth", "False");
 lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 71e9e2ec14c..f2826514041 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -690,7 +690,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 Globals.client_lanman_auth = false; /* Do NOT use the LanMan hash if it is available */
 Globals.client_plaintext_auth = false; /* Do NOT use a plaintext password even if is requested by the server */
 Globals.lanman_auth = false; /* Do NOT use the LanMan hash, even if it is supplied */
- Globals.ntlm_auth = true; /* Do use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
+ Globals.ntlm_auth = false; /* Do NOT use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
 Globals.raw_ntlmv2_auth = false; /* Reject NTLMv2 without NTLMSSP */
 Globals.client_ntlmv2_auth = true; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
 /* Note, that we will also use NTLM2 session security (which is different), if it is available */ |
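Review bot: The comment on the changed `Globals.ntlm_auth = false;` line in init_globals() still ends with "(otherwise NTLMv2)", which read as a fallback while NTLMv1 was accepted but is confusing now that an NTLMv1 response is refused by default. I would reword it to `/* Do NOT accept NTLMv1 responses from clients; NTLMv2 is required */`, which matches the manpage text that only NTLMv2 logins are permitted when this and lanman auth are both off. The manpage hunk in this commit also says MSCHAPv2 for VPNs and 802.1x is the main NTLMv1 user, so those deployments will need `ntlm auth = yes` set explicitly after upgrading; the three files here carry no release-note entry for that, though it may live in a separate commit. init_globals() starts and ends outside the hunk.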