blob: 88105e69ed5b096b7c97c010eef6e39f6e6a061c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
<samba:parameter name="ntlm auth"
context="G"
type="enum"
enumlist="enum_ntlm_auth"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> will attempt to
authenticate users using the NTLM encrypted password response.
If disabled, NTLM and LanMan authencication is disabled server-wide.</para>
<para>By default with <command moreinfo="none">lanman
auth</command> set to <constant>no</constant> and
<command moreinfo="none">ntlm auth</command> set to
<constant>ntlmv2-only</constant> only NTLMv2 logins will be
permited. Most clients support NTLMv2 by default, but some older
clients will require special configuration to use it.</para>
<para>The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.</para>
<para>The available settings are:</para>
<itemizedlist>
<listitem>
<para><constant>ntlmv1-permitted</constant>
(alias <constant>yes</constant>) - Allow NTLMv1 and above for all clients.</para>
</listitem>
<listitem>
<para><constant>ntlmv2-only</constant>
(alias <constant>no</constant>) - Do not allow NTLMv1 to be used,
but permit NTLMv2.</para>
</listitem>
<listitem>
<para><constant>mschapv2-and-ntlmv2-only</constant> - Only
allow NTLMv1 when the client promises that it is providing
MSCHAPv2 authentication (such as the <command
moreinfo="none">ntlm_auth</command> tool).</para>
</listitem>
<listitem>
<para><constant>disabled</constant> - Do not allow NTLM (or
LanMan) authentication of any level as a server.</para>
</listitem>
</itemizedlist>
<para>The default changed from <constant>yes</constant> to
<constant>no</constant> with Samba 4.5. The default chagned again
to <constant>ntlmv2-only</constant> with Samba 4.7, however the
behaviour is unchanged.</para>
</description>
<related>lanman auth</related>
<related>raw NTLMv2 auth</related>
<value type="default">ntlmv2-only</value>
</samba:parameter>
|
