diff options
Diffstat (limited to 'docs-xml/smbdotconf/security/clientntlmv2auth.xml')
| -rw-r--r-- | docs-xml/smbdotconf/security/clientntlmv2auth.xml | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/security/clientntlmv2auth.xml b/docs-xml/smbdotconf/security/clientntlmv2auth.xml new file mode 100644 index 0000000..9b47944 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientntlmv2auth.xml @@ -0,0 +1,46 @@ +<samba:parameter name="client NTLMv2 auth" + context="G" + type="boolean" + deprecated="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter has been deprecated since Samba 4.13 and + support for NTLM and LanMan (as distinct from NTLMv2 or + Kerberos authentication) + will be removed in a future Samba release.</para> + <para>That is, in the future, the current default of + <command>client NTLMv2 auth = yes</command> + will be the enforced behaviour.</para> + + <para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> will attempt to + authenticate itself to servers using the NTLMv2 encrypted password + response.</para> + + <para>If enabled, only an NTLMv2 and LMv2 response (both much more + secure than earlier versions) will be sent. Older servers + (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with + NTLMv2 when not in an NTLMv2 supporting domain</para> + + <para>Similarly, if enabled, NTLMv1, <command + moreinfo="none">client lanman auth</command> and <command + moreinfo="none">client plaintext auth</command> + authentication will be disabled. This also disables share-level + authentication. </para> + + <para>If disabled, an NTLM response (and possibly a LANMAN response) + will be sent by the client, depending on the value of <command + moreinfo="none">client lanman auth</command>. </para> + + <para>Note that Windows Vista and later versions already use + NTLMv2 by default, and some sites (particularly those following + 'best practice' security polices) only allow NTLMv2 responses, and + not the weaker LM or NTLM.</para> + + <para>When <smbconfoption name="client use spnego"/> is also set to + <constant>yes</constant> extended security (SPNEGO) is required + in order to use NTLMv2 only within NTLMSSP. This behavior was + introduced with the patches for CVE-2016-2111.</para> +</description> +<value type="default">yes</value> +</samba:parameter> |