From 8daa83a594a2e98f39d764422bfbdbc62c9efd44 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 19:20:00 +0200 Subject: Adding upstream version 2:4.20.0+dfsg. Signed-off-by: Daniel Baumann --- docs-xml/smbdotconf/security/ntlmauth.xml | 87 +++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 docs-xml/smbdotconf/security/ntlmauth.xml (limited to 'docs-xml/smbdotconf/security/ntlmauth.xml') diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml new file mode 100644 index 0000000..7ea38a4 --- /dev/null +++ b/docs-xml/smbdotconf/security/ntlmauth.xml 
@@ -0,0 +1,87 @@ + + + This parameter determines whether or not smbd + 8 will attempt to + authenticate users using the NTLM encrypted password response for + this local passdb (SAM or account database). + + If disabled, both NTLM and LanMan authentication against the + local passdb is disabled. + + Note that these settings apply only to local users, + authentication will still be forwarded to and NTLM authentication + accepted against any domain we are joined to, and any trusted + domain, even if disabled or if NTLMv2-only is enforced here. To + control NTLM authentication for domain users, this option must + be configured on each DC. + + By default with ntlm auth set to + ntlmv2-only only NTLMv2 logins will be + permitted. All modern clients support NTLMv2 by default, but some older + clients will require special configuration to use it. + + The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x. + + The available settings are: + + + + ntlmv1-permitted + (alias yes) - Allow NTLMv1 and above for all clients. + + This is the required setting to enable the lanman auth parameter. + + + + + ntlmv2-only + (alias no) - Do not allow NTLMv1 to be used, + but permit NTLMv2. + + + + mschapv2-and-ntlmv2-only - Only + allow NTLMv1 when the client promises that it is providing + MSCHAPv2 authentication (such as the ntlm_auth tool). + + + + disabled - Do not accept NTLM (or + LanMan) authentication of any level, nor permit + NTLM password changes. + + WARNING: Both Microsoft Windows + and Samba Read Only Domain Controllers + (RODCs) convert a plain-text LDAP Simple Bind into an NTLMv2 + authentication to forward to a full DC. Setting this option + to disabled will cause these forwarded + authentications to fail. + + Additionally, for Samba acting as an Active Directory + Domain Controller, for user accounts, if nt hash store + is set to the default setting of auto, + the NT hash will not be stored + in the sam.ldb database for new users and after a + password change. 
+ + + + + + The default changed from yes to + no with Samba 4.5. The default changed again + to ntlmv2-only with Samba 4.7, however the + behaviour is unchanged. + + +nt hash store +lanman auth +raw NTLMv2 auth +ntlmv2-only +
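Review bot: two sentences in the new parameter description need grammatical fixes that affect readability of a security-relevant setting. "If disabled, both NTLM and LanMan authentication against the local passdb is disabled" should read "are disabled", and the following paragraph joins two statements with a comma; suggest "Note that these settings apply only to local users. Authentication will still be forwarded to, and NTLM authentication accepted against, any domain we are joined to, and any trusted domain, even if disabled or if NTLMv2-only is enforced here." Since that paragraph is the one telling administrators that this option does not govern domain users, it deserves to be unambiguous. In the history note at the end, "The default changed again to ntlmv2-only with Samba 4.7, however the behaviour is unchanged" reads as a contradiction unless the reader has noticed in the value list that ntlmv2-only is the alias of no; suggest stating that equivalence explicitly in the note, e.g. "ntlmv2-only is an alias of no, so the behaviour is unchanged."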