This parameter has been deprecated since Samba 4.11 and
support for LanMan (as distinct from NTLM, NTLMv2 or
Kerberos authentication)
will be removed in a future Samba release.
That is, in the future, the current default of
lanman auth = no
will be the enforced behaviour.
This parameter determines whether or not smbd(8) will attempt to
authenticate users or permit password changes
using the LANMAN password hash. If disabled, only clients which support NT
password hashes (e.g. Windows NT/2000 clients, smbclient, but not
Windows 95/98 or the MS DOS network client) will be able to
connect to the Samba host.
The LANMAN encrypted response is easily broken, due to its
case-insensitive nature, and the choice of algorithm. Servers
without Windows 95/98/ME or MS DOS clients are advised to disable
this option.
When this parameter is set to no, this
will also result in sambaLMPassword in Samba's passdb being
blanked after the next password change. As a result,
lanman clients won't be able to authenticate, even if lanman
auth is re-enabled later on.
Unlike the encrypt
passwords option, this parameter cannot alter client
behaviour, and the LANMAN response will still be sent over the
network. See the client lanman
auth option to disable this for Samba's clients (such as smbclient).
This parameter is overridden by ntlm
auth, so unless that is also set to
ntlmv1-permitted or yes,
only NTLMv2 logins will be permitted and no LM hash will be
stored. All modern clients support NTLMv2, but some older
clients require special configuration to use it.
This parameter has no impact on the Samba AD DC:
LM authentication is always disabled and no LM password is ever
stored.
Default: lanman auth = no
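The interaction described above (lanman auth only takes effect when ntlm auth is ntlmv1-permitted or yes, and client lanman auth is a separate switch) can be checked mechanically. The following is an added example, not part of the Samba documentation or code; the function names and the sample configuration are constructed, and it assumes a file server (not an AD DC) whose settings sit in [global] without include files or line continuations.

```python
import re

# Boolean spellings smb.conf accepts for "yes".
TRUE = {"yes", "true", "1"}
# ntlm auth values that, per the text above, let lanman auth take effect.
NTLM_ALLOWS_LM = {"ntlmv1-permitted", "yes"}

def parse_global(text):
    """Return [global] parameters as a dict (names lower-cased, spaces removed)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:                                    # section header
            section = re.sub(r"\s+", "", m.group(1)).lower()
            continue
        if section == "global" and "=" in line:  # only the first "=" splits
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip().lower()
    return params

def audit(text):
    """Return a list of findings about LANMAN use in this configuration."""
    p = parse_global(text)
    findings = []
    lanman = p.get("lanmanauth", "no") in TRUE
    # Assumption: an unset ntlm auth does not permit LM (NTLMv2 only).
    ntlm_ok = p.get("ntlmauth", "") in NTLM_ALLOWS_LM
    if lanman and ntlm_ok:
        findings.append("server accepts LANMAN responses and stores LM hashes")
    elif lanman:
        findings.append("lanman auth = yes is overridden by ntlm auth (no effect)")
    if p.get("clientlanmanauth", "no") in TRUE:
        findings.append("Samba clients will send LANMAN responses")
    return findings

# Constructed sample configuration, not taken from a real host.
SAMPLE = """
[global]
   LanMan Auth = yes
   ntlm auth = ntlmv1-permitted
   client lanman auth = yes
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```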