This parameter determines whether or not Samba will, as an AD DC, attempt to store the NT password hash used in NTLM and NTLMv2 authentication for users in this domain.

If so configured, the Samba Active Directory Domain Controller will, except for trust accounts (computers, domain controllers and inter-domain trusts), NOT store the NT hash for new and changed accounts in the sam.ldb database. This avoids the storage of an unsalted hash for these user-created passwords.

As a consequence, the arcfour-hmac-md5 Kerberos key type is also unavailable in the KDC for these users; thankfully, modern clients will select an AES-based key instead.

NOTE: As the password history in Active Directory is stored as an NT hash (and is thus unavailable), a workaround is used that relies instead on Kerberos password hash values. This stores three passwords: the current, previous and second-previous password. This allows some checking against reuse. However, as these values are salted, changing the sAMAccountName, userAccountControl or userPrincipalName of an account will cause the salt to change. After the rare combination of both a rename and a password change, only the current password will be recognised for password history purposes.

The available settings are:

always - Always store the NT hash (as machine accounts will also always store an NT hash, a hash will be stored for all accounts). This setting may be useful if ntlm auth is set to disabled for a trial period.

never - Never store the NT hash for user accounts, only for machine accounts.

auto - Store an NT hash if ntlm auth is not set to disabled.

Related parameter: ntlm auth

Default: always
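The rename-plus-password-change caveat in the NOTE above, worked through as an added Python model; this is not Samba code. It assumes the default Active Directory salt form (upper-cased realm followed by the account name) and uses only the PBKDF2 stage of the RFC 3962 AES string-to-key, leaving out the final DK() step, since the salt alone decides whether two derivations of one password agree.

```python
import hashlib

# Constructed model of the Kerberos-key based password history.
# RFC 3962 derives aes256-cts-hmac-sha1-96 keys with PBKDF2-HMAC-SHA1 over
# (password, salt); the DK() step is omitted here (assumption: it does not
# affect whether two derivations match, because it is deterministic).
ITERATIONS = 4096  # RFC 3962 default iteration count


def ad_salt(realm: str, sam_account_name: str) -> str:
    """Assumed default AD salt for a user account: REALM + sAMAccountName."""
    return realm.upper() + sam_account_name


def derive(password: str, salt: str) -> bytes:
    """PBKDF2 stage of the AES string-to-key; the salt is part of the input."""
    return hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt.encode("utf-8"), ITERATIONS, 32
    )


class KerberosHistory:
    """Current, previous and second-previous derived values, each computed
    under whatever salt was in force when that password was set."""

    def __init__(self) -> None:
        self.keys: list[bytes] = []  # newest first, at most three entries

    def is_reuse(self, candidate: str, current_salt: str) -> bool:
        # The candidate is derived with the account's current salt, so any
        # history entry derived under an earlier salt can no longer match.
        return derive(candidate, current_salt) in self.keys

    def set_password(self, password: str, salt: str) -> None:
        self.keys = [derive(password, salt)] + self.keys[:2]


def scenario() -> dict:
    """Rename plus password change: only the current password stays matchable."""
    realm = "EXAMPLE.COM"  # constructed sample realm
    hist = KerberosHistory()
    hist.set_password("Winter2023!", ad_salt(realm, "alice"))
    hist.set_password("Spring2024!", ad_salt(realm, "alice"))
    caught_before = hist.is_reuse("Winter2023!", ad_salt(realm, "alice"))
    new_salt = ad_salt(realm, "alice.smith")  # sAMAccountName changed
    caught_after = hist.is_reuse("Winter2023!", new_salt)
    hist.set_password("Summer2024!", new_salt)
    return {
        "reuse_caught_before_rename": caught_before,
        "reuse_caught_after_rename": caught_after,
        "current_recognised": hist.is_reuse("Summer2024!", new_salt),
        "previous_recognised": hist.is_reuse("Spring2024!", new_salt),
    }
```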