This parameter determines whether or not smbd(8) will attempt to authenticate users using the NTLM encrypted password response for this local passdb (SAM or account database).

If disabled, both NTLM and LanMan authentication against the local passdb are disabled.

Note that these settings apply only to local users: authentication will still be forwarded to, and NTLM authentication accepted against, any domain we are joined to and any trusted domain, even if disabled or if NTLMv2-only is enforced here. To control NTLM authentication for domain users, this option must be configured on each DC.

By default, with ntlm auth set to ntlmv2-only, only NTLMv2 logins will be permitted. All modern clients support NTLMv2 by default, but some older clients will require special configuration to use it.

The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.

The available settings are:

ntlmv1-permitted (alias yes) - Allow NTLMv1 and above for all clients. This is the required setting to enable the lanman auth parameter.

ntlmv2-only (alias no) - Do not allow NTLMv1 to be used, but permit NTLMv2.

mschapv2-and-ntlmv2-only - Only allow NTLMv1 when the client promises that it is providing MSCHAPv2 authentication (such as the ntlm_auth tool).

disabled - Do not accept NTLM (or LanMan) authentication of any level, nor permit NTLM password changes.

    WARNING: Both Microsoft Windows and Samba Read Only Domain Controllers (RODCs) convert a plain-text LDAP Simple Bind into an NTLMv2 authentication to forward to a full DC. Setting this option to disabled will cause these forwarded authentications to fail.

    Additionally, for Samba acting as an Active Directory Domain Controller, for user accounts, if nt hash store is set to the default setting of auto, the NT hash will not be stored in the sam.ldb database for new users and after a password change.

The default changed from yes to no with Samba 4.5. The default changed again to ntlmv2-only with Samba 4.7; however, the behaviour is unchanged.
Related parameters: nt hash store, lanman auth, raw NTLMv2 auth

Default: ntlm auth = ntlmv2-only
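The following audit helper is an added example, not part of the Samba documentation or code base: it reads the [global] section of an smb.conf, resolves the ntlm auth aliases listed above, and reports which NTLM levels the local passdb will accept. The function names and the sample configuration are constructed for illustration, and it assumes a flat file with no include directives or line continuations.

```python
import re

# Values and aliases as listed in the parameter description above.
ALIASES = {"yes": "ntlmv1-permitted", "no": "ntlmv2-only"}
LEVELS = {"ntlmv1-permitted", "ntlmv2-only", "mschapv2-and-ntlmv2-only", "disabled"}
DEFAULT = "ntlmv2-only"  # default named by the text (Samba 4.7 and later)

def global_params(conf_text):
    """Return {normalized name: value} for the [global] section only."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf parameter names ignore case and embedded whitespace
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit_ntlm_auth(conf_text):
    """Return (effective ntlm auth level, list of findings)."""
    params = global_params(conf_text)
    raw = params.get("ntlmauth", DEFAULT).lower()
    level = ALIASES.get(raw, raw)
    findings = []
    if level not in LEVELS:
        findings.append(f"unrecognised ntlm auth value: {raw!r}")
    elif level == "ntlmv1-permitted":
        findings.append("NTLMv1 accepted from all clients for local accounts")
    elif level == "mschapv2-and-ntlmv2-only":
        findings.append("NTLMv1 accepted when the client declares MSCHAPv2")
    elif level == "disabled":
        findings.append("RODC-forwarded LDAP simple binds will fail")
    # Boolean spellings treated as true here are an assumption of this example.
    lanman = params.get("lanmanauth", "no").lower() in ("yes", "true", "on", "1")
    if lanman and level == "ntlmv1-permitted":
        findings.append("lanman auth is enabled")
    elif lanman:
        findings.append("lanman auth = yes has no effect at this level")
    return level, findings

# Constructed sample configuration, not taken from a real host.
SAMPLE = "[global]\n ; NTLM Auth = disabled\n NTLM Auth = Yes\n lanman auth = yes\n"

if __name__ == "__main__":
    print(audit_ntlm_auth(SAMPLE))
```

The result covers the local passdb only; for domain users the same check has to be run against the configuration of each DC.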