sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Code
b8b874ef5e
samba-mirror/docs-xml/smbdotconf/security/ntlmauth.xml

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

88 lines
3.5 KiB
XML
Raw Normal View History

Add all the source files from the old CVS tree, add the 5 missing chapters from the HOWTO and add jht's Samba by Example book. (This used to be commit 9fb5bcb93e57c5162b3ee6f9c7d777dc0269d100)
2004-04-07 14:15:11 +04:00
<samba:parameter name="ntlm auth"
context="G"
auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth =' The ntlm auth parameter is expanded to more clearly describe the role of each option, and to allow the new mode that permits MSCHAPv2 (as declared by the client over the NETLOGON protocol) while still banning NTLMv1. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>: Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth") added the --allow-mschapv2 option, but didn't implement checking for it server-side. This implements such checking. Additionally, Samba now disables NTLMv1 authentication by default for security reasons. To avoid having to re-enable it globally, 'ntlm auth' becomes an enum and a new setting is added to allow only MSCHAPv2. Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-03 03:11:51 +03:00
type="enum"
enumlist="enum_ntlm_auth"
Update DTD location (This used to be commit 889dfcc532bd3357314313fe8f70a022a174eef4)
2005-03-13 01:41:20 +03:00
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
Add all the source files from the old CVS tree, add the 5 missing chapters from the HOWTO and add jht's Samba by Example book. (This used to be commit 9fb5bcb93e57c5162b3ee6f9c7d777dc0269d100)
2004-04-07 14:15:11 +04:00
<description>
<para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> will attempt to
smb.conf: Explain that "ntlm auth" is a per-passdb setting This parameter has always applied to this passdb only, not to domain authentication. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12929 Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-07-24 05:09:19 +03:00
authenticate users using the NTLM encrypted password response for
this local passdb (SAM or account database). </para>
spelling: connnect encrytion exisit expection explicit invalide missmatch paramater paramter partion privilige relase reponse seperate unkown verson authencication progagated Tree-wide spellcheck for some common misspellings. source3/utils/status.c has misspelled local variable (unkown_dialect). "missmatch" is a known historical misspelling, only the incorrect misspellings are fixed. source3/locale/net/de.po has the spelling error (unkown) in two msgids - it probably should be updated with current source. Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2022-04-01 10:07:47 +03:00
<para>If disabled, both NTLM and LanMan authentication against the
smb.conf: Explain that "ntlm auth" is a per-passdb setting This parameter has always applied to this passdb only, not to domain authentication. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12929 Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-07-24 05:09:19 +03:00
local passdb is disabled.</para>
<para>Note that these settings apply only to local users,
authentication will still be forwarded to and NTLM authentication
accepted against any domain we are joined to, and any trusted
domain, even if disabled or if NTLMv2-only is enforced here. To
docs-xml: Fix code spelling Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-09 07:03:12 +03:00
control NTLM authentication for domain users, this option must
smb.conf: Explain that "ntlm auth" is a per-passdb setting This parameter has always applied to this passdb only, not to domain authentication. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12929 Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-07-24 05:09:19 +03:00
be configured on each DC.</para>
Add all the source files from the old CVS tree, add the 5 missing chapters from the HOWTO and add jht's Samba by Example book. (This used to be commit 9fb5bcb93e57c5162b3ee6f9c7d777dc0269d100)
2004-04-07 14:15:11 +04:00
docs: Improve documentation of "lanman auth" and "ntlm auth" connection BUG: https://bugzilla.samba.org/show_bug.cgi?id=13981 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2019-06-01 00:04:48 +03:00
<para>By default with <command moreinfo="none">ntlm auth</command> set to
auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth =' The ntlm auth parameter is expanded to more clearly describe the role of each option, and to allow the new mode that permits MSCHAPv2 (as declared by the client over the NETLOGON protocol) while still banning NTLMv1. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>: Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth") added the --allow-mschapv2 option, but didn't implement checking for it server-side. This implements such checking. Additionally, Samba now disables NTLMv1 authentication by default for security reasons. To avoid having to re-enable it globally, 'ntlm auth' becomes an enum and a new setting is added to allow only MSCHAPv2. Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-03 03:11:51 +03:00
<constant>ntlmv2-only</constant> only NTLMv2 logins will be
Spelling fixes s/permited/permitted/ Signed-off-by: Mathieu Parent <math.parent@gmail.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-08-29 23:42:36 +03:00
permitted. All modern clients support NTLMv2 by default, but some older
auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth =' The ntlm auth parameter is expanded to more clearly describe the role of each option, and to allow the new mode that permits MSCHAPv2 (as declared by the client over the NETLOGON protocol) while still banning NTLMv1. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>: Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth") added the --allow-mschapv2 option, but didn't implement checking for it server-side. This implements such checking. Additionally, Samba now disables NTLMv1 authentication by default for security reasons. To avoid having to re-enable it globally, 'ntlm auth' becomes an enum and a new setting is added to allow only MSCHAPv2. Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-03 03:11:51 +03:00
clients will require special configuration to use it.</para>
docs-xml:smbdotconf: default "ntlm auth" to "no" Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-15 23:59:42 +03:00
<para>The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.</para>
auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth =' The ntlm auth parameter is expanded to more clearly describe the role of each option, and to allow the new mode that permits MSCHAPv2 (as declared by the client over the NETLOGON protocol) while still banning NTLMv1. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>: Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth") added the --allow-mschapv2 option, but didn't implement checking for it server-side. This implements such checking. Additionally, Samba now disables NTLMv1 authentication by default for security reasons. To avoid having to re-enable it globally, 'ntlm auth' becomes an enum and a new setting is added to allow only MSCHAPv2. Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-03 03:11:51 +03:00
<para>The available settings are:</para>
<itemizedlist>
<listitem>
<para><constant>ntlmv1-permitted</constant>
(alias <constant>yes</constant>) - Allow NTLMv1 and above for all clients.</para>
docs-xml: Fix code spelling Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-09 07:03:12 +03:00
<para>This is the required setting to enable the <parameter
docs: Improve documentation of "lanman auth" and "ntlm auth" connection BUG: https://bugzilla.samba.org/show_bug.cgi?id=13981 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2019-06-01 00:04:48 +03:00
moreinfo="none">lanman auth</parameter> parameter.</para>
auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth =' The ntlm auth parameter is expanded to more clearly describe the role of each option, and to allow the new mode that permits MSCHAPv2 (as declared by the client over the NETLOGON protocol) while still banning NTLMv1. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>: Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth") added the --allow-mschapv2 option, but didn't implement checking for it server-side. This implements such checking. Additionally, Samba now disables NTLMv1 authentication by default for security reasons. To avoid having to re-enable it globally, 'ntlm auth' becomes an enum and a new setting is added to allow only MSCHAPv2. Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-03 03:11:51 +03:00
</listitem>
<listitem>
<para><constant>ntlmv2-only</constant>
(alias <constant>no</constant>) - Do not allow NTLMv1 to be used,
but permit NTLMv2.</para>
</listitem>
<listitem>
<para><constant>mschapv2-and-ntlmv2-only</constant> - Only
allow NTLMv1 when the client promises that it is providing
MSCHAPv2 authentication (such as the <command
moreinfo="none">ntlm_auth</command> tool).</para>
</listitem>
param: Add new "disabled" value to "ntlm auth" to disable NTLM totally Signed-off-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923 Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-03 05:16:50 +03:00
<listitem>
smb.conf: Explain that "ntlm auth" is a per-passdb setting This parameter has always applied to this passdb only, not to domain authentication. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12929 Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-07-24 05:09:19 +03:00
<para><constant>disabled</constant> - Do not accept NTLM (or
LanMan) authentication of any level, nor permit
samr: Disable NTLM-based password changes on the server if NTLM is disabled Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-03 05:39:09 +03:00
NTLM password changes.</para>
docs: Explain the impact of "ntlm auth = disabled" on simple bind forwarding An RODC will forward an LDAP Simple bind, just like any other authentication, when the password is not present locally. If the full DC does not support NTLMv2 authentication this forwarded password will be rejected. A future Samba version should prefer Kerberos or send the plaintext, but we can not change the MS Windows behaviour, so we document this. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2022-04-12 03:23:54 +03:00
<para><emphasis>WARNING:</emphasis> Both Microsoft Windows
and Samba <emphasis>Read Only Domain Controllers</emphasis>
(RODCs) convert a plain-text LDAP Simple Bind into an NTLMv2
authentication to forward to a full DC. Setting this option
to <constant>disabled</constant> will cause these forwarded
authentications to fail.</para>
dsdb: Allow password history and password changes without an NT hash We now allow this to be via the ENCTYPE_AES256_CTS_HMAC_SHA1_96 hash instead which allows us to decouple Samba from the unsalted NT hash for organisations that are willing to take this step (for user accounts). (History checking is limited to the last three passwords only, as ntPwdHistory is limited to NT hash values, and the PrimaryKerberosCtr4 package only stores three sets of keys.) Since we don't store a salt per-key, but only a single salt, the check will fail for a previous password if the account was renamed prior to a newer password being set. Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-31 04:08:13 +03:00
<para>Additionally, for Samba acting as an Active Directory
Domain Controller, for user accounts, if <parameter moreinfo="none">nt hash store</parameter>
is set to the default setting of <constant>auto</constant>,
the <emphasis>NT hash will not be stored</emphasis>
in the sam.ldb database for new users and after a
password change.</para>
param: Add new "disabled" value to "ntlm auth" to disable NTLM totally Signed-off-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923 Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-03 05:16:50 +03:00
</listitem>
auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth =' The ntlm auth parameter is expanded to more clearly describe the role of each option, and to allow the new mode that permits MSCHAPv2 (as declared by the client over the NETLOGON protocol) while still banning NTLMv1. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>: Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth") added the --allow-mschapv2 option, but didn't implement checking for it server-side. This implements such checking. Additionally, Samba now disables NTLMv1 authentication by default for security reasons. To avoid having to re-enable it globally, 'ntlm auth' becomes an enum and a new setting is added to allow only MSCHAPv2. Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-03 03:11:51 +03:00
</itemizedlist>
<para>The default changed from <constant>yes</constant> to
docs: fix typo in "ntlm auth" doc in smb.conf man page Thanks to Amit Kumar <amitkuma@redhat.com> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13784 Signed-off-by: Björn Baumbach <bb@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Björn Baumbach <bb@sernet.de> Autobuild-Date(master): Thu Jun 20 17:14:50 UTC 2019 on sn-devel-184
2019-06-19 23:35:43 +03:00
<constant>no</constant> with Samba 4.5. The default changed again
auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth =' The ntlm auth parameter is expanded to more clearly describe the role of each option, and to allow the new mode that permits MSCHAPv2 (as declared by the client over the NETLOGON protocol) while still banning NTLMv1. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>: Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth") added the --allow-mschapv2 option, but didn't implement checking for it server-side. This implements such checking. Additionally, Samba now disables NTLMv1 authentication by default for security reasons. To avoid having to re-enable it globally, 'ntlm auth' becomes an enum and a new setting is added to allow only MSCHAPv2. Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-03 03:11:51 +03:00
to <constant>ntlmv2-only</constant> with Samba 4.7, however the
behaviour is unchanged.</para>
Add all the source files from the old CVS tree, add the 5 missing chapters from the HOWTO and add jht's Samba by Example book. (This used to be commit 9fb5bcb93e57c5162b3ee6f9c7d777dc0269d100)
2004-04-07 14:15:11 +04:00
</description>
dsdb: Allow password history and password changes without an NT hash We now allow this to be via the ENCTYPE_AES256_CTS_HMAC_SHA1_96 hash instead which allows us to decouple Samba from the unsalted NT hash for organisations that are willing to take this step (for user accounts). (History checking is limited to the last three passwords only, as ntPwdHistory is limited to NT hash values, and the PrimaryKerberosCtr4 package only stores three sets of keys.) Since we don't store a salt per-key, but only a single salt, the check will fail for a previous password if the account was renamed prior to a newer password being set. Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-31 04:08:13 +03:00
<related>nt hash store</related>
docs-xml:smbdotconf: default "ntlm auth" to "no" Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-15 23:59:42 +03:00
<related>lanman auth</related>
<related>raw NTLMv2 auth</related>
auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth =' The ntlm auth parameter is expanded to more clearly describe the role of each option, and to allow the new mode that permits MSCHAPv2 (as declared by the client over the NETLOGON protocol) while still banning NTLMv1. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>: Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth") added the --allow-mschapv2 option, but didn't implement checking for it server-side. This implements such checking. Additionally, Samba now disables NTLMv1 authentication by default for security reasons. To avoid having to re-enable it globally, 'ntlm auth' becomes an enum and a new setting is added to allow only MSCHAPv2. Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-03 03:11:51 +03:00
<value type="default">ntlmv2-only</value>
Add all the source files from the old CVS tree, add the 5 missing chapters from the HOWTO and add jht's Samba by Example book. (This used to be commit 9fb5bcb93e57c5162b3ee6f9c7d777dc0269d100)
2004-04-07 14:15:11 +04:00
</samba:parameter>
Copy Permalink