Update the doco on 'restrict anonymous' (note that 'guest ok' kills off the

benifit of RA=2), explain better what 'ntlm auth' and 'lanman auth' do, and
fix use spnego - all win2k clients use spnego.

Work on the client-side still needs to be done, but I realised that I need
to add a paramter to close off all plaintext authentication before documenting
'client lanman auth' will make any sense.

Andrew Bartlett

docs/docbook/smbdotconf/protocol/usespnego.xml

@@ -5,7 +5,7 @@
 <listitem>
     <para> This variable controls controls whether samba will try 
     to use Simple and Protected NEGOciation (as specified by rfc2478) with 
-    WindowsXP and Windows2000sp2 clients to agree upon an authentication mechanism. 
+    WindowsXP and Windows2000 clients to agree upon an authentication mechanism. 
     Unless further issues are discovered with our SPNEGO
     implementation, there is no reason this should ever be
     disabled.</para>

docs/docbook/smbdotconf/security/lanmanauth.xml

@@ -8,7 +8,23 @@
     using the LANMAN password hash. If disabled, only clients which support NT 
     password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not 
     Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.</para>
+
+    <para>The LANMAN encrypted response is easily broken, due to it's
+    case-insensitive nature, and the choice of algorithm.  Servers
+    without Windows 95/98 or MS DOS clients are advised to disable
+    this option.  </para>
 		
+    <para>Unlike the <command moreinfo="none">encypt
+    passwords</command> option, this parameter cannot alter client
+    behaviour, and the LANMAN response will still be sent over the
+    network.  See the <command moreinfo="none">client lanman
+    auth</command> to disable this for Samba's clients (such as smbclient)</para>
+
+    <para>If this option, and <command moreinfo="none">ntlm
+    auth</command> are both disabled, then only NTLMv2 logins will be
+    permited.  Not all clients support NTLMv2, and most will require
+    special configuration to us it.</para>
+
     <para>Default : <command moreinfo="none">lanman auth = yes</command></para>
 </listitem>
 </samba:parameter>

docs/docbook/smbdotconf/security/ntlmauth.xml

@@ -4,11 +4,15 @@
                  xmlns:samba="http://samba.org/common">
 <listitem>
     <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
-    <manvolnum>8</manvolnum></citerefentry> will attempt to authenticate users using the NTLM password hash.
-    If disabled, only the lanman password hashes will be used.</para>
+    <manvolnum>8</manvolnum></citerefentry> will attempt to
+    authenticate users using the NTLM encrypted password response.
+    If disabled, either the lanman password hash or an NTLMv2 response
+    will need to be sent by the client.</para>
 
-    <para>Please note that at least this option or <command moreinfo="none">lanman auth</command> should 
-    be enabled in order to be able to log in.</para>
+    <para>If this option, and <command moreinfo="none">lanman
+    auth</command> are both disabled, then only NTLMv2 logins will be
+    permited.  Not all clients support NTLMv2, and most will require
+    special configuration to us it.</para>
 		
     <para>Default : <command moreinfo="none">ntlm auth = yes</command></para>
 </listitem>

docs/docbook/smbdotconf/security/restrictanonymous.xml

@@ -19,6 +19,11 @@
     The security advantage of using restrict anonymous = 1 is dubious,
     as user and group list information can be obtained using other
     means.
+
+    The security advantage of using restrict anonymous = 2 is removed
+    by setting <link linkend="GUESTOK"><parameter moreinfo="none">guest
+    ok</parameter></link> = yes</para> on any share.
+
     </para>
 
     <para>Default: <command moreinfo="none">restrict anonymous = 0</command></para>