mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
1006f7abe8
This feature is only available for SMB1 and we need to warn users that this is going away soon, and allow the removal in a future release under our rules for parameter deprecation. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Sep 5 04:04:18 UTC 2019 on sn-devel-184
52 lines
2.3 KiB
XML
52 lines
2.3 KiB
XML
<samba:parameter name="lanman auth"
|
|
context="G"
|
|
type="boolean"
|
|
function="_lanman_auth"
|
|
deprecated="1"
|
|
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
<description>
|
|
<para>This parameter has been deprecated since Samba 4.11 and
|
|
support for LanMan (as distinct from NTLM, NTLMv2 or
|
|
Kerberos authentication)
|
|
will be removed in a future Samba release.</para>
|
|
<para>That is, in the future, the current default of
|
|
<command>lanman auth = no</command>
|
|
will be the enforced behaviour.</para>
|
|
|
|
<para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
|
|
<manvolnum>8</manvolnum></citerefentry> will attempt to
|
|
authenticate users or permit password changes
|
|
using the LANMAN password hash. If disabled, only clients which support NT
|
|
password hashes (e.g. Windows NT/2000 clients, smbclient, but not
|
|
Windows 95/98 or the MS DOS network client) will be able to
|
|
connect to the Samba host.</para>
|
|
|
|
<para>The LANMAN encrypted response is easily broken, due to its
|
|
case-insensitive nature, and the choice of algorithm. Servers
|
|
without Windows 95/98/ME or MS DOS clients are advised to disable
|
|
this option. </para>
|
|
|
|
<para>When this parameter is set to <value>no</value> this
|
|
will also result in sambaLMPassword in Samba's passdb being
|
|
blanked after the next password change. As a result of that
|
|
lanman clients won't be able to authenticate, even if lanman
|
|
auth is re-enabled later on.
|
|
</para>
|
|
|
|
<para>Unlike the <parameter moreinfo="none">encrypt
|
|
passwords</parameter> option, this parameter cannot alter client
|
|
behaviour, and the LANMAN response will still be sent over the
|
|
network. See the <command moreinfo="none">client lanman
|
|
auth</command> to disable this for Samba's clients (such as smbclient)</para>
|
|
|
|
<para>This parameter is overridden by <parameter moreinfo="none">ntlm
|
|
auth</parameter>, so unless that it is also set to
|
|
<constant>ntlmv1-permitted</constant> or <constant>yes</constant>,
|
|
then only NTLMv2 logins will be permitted and no LM hash will be
|
|
stored. All modern clients support NTLMv2, and but some older
|
|
clients require special configuration to use it.</para>
|
|
</description>
|
|
|
|
<value type="default">no</value>
|
|
</samba:parameter>
|