mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
a24de32556
Signed-off-by: Mathieu Parent <math.parent@gmail.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
72 lines
2.8 KiB
XML
72 lines
2.8 KiB
XML
<samba:parameter name="ntlm auth"
|
|
context="G"
|
|
type="enum"
|
|
enumlist="enum_ntlm_auth"
|
|
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
<description>
|
|
<para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
|
|
<manvolnum>8</manvolnum></citerefentry> will attempt to
|
|
authenticate users using the NTLM encrypted password response for
|
|
this local passdb (SAM or account database). </para>
|
|
|
|
<para>If disabled, both NTLM and LanMan authencication against the
|
|
local passdb is disabled.</para>
|
|
|
|
<para>Note that these settings apply only to local users,
|
|
authentication will still be forwarded to and NTLM authentication
|
|
accepted against any domain we are joined to, and any trusted
|
|
domain, even if disabled or if NTLMv2-only is enforced here. To
|
|
control NTLM authentiation for domain users, this must option must
|
|
be configured on each DC.</para>
|
|
|
|
<para>By default with <command moreinfo="none">ntlm auth</command> set to
|
|
<constant>ntlmv2-only</constant> only NTLMv2 logins will be
|
|
permitted. All modern clients support NTLMv2 by default, but some older
|
|
clients will require special configuration to use it.</para>
|
|
|
|
<para>The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.</para>
|
|
|
|
<para>The available settings are:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><constant>ntlmv1-permitted</constant>
|
|
(alias <constant>yes</constant>) - Allow NTLMv1 and above for all clients.</para>
|
|
|
|
<para>This is the required setting for to enable the <parameter
|
|
moreinfo="none">lanman auth</parameter> parameter.</para>
|
|
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><constant>ntlmv2-only</constant>
|
|
(alias <constant>no</constant>) - Do not allow NTLMv1 to be used,
|
|
but permit NTLMv2.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><constant>mschapv2-and-ntlmv2-only</constant> - Only
|
|
allow NTLMv1 when the client promises that it is providing
|
|
MSCHAPv2 authentication (such as the <command
|
|
moreinfo="none">ntlm_auth</command> tool).</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><constant>disabled</constant> - Do not accept NTLM (or
|
|
LanMan) authentication of any level, nor permit
|
|
NTLM password changes.</para>
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
<para>The default changed from <constant>yes</constant> to
|
|
<constant>no</constant> with Samba 4.5. The default changed again
|
|
to <constant>ntlmv2-only</constant> with Samba 4.7, however the
|
|
behaviour is unchanged.</para>
|
|
</description>
|
|
|
|
<related>lanman auth</related>
|
|
<related>raw NTLMv2 auth</related>
|
|
<value type="default">ntlmv2-only</value>
|
|
</samba:parameter>
|