mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
5543c11c8b
This parameter is appicable only to SMBv1 and we are deprecating SMBv1 specific authentication options for possible removal. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
47 lines
2.1 KiB
XML
47 lines
2.1 KiB
XML
<samba:parameter name="client NTLMv2 auth"
|
|
context="G"
|
|
type="boolean"
|
|
deprecated="1"
|
|
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
<description>
|
|
<para>This parameter has been deprecated since Samba 4.13 and
|
|
support for NTLM and LanMan (as distinct from NTLMv2 or
|
|
Kerberos authentication)
|
|
will be removed in a future Samba release.</para>
|
|
<para>That is, in the future, the current default of
|
|
<command>client NTLMv2 auth = yes</command>
|
|
will be the enforced behaviour.</para>
|
|
|
|
<para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle>
|
|
<manvolnum>8</manvolnum></citerefentry> will attempt to
|
|
authenticate itself to servers using the NTLMv2 encrypted password
|
|
response.</para>
|
|
|
|
<para>If enabled, only an NTLMv2 and LMv2 response (both much more
|
|
secure than earlier versions) will be sent. Older servers
|
|
(including NT4 < SP4, Win9x and Samba 2.2) are not compatible with
|
|
NTLMv2 when not in an NTLMv2 supporting domain</para>
|
|
|
|
<para>Similarly, if enabled, NTLMv1, <command
|
|
moreinfo="none">client lanman auth</command> and <command
|
|
moreinfo="none">client plaintext auth</command>
|
|
authentication will be disabled. This also disables share-level
|
|
authentication. </para>
|
|
|
|
<para>If disabled, an NTLM response (and possibly a LANMAN response)
|
|
will be sent by the client, depending on the value of <command
|
|
moreinfo="none">client lanman auth</command>. </para>
|
|
|
|
<para>Note that Windows Vista and later versions already use
|
|
NTLMv2 by default, and some sites (particularly those following
|
|
'best practice' security polices) only allow NTLMv2 responses, and
|
|
not the weaker LM or NTLM.</para>
|
|
|
|
<para>When <smbconfoption name="client use spnego"/> is also set to
|
|
<constant>yes</constant> extended security (SPNEGO) is required
|
|
in order to use NTLMv2 only within NTLMSSP. This behavior was
|
|
introduced with the patches for CVE-2016-2111.</para>
|
|
</description>
|
|
<value type="default">yes</value>
|
|
</samba:parameter>
|