mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
samba-mirror/docs-xml/smbdotconf/security/clientntlmv2auth.xml
Andrew Bartlett 5543c11c8b docs: deprecate "client NTLMv2 auth"
This parameter is applicable only to SMBv1 and we are deprecating SMBv1 specific
authentication options for possible removal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-18 00:10:40 +00:00


<samba:parameter name="client NTLMv2 auth"
context="G"
type="boolean"
deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This parameter has been deprecated since Samba 4.13 and
support for NTLM and LanMan (as distinct from NTLMv2 or
Kerberos authentication)
will be removed in a future Samba release.</para>
<para>That is, in the future, the current default of
<command>client NTLMv2 auth = yes</command>
will be the enforced behaviour.</para>
<para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> will attempt to
authenticate itself to servers using the NTLMv2 encrypted password
response.</para>
<para>If enabled, only an NTLMv2 and LMv2 response (both much more
secure than earlier versions) will be sent. Older servers
(including NT4 &lt; SP4, Win9x and Samba 2.2) are not compatible with
NTLMv2 when not in an NTLMv2-supporting domain.</para>
<para>Similarly, if enabled, NTLMv1, <command
moreinfo="none">client lanman auth</command> and <command
moreinfo="none">client plaintext auth</command>
authentication will be disabled. This also disables share-level
authentication. </para>
<para>If disabled, an NTLM response (and possibly a LANMAN response)
will be sent by the client, depending on the value of <command
moreinfo="none">client lanman auth</command>. </para>
<para>Note that Windows Vista and later versions already use
NTLMv2 by default, and some sites (particularly those following
'best practice' security policies) only allow NTLMv2 responses, and
not the weaker LM or NTLM.</para>
<para>When <smbconfoption name="client use spnego"/> is also set to
<constant>yes</constant>, extended security (SPNEGO) is required
in order to use NTLMv2 only within NTLMSSP. This behavior was
introduced with the patches for CVE-2016-2111.</para>
</description>
<value type="default">yes</value>
</samba:parameter>
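
The interaction described above between `client NTLMv2 auth`, `client lanman auth` and `client plaintext auth` can be checked in an existing smb.conf with a small audit script. This is an added example, not part of the Samba source tree: the function names are hypothetical, only the `[global]` section is read (no `include` handling), the accepted boolean spellings are an assumption, and the defaults of `no` for the LANMAN and plaintext options are assumptions not stated on this page.

```python
import re
TRUE, FALSE = {"yes", "true", "on", "1"}, {"no", "false", "off", "0"}

def parse_global(text):
    """Return {normalized parameter name: value} for the [global] section."""
    params, section = {}, None
    text = re.sub(r"\\\r?\n", "", text)  # trailing backslash continues a line
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def flag(params, name, default):
    """Boolean value of a parameter, or the default when it is not set."""
    raw = params.get(re.sub(r"\s+", "", name).lower())
    if raw is None:
        return default
    if raw.lower() not in TRUE | FALSE:
        raise ValueError(f"{name}: not a boolean: {raw!r}")
    return raw.lower() in TRUE

def audit_client_auth(text):
    """List findings about the client authentication settings on this page."""
    p, findings = parse_global(text), []
    ntlmv2 = flag(p, "client NTLMv2 auth", True)  # default "yes" per this page
    if "clientntlmv2auth" in p:
        findings.append("deprecated: 'client NTLMv2 auth' is set explicitly")
    for name in ("client lanman auth", "client plaintext auth"):
        if flag(p, name, False):  # assumed default "no"
            findings.append(f"weak: '{name}' is allowed" if not ntlmv2 else
                            f"ineffective: '{name}' is disabled by client NTLMv2 auth = yes")
    if not ntlmv2:
        findings.insert(0, "weak: NTLM (not NTLMv2) responses will be sent")
    return findings

# Constructed sample configuration, not taken from a real host.
SAMPLE = """[global]
    workgroup = EXAMPLE
    Client NTLMV2 Auth = no
    client lanman auth = yes
; client plaintext auth = yes
"""
```

Calling `audit_client_auth()` on the text of a real smb.conf returns an empty list when none of the three options is set, which matches the behaviour this page says will become enforced.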