[PATCH] Clarify new 'ntlm auth' behaviour in smb.conf

Andrew Bartlett abartlet at samba.org
Mon Jul 24 02:13:24 UTC 2017


This patch clarifies that 'ntlm auth = disabled' only disables ntlm
authentication for this server's passdb, not against a trusted or our own
domain.

Please review/push!

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba



-------------- next part --------------
From b05332d2feb9ade2efc9e669a407df236d572486 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Mon, 24 Jul 2017 14:09:19 +1200
Subject: [PATCH] smb.conf: Explain that "ntlm auth" is a per-passdb setting

This parameter has always applied to this passdb only, not to domain
authentication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12929
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
---
 docs-xml/smbdotconf/security/ntlmauth.xml | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
index f0969bf9ed2..dceae44d81b 100644
--- a/docs-xml/smbdotconf/security/ntlmauth.xml
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -6,8 +6,18 @@
 <description>
     <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
     <manvolnum>8</manvolnum></citerefentry> will attempt to
-    authenticate users using the NTLM encrypted password response.
-    If disabled, NTLM and LanMan authencication is disabled server-wide.</para>
+    authenticate users using the NTLM encrypted password response for
+    this local passdb (SAM or account database). </para>
+
+    <para>If disabled, both NTLM and LanMan authencication against the
+    local passdb is disabled.</para>
+
+    <para>Note that these settings apply only to local users,
+    authentication will still be forwarded to and NTLM authentication
+    accepted against any domain we are joined to, and any trusted
+    domain, even if disabled or if NTLMv2-only is enforced here.  To
+    control NTLM authentiation for domain users, this must option must
+    be configured on each DC.</para>
 
     <para>By default with <command moreinfo="none">lanman
     auth</command> set to <constant>no</constant> and
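Review bot: the added description text carries spelling errors that will ship in the generated manpage: "authencication" in the second new paragraph (carried over from the removed line) and, in the third, "authentiation" together with the doubled "must" in "this must option must be configured on each DC"; suggest "If disabled, both NTLM and LanMan authentication against the local passdb are disabled." and "To control NTLM authentication for domain users, this option must be configured on each DC." The third paragraph also joins two sentences with a comma ("apply only to local users, authentication will still be forwarded"); split it after "users", and since the preceding paragraph talks about "this local passdb" in the singular, "Note that these settings" should read "Note that this setting". Because the same paragraph ends by saying the option is set on each DC, "apply only to local users" is only true of member and standalone servers (on a DC the local passdb is the domain's account database), so it would be clearer to say so, e.g. "On a domain member or standalone server, this setting applies only to local users". Finally, the stray space before "</para>" at the end of the first rewritten paragraph can be dropped.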
@@ -41,8 +51,8 @@
         </listitem>
 
         <listitem>
-          <para><constant>disabled</constant> - Do not allow NTLM (or
-          LanMan) authentication of any level as a server, nor permit
+          <para><constant>disabled</constant> - Do not accept NTLM (or
+          LanMan) authentication of any level, nor permit
           NTLM password changes.</para>
         </listitem>
 
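Review bot: with "as a server" removed, the "disabled" entry still reads as a blanket statement ("Do not accept NTLM (or LanMan) authentication of any level"), which sits awkwardly beside the description's new point that the setting governs only the local passdb; suggest "Do not accept NTLM (or LanMan) authentication at any level against the local passdb, nor permit NTLM password changes." ("at any level" also reads more naturally than "of any level").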
-- 
2.11.0
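As an added example that is not part of the patch or of the Samba project, the following Python checker reads an smb.conf and reports which users an 'ntlm auth' restriction actually governs, applying the scoping the patch documents: the local passdb is always covered, domain users are covered only when this host is itself the DC, and users of a trusted domain are never covered here. The INI-style parser, the role mapping derived from 'server role' and 'security', the assumed default of 'ntlmv2-only', and the sample configurations are my assumptions, not anything stated on this page.

```python
"""Added example (not Samba code): report what an smb.conf 'ntlm auth'
setting governs, following the scoping rule the patch documents.

Assumptions (mine, not from the page):
  - smb.conf is INI-style text with '#' / ';' comment lines, and parameter
    names compare case-insensitively with internal whitespace removed.
  - The role comes from 'server role'; if absent or 'auto', 'security'
    decides: 'ads' / 'domain' means member server, anything else standalone.
  - The default for 'ntlm auth' is 'ntlmv2-only'.
"""
import re

ROLE_DC = "dc"
ROLE_MEMBER = "member"
ROLE_STANDALONE = "standalone"


def _canon(name: str) -> str:
    """Canonical parameter name: lower-case with whitespace stripped."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text: str) -> dict:
    """Parse smb.conf text into {section: {canonical_param: value}}."""
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][_canon(key)] = value.strip()
    return sections


def server_role(global_section: dict) -> str:
    """Derive the role from 'server role', falling back on 'security'."""
    role = global_section.get("serverrole", "auto").lower()
    if "domain controller" in role:
        return ROLE_DC
    if role == "member server":
        return ROLE_MEMBER
    if role == "standalone server":
        return ROLE_STANDALONE
    security = global_section.get("security", "user").lower()
    return ROLE_MEMBER if security in ("ads", "domain") else ROLE_STANDALONE


def ntlm_auth_scope(text: str) -> dict:
    """Return which users an 'ntlm auth' restriction covers on this host.

    'disabled' and 'ntlmv2-only' are the two values the documentation text
    names as restrictions that still leave domain users untouched.
    """
    g = parse_smb_conf(text).get("global", {})
    value = g.get("ntlmauth", "ntlmv2-only").lower()  # default is assumed
    role = server_role(g)
    restricted = value in ("disabled", "ntlmv2-only")
    return {
        "ntlm auth": value,
        "role": role,
        "restricted": restricted,
        # Accounts in the local passdb are always governed by this setting.
        "covers_local_passdb": restricted,
        # Domain users are governed only when this host is the DC; a member
        # server forwards them to the DC, whose own 'ntlm auth' decides.
        "covers_domain_users": restricted and role == ROLE_DC,
        # Trusted-domain users are decided by the trusted domain's DCs.
        "covers_trusted_domain_users": False,
    }


# Constructed sample configurations (not taken from any real host).
MEMBER_CONF = """
# constructed: domain member that tries to switch NTLM off locally
[global]
   workgroup = EXAMPLE
   security = ads
   realm = EXAMPLE.COM
   ntlm auth = disabled
"""

DC_CONF = """
[global]
   server role = active directory domain controller
   NTLM Auth = disabled
"""

STANDALONE_CONF = """
[global]
   security = user
   ntlm auth = yes
"""

if __name__ == "__main__":
    for name, conf in (("member", MEMBER_CONF), ("dc", DC_CONF),
                       ("standalone", STANDALONE_CONF)):
        print(name, ntlm_auth_scope(conf))
```

Run against the member-server sample, the checker shows the situation the patch warns about: the restriction is in force for the local passdb, yet domain users are still authenticated with NTLM by the DC, so the same option has to be set there.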



More information about the samba-technical mailing list