[PATCH] Clarify new 'ntlm auth' behaviour in smb.conf

Andrew Bartlett abartlet at samba.org
Mon Jul 24 02:13:24 UTC 2017

This patch clarifies that 'ntlm auth = disabled' only disables ntlm
authentication for this server passdb, not against a trusted or or own

Please review/push!


Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   

-------------- next part --------------
From b05332d2feb9ade2efc9e669a407df236d572486 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Mon, 24 Jul 2017 14:09:19 +1200
Subject: [PATCH] smb.conf: Explain that "ntlm auth" is a per-passdb setting

This parameter has always applied to this passdb only, not to domain

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12929
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
 docs-xml/smbdotconf/security/ntlmauth.xml | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
index f0969bf9ed2..dceae44d81b 100644
--- a/docs-xml/smbdotconf/security/ntlmauth.xml
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -6,8 +6,18 @@
     <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
     <manvolnum>8</manvolnum></citerefentry> will attempt to
-    authenticate users using the NTLM encrypted password response.
-    If disabled, NTLM and LanMan authencication is disabled server-wide.</para>
+    authenticate users using the NTLM encrypted password response for
+    this local passdb (SAM or account database). </para>
+    <para>If disabled, both NTLM and LanMan authencication against the
+    local passdb is disabled.</para>
+    <para>Note that these settings apply only to local users,
+    authentication will still be forwarded to and NTLM authentication
+    accepted against any domain we are joined to, and any trusted
+    domain, even if disabled or if NTLMv2-only is enforced here.  To
+    control NTLM authentiation for domain users, this must option must
+    be configured on each DC.</para>
     <para>By default with <command moreinfo="none">lanman
     auth</command> set to <constant>no</constant> and
@@ -41,8 +51,8 @@
-          <para><constant>disabled</constant> - Do not allow NTLM (or
-          LanMan) authentication of any level as a server, nor permit
+          <para><constant>disabled</constant> - Do not accept NTLM (or
+          LanMan) authentication of any level, nor permit
           NTLM password changes.</para>

More information about the samba-technical mailing list