[PATCH] Clarify new 'ntlm auth' behaviour in smb.conf
Andrew Bartlett
abartlet at samba.org
Mon Jul 24 02:13:24 UTC 2017
This patch clarifies that 'ntlm auth = disabled' only disables ntlm
authentication for this server passdb, not against a trusted or or own
domain.
Please review/push!
Thanks,
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
-------------- next part --------------
From b05332d2feb9ade2efc9e669a407df236d572486 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Mon, 24 Jul 2017 14:09:19 +1200
Subject: [PATCH] smb.conf: Explain that "ntlm auth" is a per-passdb setting
This parameter has always applied to this passdb only, not to domain
authentication.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12929
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
---
docs-xml/smbdotconf/security/ntlmauth.xml | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
index f0969bf9ed2..dceae44d81b 100644
--- a/docs-xml/smbdotconf/security/ntlmauth.xml
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -6,8 +6,18 @@
<description>
<para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> will attempt to
- authenticate users using the NTLM encrypted password response.
- If disabled, NTLM and LanMan authencication is disabled server-wide.</para>
+ authenticate users using the NTLM encrypted password response for
+ this local passdb (SAM or account database). </para>
+
+ <para>If disabled, both NTLM and LanMan authencication against the
+ local passdb is disabled.</para>
+
+ <para>Note that these settings apply only to local users,
+ authentication will still be forwarded to and NTLM authentication
+ accepted against any domain we are joined to, and any trusted
+ domain, even if disabled or if NTLMv2-only is enforced here. To
+ control NTLM authentiation for domain users, this must option must
+ be configured on each DC.</para>
<para>By default with <command moreinfo="none">lanman
auth</command> set to <constant>no</constant> and
@@ -41,8 +51,8 @@
</listitem>
<listitem>
- <para><constant>disabled</constant> - Do not allow NTLM (or
- LanMan) authentication of any level as a server, nor permit
+ <para><constant>disabled</constant> - Do not accept NTLM (or
+ LanMan) authentication of any level, nor permit
NTLM password changes.</para>
</listitem>
--
2.11.0
More information about the samba-technical
mailing list