Update the doco on 'restrict anonymous' (note that 'guest ok' kills off the

benifit of RA=2), explain better what 'ntlm auth' and 'lanman auth' do, and
fix use spnego - all win2k clients use spnego.

Work on the client-side still needs to be done, but I realised that I need
to add a paramter to close off all plaintext authentication before documenting
'client lanman auth' will make any sense.

Andrew Bartlett
(This used to be commit f264846537d7aa66e7bbb71c17bf215dc23f07e2)

1 files changed, 8 insertions, 4 deletions

diff --git a/docs/docbook/smbdotconf/security/ntlmauth.xml b/docs/docbook/smbdotconf/security/ntlmauth.xml
index b0b3179ab7..96092152c9 100644
--- a/docs/docbook/smbdotconf/security/ntlmauth.xml
+++ b/docs/docbook/smbdotconf/security/ntlmauth.xml
@@ -4,11 +4,15 @@
                  xmlns:samba="http://samba.org/common">
 <listitem>
     <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
-    <manvolnum>8</manvolnum></citerefentry> will attempt to authenticate users using the NTLM password hash.
-    If disabled, only the lanman password hashes will be used.</para>
+    <manvolnum>8</manvolnum></citerefentry> will attempt to
+    authenticate users using the NTLM encrypted password response.
+    If disabled, either the lanman password hash or an NTLMv2 response
+    will need to be sent by the client.</para>
 
-    <para>Please note that at least this option or <command moreinfo="none">lanman auth</command> should 
-    be enabled in order to be able to log in.</para>
+    <para>If this option, and <command moreinfo="none">lanman
+    auth</command> are both disabled, then only NTLMv2 logins will be
+    permited.  Not all clients support NTLMv2, and most will require
+    special configuration to us it.</para>
 		
     <para>Default : <command moreinfo="none">ntlm auth = yes</command></para>
 </listitem>