diff options
author | Andrew Bartlett <abartlet@samba.org> | 2003-06-01 06:40:35 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2003-06-01 06:40:35 +0000 |
commit | c49b32e492580f774ef7faa323e244749196027d (patch) | |
tree | 773c61fc89af061a9ea22b08f0629eb99e725a58 /docs/docbook/smbdotconf | |
parent | 72cc0c82c415c872e270d924c795d6ac907a32fb (diff) | |
download | samba-c49b32e492580f774ef7faa323e244749196027d.tar.gz samba-c49b32e492580f774ef7faa323e244749196027d.tar.bz2 samba-c49b32e492580f774ef7faa323e244749196027d.zip |
Update the doco on 'restrict anonymous' (note that 'guest ok' kills off the
benifit of RA=2), explain better what 'ntlm auth' and 'lanman auth' do, and
fix use spnego - all win2k clients use spnego.
Work on the client-side still needs to be done, but I realised that I need
to add a paramter to close off all plaintext authentication before documenting
'client lanman auth' will make any sense.
Andrew Bartlett
(This used to be commit f264846537d7aa66e7bbb71c17bf215dc23f07e2)
Diffstat (limited to 'docs/docbook/smbdotconf')
-rw-r--r-- | docs/docbook/smbdotconf/protocol/usespnego.xml | 2 | ||||
-rw-r--r-- | docs/docbook/smbdotconf/security/lanmanauth.xml | 16 | ||||
-rw-r--r-- | docs/docbook/smbdotconf/security/ntlmauth.xml | 12 | ||||
-rw-r--r-- | docs/docbook/smbdotconf/security/restrictanonymous.xml | 5 |
4 files changed, 30 insertions, 5 deletions
diff --git a/docs/docbook/smbdotconf/protocol/usespnego.xml b/docs/docbook/smbdotconf/protocol/usespnego.xml index 88c9f1df7a..7dddbd3f74 100644 --- a/docs/docbook/smbdotconf/protocol/usespnego.xml +++ b/docs/docbook/smbdotconf/protocol/usespnego.xml @@ -5,7 +5,7 @@ <listitem> <para> This variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with - WindowsXP and Windows2000sp2 clients to agree upon an authentication mechanism. + WindowsXP and Windows2000 clients to agree upon an authentication mechanism. Unless further issues are discovered with our SPNEGO implementation, there is no reason this should ever be disabled.</para> diff --git a/docs/docbook/smbdotconf/security/lanmanauth.xml b/docs/docbook/smbdotconf/security/lanmanauth.xml index e293242472..0a8fdd3ef3 100644 --- a/docs/docbook/smbdotconf/security/lanmanauth.xml +++ b/docs/docbook/smbdotconf/security/lanmanauth.xml @@ -8,7 +8,23 @@ using the LANMAN password hash. If disabled, only clients which support NT password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.</para> + + <para>The LANMAN encrypted response is easily broken, due to it's + case-insensitive nature, and the choice of algorithm. Servers + without Windows 95/98 or MS DOS clients are advised to disable + this option. </para> + <para>Unlike the <command moreinfo="none">encypt + passwords</command> option, this parameter cannot alter client + behaviour, and the LANMAN response will still be sent over the + network. See the <command moreinfo="none">client lanman + auth</command> to disable this for Samba's clients (such as smbclient)</para> + + <para>If this option, and <command moreinfo="none">ntlm + auth</command> are both disabled, then only NTLMv2 logins will be + permited. Not all clients support NTLMv2, and most will require + special configuration to us it.</para> + <para>Default : <command moreinfo="none">lanman auth = yes</command></para> </listitem> </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/ntlmauth.xml b/docs/docbook/smbdotconf/security/ntlmauth.xml index b0b3179ab7..96092152c9 100644 --- a/docs/docbook/smbdotconf/security/ntlmauth.xml +++ b/docs/docbook/smbdotconf/security/ntlmauth.xml @@ -4,11 +4,15 @@ xmlns:samba="http://samba.org/common"> <listitem> <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle> - <manvolnum>8</manvolnum></citerefentry> will attempt to authenticate users using the NTLM password hash. - If disabled, only the lanman password hashes will be used.</para> + <manvolnum>8</manvolnum></citerefentry> will attempt to + authenticate users using the NTLM encrypted password response. + If disabled, either the lanman password hash or an NTLMv2 response + will need to be sent by the client.</para> - <para>Please note that at least this option or <command moreinfo="none">lanman auth</command> should - be enabled in order to be able to log in.</para> + <para>If this option, and <command moreinfo="none">lanman + auth</command> are both disabled, then only NTLMv2 logins will be + permited. Not all clients support NTLMv2, and most will require + special configuration to us it.</para> <para>Default : <command moreinfo="none">ntlm auth = yes</command></para> </listitem> diff --git a/docs/docbook/smbdotconf/security/restrictanonymous.xml b/docs/docbook/smbdotconf/security/restrictanonymous.xml index 803bc06b2b..8ec860c17e 100644 --- a/docs/docbook/smbdotconf/security/restrictanonymous.xml +++ b/docs/docbook/smbdotconf/security/restrictanonymous.xml @@ -19,6 +19,11 @@ The security advantage of using restrict anonymous = 1 is dubious, as user and group list information can be obtained using other means. + + The security advantage of using restrict anonymous = 2 is removed + by setting <link linkend="GUESTOK"><parameter moreinfo="none">guest + ok</parameter></link> = yes</para> on any share. + </para> <para>Default: <command moreinfo="none">restrict anonymous = 0</command></para> |