summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/docbook/smbdotconf/protocol/usespnego.xml2
-rw-r--r--docs/docbook/smbdotconf/security/lanmanauth.xml16
-rw-r--r--docs/docbook/smbdotconf/security/ntlmauth.xml12
-rw-r--r--docs/docbook/smbdotconf/security/restrictanonymous.xml5
4 files changed, 30 insertions, 5 deletions
diff --git a/docs/docbook/smbdotconf/protocol/usespnego.xml b/docs/docbook/smbdotconf/protocol/usespnego.xml
index 88c9f1df7a..7dddbd3f74 100644
--- a/docs/docbook/smbdotconf/protocol/usespnego.xml
+++ b/docs/docbook/smbdotconf/protocol/usespnego.xml
@@ -5,7 +5,7 @@
<listitem>
<para> This variable controls controls whether samba will try
to use Simple and Protected NEGOciation (as specified by rfc2478) with
- WindowsXP and Windows2000sp2 clients to agree upon an authentication mechanism.
+ WindowsXP and Windows2000 clients to agree upon an authentication mechanism.
Unless further issues are discovered with our SPNEGO
implementation, there is no reason this should ever be
disabled.</para>
diff --git a/docs/docbook/smbdotconf/security/lanmanauth.xml b/docs/docbook/smbdotconf/security/lanmanauth.xml
index e293242472..0a8fdd3ef3 100644
--- a/docs/docbook/smbdotconf/security/lanmanauth.xml
+++ b/docs/docbook/smbdotconf/security/lanmanauth.xml
@@ -8,7 +8,23 @@
using the LANMAN password hash. If disabled, only clients which support NT
password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not
Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.</para>
+
+ <para>The LANMAN encrypted response is easily broken, due to it's
+ case-insensitive nature, and the choice of algorithm. Servers
+ without Windows 95/98 or MS DOS clients are advised to disable
+ this option. </para>
+ <para>Unlike the <command moreinfo="none">encypt
+ passwords</command> option, this parameter cannot alter client
+ behaviour, and the LANMAN response will still be sent over the
+ network. See the <command moreinfo="none">client lanman
+ auth</command> to disable this for Samba's clients (such as smbclient)</para>
+
+ <para>If this option, and <command moreinfo="none">ntlm
+ auth</command> are both disabled, then only NTLMv2 logins will be
+ permited. Not all clients support NTLMv2, and most will require
+ special configuration to us it.</para>
+
<para>Default : <command moreinfo="none">lanman auth = yes</command></para>
</listitem>
</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/ntlmauth.xml b/docs/docbook/smbdotconf/security/ntlmauth.xml
index b0b3179ab7..96092152c9 100644
--- a/docs/docbook/smbdotconf/security/ntlmauth.xml
+++ b/docs/docbook/smbdotconf/security/ntlmauth.xml
@@ -4,11 +4,15 @@
xmlns:samba="http://samba.org/common">
<listitem>
<para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> will attempt to authenticate users using the NTLM password hash.
- If disabled, only the lanman password hashes will be used.</para>
+ <manvolnum>8</manvolnum></citerefentry> will attempt to
+ authenticate users using the NTLM encrypted password response.
+ If disabled, either the lanman password hash or an NTLMv2 response
+ will need to be sent by the client.</para>
- <para>Please note that at least this option or <command moreinfo="none">lanman auth</command> should
- be enabled in order to be able to log in.</para>
+ <para>If this option, and <command moreinfo="none">lanman
+ auth</command> are both disabled, then only NTLMv2 logins will be
+ permited. Not all clients support NTLMv2, and most will require
+ special configuration to us it.</para>
<para>Default : <command moreinfo="none">ntlm auth = yes</command></para>
</listitem>
diff --git a/docs/docbook/smbdotconf/security/restrictanonymous.xml b/docs/docbook/smbdotconf/security/restrictanonymous.xml
index 803bc06b2b..8ec860c17e 100644
--- a/docs/docbook/smbdotconf/security/restrictanonymous.xml
+++ b/docs/docbook/smbdotconf/security/restrictanonymous.xml
@@ -19,6 +19,11 @@
The security advantage of using restrict anonymous = 1 is dubious,
as user and group list information can be obtained using other
means.
+
+ The security advantage of using restrict anonymous = 2 is removed
+ by setting <link linkend="GUESTOK"><parameter moreinfo="none">guest
+ ok</parameter></link> = yes</para> on any share.
+
</para>
<para>Default: <command moreinfo="none">restrict anonymous = 0</command></para>