diff options
| -rw-r--r-- | docs/docbook/smbdotconf/protocol/usespnego.xml | 2 | ||||
| -rw-r--r-- | docs/docbook/smbdotconf/security/lanmanauth.xml | 16 | ||||
| -rw-r--r-- | docs/docbook/smbdotconf/security/ntlmauth.xml | 12 | ||||
| -rw-r--r-- | docs/docbook/smbdotconf/security/restrictanonymous.xml | 5 |
4 files changed, 30 insertions, 5 deletions
diff --git a/docs/docbook/smbdotconf/protocol/usespnego.xml b/docs/docbook/smbdotconf/protocol/usespnego.xml index 88c9f1df7a..7dddbd3f74 100644 --- a/docs/docbook/smbdotconf/protocol/usespnego.xml +++ b/docs/docbook/smbdotconf/protocol/usespnego.xml @@ -5,7 +5,7 @@ <listitem> <para> This variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with - WindowsXP and Windows2000sp2 clients to agree upon an authentication mechanism. + WindowsXP and Windows2000 clients to agree upon an authentication mechanism. Unless further issues are discovered with our SPNEGO implementation, there is no reason this should ever be disabled.</para> diff --git a/docs/docbook/smbdotconf/security/lanmanauth.xml b/docs/docbook/smbdotconf/security/lanmanauth.xml index e293242472..0a8fdd3ef3 100644 --- a/docs/docbook/smbdotconf/security/lanmanauth.xml +++ b/docs/docbook/smbdotconf/security/lanmanauth.xml @@ -8,7 +8,23 @@ using the LANMAN password hash. If disabled, only clients which support NT password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.</para> + + <para>The LANMAN encrypted response is easily broken, due to it's + case-insensitive nature, and the choice of algorithm. Servers + without Windows 95/98 or MS DOS clients are advised to disable + this option. </para> + <para>Unlike the <command moreinfo="none">encypt + passwords</command> option, this parameter cannot alter client + behaviour, and the LANMAN response will still be sent over the + network. See the <command moreinfo="none">client lanman + auth</command> to disable this for Samba's clients (such as smbclient)</para> + + <para>If this option, and <command moreinfo="none">ntlm + auth</command> are both disabled, then only NTLMv2 logins will be + permited. Not all clients support NTLMv2, and most will require + special configuration to us it.</para> + <para>Default : <command moreinfo="none">lanman auth = yes</command></para> </listitem> </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/ntlmauth.xml b/docs/docbook/smbdotconf/security/ntlmauth.xml index b0b3179ab7..96092152c9 100644 --- a/docs/docbook/smbdotconf/security/ntlmauth.xml +++ b/docs/docbook/smbdotconf/security/ntlmauth.xml @@ -4,11 +4,15 @@ xmlns:samba="http://samba.org/common"> <listitem> <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle> - <manvolnum>8</manvolnum></citerefentry> will attempt to authenticate users using the NTLM password hash. - If disabled, only the lanman password hashes will be used.</para> + <manvolnum>8</manvolnum></citerefentry> will attempt to + authenticate users using the NTLM encrypted password response. + If disabled, either the lanman password hash or an NTLMv2 response + will need to be sent by the client.</para> - <para>Please note that at least this option or <command moreinfo="none">lanman auth</command> should - be enabled in order to be able to log in.</para> + <para>If this option, and <command moreinfo="none">lanman + auth</command> are both disabled, then only NTLMv2 logins will be + permited. Not all clients support NTLMv2, and most will require + special configuration to us it.</para> <para>Default : <command moreinfo="none">ntlm auth = yes</command></para> </listitem> diff --git a/docs/docbook/smbdotconf/security/restrictanonymous.xml b/docs/docbook/smbdotconf/security/restrictanonymous.xml index 803bc06b2b..8ec860c17e 100644 --- a/docs/docbook/smbdotconf/security/restrictanonymous.xml +++ b/docs/docbook/smbdotconf/security/restrictanonymous.xml @@ -19,6 +19,11 @@ The security advantage of using restrict anonymous = 1 is dubious, as user and group list information can be obtained using other means. + + The security advantage of using restrict anonymous = 2 is removed + by setting <link linkend="GUESTOK"><parameter moreinfo="none">guest + ok</parameter></link> = yes</para> on any share. + </para> <para>Default: <command moreinfo="none">restrict anonymous = 0</command></para> |