From 7aa3d6c2ad2ce7ba5dd76ccd03fdf90da672ed93 Mon Sep 17 00:00:00 2001
From: John Terpstra <jht@samba.org>
Date: Fri, 25 Apr 2003 04:36:08 +0000
Subject: Fixing typos. (This used to be commit
 fe13a878d50f325482c6d626ed5dd6e399e4b853)

---
 docs/docbook/projdoc/securing-samba.sgml | 49 +++++++++++++++++++++++++-------
 1 file changed, 38 insertions(+), 11 deletions(-)

(limited to 'docs/docbook/projdoc/securing-samba.sgml')

diff --git a/docs/docbook/projdoc/securing-samba.sgml b/docs/docbook/projdoc/securing-samba.sgml
index e9e8c4f9f8..eedc7ba725 100644
--- a/docs/docbook/projdoc/securing-samba.sgml
+++ b/docs/docbook/projdoc/securing-samba.sgml
@@ -2,6 +2,7 @@
 
 <chapterinfo>
 	&author.tridge;
+	&author.jht;
 	<pubdate>17 March 2003</pubdate>
 </chapterinfo>
 
@@ -36,8 +37,8 @@ might be:
 </para>
 
 <para><programlisting>
-  hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
-  hosts deny = 0.0.0.0/0
+	hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
+	hosts deny = 0.0.0.0/0
 </programlisting></para>
 
 <para>
@@ -66,8 +67,8 @@ You can change this behaviour using options like the following:
 </para>
 
 <para><programlisting>
-  interfaces = eth* lo
-  bind interfaces only = yes
+	interfaces = eth* lo
+	bind interfaces only = yes
 </programlisting></para>
 
 <para>
@@ -105,10 +106,10 @@ UDP ports to allow and block. Samba uses the following:
 </para>
 
 <para><programlisting>
-UDP/137    - used by nmbd
-UDP/138    - used by nmbd
-TCP/139    - used by smbd
-TCP/445    - used by smbd
+	UDP/137    - used by nmbd
+	UDP/138    - used by nmbd
+	TCP/139    - used by smbd
+	TCP/445    - used by smbd
 </programlisting></para>
 
 <para>
@@ -135,9 +136,9 @@ To do that you could use:
 </para>
 
 <para><programlisting>
-  [ipc$]
-     hosts allow = 192.168.115.0/24 127.0.0.1
-     hosts deny = 0.0.0.0/0
+	[ipc$]
+	     hosts allow = 192.168.115.0/24 127.0.0.1
+	     hosts deny = 0.0.0.0/0
 </programlisting></para>
 
 <para>
@@ -163,6 +164,32 @@ methods listed above for some reason.
 
 </sect1>
 
+<sect1>
+<title>NTLMv2 Security</title>
+
+<para>
+To configure NTLMv2 authentication the following registry keys are worth knowing about:
+</para>
+
+<para>
+<programlisting>
+	[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
+	"lmcompatibilitylevel"=dword:00000003
+
+	0x3 - Send NTLMv2 response only. Clients will use NTLMv2 authentication,
+	use NTLMv2 session security if the server supports it. Domain
+	controllers accept LM, NTLM and NTLMv2 authentication.
+
+	[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
+	"NtlmMinClientSec"=dword:00080000
+
+	0x80000 - NTLMv2 session security. If either NtlmMinClientSec or
+	NtlmMinServerSec is set to 0x80000, the connection will fail if NTLMv2
+	session security is not negotiated.
+</programlisting>
+</para>
+</sect1>
+
 <sect1>
 <title>Upgrading Samba</title>
 
-- 
cgit