From c49b32e492580f774ef7faa323e244749196027d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 1 Jun 2003 06:40:35 +0000 Subject: Update the doco on 'restrict anonymous' (note that 'guest ok' kills off the benifit of RA=2), explain better what 'ntlm auth' and 'lanman auth' do, and fix use spnego - all win2k clients use spnego. Work on the client-side still needs to be done, but I realised that I need to add a paramter to close off all plaintext authentication before documenting 'client lanman auth' will make any sense. Andrew Bartlett (This used to be commit f264846537d7aa66e7bbb71c17bf215dc23f07e2) --- docs/docbook/smbdotconf/security/lanmanauth.xml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'docs/docbook/smbdotconf/security/lanmanauth.xml') diff --git a/docs/docbook/smbdotconf/security/lanmanauth.xml b/docs/docbook/smbdotconf/security/lanmanauth.xml index e293242472..0a8fdd3ef3 100644 --- a/docs/docbook/smbdotconf/security/lanmanauth.xml +++ b/docs/docbook/smbdotconf/security/lanmanauth.xml @@ -8,7 +8,23 @@ using the LANMAN password hash. If disabled, only clients which support NT password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host. + + The LANMAN encrypted response is easily broken, due to it's + case-insensitive nature, and the choice of algorithm. Servers + without Windows 95/98 or MS DOS clients are advised to disable + this option. + Unlike the encypt + passwords option, this parameter cannot alter client + behaviour, and the LANMAN response will still be sent over the + network. See the client lanman + auth to disable this for Samba's clients (such as smbclient) + + If this option, and ntlm + auth are both disabled, then only NTLMv2 logins will be + permited. Not all clients support NTLMv2, and most will require + special configuration to us it. + Default : lanman auth = yes -- cgit