From c49b32e492580f774ef7faa323e244749196027d Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Sun, 1 Jun 2003 06:40:35 +0000
Subject: Update the doco on 'restrict anonymous' (note that 'guest ok' kills
 off the benifit of RA=2), explain better what 'ntlm auth' and 'lanman auth'
 do, and fix use spnego - all win2k clients use spnego.

Work on the client-side still needs to be done, but I realised that I need
to add a paramter to close off all plaintext authentication before documenting
'client lanman auth' will make any sense.

Andrew Bartlett
(This used to be commit f264846537d7aa66e7bbb71c17bf215dc23f07e2)
---
 docs/docbook/smbdotconf/protocol/usespnego.xml         |  2 +-
 docs/docbook/smbdotconf/security/lanmanauth.xml        | 16 ++++++++++++++++
 docs/docbook/smbdotconf/security/ntlmauth.xml          | 12 ++++++++----
 docs/docbook/smbdotconf/security/restrictanonymous.xml |  5 +++++
 4 files changed, 30 insertions(+), 5 deletions(-)

(limited to 'docs/docbook/smbdotconf')

diff --git a/docs/docbook/smbdotconf/protocol/usespnego.xml b/docs/docbook/smbdotconf/protocol/usespnego.xml
index 88c9f1df7a..7dddbd3f74 100644
--- a/docs/docbook/smbdotconf/protocol/usespnego.xml
+++ b/docs/docbook/smbdotconf/protocol/usespnego.xml
@@ -5,7 +5,7 @@
 <listitem>
     <para> This variable controls controls whether samba will try 
     to use Simple and Protected NEGOciation (as specified by rfc2478) with 
-    WindowsXP and Windows2000sp2 clients to agree upon an authentication mechanism. 
+    WindowsXP and Windows2000 clients to agree upon an authentication mechanism. 
     Unless further issues are discovered with our SPNEGO
     implementation, there is no reason this should ever be
     disabled.</para>
diff --git a/docs/docbook/smbdotconf/security/lanmanauth.xml b/docs/docbook/smbdotconf/security/lanmanauth.xml
index e293242472..0a8fdd3ef3 100644
--- a/docs/docbook/smbdotconf/security/lanmanauth.xml
+++ b/docs/docbook/smbdotconf/security/lanmanauth.xml
@@ -8,7 +8,23 @@
     using the LANMAN password hash. If disabled, only clients which support NT 
     password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not 
     Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.</para>
+
+    <para>The LANMAN encrypted response is easily broken, due to it's
+    case-insensitive nature, and the choice of algorithm.  Servers
+    without Windows 95/98 or MS DOS clients are advised to disable
+    this option.  </para>
 		
+    <para>Unlike the <command moreinfo="none">encypt
+    passwords</command> option, this parameter cannot alter client
+    behaviour, and the LANMAN response will still be sent over the
+    network.  See the <command moreinfo="none">client lanman
+    auth</command> to disable this for Samba's clients (such as smbclient)</para>
+
+    <para>If this option, and <command moreinfo="none">ntlm
+    auth</command> are both disabled, then only NTLMv2 logins will be
+    permited.  Not all clients support NTLMv2, and most will require
+    special configuration to us it.</para>
+
     <para>Default : <command moreinfo="none">lanman auth = yes</command></para>
 </listitem>
 </samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/ntlmauth.xml b/docs/docbook/smbdotconf/security/ntlmauth.xml
index b0b3179ab7..96092152c9 100644
--- a/docs/docbook/smbdotconf/security/ntlmauth.xml
+++ b/docs/docbook/smbdotconf/security/ntlmauth.xml
@@ -4,11 +4,15 @@
                  xmlns:samba="http://samba.org/common">
 <listitem>
     <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
-    <manvolnum>8</manvolnum></citerefentry> will attempt to authenticate users using the NTLM password hash.
-    If disabled, only the lanman password hashes will be used.</para>
+    <manvolnum>8</manvolnum></citerefentry> will attempt to
+    authenticate users using the NTLM encrypted password response.
+    If disabled, either the lanman password hash or an NTLMv2 response
+    will need to be sent by the client.</para>
 
-    <para>Please note that at least this option or <command moreinfo="none">lanman auth</command> should 
-    be enabled in order to be able to log in.</para>
+    <para>If this option, and <command moreinfo="none">lanman
+    auth</command> are both disabled, then only NTLMv2 logins will be
+    permited.  Not all clients support NTLMv2, and most will require
+    special configuration to us it.</para>
 		
     <para>Default : <command moreinfo="none">ntlm auth = yes</command></para>
 </listitem>
diff --git a/docs/docbook/smbdotconf/security/restrictanonymous.xml b/docs/docbook/smbdotconf/security/restrictanonymous.xml
index 803bc06b2b..8ec860c17e 100644
--- a/docs/docbook/smbdotconf/security/restrictanonymous.xml
+++ b/docs/docbook/smbdotconf/security/restrictanonymous.xml
@@ -19,6 +19,11 @@
     The security advantage of using restrict anonymous = 1 is dubious,
     as user and group list information can be obtained using other
     means.
+
+    The security advantage of using restrict anonymous = 2 is removed
+    by setting <link linkend="GUESTOK"><parameter moreinfo="none">guest
+    ok</parameter></link> = yes</para> on any share.
+
     </para>
 
     <para>Default: <command moreinfo="none">restrict anonymous = 0</command></para>
-- 
cgit