From b05332d2feb9ade2efc9e669a407df236d572486 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 24 Jul 2017 14:09:19 +1200 Subject: [PATCH] smb.conf: Explain that "ntlm auth" is a per-passdb setting This parameter has always applied to this passdb only, not to domain authentication. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12929 Signed-off-by: Andrew Bartlett --- docs-xml/smbdotconf/security/ntlmauth.xml | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml index f0969bf9ed2..dceae44d81b 100644 --- a/docs-xml/smbdotconf/security/ntlmauth.xml +++ b/docs-xml/smbdotconf/security/ntlmauth.xml @@ -6,8 +6,18 @@ This parameter determines whether or not smbd 8 will attempt to - authenticate users using the NTLM encrypted password response. - If disabled, NTLM and LanMan authencication is disabled server-wide. + authenticate users using the NTLM encrypted password response for + this local passdb (SAM or account database). + + If disabled, both NTLM and LanMan authencication against the + local passdb is disabled. + + Note that these settings apply only to local users, + authentication will still be forwarded to and NTLM authentication + accepted against any domain we are joined to, and any trusted + domain, even if disabled or if NTLMv2-only is enforced here. To + control NTLM authentiation for domain users, this must option must + be configured on each DC. By default with lanman auth set to no and @@ -41,8 +51,8 @@ - disabled - Do not allow NTLM (or - LanMan) authentication of any level as a server, nor permit + disabled - Do not accept NTLM (or + LanMan) authentication of any level, nor permit NTLM password changes. -- 2.11.0
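Review bot: In the text added by the first hunk (@@ -6,8 +6,18 @@) the new scoping note has wording errors that should be fixed before it reaches the man page: "authencication" is carried over from the removed line, "authentiation" is a new typo, and "this must option must be configured on each DC" has a doubled "must". The sentence "these settings apply only to local users, authentication will still be forwarded ..." is also a comma splice. Since it is the sentence telling administrators that a server joined to a domain will still accept NTLM for domain and trusted-domain users even with disabled or NTLMv2-only set here, split it into two sentences so the caveat cannot be misread. Suggested last sentence: "To control NTLM authentication for domain users, this option must be configured on each DC."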
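Review bot: In the second hunk (@@ -41,8 +51,8 @@) the reworded "disabled" entry still reads as unscoped: "Do not accept NTLM (or LanMan) authentication of any level" conflicts with the note added in the first hunk, which says NTLM authentication is still accepted against the joined domain and any trusted domain even if disabled is set here. Repeat the scope in this entry, for example "Do not accept NTLM (or LanMan) authentication of any level against the local passdb", and state whether the restriction on NTLM password changes is likewise limited to local users.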