Attachment 15240 Details for Bug 13981 – patch for 4.9 and 4.10 cherry-picked from master

[patch] patch for 4.9 and 4.10 cherry-picked from master

0001-docs-Improve-documentation-of-lanman-auth-and-ntlm-a.patch (text/plain), 3.36 KB, created by Andrew Bartlett on 2019-06-11 10:30:28 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Andrew Bartlett

Created: 2019-06-11 10:30:28 UTC

Size: 3.36 KB

patch

obsolete

>From 07fdf8d7560e728596c9376966474b88a00e19fc Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Sat, 1 Jun 2019 09:04:48 +1200
>Subject: [PATCH] docs: Improve documentation of "lanman auth" and "ntlm auth"
> connection
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13981
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>(cherry picked from commit dbf3e81f7f0b28c69dca004b32ea3a7344b0cad3)
>---
> docs-xml/smbdotconf/security/lanmanauth.xml | 14 ++++++++------
> docs-xml/smbdotconf/security/ntlmauth.xml   |  9 +++++----
> 2 files changed, 13 insertions(+), 10 deletions(-)
>
>diff --git a/docs-xml/smbdotconf/security/lanmanauth.xml b/docs-xml/smbdotconf/security/lanmanauth.xml
>index a9e4f88b89f..97f2fb04dcb 100644
>--- a/docs-xml/smbdotconf/security/lanmanauth.xml
>+++ b/docs-xml/smbdotconf/security/lanmanauth.xml
>@@ -24,16 +24,18 @@
>     auth is re-enabled later on.
>     </para>
> 		
>-    <para>Unlike the <command moreinfo="none">encrypt
>-    passwords</command> option, this parameter cannot alter client
>+    <para>Unlike the <parameter moreinfo="none">encrypt
>+    passwords</parameter> option, this parameter cannot alter client
>     behaviour, and the LANMAN response will still be sent over the
>     network.  See the <command moreinfo="none">client lanman
>     auth</command> to disable this for Samba's clients (such as smbclient)</para>
> 
>-    <para>If this option, and <command moreinfo="none">ntlm
>-    auth</command> are both disabled, then only NTLMv2 logins will be
>-    permited.  Not all clients support NTLMv2, and most will require
>-    special configuration to use it.</para>
>+    <para>This parameter is overriden by <parameter moreinfo="none">ntlm
>+    auth</parameter>, so unless that it is also set to
>+    <constant>ntlmv1-permitted</constant> or <constant>yes</constant>,
>+    then only NTLMv2 logins will be permited and no LM hash will be
>+    stored.  All modern clients support NTLMv2, and but some older
>+    clients require special configuration to use it.</para>
> </description>
> 
> <value type="default">no</value>
>diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
>index dceae44d81b..dd5dbaea117 100644
>--- a/docs-xml/smbdotconf/security/ntlmauth.xml
>+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
>@@ -19,11 +19,9 @@
>     control NTLM authentiation for domain users, this must option must
>     be configured on each DC.</para>
> 
>-    <para>By default with <command moreinfo="none">lanman
>-    auth</command> set to <constant>no</constant> and
>-    <command moreinfo="none">ntlm auth</command> set to
>+    <para>By default with <command moreinfo="none">ntlm auth</command> set to
>     <constant>ntlmv2-only</constant> only NTLMv2 logins will be
>-    permited.  Most clients support NTLMv2 by default, but some older
>+    permited.  All modern clients support NTLMv2 by default, but some older
>     clients will require special configuration to use it.</para>
> 
>     <para>The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.</para>
>@@ -35,6 +33,9 @@
>           <para><constant>ntlmv1-permitted</constant>
> 	  (alias <constant>yes</constant>) - Allow NTLMv1 and above for all clients.</para>
> 
>+	  <para>This is the required setting for to enable the <parameter
>+	  moreinfo="none">lanman auth</parameter> parameter.</para>
>+
>         </listitem>
> 
>         <listitem>
>-- 
>2.17.1
>

Flags:

abartlet: review? (gary)
gary: review+

Actions: View

Attachments on bug 13981: 15240