summaryrefslogtreecommitdiffstats
path: root/docs
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2003-06-01 06:40:35 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-06-01 06:40:35 +0000
commitc49b32e492580f774ef7faa323e244749196027d (patch)
tree773c61fc89af061a9ea22b08f0629eb99e725a58 /docs
parent72cc0c82c415c872e270d924c795d6ac907a32fb (diff)
downloadsamba-c49b32e492580f774ef7faa323e244749196027d.tar.gz
samba-c49b32e492580f774ef7faa323e244749196027d.tar.xz
samba-c49b32e492580f774ef7faa323e244749196027d.zip
Update the doco on 'restrict anonymous' (note that 'guest ok' kills off the
benifit of RA=2), explain better what 'ntlm auth' and 'lanman auth' do, and fix use spnego - all win2k clients use spnego. Work on the client-side still needs to be done, but I realised that I need to add a paramter to close off all plaintext authentication before documenting 'client lanman auth' will make any sense. Andrew Bartlett (This used to be commit f264846537d7aa66e7bbb71c17bf215dc23f07e2)
Diffstat (limited to 'docs')
-rw-r--r--docs/docbook/smbdotconf/protocol/usespnego.xml2
-rw-r--r--docs/docbook/smbdotconf/security/lanmanauth.xml16
-rw-r--r--docs/docbook/smbdotconf/security/ntlmauth.xml12
-rw-r--r--docs/docbook/smbdotconf/security/restrictanonymous.xml5
4 files changed, 30 insertions, 5 deletions
diff --git a/docs/docbook/smbdotconf/protocol/usespnego.xml b/docs/docbook/smbdotconf/protocol/usespnego.xml
index 88c9f1df7a6..7dddbd3f74f 100644
--- a/docs/docbook/smbdotconf/protocol/usespnego.xml
+++ b/docs/docbook/smbdotconf/protocol/usespnego.xml
@@ -5,7 +5,7 @@
<listitem>
<para> This variable controls controls whether samba will try
to use Simple and Protected NEGOciation (as specified by rfc2478) with
- WindowsXP and Windows2000sp2 clients to agree upon an authentication mechanism.
+ WindowsXP and Windows2000 clients to agree upon an authentication mechanism.
Unless further issues are discovered with our SPNEGO
implementation, there is no reason this should ever be
disabled.</para>
diff --git a/docs/docbook/smbdotconf/security/lanmanauth.xml b/docs/docbook/smbdotconf/security/lanmanauth.xml
index e293242472b..0a8fdd3ef35 100644
--- a/docs/docbook/smbdotconf/security/lanmanauth.xml
+++ b/docs/docbook/smbdotconf/security/lanmanauth.xml
@@ -8,7 +8,23 @@
using the LANMAN password hash. If disabled, only clients which support NT
password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not
Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.</para>
+
+ <para>The LANMAN encrypted response is easily broken, due to it's
+ case-insensitive nature, and the choice of algorithm. Servers
+ without Windows 95/98 or MS DOS clients are advised to disable
+ this option. </para>
+ <para>Unlike the <command moreinfo="none">encypt
+ passwords</command> option, this parameter cannot alter client
+ behaviour, and the LANMAN response will still be sent over the
+ network. See the <command moreinfo="none">client lanman
+ auth</command> to disable this for Samba's clients (such as smbclient)</para>
+
+ <para>If this option, and <command moreinfo="none">ntlm
+ auth</command> are both disabled, then only NTLMv2 logins will be
+ permited. Not all clients support NTLMv2, and most will require
+ special configuration to us it.</para>
+
<para>Default : <command moreinfo="none">lanman auth = yes</command></para>
</listitem>
</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/ntlmauth.xml b/docs/docbook/smbdotconf/security/ntlmauth.xml
index b0b3179ab78..96092152c9c 100644
--- a/docs/docbook/smbdotconf/security/ntlmauth.xml
+++ b/docs/docbook/smbdotconf/security/ntlmauth.xml
@@ -4,11 +4,15 @@
xmlns:samba="http://samba.org/common">
<listitem>
<para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> will attempt to authenticate users using the NTLM password hash.
- If disabled, only the lanman password hashes will be used.</para>
+ <manvolnum>8</manvolnum></citerefentry> will attempt to
+ authenticate users using the NTLM encrypted password response.
+ If disabled, either the lanman password hash or an NTLMv2 response
+ will need to be sent by the client.</para>
- <para>Please note that at least this option or <command moreinfo="none">lanman auth</command> should
- be enabled in order to be able to log in.</para>
+ <para>If this option, and <command moreinfo="none">lanman
+ auth</command> are both disabled, then only NTLMv2 logins will be
+ permited. Not all clients support NTLMv2, and most will require
+ special configuration to us it.</para>
<para>Default : <command moreinfo="none">ntlm auth = yes</command></para>
</listitem>
diff --git a/docs/docbook/smbdotconf/security/restrictanonymous.xml b/docs/docbook/smbdotconf/security/restrictanonymous.xml
index 803bc06b2bf..8ec860c17e5 100644
--- a/docs/docbook/smbdotconf/security/restrictanonymous.xml
+++ b/docs/docbook/smbdotconf/security/restrictanonymous.xml
@@ -19,6 +19,11 @@
The security advantage of using restrict anonymous = 1 is dubious,
as user and group list information can be obtained using other
means.
+
+ The security advantage of using restrict anonymous = 2 is removed
+ by setting <link linkend="GUESTOK"><parameter moreinfo="none">guest
+ ok</parameter></link> = yes</para> on any share.
+
</para>
<para>Default: <command moreinfo="none">restrict anonymous = 0</command></para>