This parameter determines whether or not smbd(8) will attempt to
authenticate users using the NTLM encrypted password response for
this local passdb (SAM or account database).
If disabled, both NTLM and LanMan authentication against the
local passdb are disabled.
Note that these settings apply only to local users:
authentication will still be forwarded to, and NTLM authentication
accepted against, any domain we are joined to and any trusted
domain, even if disabled or if NTLMv2-only is enforced here. To
control NTLM authentication for domain users, this option must
be configured on each DC.
By default, with ntlm auth set to ntlmv2-only, only NTLMv2 logins will be
permitted. All modern clients support NTLMv2 by default, but some older
clients will require special configuration to use it.
The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
The available settings are:
ntlmv1-permitted (alias yes) - Allow NTLMv1 and above for all clients.
This is the required setting to enable the lanman auth parameter.
ntlmv2-only (alias no) - Do not allow NTLMv1 to be used, but permit NTLMv2.
mschapv2-and-ntlmv2-only - Only allow NTLMv1 when the client promises
that it is providing MSCHAPv2 authentication (such as the ntlm_auth tool).
disabled - Do not accept NTLM (or LanMan) authentication of any level,
nor permit NTLM password changes.
The default changed from yes to no with Samba 4.5. The default changed again
to ntlmv2-only with Samba 4.7; however, the behaviour is unchanged.
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Samba\smb_conf\ntlm auth |
Value Name | ntlm auth |
Value Type | REG_SZ |
Default Value | ntlmv2-only |
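The following is an added example, not part of the Samba documentation: a small audit that resolves the effective ntlm auth setting from the [global] section of an smb.conf, mapping the yes/no aliases to the named settings listed above and reporting where NTLMv1 or LanMan is accepted for local accounts. The function names and the sample configuration are constructed for illustration; the result says nothing about domain users, which are controlled on each DC as noted above.

```python
# Added example: audit the effective "ntlm auth" setting in smb.conf text.
ALIASES = {"yes": "ntlmv1-permitted", "no": "ntlmv2-only"}
VALID = {"ntlmv1-permitted", "ntlmv2-only", "mschapv2-and-ntlmv2-only", "disabled"}
DEFAULT = "ntlmv2-only"      # default since Samba 4.7, per the text above
TRUE = {"yes", "true", "1"}  # boolean spellings accepted by smb.conf

def _norm_name(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return "".join(name.split()).lower()

def global_params(conf_text):
    """Return {normalized name: value} for the [global] section (last one wins)."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm_name(line[1:-1])
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)  # only the first '=' is significant
            params[_norm_name(name)] = value.strip()
    return params

def audit_ntlm_auth(conf_text):
    """Return (effective_setting, findings) for local-passdb NTLM authentication."""
    params = global_params(conf_text)
    raw = params.get("ntlmauth", DEFAULT).lower()
    setting = ALIASES.get(raw, raw)
    findings = []
    if setting not in VALID:
        findings.append(f"unrecognised value {raw!r}")
    elif setting == "ntlmv1-permitted":
        findings.append("NTLMv1 accepted from all clients for local accounts")
        if params.get("lanmanauth", "no").lower() in TRUE:
            findings.append("lanman auth is enabled and takes effect")
    elif setting == "mschapv2-and-ntlmv2-only":
        findings.append("NTLMv1 accepted when the client declares MSCHAPv2")
    return setting, findings

# Constructed sample configuration (not from a real host).
SAMPLE = """[global]
    workgroup = EXAMPLE
    NTLM Auth = yes
    lanman auth = yes
[share]
    path = /srv/share
"""

if __name__ == "__main__": print(audit_ntlm_auth(SAMPLE))
```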