From 9b983aebcc3e617a1cb7c84b06a4618ad5b0fb4d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sun, 27 Mar 2016 01:09:05 +0100 Subject: [PATCH] CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749 Signed-off-by: Stefan Metzmacher Reviewed-by: Alexander Bokovoy --- docs-xml/smbdotconf/protocol/clientusespnego.xml | 5 +++++ docs-xml/smbdotconf/security/clientntlmv2auth.xml | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/docs-xml/smbdotconf/protocol/clientusespnego.xml b/docs-xml/smbdotconf/protocol/clientusespnego.xml index c688a656f4f..e53874583b0 100644 --- a/docs-xml/smbdotconf/protocol/clientusespnego.xml +++ b/docs-xml/smbdotconf/protocol/clientusespnego.xml @@ -9,6 +9,11 @@ supporting servers (including WindowsXP, Windows2000 and Samba 3.0) to agree upon an authentication mechanism. This enables Kerberos authentication in particular. + + When is also set to + yes extended security (SPNEGO) is required + in order to use NTLMv2 only within NTLMSSP. This behavior was + introduced with the patches for CVE-2016-2111. yes diff --git a/docs-xml/smbdotconf/security/clientntlmv2auth.xml b/docs-xml/smbdotconf/security/clientntlmv2auth.xml index 7f303565ba5..451e1803c75 100644 --- a/docs-xml/smbdotconf/security/clientntlmv2auth.xml +++ b/docs-xml/smbdotconf/security/clientntlmv2auth.xml @@ -28,6 +28,11 @@ NTLMv2 by default, and some sites (particularly those following 'best practice' security polices) only allow NTLMv2 responses, and not the weaker LM or NTLM. + + When is also set to + yes extended security (SPNEGO) is required + in order to use NTLMv2 only within NTLMSSP. This behavior was + introduced with the patches for CVE-2016-2111. yes -- 2.47.2
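Review bot: In the paragraph added to docs-xml/smbdotconf/protocol/clientusespnego.xml, the phrase "extended security (SPNEGO) is required in order to use NTLMv2 only within NTLMSSP" can be read two ways and does not say what the client does when the server offers no extended security. An administrator needs to know whether the connection is refused or continues with a weaker response, so I would state that outcome in a sentence of its own. As the text appears here, "When is also set to" names no parameter; please confirm the reference to "client NTLMv2 auth" is present in the XML. A comma after "yes" would also help the sentence parse.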
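Review bot: The paragraph added to docs-xml/smbdotconf/security/clientntlmv2auth.xml is word for word the one added to clientusespnego.xml, including "When is also set to" with no parameter named as shown here, so please check that this copy points at "client use spnego" and not at the option the page itself documents. "This behavior was introduced with the patches for CVE-2016-2111" gives no release; naming the first version that carries the change would let readers tell whether their build is affected. Since this page is where people look when tightening NTLM settings, it would also be worth one sentence on what happens to the NTLMv2-only guarantee when "client use spnego" is set to no. Separately, the unchanged context line above the addition has "polices" where "policies" is meant, which could be fixed in a follow-up.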