docs: Explain the impact of "ntlm auth = disabled" on simple bind forwarding
author Andrew Bartlett <abartlet@samba.org>
Tue, 12 Apr 2022 00:23:54 +0000 (12:23 +1200)
committer Andrew Bartlett <abartlet@samba.org>
Mon, 2 May 2022 23:15:37 +0000 (23:15 +0000)
An RODC will forward an LDAP Simple bind, just like any other authentication,
when the password is not present locally.

If the full DC does not support NTLMv2 authentication this forwarded password
will be rejected.  A future Samba version should prefer Kerberos or send the
plaintext, but we cannot change the MS Windows behaviour, so we document this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
docs-xml/smbdotconf/security/ntlmauth.xml

index 9fa3d5c1ce5778f6c34b6bc939102ef505517a35..84b3488e4116aada89dfc3a228bd9efb57abbf31 100644 (file)
           <para><constant>disabled</constant> - Do not accept NTLM (or
           LanMan) authentication of any level, nor permit
           NTLM password changes.</para>
+
+         <para><emphasis>WARNING:</emphasis> Both Microsoft Windows
+         and Samba <emphasis>Read Only Domain Controllers</emphasis>
+         (RODCs) convert a plain-text LDAP Simple Bind into an NTLMv2
+         authentication to forward to a full DC.  Setting this option
+         to <constant>disabled</constant> will cause these forwarded
+         authentications to fail.</para>
         </listitem>
 
     </itemizedlist>
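Review bot: the added WARNING paragraph does not say on which server the setting matters. As written ("Setting this option to disabled will cause these forwarded authentications to fail"), an administrator reading the page on an RODC may conclude that the RODC's own "ntlm auth" value is what breaks the bind, whereas the commit message makes clear that the failure happens because the full DC receiving the forwarded NTLMv2 authentication rejects it. Suggest stating the location explicitly, e.g. "Setting this option to <constant>disabled</constant> on the full DC that receives the forwarded authentication will cause these LDAP Simple Binds to fail." It would also help to add a <ulink> to the bug referenced in the commit message (https://bugzilla.samba.org/show_bug.cgi?id=13879) so readers can follow the background, and to note that the plaintext password is what the RODC sees in the Simple Bind before it converts it, since that is the reason the conversion to NTLMv2 (rather than forwarding Kerberos) is possible at all.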