An RODC will forward an LDAP Simple bind, just like any other authentication,
when the password is not present locally.
If the full DC does not support NTLMv2 authentication this forwarded password
will be rejected. A future Samba version should prefer Kerberos or send the
plaintext, but we can not change the MS Windows behaviour, so we document this.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
<para><constant>disabled</constant> - Do not accept NTLM (or
LanMan) authentication of any level, nor permit
NTLM password changes.</para>
+
+ <para><emphasis>WARNING:</emphasis> Both Microsoft Windows
+ and Samba <emphasis>Read Only Domain Controllers</emphasis>
+ (RODCs) convert a plain-text LDAP Simple Bind into an NTLMv2
+ authentication to forward to a full DC. Setting this option
+ to <constant>disabled</constant> will cause these forwarded
+ authentications to fail.</para>
</listitem>
</itemizedlist>