<para>If this option, and <command moreinfo="none">lanman
auth</command> are both disabled, then only NTLMv2 logins will be
permited. Not all clients support NTLMv2, and most will require
- special configuration to use it.</para>
+ special configuration to use it.</para>
+
+ <para>The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.</para>
+
+ <para>The default changed from "yes" to "no" with Samba 4.5.</para>
</description>
-<value type="default">yes</value>
+<related>lanman auth</related>
+<related>raw NTLMv2 auth</related>
+<value type="default">no</value>
</samba:parameter>
lpcfg_do_global_parameter(lp_ctx, "ClientLanManAuth", "False");
lpcfg_do_global_parameter(lp_ctx, "ClientNTLMv2Auth", "True");
lpcfg_do_global_parameter(lp_ctx, "LanmanAuth", "False");
- lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "True");
+ lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "False");
lpcfg_do_global_parameter(lp_ctx, "RawNTLMv2Auth", "False");
lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False");
Globals.client_lanman_auth = false; /* Do NOT use the LanMan hash if it is available */
Globals.client_plaintext_auth = false; /* Do NOT use a plaintext password even if is requested by the server */
Globals.lanman_auth = false; /* Do NOT use the LanMan hash, even if it is supplied */
- Globals.ntlm_auth = true; /* Do use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
+ Globals.ntlm_auth = false; /* Do NOT use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
Globals.raw_ntlmv2_auth = false; /* Reject NTLMv2 without NTLMSSP */
Globals.client_ntlmv2_auth = true; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
/* Note, that we will also use NTLM2 session security (which is different), if it is available */