CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego...
author Stefan Metzmacher <metze@samba.org>
Sun, 27 Mar 2016 00:09:05 +0000 (01:09 +0100)
committer Stefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:24 +0000 (19:25 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
docs-xml/smbdotconf/protocol/clientusespnego.xml
docs-xml/smbdotconf/security/clientntlmv2auth.xml

index f5a35122c0a6af175dc841fd6b71cb27a76ff3ee..b2f3b1257fba653b2db09cb201f9c3aae2fdcd00 100644 (file)
@@ -8,6 +8,11 @@
     supporting servers (including WindowsXP, Windows2000 and Samba
     3.0) to agree upon an authentication
     mechanism.  This enables Kerberos authentication in particular.</para>
+
+    <para>When <smbconfoption name="client NTLMv2 auth"/> is also set to
+    <constant>yes</constant> extended security (SPNEGO) is required
+    in order to use NTLMv2 only within NTLMSSP. This behavior was
+    introduced with the patches for CVE-2016-2111.</para>
 </description>
 
 <value type="default">yes</value>
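Review bot: The paragraph added to clientusespnego.xml does not say what the client does when a server offers no extended security, and the phrase "in order to use NTLMv2 only within NTLMSSP" can be read two ways: NTLMv2 is sent only inside NTLMSSP, or only NTLMv2 is used. The context lines just above describe SPNEGO as something agreed with "supporting servers", so a reader administering older servers needs to know whether the connection is refused when both options are yes. If the intended meaning is the first reading, consider putting the cause first ("NTLMv2 is only used within NTLMSSP, so extended security (SPNEGO) is required") and adding one sentence on the failure behaviour. A comma after the closing constant tag for "yes" would also make the sentence easier to parse.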
index 531c8fcb96aaf7e35a2e2aaeb47763b8b4979ce2..f42f627bc08167a07b960e28ab7e60782da6bbc5 100644 (file)
     NTLMv2 by default, and some sites (particularly those following
     'best practice' security polices) only allow NTLMv2 responses, and
     not the weaker LM or NTLM.</para>
+
+    <para>When <smbconfoption name="client use spnego"/> is also set to
+    <constant>yes</constant> extended security (SPNEGO) is required
+    in order to use NTLMv2 only within NTLMSSP. This behavior was
+    introduced with the patches for CVE-2016-2111.</para>
 </description>
 <value type="default">yes</value>
 </samba:parameter>
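Review bot: The paragraph added to clientntlmv2auth.xml does not mention that the SPNEGO requirement applies out of the box. This file shows a default of yes, and the clientusespnego.xml hunk shows a default of yes as well, so both conditions in "When client use spnego is also set to yes" hold without any configuration. Stating that explicitly would tell administrators that the behaviour introduced with the CVE-2016-2111 patches affects default installations. Separately, the unchanged context line reads "security polices"; since this paragraph is being touched anyway, that could be corrected to "policies" in the same commit.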