<div dir="ltr">Hi Everyone,<div><br></div><div>I have Samba server 3.5.10 running on RHEL 5.8 platform and it has joined to our AD domain controller. Recently my Windows guys has done some changes to AD Security by stating "
<span lang="EN-GB" style="font-size:11pt;font-family:"Times New Roman",serif">CIFS Null Session
Vulnerability Fix via GPO - Security Requirement". After this change, my windows clients are not authenticating with domain credentials while accessing the shares, but nothing has changed on the Samba side. The "net ads" commands on the Samba server shows everything seems to be OK, but still Windows clients are not authenticating. The Windows guys are telling they have to make some AD GPO changes to avoid NULL or Anonymous connections coming in to the AD DC Servers.</span></div><div><font face="Times New Roman, serif"><span style="font-size:14.6667px"><br></span></font></div><div><font face="Times New Roman, serif"><span style="font-size:14.6667px">Can someone please tell me how i can solve this issue. How can i tell Samba to not to issue NULL/
<span style="color:rgb(34,34,34);font-family:"Times New Roman",serif;font-size:14.6667px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Anonymous<span> communications to AD DCs. Is this a known issue or bug with Samba3, is there any solution to it ? Any parameters in smb.conf which solves it? Please advice. </span></span><br clear="all"></span></font><div><br></div><div><br></div><div>My smb.conf looks like bellow. </div><div><br></div><div><br></div><div><br></div><div><div>workgroup = EMEA</div><div> server string = SambaStorage</div><div> password server = <a href="http://EMEA.NET">EMEA.NET</a></div><div> passdb backend = tdbsam</div><div> smb encrypt = disabled</div><div> realm = <a href="http://EMEA.NET">EMEA.NET</a></div><div> security = ADS</div><div> interfaces = 192.168.85.124 192.168.85.127 127.0.0.1</div><div># interfaces = bond1:1 bond1:2 bond1 lo</div><div><br></div><div> bind interfaces only = no</div><div> local master = no</div><div> preferred master = no</div><div> os level = 33</div><div> dns proxy = yes</div><div> wins support = no</div><div> wide links = yes</div><div> unix extensions = no</div><div><br></div><div><br></div><div> log file = /var/log/samba/smb3x.log</div><div><br></div><div> max log size = 50000</div><div><br></div><div><br></div><div> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536 SO_KEEPALIVE</div><div> deadtime = 800</div><div><br></div><div><br></div><div> load printers = no</div><div> printcap name = /dev/null</div><div> disable spoolss = yes</div><div> winbind separator = +</div><div> winbind use default domain = true</div><div> winbind offline logon = false</div><div> username map = /etc/samba/smbusers.map</div><div> debug level = 1</div><div> smb ports = 139 445</div><div><br></div><div><br></div><div> netbios name = MYSAMBAX09</div><div> client use spnego = yes</div><div>#domain master = no</div><div> map to guest = bad uid</div><div> hide dot files = no</div><div> invalid users = netrun</div></div><div><br></div><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div>Thanks & Regards,<br>Shashi Kanth<br></div><div>9886455567</div></div></div>
</div></div>