taking back the 'restrict anonymous' parameter

abartlet at samba.org abartlet at samba.org
Thu May 30 18:15:02 GMT 2002

On Thu, May 30, 2002 at 05:13:20PM +1000, Tim Potter wrote:
> I'm thinking about taking back the restrict anonymous parameter and
> using it to do Good Things.  Previously in HEAD and currently in 2.2 it
> stops people connecting to shares anonymously but I think Mr Bartlett 
> removed it because it was either buggy or didn't do anything useful.

Buggy and wasn't useful.  It was added by luke to fix 'problems' that occur
when people overuse our % macros in certain circustances.  

It did not previously stop connections, except with smbclient (due to the way
smbclient makes its connections).

> I propose that this parameter act like the RestrictAnonymous registry
> setting, i.e it prevents anonymous access to the SAMR pipe and anonymous
> access to the NetShareEnum RPC when set to 1.  When set to 2, it
> disallows anonymous access to all RPC pipes.
> Any objections?  There's still some more testing and coding to be done.
> This may be a good opportunity to implement security descriptors on
> pipes.

The only objection I have is to the naming - we need to consider the fact
that 2.2 has this paramater, but it does somthing compleatly different.

Other than that (and particuarly if the new syntax causes the previous syntax
to 'break') I'm fine with it.

Andrew Bartlett

More information about the samba-technical mailing list