Andrew Bartlett abartlet at samba.org
Mon Jul 28 23:42:11 GMT 2003

On Tue, 2003-07-29 at 06:29, Javid Abdul-AJAVID1 wrote:
> Sorry to bother technical group, but I have been looking for this for long.
> Any body knows the vulnerability for "nt-netbios-nullsession".
> Samba runs in domain mode/heterogenous enviroment here. Ver 2.2.8a on solaris ( in windows domain )
> Security is major concern in our corp here.
> Is there fix out ther for null sessions.

Null sessions are only an issue in that they allow information leakage. 
You can find out user-names that are valid on the system.  In most
organisations, this is available anyway, so you don't actually gain much
- but that doesn't stop those with the power to impose such

> Will this escape the ISS (security scans ) for "nt-netbios-nullsession"
> restrict anonymous = yes.

Only in Samba 3.0 - and it causes samba to be unable to perform a number
of roles on the network - in particular, you cannot be a DC, or
particpate in browsing.  In Samba 3.0 that option is an integer
'restrict anonymous = 2' does not permit the null user to connect to

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20030728/6d2ea5ba/attachment.bin

More information about the samba-technical mailing list