[PATCH] Update 'restrict anonymous' in smb.conf.5 manpage

Denis Cardon dcardon at tranquil.it
Thu Feb 7 08:44:32 UTC 2019


Hi Andreas,

On 02/07/2019 at 08:18 AM, Andreas Schneider wrote:
> On Wednesday, February 6, 2019 6:31:17 PM CET Denis Cardon wrote:
>> Hi Andreas,
>
> Hi Denis,
>
>>> I had some questions about this options so I've looked at the code and
>>> updated the manpage accordingly.
>>>
>>> Review is much appreciated.
>>
>> ---
>> 	 <value type="default">0</value>
>> ---
>>
>> It would be great if we could have this value switched to 2 by default
>> (at least for domain controllers).
>>
>> Anonymous SAMR access is red-flagged by vulnerability scanners as it
>> allows getting the list of domain users and groups without any
>> authentication. It sadly does not give a nice perception of Samba AD
>> when people forget to change it and then discover their blunder during
>> their next security audit :-)
>
> This option is probably more than 15 years old. It *only* affects smbd and is
> NOT implemented in Samba AD!
>
> If you want to have support for this you should open a bug for the issue.
>
> Also I don't think that hiding the IPC$ share provides any security at all as
> there are several RPC services which are available over TCP/IP too.

It is perhaps not implemented in the Samba-AD part, but it works anyway 
on a stock Samba-AD installation:

rpcclient -c enumdomusers -U "%" DC_IP_ADDRESS
rpcclient -c enumdomgroups -U "%" DC_IP_ADDRESS
rpcclient -c "querygroupmem 512" -U "%" DC_IP_ADDRESS

Setting it to 2 does not change anything on a Samba-AD production network 
(at least the way we are using it), and if set to 1, the above commands 
are still working.

In case we don't change this, we could at least underline in the 
documentation that a value other than 2 on a DC leaks the user list, 
groups and group membership from the DC.

Cheers,

Denis



>
>
> Cheers,
>
>
> 	Andreas
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
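The thread argues that a Samba AD DC left at the manpage default of `restrict anonymous = 0` is something an administrator only notices at the next audit. The following is an added configuration-audit script, not part of this mail or of Samba itself: it parses an smb.conf `[global]` section with a small hypothetical parser, reads `server role` and `restrict anonymous`, and reports a DC whose value is not the 2 proposed above. The sample configurations, the `DC1` host name and the `EXAMPLE.LAN` realm are constructed for the example; the claim that a value other than 2 leaks users and groups from a DC is taken from the mail above, not verified here.

```python
import re
import sys

# Default value of 'restrict anonymous' as quoted from smb.conf.5 in the thread.
DEFAULT_RESTRICT_ANONYMOUS = 0
# Value the thread proposes as the safe default for domain controllers.
RECOMMENDED_DC_VALUE = 2


def parse_smb_conf(text):
    """Minimal smb.conf parser: returns {section: {key: value}}, names lowercased.

    Hypothetical helper, not Samba's own parser. It understands [section]
    headers, 'key = value' lines and '#'/';' comment lines, and ignores
    'include =' directives and multi-line values.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def is_domain_controller(global_section):
    # Samba's 'server role' for an AD DC is 'active directory domain controller'.
    role = global_section.get("server role", "").lower()
    return "domain controller" in role


def audit_restrict_anonymous(text):
    """Return the effective setting plus findings for a DC not set to 2."""
    global_section = parse_smb_conf(text).get("global", {})
    raw = global_section.get("restrict anonymous")
    findings = []
    if raw is None:
        value = DEFAULT_RESTRICT_ANONYMOUS
    else:
        try:
            value = int(raw)
        except ValueError:
            value = DEFAULT_RESTRICT_ANONYMOUS
            findings.append("'restrict anonymous = %s' is not an integer" % raw)
    dc = is_domain_controller(global_section)
    if dc and value != RECOMMENDED_DC_VALUE:
        findings.append(
            "domain controller has restrict anonymous = %d (%s); the thread "
            "reports that anything other than %d leaks users, groups and "
            "group membership to anonymous SAMR clients"
            % (value, "explicit" if raw is not None else "default", RECOMMENDED_DC_VALUE)
        )
    return {"restrict_anonymous": value, "explicit": raw is not None,
            "is_dc": dc, "findings": findings}


# Constructed sample: a stock Samba AD DC that never set the option.
DC_CONF_DEFAULT = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    netbios name = DC1
    server role = active directory domain controller
    dns forwarder = 192.0.2.1

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
"""

# Constructed sample: the same DC with the value proposed in the thread.
DC_CONF_HARDENED = DC_CONF_DEFAULT.replace(
    "    dns forwarder = 192.0.2.1", "    dns forwarder = 192.0.2.1\n    restrict anonymous = 2")

# Constructed sample: a member server, where the thread makes no claim.
MEMBER_CONF = "[global]\n    workgroup = EXAMPLE\n    server role = member server\n"


if __name__ == "__main__":
    # Usage: python audit.py /etc/samba/smb.conf  (defaults to the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(audit_restrict_anonymous(fh.read()))
    else:
        for name, conf in (("default DC", DC_CONF_DEFAULT),
                           ("hardened DC", DC_CONF_HARDENED),
                           ("member server", MEMBER_CONF)):
            print(name, audit_restrict_anonymous(conf))
```

Run it against a real smb.conf to see whether the DC relies on the default; the parser only reads the literal file, so settings pulled in through `include =` or via `samba-tool` registry configuration are not seen, and a clean result should be confirmed against the running server rather than the file alone.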
