[PATCH] Update 'restrict anonymous' in smb.conf.5 manpage
Andreas Schneider
asn at samba.org
Thu Feb 7 10:35:46 UTC 2019
On Thursday, February 7, 2019 9:44:32 AM CET Denis Cardon wrote:
> It is perhaps not implemented in the Samba-AD part, but it works anyway
> on a stock Samba-AD installation:
>
> rpcclient -c enumdomusers -U ""%"" DC_IP_ADDRESS
> rpcclient -c enumdomgroups -U ""%'' DC_IP_ADDRESS
> rpcclient -c "querygroupmem 512" -U ""%''DC_IP_ADDRESS
>
> Setting it to 2 does not change anything on Samba-AD production network
> (at least the way we are using it), and if set to 1, the above command
> is still working.
>
> In case we don't change this, we could at least underline in the
> documentation that a value other than 2 on a DC is leaking users list,
> groups and group membership from the DC.
I think we should allow restricting it.
Please file a bug at: https://bugzilla.samba.org/
--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
More information about the samba-technical
mailing list