[PATCH] Update 'restrict anonymous' in smb.conf.5 manpage

Andreas Schneider asn at samba.org
Thu Feb 7 10:35:46 UTC 2019

On Thursday, February 7, 2019 9:44:32 AM CET Denis Cardon wrote:
> It is perhaps not implemented in the Samba-AD part, but it works anyway
> on a stock Samba-AD installation:
> rpcclient -c enumdomusers -U ""%"" DC_IP_ADDRESS
> rpcclient -c enumdomgroups -U ""%'' DC_IP_ADDRESS
> rpcclient -c "querygroupmem 512"  -U ""%''DC_IP_ADDRESS
> Setting it to 2 does not change anything on Samba-AD production network
> (at least the way we are using it), and if set to 1, the above command
> is still working.
> In case we don't change this, we could at least underline in the
> documentation that a value other than 2 on a DC is leaking users list,
> groups and group membership from the DC.

I think we should allow restricting it.

Please file a bug at: https://bugzilla.samba.org/

Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

More information about the samba-technical mailing list