[PATCH] Update 'restrict anonymous' in smb.conf.5 manpage
Denis Cardon
dcardon at tranquil.it
Thu Feb 7 11:21:24 UTC 2019
Hi Andreas,
On 02/07/2019 at 11:35 AM, Andreas Schneider wrote:
> On Thursday, February 7, 2019 9:44:32 AM CET Denis Cardon wrote:
>> It is perhaps not implemented in the Samba-AD part, but it works anyway
>> on a stock Samba-AD installation:
>>
>> rpcclient -c enumdomusers -U ""%"" DC_IP_ADDRESS
>> rpcclient -c enumdomgroups -U ""%"" DC_IP_ADDRESS
>> rpcclient -c "querygroupmem 512" -U ""%"" DC_IP_ADDRESS
>>
>> Setting it to 2 does not change anything on Samba-AD production network
>> (at least the way we are using it), and if set to 1, the above command
>> is still working.
>>
>> In case we don't change this, we could at least underline in the
>> documentation that a value other than 2 on a DC is leaking users list,
>> groups and group membership from the DC.
>
> I think we should allow restricting it.
>
>
> Please file a bug at: https://bugzilla.samba.org/
Thanks for your answer. I filed a bug about this issue some time ago:
https://bugzilla.samba.org/show_bug.cgi?id=12775
Cheers,
Denis
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
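
An added example, not part of the original message or of Samba: a small audit that reads the [global] section of an smb.conf and flags a 'restrict anonymous' value other than 2, which the post above reports as leaking user, group and membership lists on a DC. The sample configuration is constructed; the parser assumes a single file without includes or line continuations (feeding it `testparm -s` output avoids that limit).

```python
import re

# Constructed sample smb.conf for illustration (not from the original post).
SAMPLE_CONF = """\
[global]
    netbios name = DC1
    realm = EXAMPLE.TEST
    Server Role = active directory domain controller
    restrict anonymous = 1
; restrict anonymous = 2

[sysvol]
    path = /var/lib/samba/sysvol
"""

def _norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def global_params(text):
    """Return the [global] parameters as {normalized name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[_norm(key)] = value.strip()
    return params

def audit_restrict_anonymous(text):
    """Return (value, is_dc, finding); finding is None when the value is 2."""
    p = global_params(text)
    raw = p.get("restrictanonymous", "0")    # smb.conf(5) default is 0
    value = int(raw) if raw.isdigit() else 0
    is_dc = p.get("serverrole", "").lower() == "active directory domain controller"
    if value == 2:
        return value, is_dc, None
    where = "on a DC" if is_dc else "on this server"
    return value, is_dc, f"restrict anonymous = {value} {where}: value other than 2"

if __name__ == "__main__":
    print(audit_restrict_anonymous(SAMPLE_CONF))
```

A clean result only means the setting is present; whether the DC honours it still has to be confirmed against the server itself, which is the subject of the bug referenced above.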