[PATCH] Update 'restrict anonymous' in smb.conf.5 manpage

Denis Cardon dcardon at tranquil.it
Thu Feb 7 11:21:24 UTC 2019

Hi Andreas,

Le 02/07/2019 à 11:35 AM, Andreas Schneider a écrit :
> On Thursday, February 7, 2019 9:44:32 AM CET Denis Cardon wrote:
>> It is perhaps not implemented in the Samba-AD part, but it works anyway
>> on a stock Samba-AD installation:
>> rpcclient -c enumdomusers -U ""%"" DC_IP_ADDRESS
>> rpcclient -c enumdomgroups -U ""%'' DC_IP_ADDRESS
>> rpcclient -c "querygroupmem 512"  -U ""%''DC_IP_ADDRESS
>> Setting it to 2 does not change anything on Samba-AD production network
>> (at least the way we are using it), and if set to 1, the above command
>> is still working.
>> In case we don't change this, we could at least underline in the
>> documentation that a value other than 2 on a DC is leaking users list,
>> groups and group membership from the DC.
> I think we should allow restricting it.
> Please file a bug at: https://bugzilla.samba.org/

Thanks for your answer. I filled a bug about this issue some time ago:





Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0)

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr

More information about the samba-technical mailing list