Winbind on Solaris 2.6

Tim Potter tpot at samba.org
Thu Dec 20 17:59:02 GMT 2001


On Thu, Dec 20, 2001 at 09:27:41PM -0000, Dean Ward wrote:

> Problem found - our domain controllers have the RestrictAnonymous setting in
> their registries (HKLM\CurrentControlSet\Control\LSA, RestrictAnonymous
> DWORD) to prevent anonymous users getting access to account information. I'm
> not sure whether I should enable this on the production domain controllers
> as the ability to enumerate users anonymously is somewhat of a security risk
> - is there a need to enumerate users and groups simply to do authentication
> using Winbind (I've not got that far yet :)

The CVS HEAD and the CVS 2.2 version (i.e. unreleased 2.2.3) contain a
new parameter to the wbinfo program to specify a username and password
to enumerate users and groups as.  This is in response to people using
the RestrictAnonymous registry key which breaks winbindd.

The syntax is 'wbinfo -A username%password' which, when run as root,
stores the username and password specified in secrets.tdb.  When
winbindd makes connections to domain controllers it uses this account
which makes the enumeration non-anonymous.


Tim.
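
Since 'wbinfo -A' stores the username and password in secrets.tdb, one check to run afterwards is that the file is a regular file owned by root with no group or other access. This is an added example, not part of the original message and not Samba code; the helper name check_secrets_tdb is hypothetical, and the location of secrets.tdb depends on the build, so the path is passed as an argument.

```shell
#!/bin/sh
# Added example (not Samba code): verify that the secrets.tdb written by
# 'wbinfo -A' is a root-owned regular file with no group/other access.
# check_secrets_tdb is a hypothetical helper; the path is install-specific.
# Usage: check_secrets_tdb PATH [EXPECTED_UID]   (EXPECTED_UID defaults to 0)
# Returns 0 = ok, 1 = unsafe ownership or mode, 2 = file missing.
check_secrets_tdb() {
    f=$1
    want_uid=${2:-0}

    # Test for a symlink first: -f would follow it.
    if [ -L "$f" ]; then
        echo "unsafe: $f is a symbolic link" >&2
        return 1
    fi
    if [ ! -f "$f" ]; then
        echo "missing: $f is not a regular file" >&2
        return 2
    fi

    # 'ls -ln' prints the mode string in field 1 and the numeric uid in field 3.
    # shellcheck disable=SC2046
    set -- $(ls -ln "$f")
    mode=$1
    uid=$3

    status=0
    if [ "$uid" != "$want_uid" ]; then
        echo "unsafe: $f is owned by uid $uid, expected $want_uid" >&2
        status=1
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    case $mode in
        -???------*) ;;
        *) echo "unsafe: $f has mode $mode, group/other access must be empty" >&2
           status=1 ;;
    esac
    return $status
}

# Run the check when a path is given on the command line.
if [ $# -gt 0 ]; then
    check_secrets_tdb "$1" "${2:-0}"
fi
```
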



