[Samba] Help with restrict anonymous = 2

Plant, Dean dean.plant at roke.co.uk
Thu Jul 19 09:50:15 GMT 2007


I am trying to lock down Samba's null-session accessibility by using the
"restrict anonymous = 2" setting, but when I configure this option it
stops the test XP client from being able to log on to the domain.
"restrict anonymous = 1" allows logins to work correctly but Samba still
shows some account information when checking with the GetAcct tool. I am
using a Samba 3.0.25b domain configured as a PDC with a test WinXP
client.

Is anyone using "restrict anonymous = 2" while still being able to log in
to the Samba domain, or have I gone wrong somewhere?

Thanks

Dean

smb.conf

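# smb.conf [global] for the Samba 3.0.25b PDC described above (ldapsam backend).
# Samba's parser ignores leading whitespace, treats parameter names
# case-insensitively, accepts full-line "#"/";" comments only, and lets a later
# assignment of the same parameter override an earlier one.
[global]
        workgroup = DOMTEST
        netbios name = MYMACHINE
        security = user
        enable privileges = yes
        server string = Samba Server
        encrypt passwords = Yes
        #pam password change = no
        #obey pam restrictions = No
        #ldap passwd sync = Yes

        # "debug level" is a synonym for "log level". The posted file set
        # "debug level = 103" and then "log level = 0", so 0 was the effective
        # value; only the winning line is kept. Raise this while diagnosing the
        # logon failure, otherwise smbd logs nothing useful about the rejection.
        log level = 0
        syslog = 0

        # TEST SETTINGS
        # 0 = anonymous callers may list users/groups; 1 = listing requires an
        # authenticated session; 2 = additionally refuses anonymous (null-session)
        # connections to IPC$. Windows 2000/XP domain members open an anonymous
        # IPC$ session early in the logon sequence, so 2 on a PDC is expected to
        # break client logons -- very likely the failure described above.
        # 1 keeps logons working but still leaves some account details reachable
        # by enumeration tools, which is the trade-off observed here.
        restrict anonymous = 2
        # With NTLMv1 and LM responses both rejected, smbd accepts NTLMv2 only,
        # so every domain member must be configured to send NTLMv2 (Windows:
        # LmCompatibilityLevel >= 3). Logons succeeding at "restrict anonymous = 1"
        # indicate the test client already is.
        ntlm auth = no
        lanman auth = no
        # The "client ..." variants govern what this server offers when it acts
        # as an SMB client itself (e.g. towards trusted domains), not what it
        # accepts from the XP client.
        client ntlmv2 auth = yes
        client lanman auth = no
        #

        # One log per client machine (%m); "max log size" is in KB.
        log file = /var/log/samba/%m.log
        max log size = 100000
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        mangling method = hash2
        Dos charset = 850
        Unix charset = ISO8859-1

        # Empty logon home/path: no home drive or profile path is handed out.
        #logon script = logon.bat
        #logon drive = H:
        logon home = ""
        logon path = ""

        # PDC role: domain logons, domain master browser, WINS server.
        domain logons = Yes
        domain master = Yes
        os level = 65
        preferred master = Yes
        wins support = yes

        # Account database in LDAP over plain ldap:// on loopback only, so the
        # unencrypted traffic never leaves the host. The bind password for
        # "ldap admin dn" is not in this file; Samba reads it from secrets.tdb
        # (set with "smbpasswd -w").
        passdb backend = ldapsam:"ldap://localhost"
        ldap admin dn = cn=Manager,dc=testdomain,dc=com
        ldap suffix = dc=testdomain,dc=com
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Idmap
        idmap backend = "ldap:ldap://localhost"

        # smbldap-tools hooks; Samba substitutes %u / %g / %m before running them.
        # Four of these were line-wrapped by the mail client in the posted copy
        # (a line holding only "%m" is not a valid parameter) and are rejoined
        # here -- each script must stay on a single line.
        add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
        #ldap delete dn = Yes
        delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
        add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 5 -w "%m"
        add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
        #delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
        add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'

        # Winbind/idmap: fixed UID/GID range, no interactive shell for mapped users.
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        template shell = /bin/false
        winbind use default domain = no

        # Printing disabled entirely (no printcap, spoolss off, empty commands).
        load printers = No
        printcap cache time = 750
        cups server =
        iprint server =
        addprinter command =
        deleteprinter command =
        show add printer wizard = No
        printer admin =
        min print space = 0
        max reported print jobs = 0
        max print jobs = 0
        printable = No
        printing =
        cups options =
        print command =
        printer name =
        force printername = No
        printcap name = /dev/null
        disable spoolss = yes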
 

