[Samba] Help with restrict anonymous = 2
Plant, Dean
dean.plant at roke.co.uk
Thu Jul 19 09:50:15 GMT 2007
I am trying to lock down Samba's null session accessibility by using the
"restrict anonymous = 2" setting but when I configure this option it
stops the test XP client from being able to log on to the domain.
"restrict anonymous = 1" allows logins to work correctly but Samba still
shows some account information when checking with the GetAcct tool. I am
using a Samba 3.0.25b domain configured as a PDC with a test WinXP
client.
Is anyone using "restrict anonymous = 2" while still being able to log in
to the Samba domain, or have I gone wrong somewhere?
Thanks
Dean
smb.conf
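# smb.conf as posted: Samba 3.0.25b acting as a PDC with an LDAP (ldapsam)
# account backend. Values that the mail archive had wrapped onto a second
# line are rejoined below: smb.conf only continues a line that ends in a
# backslash, so a wrapped value is not read as part of the parameter.
[global]
workgroup = DOMTEST
netbios name = MYMACHINE
security = user
enable privileges = yes
server string = Samba Server
encrypt passwords = Yes
#pam password change = no
#obey pam restrictions = No
#ldap passwd sync = Yes

# NOTE(review): "debug level" is documented as a synonym of "log level", so
# these two lines set the same parameter and the later "log level = 0" is
# expected to be the effective value. With logging at 0 the per-client logs
# will say little about why a domain logon was refused; raise it temporarily
# while testing.
debug level = 103
log level = 0
syslog = 0

# TEST SETTINGS
# restrict anonymous = 2 refuses anonymous (null session) connections
# altogether. smb.conf(5) warns that this can break clients that expect to
# perform some operations anonymously, and that the benefit is lost if any
# share sets "guest ok = yes".
restrict anonymous = 2
# With both "ntlm auth" and "lanman auth" disabled the server accepts only
# NTLMv2 responses, and clients usually need explicit configuration to send
# them. NOTE(review): confirm the XP client's LAN Manager authentication
# level before attributing the logon failure to restrict anonymous alone.
ntlm auth = no
lanman auth = no
# The "client ..." options apply when Samba itself acts as a client (for
# example smbclient); they do not change what this server accepts.
client ntlmv2 auth = yes
client lanman auth = no
#

# One log file per connecting machine name (%m).
log file = /var/log/samba/%m.log
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1

# Domain controller role. Logon home and logon path are given as empty
# strings, and the logon script/drive lines are commented out.
# logon script = logon.bat
# logon drive = H:
logon home = ""
logon path = ""
domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
wins support = yes

# LDAP account backend. The password for "ldap admin dn" is not kept in this
# file; Samba reads it from secrets.tdb (stored with "smbpasswd -w").
# ldap://localhost is plain LDAP: acceptable only while the directory is
# reached over loopback; see "ldap ssl" if the directory moves to another host.
passdb backend = ldapsam:"ldap://localhost"
ldap admin dn = cn=Manager,dc=testdomain,dc=com
ldap suffix = dc=testdomain,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
idmap backend = "ldap:ldap://localhost"

# Account-management hooks. Each runs an external smbldap-tools command with
# the user, group or machine name substituted in, and the substituted name is
# quoted in every command. Each value must stay on a single line.
add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
#ldap delete dn = Yes
delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 5 -w "%m"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
#delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'

# ID mapping ranges; the template shell is a non-login shell.
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no

# Printing is switched off: no printers are loaded, the printcap file is
# /dev/null, spoolss is disabled and the command and server values are empty.
load printers = No
printcap cache time = 750
cups server =
iprint server =
addprinter command =
deleteprinter command =
show add printer wizard = No
printer admin =
min print space = 0
max reported print jobs = 0
max print jobs = 0
printable = No
printing =
cups options =
print command =
printer name =
force printername = No
printcap name = /dev/null
disable spoolss = yes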