[Samba] samba 4.2.1 RDP && restrict anonymous = 2 problem
Mario Pio Russo
mariopiorusso at ie.ibm.com
Mon May 11 03:54:31 MDT 2015
I have a similar behaviour on my samba 4.2.1 DC, this seems to be related
to this bug
https://bugzilla.samba.org/show_bug.cgi?id=11061
___________________________________________________________________________________________
Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
From: Rowland Penny <rowlandpenny at googlemail.com>
To: samba at lists.samba.org
Date: 08/05/2015 19:39
Subject: Re: [Samba] samba 4.2.1 RDP && restrict anonymous = 2 problem
Sent by: samba-bounces at lists.samba.org
On 08/05/15 19:36, Rowland Penny wrote:
> On 08/05/15 18:51, barış tombul wrote:
>> RDP working configuration:
>>
>> restrict anonymous = 0
>> auth methods = sam winbind
>> server services = winbindd, s3fs, rpc, nbt, wrepl, cldap, ldap,
>> kdc, drepl, ntp_signd, kcc, dnsupdate
>> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
>> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
>> eventlog6,
>> backupkey, dnsserver, remote, winreg, srvsvc
>>
>>
>> RDP working configuration but not the new client and join
>>
>>
>> restrict anonymous = 2
>> auth methods = sam winbind
>> server services = winbindd, s3fs, rpc, nbt, wrepl, cldap, ldap,
>> kdc, drepl, ntp_signd, kcc, dnsupdate
>> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
>> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
>> eventlog6,
>> backupkey, dnsserver, remote, winreg, srvsvc
>
> OK, why are you setting it to 2 ? If you read 'man smb.page' , you
> will find this:
>
> This can break third party and Microsoft applications which expect to
> be allowed
> to perform operations anonymously.
>
> There is also this:
>
> The security advantage of using restrict anonymous = 2 is removed by
> setting guest ok = yes on any share.
>
> Also if you were to do a bit of searching, you may find this:
>
> https://technet.microsoft.com/en-us/library/cc963223.aspx
>
> Where it says this:
>
> Do not set the value of this entry to 2 in mixed-mode environments.
> Only consider setting it to 2 in environments running only Windows
> 2000, and only after verifying that appropriate service levels and
> program function are maintained.
>
> You don't get much more mixed-mode than samba4 :-D
>
> Bottom line, remove the line and it will revert to the default '0'
>
> Rowland
>
OOPS, that should have been 'man smb.conf' :-[
Rowland
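
Added example, not part of the original thread and not Samba's own code: a small Python audit of an smb.conf for the two man page points quoted above, namely that `restrict anonymous = 2` can break clients and that any share with `guest ok = yes` removes its security advantage. The function names, the sample configuration, its share names and its paths are constructed for illustration.

```python
import re

# Values Samba accepts as boolean true.
TRUE_VALUES = {"yes", "true", "on", "1"}

# Constructed sample config (share names and paths are made up).
SAMPLE = """\
[global]
    Restrict Anonymous = 2
    auth methods = sam winbind
[scans]
    path = /srv/scans
    guest ok = yes
[Public]
    path = /srv/pub
    ; 'public' is a synonym for 'guest ok'
    public = yes
[private]
    path = /srv/private
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names are case/whitespace-insensitive."""
    sections, current = {}, None
    joined = re.sub(r"\\\r?\n", " ", text)  # join backslash-continued lines
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def audit(text):
    """Return (restrict anonymous level, guest-enabled shares, findings)."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    level = glob.get("restrictanonymous", "0")  # default is 0, as the thread notes
    default = glob.get("guestok", glob.get("public", "no"))
    shares = sorted(n for n, p in conf.items() if n != "global" and
                    p.get("guestok", p.get("public", default)).lower() in TRUE_VALUES)
    findings = []
    if level == "2":
        findings.append("restrict anonymous = 2 may break anonymous operations")
        if shares:
            findings.append("guest ok = yes negates it on: " + ", ".join(shares))
    return level, shares, findings
```
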