[Samba] null session and "restrict anonymous" default value on samba4 AD

Denis Cardon denis.cardon at tranquil-it-systems.fr
Mon Aug 1 18:38:33 UTC 2016

Hi everyone,

there has already been some talk in the past about null session 
access on Samba, and that keeping the "restrict anonymous" parameter below 
level 2 was necessary for NT4 domain support. [1]

However, I was wondering if it could be changed. For instance, on a 
Samba 4.4.5 AD with the default settings, when you run the following 
command, you'll get the domain user list without any authentication 
(even with NetBIOS disabled):

  rpcclient -U '%' mysamba4 -c enumdomusers

Is there still some reason to keep it that way on a Samba4 AD? Is it 
possible to have the default value at 2? I understand that it used to be 
necessary for NT4 compatibility, and that changing the default value may 
break existing installations based on classic domains; however, having that 
null session "vulnerability" on pentesting reports is really a pity 
(the restrict anonymous=2 behavior has been the default since XP).

I know that the Samba project is reluctant to change default parameter 
values, especially when it may break existing installations. I'd say that 
it may be an option to add "restrict anonymous=2" by default to smb.conf 
when creating a new domain, or to make it the default value if "server role 
= active directory domain controller" (I don't know if that is possible).

[1] https://lists.samba.org/archive/samba/2007-July/133938.html
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0)

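As an added example (not part of Denis's message and not Samba project code), the following POSIX shell script runs the same null-session probe as the post, `rpcclient -U '%' HOST -c enumdomusers`, and classifies the result so the check can be repeated before and after setting "restrict anonymous = 2" in the [global] section of smb.conf. The `user:[name] rid:[0x...]` line format is what rpcclient prints for enumdomusers; the two sample outputs and the NT_STATUS error strings it matches are constructed assumptions for offline testing, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original post: check whether an SMB server
# hands out its domain user list over a null session (empty user and
# empty password), which is what "restrict anonymous" below 2 permits.

# Classify the text rpcclient produced for an anonymous enumdomusers call.
# Prints:
#   "OPEN (N users enumerated anonymously)" when user entries came back,
#   "DENIED" when the server refused the anonymous session,
#   "UNKNOWN" for anything else (network error, unexpected output).
classify_null_session() {
    output="$1"
    # enumdomusers prints one "user:[name] rid:[0x...]" line per account.
    users=$(printf '%s\n' "$output" | awk '/^user:\[/ {n++} END {print n+0}')
    if [ "$users" -gt 0 ]; then
        printf 'OPEN (%s users enumerated anonymously)\n' "$users"
    # Assumed error strings: NT_STATUS_ACCESS_DENIED is what a server with
    # anonymous access restricted returns; LOGON_FAILURE covers servers that
    # reject the empty credentials outright.
    elif printf '%s\n' "$output" | grep -qE 'NT_STATUS_(ACCESS_DENIED|LOGON_FAILURE)'; then
        printf 'DENIED\n'
    else
        printf 'UNKNOWN\n'
    fi
}

# Run the live probe against a host. Requires rpcclient (samba-client).
# -U '%' means empty username and empty password, exactly as in the post.
probe_null_session() {
    host="$1"
    out=$(rpcclient -U '%' "$host" -c enumdomusers 2>&1) || true
    classify_null_session "$out"
}

# Constructed sample outputs (not captured from a real server) so the
# classifier can be exercised without network access.
SAMPLE_OPEN='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[alice] rid:[0x44f]'

SAMPLE_DENIED='Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED'

# Usage: ./null_session_check.sh mysamba4
if [ $# -gt 0 ]; then
    probe_null_session "$1"
fi
```

Run it once against the DC as shipped, add `restrict anonymous = 2` to the [global] section of smb.conf, restart Samba, and run it again: the expected change is from OPEN to DENIED. Keep in mind the caveat from the post itself: level 2 is what breaks NT4-style (classic domain) clients, so verify the domain's members still authenticate after the change.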