[Samba] null session and "restrict anonymous" default value on samba4 AD
Andrew Bartlett
abartlet at samba.org
Tue Aug 2 09:49:00 UTC 2016
On Mon, 2016-08-01 at 20:38 +0200, Denis Cardon wrote:
> Hi everyone,
>
> there has already been some talk in the past about the null session
> access on samba, and that keeping the "restrict anonymous" parameter
> below level 2 was necessary for NT4 domain support. [1]
>
> However I was wondering if it could be changed. For instance, on a
> samba4.4.5 AD with the default settings, when you run the following
> command, you'll get the domain user list without any authentication
> (even with netbios disabled):
>
> rpcclient -U '%' mysamba4 -c enumdomusers
>
> Is there still some reason to keep it that way on a samba4 AD? Is it
> possible to have the default value at 2? I understand that it used to
> be necessary for NT4 compatibility, and that changing the default value
> may break existing installations based on classic domain, however
> having that null session "vulnerability" on pentesting reports is
> really a pity (restrict anonymous=2 behavior has been the default
> since XP).
>
> I know that the samba project is reluctant to change default parameter
> values, especially when it may break existing installations. I'd say
> that it may be an option to add "restrict anonymous=2" by default to
> smb.conf when creating a new domain, or make it the default value if
> "server role = active directory domain controller" (I don't know if it
> is possible).
>
Thanks Denis,

This behaviour was never intended in the AD DC. Over LDAP, authentication
is required, and this should have been fixed for RPC a long time ago.

Sadly we probably can't change this for 4.5, because I would have liked
to. Please re-raise this on the samba-technical list so we can move
forward on it.

Thanks,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
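The thread turns on whether an AD DC's smb.conf carries "restrict anonymous = 2" or is left at the default of 0. The following audit script is an added example, not code from the thread or from the Samba project: it parses the [global] section of an smb.conf the way Samba reads parameter names (case and whitespace ignored), reports the effective "restrict anonymous" level, and flags an AD DC (identified by the "server role" value quoted in the thread) that is still at the default. The two smb.conf fragments inside are constructed samples; the weak one mirrors a freshly provisioned DC with no explicit setting, the hardened one carries the value Denis proposes.

```python
import re
from typing import Dict, Optional

# Constructed sample: a provisioned AD DC with no "restrict anonymous" line.
WEAK_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    server role = active directory domain controller
    dns forwarder = 192.0.2.1
[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
"""

# Constructed sample: the same DC with the setting the thread proposes.
HARDENED_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    server role = active directory domain controller
    ; refuse null-session enumeration of users and shares
    restrict anonymous = 2
"""

AD_DC_ROLE = "active directory domain controller"  # value used in the thread


def _normalize_key(key: str) -> str:
    # Samba treats parameter names as case- and whitespace-insensitive,
    # so "Restrict  Anonymous" and "restrictanonymous" name the same option.
    return re.sub(r"\s+", "", key).lower()


def parse_global_section(text: str) -> Dict[str, str]:
    """Return the [global] parameters as {normalized_key: value}.

    Lines starting with '#' or ';' are comments; parameters in other
    sections (e.g. [sysvol]) are deliberately ignored.
    """
    params: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[_normalize_key(key)] = value.strip()
    return params


def restrict_anonymous_level(params: Dict[str, str]) -> Optional[int]:
    """Effective level; Samba's documented default when unset is 0.

    Returns None when the value is not an integer so the caller can
    report a malformed line instead of silently assuming a level.
    """
    value = params.get("restrictanonymous", "0")
    return int(value) if value.isdigit() else None


def audit(text: str) -> Dict[str, object]:
    """Summarise the null-session posture of one smb.conf."""
    params = parse_global_section(text)
    level = restrict_anonymous_level(params)
    is_dc = params.get("serverrole", "").lower() == AD_DC_ROLE
    ok = level is not None and level >= 2
    if level is None:
        finding = "restrict anonymous has a non-numeric value; fix the line"
    elif ok:
        finding = "restrict anonymous = %d: null-session enumeration refused" % level
    elif is_dc:
        finding = ("AD DC at restrict anonymous = %d (Samba default is 0): "
                   "anonymous SAMR enumeration is possible" % level)
    else:
        finding = "restrict anonymous = %d; level 2 recommended" % level
    return {"level": level, "ad_dc": is_dc, "ok": ok, "finding": finding}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(name, audit(conf)["finding"])
```

Whether the setting actually closes the hole on a given Samba version is something the thread itself leaves open (Andrew notes the RPC side "should have been fixed a long time ago"), so treat a passing audit as a configuration check and confirm the live behaviour with the unauthenticated `rpcclient ... enumdomusers` command from the original mail against your own DC.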