[Samba] null session and "restrict anonymous" default value on samba4 AD

Andrew Bartlett abartlet at samba.org
Tue Aug 2 09:49:00 UTC 2016


On Mon, 2016-08-01 at 20:38 +0200, Denis Cardon wrote:
> Hi everyone,
> 
> there has already been some talk in the past about the null session
> access on samba, and that keeping the "restrict anonymous" parameter
> below level 2 was necessary for NT4 domain support. [1]
> 
> However I was wondering if it could be changed. For instance, on a 
> samba4.4.5 AD with the default settings, when you run the following 
> command, you'll get the domain user list without any authentication 
> (even with netbios disabled):
> 
>   rpcclient -U '%' mysamba4 -c enumdomusers
> 
> Is there still some reason to keep it that way on a samba4 AD? Is it
> possible to have the default value at 2? I understand that it used to
> be necessary for NT4 compatibility, and that changing the default value
> may break existing installations based on classic domains, however having
> that null session "vulnerability" on pentesting reports is really a
> pity (restrict anonymous=2 behavior has been the default since XP).
> 
> I know that the samba project is reluctant to change default
> parameter values, especially when it may break existing installations. I'd
> say that it may be an option to add "restrict anonymous=2" by default to
> smb.conf when creating a new domain, or make it the default value if
> "server role = active directory domain controller" (I don't know if it is
> possible).
> 

Thanks Denis,

This behaviour was never intended in the AD DC.  Over LDAP
authentication is required, and this should have been fixed for RPC a
long time ago.

Sadly we probably can't change this for 4.5, because I would have liked
to.  Please re-raise this on the samba-technical list so we can move
forward on it.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
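A small configuration audit for the setting discussed in this thread, added here as an example rather than anything posted by Denis or Andrew: it reads an smb.conf, determines whether the host is an AD DC, and reports whether "restrict anonymous" is still below the level 2 the message proposes. The two smb.conf fragments are constructed for the demonstration.

```python
import re

# Constructed smb.conf fragments (not from the thread): a default-looking AD DC
# with no "restrict anonymous" line, and the same config with the proposed value.
WEAK_SMB_CONF = """
[global]
    workgroup = MYDOM
    realm = MYDOM.EXAMPLE
    server role = active directory domain controller
"""

HARDENED_SMB_CONF = """
[global]
    workgroup = MYDOM
    realm = MYDOM.EXAMPLE
    server role = active directory domain controller
    restrict anonymous = 2
"""


def parse_global(conf: str) -> dict:
    """Return the [global] parameters, with keys lower-cased and internal
    whitespace collapsed, which is how Samba matches parameter names."""
    section, params = None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":        # smb.conf comment lines
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params


def audit_restrict_anonymous(conf: str) -> dict:
    """Flag an AD DC whose "restrict anonymous" is below 2.
    The parameter defaults to 0 when absent; "dc" is Samba's synonym
    for the full "active directory domain controller" role name."""
    g = parse_global(conf)
    is_ad_dc = g.get("server role", "").lower() in (
        "active directory domain controller", "dc")
    try:
        level = int(g.get("restrict anonymous", "0"))
    except ValueError:                          # garbage value: treat as default
        level = 0
    return {"ad_dc": is_ad_dc, "level": level,
            "below_proposed": is_ad_dc and level < 2}
```

Run it against the live smb.conf on each DC (testparm -s output works too, since that prints the effective [global] section) to spot controllers that never picked up the setting.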