[Samba] anonymous ldap search, how disable it?

Kees van Vloten keesvanvloten at gmail.com
Wed Jul 3 18:14:19 UTC 2024


On 03-07-2024 19:36, Rowland Penny via samba wrote:
> On Wed, 3 Jul 2024 21:52:39 +0500
> Anton Shevtsov via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I tried ldap anonymous search in samba.
>>
>> Downloaded kali linux, run
>>
>> enum4linux -a my.dc.domain
>>
>> and get all group, users, sids, rids... without any password o_O
> I do not think you are using ldap there, unless you explicitly set
> anonymous search in AD, you must supply a valid username & password, or
> use kerberos.
set dsheuristics: 0000002

This means anonymous ldap is enabled.

I used it for a while, you also have to set dsacls on the objects you 
want to allow in anonymous queries.

- Kees.

>
> Rowland
>
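A defender-side check for the setting discussed in this thread, as an added example that is not part of the original messages or of Samba itself: it reads the `dSHeuristics` attribute from LDIF output and reports whether the seventh character is `2`, the value that lifts the anonymous-operations block. The function name, the sample LDIF and the `DC=example,DC=com` base DN are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify anonymous LDAP state from dSHeuristics.
# Input is LDIF text for the object
#   CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<base DN>
# e.g. as printed by: ldbsearch -H <path to sam.ldb> -b '<that DN>' -s base dSHeuristics
# (<path to sam.ldb> and <base DN> are placeholders for your own installation).

# Prints one of: enabled | blocked | unknown
anon_ldap_state() (
    # Attribute names are case-insensitive; take the first matching line.
    value=$(printf '%s\n' "$1" | awk '
        tolower($0) ~ /^dsheuristics::/ { print "BASE64"; exit }
        tolower($0) ~ /^dsheuristics:/ {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]*$/, ""); print; exit
        }')
    # A base64-encoded value ("::") is not decoded here; report it instead of guessing.
    if [ "$value" = "BASE64" ]; then
        echo unknown
        return 0
    fi
    # Attribute absent or shorter than 7 characters: the default (blocked) applies.
    # Only the literal character 2 in position 7 lifts the block.
    if [ "${#value}" -ge 7 ] && [ "$(printf '%s' "$value" | cut -c7)" = "2" ]; then
        echo enabled
    else
        echo blocked
    fi
)

# Constructed sample: the value quoted in the thread.
SAMPLE_OPEN='dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com
dSHeuristics: 0000002'

# Constructed sample: attribute not set at all.
SAMPLE_DEFAULT='dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com'

echo "thread value:   $(anon_ldap_state "$SAMPLE_OPEN")"
echo "attribute unset: $(anon_ldap_state "$SAMPLE_DEFAULT")"
```

A result of `enabled` only means the directory-wide block is lifted; as the reply above notes, what an anonymous query can actually read still depends on the ACLs set on each object.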


