[Samba] anonymous ldap search, how disable it?

Anton Shevtsov shevtsovay at basealt.ru
Thu Jul 4 05:22:49 UTC 2024


03.07.2024 23:14, Kees van Vloten via samba wrote:
>
> On 03-07-2024 19:36, Rowland Penny via samba wrote:
>> On Wed, 3 Jul 2024 21:52:39 +0500
>> Anton Shevtsov via samba <samba at lists.samba.org> wrote:
>>
>>> Hi,
>>>
>>> I tried ldap anonymous search in samba.
>>>
>>> Downloaded Kali Linux, ran
>>>
>>> enum4linux -a my.dc.domain
>>>
>>> and got all groups, users, SIDs, RIDs... without any password o_O
>> I do not think you are using ldap there, unless you explicitly set
>> anonymous search in AD, you must supply a valid username & password, or
>> use kerberos.
> set dsheuristics: 0000002
>
> This means anonymous ldap is enabled.
>
> I used it for a while, you also have to set dsacls on the objects you 
> want to allow in anonymous queries.

I set 0 (and 0000000), but anonymous access is not disabled.

Also, I tried it on MS AD and it works fine: users and groups are not available.



>
> - Kees.
>
>>
>> Rowland
>>
>
-- 
*Shevtsov Anton Yuryevich*
/Senior Specialist, Technical Presales Department/
Basalt SPO LLC
mobile: +79222651692
telegram: @anton_shevtsov
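
An added example, not part of the original thread or of Samba's own code: a small decoder for the dsHeuristics values quoted above, useful when auditing a directory's setting. It assumes the character layout documented for dSHeuristics in MS-ADTS (7th character "2" lifts the block on anonymous LDAP operations; 10th and 20th characters are fixed markers); the function names are hypothetical.

```python
"""Decode the dsHeuristics values discussed in the thread (added example)."""

# Assumption: character positions follow the dSHeuristics layout in MS-ADTS.
ANON_OPS_POS = 7                 # fLDAPBlockAnonOps; "2" lifts the block
SENTINELS = {10: "1", 20: "2"}   # fixed marker characters in long values


def check_sentinels(value):
    """Return a list of problems with the fixed marker characters."""
    problems = []
    for pos, expected in SENTINELS.items():
        if len(value) >= pos and value[pos - 1] != expected:
            found = value[pos - 1]
            problems.append(f"character {pos} must be {expected!r}, got {found!r}")
    return problems


def anonymous_ldap_allowed(value):
    """True only if the 7th character is '2'.

    An unset attribute, or a value shorter than 7 characters, leaves
    anonymous operations (other than rootDSE reads) blocked.
    """
    if value is None:
        return False
    value = value.strip()
    return len(value) >= ANON_OPS_POS and value[ANON_OPS_POS - 1] == "2"


def audit(value):
    """Summarise one dsHeuristics value for a hardening report."""
    return {
        "value": value,
        "anonymous_ldap": anonymous_ldap_allowed(value),
        "problems": check_sentinels(value or ""),
    }


if __name__ == "__main__":
    # Values quoted in the thread, plus an unset attribute and a
    # constructed malformed value (10th character is not "1").
    for sample in ("0000002", "0", "0000000", None, "0000002000"):
        print(audit(sample))
```

Both values from the reply ("0" and "0000000") decode to blocked, which fits Rowland's remark that the enumeration is probably not going over LDAP.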

