Bug 12775 - Change default value of restrict anonymous = 2
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.6.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Blocks:
Reported: 2017-05-05 18:44 UTC by Denis Cardon
Modified: 2017-06-27 19:00 UTC

Description Denis Cardon 2017-05-05 18:44:32 UTC
Currently the default value of restrict anonymous is 0 even on Samba AD DC. It allows a user to list the domain users from a client without authentication using the following command and it is detected as a security issue by network security tools:
 rpcclient -U "" server_ip

It should be changed to restrict anonymous = 2, at least when running in DC mode.
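
An added example (not part of the original report and not Samba project code): a small Python check that reads the `[global]` section of an smb.conf and reports the effective `restrict anonymous` value, treating an unset parameter as the default of 0 described above. The sample configurations are constructed, `include` directives are not followed, and the DC test assumes the role is written as `server role = active directory domain controller`.

```python
# Added example: audit smb.conf [global] for "restrict anonymous".
DC_ROLE = "active directory domain controller"  # assumed spelling of DC mode

def parse_global(text):
    """Return {normalised_name: value} for the [global] section only."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            name, value = line.split("=", 1)
            # parameter names ignore case and embedded whitespace
            params["".join(name.split()).lower()] = value.strip()
    return params

def audit(text):
    """Return (effective_value, is_dc, finding) for one smb.conf text."""
    g = parse_global(text)
    raw = g.get("restrictanonymous", "0")  # unset means the default, 0
    value = int(raw) if raw.isdigit() else None
    is_dc = " ".join(g.get("serverrole", "auto").lower().split()) == DC_ROLE
    if value == 2:
        finding = "ok"
    elif value is None:
        finding = "unparseable value"
    else:
        finding = "restrict anonymous < 2" + (" on AD DC" if is_dc else "")
    return value, is_dc, finding

# Constructed sample configurations (not taken from any real server)
SAMPLE_UNSET = """[global]
    server role = active directory domain controller
    realm = EXAMPLE.TEST
"""
SAMPLE_SET = """[global]
    Server Role = active directory domain controller
    Restrict Anonymous = 2
; restrict anonymous = 0
"""

if __name__ == "__main__":
    print(audit(SAMPLE_UNSET), audit(SAMPLE_SET))
```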