Bug 12775 – Change default value of restrict anonymous = 2

Bug 12775 - Change default value of restrict anonymous = 2


Summary:	Change default value of restrict anonymous = 2

Status:	NEW

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB
Version:	4.6.3
Hardware:	All All

Importance:	P5 normal
Target Milestone:	---
Assigned To:	Andrew Bartlett
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2017-05-05 18:44 UTC by Denis Cardon
Modified:	2017-06-27 19:00 UTC (History)
CC List:	3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Denis Cardon 2017-05-05 18:44:32 UTC

Currently the default value of restrict anonymous is 0 even on Samba AD DC. It allows a user to list the domain users from a client without authentication using the following command and it is detected as a security issue by network security tools:
 rpcclient -U "" server_ip

It should be changed to restrict anonymous = 2, at when running in DC mode.