Currently the default value of restrict anonymous is 0 even on Samba AD DC. It allows a user to list the domain users from a client without authentication using the following command and it is detected as a security issue by network security tools:
rpcclient -U "" server_ip
It should be changed to restrict anonymous = 2, at least when running in DC mode.
I agree, we should do this on the Samba AD DC.
We should implement 'restrict anonymous samr' and 'restrict anonymous lsa' options and turn them on by default. It should be implemented in both the samr and lsa implementations. Doesn't make sense to have this turned on in smbd either.
I think this is what 'restrict anonymous = 1' was meant to mean. Good solid investigation needed.
Microsoft has apparently made some changes here, so we now might have a pattern to more strongly match: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925
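An added example, not from the bug report or the Samba project, that audits an smb.conf for the setting the thread discusses: it parses the [global] section, applies Samba's documented default of 0 when 'restrict anonymous' is absent, and flags a domain controller that is not running with the recommended value 2. The accepted spellings of the DC server role and the sample smb.conf are assumptions constructed for the demo.

```python
import re

# Constructed sample smb.conf (not a real deployment): the DC comments the
# setting out, so Samba's default of 0 applies and anonymous enumeration works.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
    ; restrict anonymous = 2
[netlogon]
    path = /var/lib/samba/sysvol/example.local/scripts
"""

# Assumed spellings that Samba accepts for the AD DC role in 'server role'.
DC_ROLES = {"active directory domain controller", "domain controller", "dc"}

SAMBA_DEFAULT_RESTRICT_ANONYMOUS = 0  # default named in the report above


def parse_global(conf_text):
    """Return the [global] section as {normalised key: value}.

    Skips '#' and ';' comment lines and normalises key case and spacing,
    which smb.conf treats as insignificant.
    """
    section, params = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def audit_restrict_anonymous(conf_text):
    """Return (is_dc, effective_value, finding); finding is None when OK."""
    g = parse_global(conf_text)
    is_dc = g.get("server role", "").lower() in DC_ROLES
    value = int(g.get("restrict anonymous", SAMBA_DEFAULT_RESTRICT_ANONYMOUS))
    finding = None
    if is_dc and value < 2:
        finding = ("DC allows anonymous SAMR/LSA enumeration "
                   "(restrict anonymous = %d); set restrict anonymous = 2" % value)
    return is_dc, value, finding
```

A member server or standalone host with the default value is reported as is_dc False and no finding, matching the thread's view that the stricter default belongs to DC mode.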