Bug 13389 - Default ACE allows anonymous read of DNS root servers
Summary: Default ACE allows anonymous read of DNS root servers
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.8.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2018-04-18 07:14 UTC by William Brown
Modified: 2018-04-18 07:14 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description William Brown 2018-04-18 07:14:33 UTC
When enabling anonymous reads (cn=directory server: dsHeuristcs=0000002), and the internal DNS is enabled, by default the anonymous bind should not be able to read any objects.

However, when dsHeuristics is set to allow anonymous samba 4.8.0 allows anonymous to read the state of the root dns server configuration.

To reproduce:

* install s4.8.0 with internal_dns enabled
* allow anonymous reads
* perform an anonymous read on the default naming context