Bug 13389 - Default ACE allows anonymous read of DNS root servers
Summary: Default ACE allows anonymous read of DNS root servers
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.8.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2018-04-18 07:14 UTC by William Brown
Modified: 2018-04-18 07:14 UTC

Description William Brown 2018-04-18 07:14:33 UTC
When enabling anonymous reads (cn=directory server: dsHeuristics=0000002), and the internal DNS is enabled, by default the anonymous bind should not be able to read any objects.

However, when dsHeuristics is set to allow anonymous reads, Samba 4.8.0 allows an anonymous bind to read the state of the root DNS server configuration.

To reproduce:

* install s4.8.0 with internal_dns enabled
* allow anonymous reads
* perform an anonymous read on the default naming context
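The check a defender would run after the last step, as an added example that is not part of the bug report: an anonymous (simple, unauthenticated) search over the default naming context that should return no entries once dsHeuristics permits anonymous reads. It assumes OpenLDAP's `ldapsearch` client; `LDAP_URI` and `BASE_DN` are placeholders, and the assumption that Samba's DNS data lives under `CN=MicrosoftDNS` is used only to label which leaked entries are DNS-related.

```sh
#!/bin/sh
# Added example (not from the bug report): verify that an anonymous bind cannot
# read any object under the default naming context.
# Placeholders: set LDAP_URI and BASE_DN for the directory under test.
LDAP_URI="${LDAP_URI:-ldap://dc1.example.com}"
BASE_DN="${BASE_DN:-DC=example,DC=com}"

# count_entries: read LDIF on stdin and count entries (one "dn:" line each).
# grep -c prints 0 on no match but exits 1, so "|| true" keeps set -e happy.
count_entries() {
    grep -c '^dn:' || true
}

# dns_entries: print only the DNs that sit in the AD-integrated DNS partition.
# Assumption: Samba stores DNS objects under CN=MicrosoftDNS (the AD layout).
dns_entries() {
    grep -i '^dn:.*CN=MicrosoftDNS' || true
}

# anon_read_check: -x forces a simple bind with no credentials (anonymous),
# -LLL gives plain LDIF, and asking for "dn" alone keeps the output small.
# Returns 0 when nothing is readable (expected), 1 when objects leak.
anon_read_check() {
    ldif=$(ldapsearch -x -LLL -H "$LDAP_URI" -b "$BASE_DN" -s sub \
                     '(objectClass=*)' dn 2>/dev/null)
    total=$(printf '%s\n' "$ldif" | count_entries)
    if [ "$total" -gt 0 ]; then
        dns=$(printf '%s\n' "$ldif" | dns_entries | count_entries)
        echo "anonymous read returned $total object(s) under $BASE_DN ($dns DNS-related)" >&2
        printf '%s\n' "$ldif" | dns_entries >&2
        return 1
    fi
    echo "no objects readable anonymously under $BASE_DN"
    return 0
}

# Run the live check only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    anon_read_check
fi
```

Invoke as `sh anon_read_check.sh --run` against a server where dsHeuristics has been set; a non-zero exit with DNs printed to stderr means the anonymous bind can read objects it should not.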