Denis Cardon
2016-Aug-01 18:38 UTC
[Samba] null session and "restrict anonymous" default value on samba4 AD
Hi everyone,

There has already been some talk in the past about null session access on Samba, and that keeping the "restrict anonymous" parameter below level 2 was necessary for NT4 domain support. [1]

However, I was wondering if it could be changed. For instance, on a Samba 4.4.5 AD with the default settings, when you run the following command, you'll get the domain user list without any authentication (even with NetBIOS disabled):

    rpcclient -U '%' mysamba4 -c enumdomusers

Is there still some reason to keep it that way on a Samba 4 AD? Is it possible to have the default value at 2? I understand that it used to be necessary for NT4 compatibility, and that changing the default value may break existing installations based on a classic domain; however, having that null session "vulnerability" on pentesting reports is really a pity ("restrict anonymous=2" behaviour has been the default since XP).

I know that the Samba project is reluctant to change default parameter values, especially when it may break existing installations. I'd say that it may be an option to add "restrict anonymous=2" by default to smb.conf when creating a new domain, or to make it the default value if "server role = active directory domain controller" (I don't know if that is possible).

Thanks,

Denis

[1] https://lists.samba.org/archive/samba/2007-July/133938.html

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
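As an added example (not part of the thread, and not Samba project code), a small audit helper that wraps the rpcclient probe from the post and classifies its output, so an administrator can confirm whether a DC still answers the anonymous enumdomusers call before and after setting "restrict anonymous = 2" in smb.conf. It assumes rpcclient from the Samba client tools is installed; the sample outputs are constructed, not captured from a real server.

```shell
#!/bin/sh
# Audit helper (added example): does this DC answer an unauthenticated
# (null session) SAMR enumdomusers call? Assumes rpcclient is installed.
# Mitigation discussed in the thread: "restrict anonymous = 2" in smb.conf.

# Classify rpcclient output. Prints:
#   open        - user entries came back without credentials
#   restricted  - the server refused the anonymous call
#   unknown     - anything else (connection error, no output, ...)
classify_enum_output() {
    out="$1"
    # enumdomusers prints one "user:[NAME] rid:[0x..]" line per account
    if printf '%s\n' "$out" | grep -q '^user:\['; then
        echo open
        return 0
    fi
    if printf '%s\n' "$out" | grep -q 'NT_STATUS_ACCESS_DENIED'; then
        echo restricted
        return 0
    fi
    echo unknown
}

# Probe a host with an empty user name and password (the post's exact check)
# and classify the result.
check_null_session() {
    host="$1"
    out=$(rpcclient -U '%' "$host" -c enumdomusers 2>&1)
    classify_enum_output "$out"
}

# Constructed sample outputs for offline use (not from a real server).
SAMPLE_OPEN='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]'
SAMPLE_DENIED='Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED'

# Usage: ./null_session_audit.sh <dc-hostname>
if [ $# -eq 1 ]; then
    check_null_session "$1"
fi
```

Run it once with the default configuration and again after adding "restrict anonymous = 2" and restarting the DC; the classification should move from "open" to "restricted".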
Andrew Bartlett
2016-Aug-02 09:49 UTC
[Samba] null session and "restrict anonymous" default value on samba4 AD
On Mon, 2016-08-01 at 20:38 +0200, Denis Cardon wrote:
> Hi everyone,
>
> There has already been some talk in the past about null session
> access on Samba, and that keeping the "restrict anonymous" parameter
> below level 2 was necessary for NT4 domain support. [1]
>
> However, I was wondering if it could be changed. For instance, on a
> Samba 4.4.5 AD with the default settings, when you run the following
> command, you'll get the domain user list without any authentication
> (even with NetBIOS disabled):
>
>     rpcclient -U '%' mysamba4 -c enumdomusers
>
> Is there still some reason to keep it that way on a Samba 4 AD? Is it
> possible to have the default value at 2? I understand that it used to
> be necessary for NT4 compatibility, and that changing the default value
> may break existing installations based on a classic domain; however,
> having that null session "vulnerability" on pentesting reports is
> really a pity ("restrict anonymous=2" behaviour has been the default
> since XP).
>
> I know that the Samba project is reluctant to change default parameter
> values, especially when it may break existing installations. I'd say
> that it may be an option to add "restrict anonymous=2" by default to
> smb.conf when creating a new domain, or to make it the default value if
> "server role = active directory domain controller" (I don't know if
> that is possible).

Thanks Denis,

This behaviour was never intended in the AD DC. Over LDAP, authentication is required, and this should have been fixed for RPC a long time ago.

Sadly we probably can't change this for 4.5, because I would have liked to.

Please re-raise this on the samba-technical list so we can move forward on it.

Thanks,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba