I am trying to lock down Samba's null session accessibility by using the
"restrict anonymous = 2" setting, but when I configure this option it
stops the test XP client from being able to log on to the domain.
"restrict anonymous = 1" allows logins to work correctly, but Samba still
shows some account information when checking with the GetAcct tool. I am
using a Samba 3.0.25b domain configured as a PDC with a test WinXP
client.

Is anyone using "restrict anonymous = 2" while still being able to log in
to the Samba domain, or have I gone wrong somewhere?

Thanks
Dean
smb.conf
[global]
workgroup = DOMTEST
netbios name = MYMACHINE
security = user
enable privileges = yes
server string = Samba Server
encrypt passwords = Yes
#pam password change = no
#obey pam restrictions = No
#ldap passwd sync = Yes
debug level = 103
log level = 0
syslog = 0
# TEST SETTINGS
restrict anonymous = 2
ntlm auth = no
lanman auth = no
client ntlmv2 auth = yes
client lanman auth = no
#
log file = /var/log/samba/%m.log
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
# logon script = logon.bat
# logon drive = H:
logon home = ""
logon path = ""
domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
wins support = yes
passdb backend = ldapsam:"ldap://localhost"
ldap admin dn = cn=Manager,dc=testdomain,dc=com
ldap suffix = dc=testdomain,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
idmap backend = "ldap:ldap://localhost"
add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
#ldap delete dn = Yes
delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 5 -w "%m"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
#delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no
load printers = No
printcap cache time = 750
cups server =
iprint server =
addprinter command =
deleteprinter command =
show add printer wizard = No
printer admin =
min print space = 0
max reported print jobs = 0
max print jobs = 0
printable = No
printing =
cups options =
print command =
printer name =
force printername = No
printcap name = /dev/null
disable spoolss = yes
On Thu, 2007-07-19 at 10:50 +0100, Plant, Dean wrote:
> I am trying to lock down Samba's null session accessibility by using the
> "restrict anonymous = 2" setting, but when I configure this option it
> stops the test XP client from being able to log on to the domain.
> "restrict anonymous = 1" allows logins to work correctly, but Samba still
> shows some account information when checking with the GetAcct tool. I am
> using a Samba 3.0.25b domain configured as a PDC with a test WinXP
> client.
>
> Is anyone using "restrict anonymous = 2" while still being able to log in
> to the Samba domain, or have I gone wrong somewhere?

This won't be possible until Samba4 is available - restrict anonymous 2 prevents the NT4 domain logon mechanism.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
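As a check for the question and reply above (added here; it is not code from the thread or from the Samba project): a small POSIX shell script that tells you whether a Samba host you administer still answers a null-session user enumeration, the same kind of query GetAcct makes, after a change to "restrict anonymous". It assumes rpcclient from the Samba suite is installed and that the host name you pass is your own server; the two sample outputs are constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the original thread): check whether a Samba server
# you administer still answers null-session account enumeration.
# Assumes rpcclient is installed; the target host is given on the command line.

# Classify captured rpcclient output.
# Prints "open" when account names came back over the anonymous session,
# "restricted" when the server refused it, "unknown" otherwise.
classify_enum_output() {
    if printf '%s\n' "$1" | grep -q '^user:\['; then
        echo open
    elif printf '%s\n' "$1" | grep -Eq 'NT_STATUS_ACCESS_DENIED|NT_STATUS_LOGON_FAILURE'; then
        echo restricted
    else
        echo unknown
    fi
}

# Ask the server for its user list with an empty username and no password
# (a null session) and classify what comes back.
check_null_session() {
    out=$(rpcclient -U '' -N "$1" -c enumdomusers 2>&1) || true
    classify_enum_output "$out"
}

# Constructed sample outputs (not captured from a real server) so the
# classifier can be exercised without network access.
SAMPLE_OPEN='user:[administrator] rid:[0x1f4]
user:[dean] rid:[0x3e8]'
SAMPLE_DENIED='Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED'

# Usage: sh check_null_session.sh MYMACHINE
if [ $# -gt 0 ]; then
    printf '%s: anonymous enumeration is %s\n' "$1" "$(check_null_session "$1")"
fi
```

Run it against the PDC before and after editing "restrict anonymous" in smb.conf; "open" means the server still hands out account names to an unauthenticated client.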