Hi,

I found some discussion here in 2010 about allowing/disallowing anonymous ldap access in samba4, however, nothing much recent comes up.

I see that my samba4 does not allow anonymous access. Is there a way to enable it in samba4, like the way we had it with samba3/openldap?

(we restricted access to sensitive info, but allowed anon search access to many user details like mail addresses, etc, etc)

Regards,
MJ

On 17/01/14 13:49, mourik jan heupink wrote:
> Hi,
>
> I found some discussion here in 2010 about allowing/disallowing
> anonymous ldap access in samba4, however, nothing much recent comes up.
>
> I see that my samba4 does not allow anonymous access. Is there a way
> to enable it in samba4, like the way we had it with samba3/openldap?
>
> (we restricted access to sensitive info, but allowed anon search
> access to many user details like mail addresses, etc, etc)
>
> Regards,
> MJ

Hi, whilst you cannot do anonymous access, what your users can do is read the entire AD database:

    ldapsearch -x -H ldap://dc.example.com:389 -b DC=example,DC=com -D CN=username,CN=Users,DC=example,DC=com -w usernames-password

This is from a Linux machine, but no doubt it is possible to do something similar from a Windows box.

Rowland

On Fri, 2014-01-17 at 14:49 +0100, mourik jan heupink wrote:
> Hi,
>
> I found some discussion here in 2010 about allowing/disallowing
> anonymous ldap access in samba4, however, nothing much recent comes up.
>
> I see that my samba4 does not allow anonymous access. Is there a way to
> enable it in samba4, like the way we had it with samba3/openldap?
>
> (we restricted access to sensitive info, but allowed anon search access
> to many user details like mail addresses, etc, etc)

While there are many good reasons to do or not do this, Samba follows AD, including honouring the dSHeuristics flag for this.

http://support.microsoft.com/kb/326690

However, it is better to authenticate, and Kerberos if used correctly can make that transparent.

Andrew Bartlett

-- 
Andrew Bartlett                           http://samba.org/~abartlet/
Authentication Developer, Samba Team      http://samba.org
Samba Developer, Catalyst IT              http://catalyst.net.nz/services/samba
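
The dSHeuristics check referred to above, as an added example that is not part of the original thread or of Samba's code: a shell audit that reads the attribute from ldapsearch LDIF output and reports whether anonymous LDAP operations are enabled. It assumes the rule described in the linked KB article (seventh character set to 2 enables them; an unset or shorter value leaves them blocked) and the standard AD location of the attribute; the function names and the sample LDIF are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit whether a DC has anonymous LDAP operations enabled.
# Fetch the attribute with an authenticated query (BIND_DN is a placeholder):
#   ldapsearch -LLL -x -H ldap://dc.example.com:389 -D "BIND_DN" -W -s base \
#     -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com" \
#     dSHeuristics
# and pipe the LDIF into audit_ldif.

# Print the dSHeuristics value found in LDIF on stdin (empty if the
# attribute is not set, which is the default).
ds_heuristics_from_ldif() {
    awk 'tolower($1) == "dsheuristics:" { print $2; exit }'
}

# Classify a dSHeuristics value (assumed rule: only a 7th character of 2
# turns anonymous operations on). Prints:
#   blocked - value unset, shorter than 7 characters, or 7th char is not 2
#   allowed - 7th char is 2; anonymous clients are then limited only by ACLs
anon_ldap_state() {
    value=$1
    if [ "${#value}" -lt 7 ]; then
        echo blocked
        return 0
    fi
    seventh=$(printf '%s' "$value" | cut -c7)
    if [ "$seventh" = "2" ]; then echo allowed; else echo blocked; fi
}

# Read LDIF on stdin and print a one-line finding.
audit_ldif() {
    value=$(ds_heuristics_from_ldif)
    printf 'dSHeuristics=%s anonymous_ldap=%s\n' \
        "${value:-<unset>}" "$(anon_ldap_state "$value")"
}

# Constructed sample LDIF (not taken from a real directory).
sample_ldif='dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com
dSHeuristics: 0000002'
printf '%s\n' "$sample_ldif" | audit_ldif
```

A finding of `allowed` means the directory's ACLs are the only thing limiting what an unauthenticated client can read, so review them alongside this flag.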