samba - May 2015 - samba 4.2.1 RDP && restrict anonymous = 2 problem

RDP working configuration:

        restrict anonymous = 0
        auth methods = sam winbind
        server services = winbindd, s3fs, rpc, nbt, wrepl, cldap, ldap,
kdc, drepl, ntp_signd, kcc, dnsupdate
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6,
backupkey, dnsserver, remote, winreg, srvsvc


    RDP working configuration but not the new client and join


        restrict anonymous = 2
        auth methods = sam winbind
        server services = winbindd, s3fs, rpc, nbt, wrepl, cldap, ldap,
kdc, drepl, ntp_signd, kcc, dnsupdate
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6,
backupkey, dnsserver, remote, winreg, srvsvc

On 08/05/15 18:51, bar?? tombul wrote:
>        RDP working configuration:
>
>          restrict anonymous = 0
>          auth methods = sam winbind
>          server services = winbindd, s3fs, rpc, nbt, wrepl, cldap, ldap,
> kdc, drepl, ntp_signd, kcc, dnsupdate
>          dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6,
> backupkey, dnsserver, remote, winreg, srvsvc
>
>
>      RDP working configuration but not the new client and join
>
>
>          restrict anonymous = 2
>          auth methods = sam winbind
>          server services = winbindd, s3fs, rpc, nbt, wrepl, cldap, ldap,
> kdc, drepl, ntp_signd, kcc, dnsupdate
>          dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6,
> backupkey, dnsserver, remote, winreg, srvsvc
OK, why are you setting it to 2 ? If you read 'man smb.page' , you will 
find this:

This can break third party and Microsoft applications which expect to be 
allowed
            to perform operations anonymously.

There is also this:

The security advantage of using restrict anonymous = 2 is removed by 
setting guest ok = yes on any share.

Also if you were to a bit of searching, you may find this:

https://technet.microsoft.com/en-us/library/cc963223.aspx

Where it says this:

Do not set the value of this entry to 2 in mixed-mode environments. Only 
consider setting it to 2 in environments running only Windows 2000, and 
only after verifying that appropriate service levels and program 
function are maintained.

You don't much more mixed-mode than samba4 :-D

Bottom line, remove the line and it will revert to the default '0'

Rowland

On 08/05/15 19:36, Rowland Penny wrote:
> On 08/05/15 18:51, bar?? tombul wrote:
>>        RDP working configuration:
>>
>>          restrict anonymous = 0
>>          auth methods = sam winbind
>>          server services = winbindd, s3fs, rpc, nbt, wrepl, cldap,
ldap,
>> kdc, drepl, ntp_signd, kcc, dnsupdate
>>          dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
>> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, 
>> eventlog6,
>> backupkey, dnsserver, remote, winreg, srvsvc
>>
>>
>>      RDP working configuration but not the new client and join
>>
>>
>>          restrict anonymous = 2
>>          auth methods = sam winbind
>>          server services = winbindd, s3fs, rpc, nbt, wrepl, cldap,
ldap,
>> kdc, drepl, ntp_signd, kcc, dnsupdate
>>          dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
>> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, 
>> eventlog6,
>> backupkey, dnsserver, remote, winreg, srvsvc
>
> OK, why are you setting it to 2 ? If you read 'man smb.page' , you 
> will find this:
>
> This can break third party and Microsoft applications which expect to 
> be allowed
>            to perform operations anonymously.
>
> There is also this:
>
> The security advantage of using restrict anonymous = 2 is removed by 
> setting guest ok = yes on any share.
>
> Also if you were to a bit of searching, you may find this:
>
> https://technet.microsoft.com/en-us/library/cc963223.aspx
>
> Where it says this:
>
> Do not set the value of this entry to 2 in mixed-mode environments. 
> Only consider setting it to 2 in environments running only Windows 
> 2000, and only after verifying that appropriate service levels and 
> program function are maintained.
>
> You don't much more mixed-mode than samba4 :-D
>
> Bottom line, remove the line and it will revert to the default '0'
>
> Rowland
>
OOPS, that should have been 'man smb.conf' :-[

Rowland