barış tombul
2015-May-08 17:51 UTC
[Samba] samba 4.2.1 RDP && restrict anonymous = 2 problem
RDP working configuration:

    restrict anonymous = 0
    auth methods = sam winbind
    server services = winbindd, s3fs, rpc, nbt, wrepl, cldap, ldap, kdc, drepl, ntp_signd, kcc, dnsupdate
    dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc

RDP working configuration but not the new client and join

    restrict anonymous = 2
    auth methods = sam winbind
    server services = winbindd, s3fs, rpc, nbt, wrepl, cldap, ldap, kdc, drepl, ntp_signd, kcc, dnsupdate
    dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
Rowland Penny
2015-May-08 18:36 UTC
[Samba] samba 4.2.1 RDP && restrict anonymous = 2 problem
On 08/05/15 18:51, barış tombul wrote:
> RDP working configuration:
>
> restrict anonymous = 0
> auth methods = sam winbind
> server services = winbindd, s3fs, rpc, nbt, wrepl, cldap, ldap,
> kdc, drepl, ntp_signd, kcc, dnsupdate
> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6,
> backupkey, dnsserver, remote, winreg, srvsvc
>
>
> RDP working configuration but not the new client and join
>
>
> restrict anonymous = 2
> auth methods = sam winbind
> server services = winbindd, s3fs, rpc, nbt, wrepl, cldap, ldap,
> kdc, drepl, ntp_signd, kcc, dnsupdate
> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6,
> backupkey, dnsserver, remote, winreg, srvsvc

OK, why are you setting it to 2? If you read 'man smb.page', you will find this:

This can break third party and Microsoft applications which expect to be allowed to perform operations anonymously.

There is also this:

The security advantage of using restrict anonymous = 2 is removed by setting guest ok = yes on any share.

Also if you were to do a bit of searching, you may find this:

https://technet.microsoft.com/en-us/library/cc963223.aspx

Where it says this:

Do not set the value of this entry to 2 in mixed-mode environments. Only consider setting it to 2 in environments running only Windows 2000, and only after verifying that appropriate service levels and program function are maintained.

You don't get much more mixed-mode than samba4 :-D

Bottom line, remove the line and it will revert to the default '0'

Rowland
Rowland Penny
2015-May-08 18:38 UTC
[Samba] samba 4.2.1 RDP && restrict anonymous = 2 problem
On 08/05/15 19:36, Rowland Penny wrote:
> On 08/05/15 18:51, barış tombul wrote:
>> RDP working configuration:
>>
>> restrict anonymous = 0
>> auth methods = sam winbind
>> server services = winbindd, s3fs, rpc, nbt, wrepl, cldap, ldap,
>> kdc, drepl, ntp_signd, kcc, dnsupdate
>> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
>> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
>> eventlog6,
>> backupkey, dnsserver, remote, winreg, srvsvc
>>
>>
>> RDP working configuration but not the new client and join
>>
>>
>> restrict anonymous = 2
>> auth methods = sam winbind
>> server services = winbindd, s3fs, rpc, nbt, wrepl, cldap, ldap,
>> kdc, drepl, ntp_signd, kcc, dnsupdate
>> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
>> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
>> eventlog6,
>> backupkey, dnsserver, remote, winreg, srvsvc
>
> OK, why are you setting it to 2? If you read 'man smb.page', you
> will find this:
>
> This can break third party and Microsoft applications which expect to
> be allowed
> to perform operations anonymously.
>
> There is also this:
>
> The security advantage of using restrict anonymous = 2 is removed by
> setting guest ok = yes on any share.
>
> Also if you were to do a bit of searching, you may find this:
>
> https://technet.microsoft.com/en-us/library/cc963223.aspx
>
> Where it says this:
>
> Do not set the value of this entry to 2 in mixed-mode environments.
> Only consider setting it to 2 in environments running only Windows
> 2000, and only after verifying that appropriate service levels and
> program function are maintained.
>
> You don't get much more mixed-mode than samba4 :-D
>
> Bottom line, remove the line and it will revert to the default '0'
>
> Rowland
>

OOPS, that should have been 'man smb.conf' :-[

Rowland
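
Added example, not part of any message in this thread: a small smb.conf check for the two caveats quoted above from the man page (restrict anonymous = 2 can break clients, and guest ok = yes on any share removes its benefit). The sample configuration, share names and function names are constructed for illustration.

```python
import re

# Constructed sample smb.conf (not the poster's file): level 2 plus one guest share.
SAMPLE_CONF = """\
[global]
    restrict anonymous = 2
    auth methods = sam winbind

[scans]
    path = /srv/scans
    guest ok = yes

[docs]
    path = /srv/docs
"""

TRUE_VALUES = {"yes", "true", "1", "on"}


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names lower-cased, inner spaces collapsed.
    Trailing-backslash line continuations are not handled."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections


def audit_restrict_anonymous(text):
    """List findings for the two man-page caveats quoted in the thread."""
    conf = parse_smb_conf(text)
    level = conf.get("global", {}).get("restrict anonymous", "0")  # unset means 0
    if level != "2":
        return []
    findings = ["restrict anonymous = 2: clients expecting anonymous operations may break"]
    for name, params in conf.items():  # a value in [global] is the default for shares
        guest = params.get("guest ok", params.get("public", "no")).lower()
        if guest in TRUE_VALUES:  # 'public' is a synonym for 'guest ok'
            findings.append(f"[{name}] guest ok = yes removes the benefit of level 2")
    return findings
```
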