Hi, Is there any setting in smb.conf that prevents the AD enumeration like user, group or computer enumeration? We tried to follow different methods recommended by Microsoft for the AD. But they don't seem to work. Still using apps like powershell, we can still enumerate the users, groups etc. Best regards, Anantha Raghava
On 10-07-2024 11:41, Anantha Raghava via samba wrote:> Hi, > > Is there any setting in smb.conf that prevents the AD enumeration like > user, group or computer enumeration? We tried to follow different > methods recommended by Microsoft for the AD. But they don't seem to > work. Still using apps like powershell, we can still enumerate the > users, groups etc. >Not that I am aware of. As an alternative I have setup an Openldap-proxy. It forwards queries to AD and limits visibility of AD's LDAP. In the Openldap configuration it is relatively simple to set acls on all kinds of operations and objects. Of course this solution is not suitable for domain-members. In my setup I use it for queries from services in the DMZ. The services just have a service-account in AD that they use to authenticate for their query. Firewall settings are in place to take care that it is not possible to connect from the DMZ to AD-DC's directly but just to the Openldap-proxy. - Kees.> Best regards, > > Anantha Raghava
10.07.2024 14:41, Anantha Raghava via samba ?????:> Hi, > > Is there any setting in smb.conf that prevents the AD enumeration like > user, group or computer enumeration? We tried to follow different > methods recommended by Microsoft for the AD. But they don't seem to > work. Still using apps like powershell, we can still enumerate the > users, groups etc./etc/samba/smb.conf [global] restrict anonymous = 2 Additionally samba-tool forest? directory_service dsheuristics 0000000 -- Anton
Seemingly Similar Threads
- Trust relationship between workstation and domain failed
- Trust relationship between workstation & server
- Export authentication & authorisation logs to Windows Event Viewer
- Trust relationship between workstation & server
- Samba Active Directory Domain Controller