mirror of https://github.com/samba-team/samba.git synced 2025-01-22 22:04:08 +03:00

docs-xml: Update documentation for 'restrict anonymous' option

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Andreas Schneider 2019-02-05 16:08:46 +01:00 committed by David Disseldorp
parent f132c3767e
commit 3e25d4d55f

@ -3,34 +3,35 @@
context="G"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>The setting of this parameter determines whether user and
group list information is returned for an anonymous connection.
and mirrors the effects of the
<programlisting>
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\LSA\RestrictAnonymous
</programlisting>
registry key in Windows 2000 and Windows NT. When set to 0, user
and group list information is returned to anyone who asks. When set
to 1, only an authenticated user can retrieve user and
group list information. For the value 2, supported by
Windows 2000/XP and Samba, no anonymous connections are allowed at
all. This can break third party and Microsoft
applications which expect to be allowed to perform
operations anonymously.</para>
<para>
The security advantage of using restrict anonymous = 1 is dubious,
as user and group list information can be obtained using other
means.
The setting of this parameter determines whether SAMR and LSA
DCERPC services can be accessed anonymously. This corresponds
to the following Windows Server registry options:
</para>
<note>
<programlisting>
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous
</programlisting>
<para>
The security advantage of using restrict anonymous = 2 is removed
by setting <smbconfoption name="guest ok">yes</smbconfoption> on any share.
The option also affects the browse option which is required by
legacy clients which rely on Netbios browsing. While modern
Windows version should be fine with restricting the access
there could still be applications relying on anonymous access.
</para>
<para>
Setting <smbconfoption name="restrict anonymous">1</smbconfoption>
will disable anonymous SAMR access.
</para>
<para>
Setting <smbconfoption name="restrict anonymous">2</smbconfoption>
will, in addition to restricting SAMR access, disallow anonymous
connections to the IPC$ share in general.
Setting <smbconfoption name="guest ok">yes</smbconfoption> on any share
will remove the security advantage.
</para>
</note>
</description>
<value type="default">0</value>
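Review bot: the reworded description opens by saying the parameter controls anonymous access to both SAMR and LSA, but the paragraphs for values 1 and 2 only speak of SAMR ("will disable anonymous SAMR access", "in addition to restricting SAMR access"), so a reader cannot tell at which value anonymous LSA access is refused; please state that explicitly. The new wording also no longer says what value 0 permits, even though 0 stays the default, and an administrator reviewing null-session exposure needs that spelled out. Smaller points: "registry options" is plural but a single key follows, "the browse option" does not name which smb.conf option is meant, and "Netbios" and "Windows version" should read "NetBIOS" and "Windows versions".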