How secure is Samba4?

Andrew Bartlett abartlet at
Tue May 4 07:59:28 MDT 2010

On Tue, 2010-05-04 at 11:51 +0000, Alex Besogonov wrote:
> Good $time_of_day!
> I'm planning to deploy Samba4 on several sites (Samba4 will be limited to their
> internal networks) and also on a central server with a public IPv4 and IPv6
> addresses to serve as a central 'hub' for replication and Kerberos
> authorization. So I have a question - how secure is Samba4?
> Looking at the list of open ports, I guess it's not that much secure :) Is it
> possible to turn off everything except Kerberos, LDAP and replication services?

The biggest problem with Samba4 at the moment is that LDAP access is
permitted from anonymous clients.  We need to lock this down, but that's
how it is right now.

I would not expose a Samba4 server in a situation where you would not
expose a Windows server - the protocols are complex, and not really
designed for internet use.  But you should be able to restrict access to
your client sites with iptables etc.

You can't really just turn off ports without turning off services -
many/most of which come into play with replication. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the samba-technical mailing list