[PATCH] Turn off NETLOGON by default on standalone/member servers
Jeremy Allison
jra at samba.org
Wed Feb 25 17:39:22 MST 2015
On Tue, Feb 24, 2015 at 02:17:27PM +1300, Andrew Bartlett wrote:
> Our security advisory at
> https://www.samba.org/samba/security/CVE-2015-0240 suggests
>
> >
> > ==========
> > Workaround
> > ==========
> >
> > On Samba versions 4.0.0 and above, add the line:
> >
> > rpc_server:netlogon=disabled
> >
> > to the [global] section of your smb.conf.
>
> This patch enforces that, turning off NETLOGON when we are not a DC.
>
> Jeremy,
>
> Can you check this doesn't break anything? (I'm running an autobuild,
> but I'm not sure that will find anything much for this).
Hmmm. It *looks* right, but how can I check it doesn't
break anything? Might Windows clients make netlogon
requests to member servers? I can't think of a reason
it should be running but at least in a Windows network
the netlogon service still runs on member servers.
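
Added example, not part of the original thread or of Samba's own code: a small audit check for the workaround quoted above, reporting whether an smb.conf for a non-DC carries rpc_server:netlogon=disabled in [global]. The function names and the sample config are constructed for illustration; role detection is simplified (include lines are not followed, and with server role = auto only domain logons is consulted).

```python
import re

# Roles in which Samba is a domain controller and must keep NETLOGON running.
DC_ROLES = {
    "classic primary domain controller",
    "classic backup domain controller",
    "active directory domain controller",
}
TRUE_VALUES = {"yes", "true", "on", "1"}

# Constructed sample: a member server without the workaround line.
SAMPLE_MEMBER = """\
[global]
    workgroup = EXAMPLE
    security = ads
    Server Role = member server
[share]
    path = /srv/share
"""

def parse_global(text):
    """Return [global] parameters; names lower-cased, whitespace removed."""
    params, section = {}, None
    text = re.sub(r"\\\r?\n", "", text)  # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params

def netlogon_status(text):
    """Classify a config: 'dc', 'workaround-present' or 'workaround-missing'."""
    g = parse_global(text)
    role = " ".join(g.get("serverrole", "auto").lower().split())
    legacy_dc = g.get("domainlogons", "no").lower() in TRUE_VALUES
    if role in DC_ROLES or (role == "auto" and legacy_dc):
        return "dc"  # a DC needs NETLOGON; the patch only targets non-DCs
    if g.get("rpc_server:netlogon", "").lower() == "disabled":
        return "workaround-present"
    return "workaround-missing"

if __name__ == "__main__":
    print(netlogon_status(SAMPLE_MEMBER))
```

A "workaround-missing" result only matters on a Samba build that still starts NETLOGON by default on non-DCs, which is the behaviour the patch in this thread changes.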