[PATCH] Turn off NETLOGON by default on standalone/member servers
Simo
simo at samba.org
Wed Feb 25 20:33:05 MST 2015
On Wed, 2015-02-25 at 16:39 -0800, Jeremy Allison wrote:
> On Tue, Feb 24, 2015 at 02:17:27PM +1300, Andrew Bartlett wrote:
> > Our security advisory at
> > https://www.samba.org/samba/security/CVE-2015-0240 suggests
> >
> > >
> > > ==========
> > > Workaround
> > > ==========
> > >
> > > On Samba versions 4.0.0 and above, add the line:
> > >
> > > rpc_server:netlogon=disabled
> > >
> > > to the [global] section of your smb.conf.
> >
> > This patch enforces that, turning off NETLOGON when we are not a DC.
> >
> > Jeremy,
> >
> > Can you check this doesn't break anything? (I'm running an autobuild,
> > but I'm not sure that will find anything much for this).
>
> Hmmm. It *looks* right, but how can I check it doesn't
> break anything? Might Windows clients make netlogon
> requests to member servers? I can't think of a reason
> it should be running but at least in a Windows network
> the netlogon service still runs on member servers.
They may want to log in/deal with local member server accounts?
Like the local Administrator account?
Simo.
--
Simo Sorce
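
A way to audit hosts for the advisory workaround quoted above, as an added example that is not part of the original message or of Samba's code: it parses smb.conf text and reports whether `rpc_server:netlogon=disabled` is in effect in `[global]`. The function names and sample configurations are constructed for illustration; the check does not follow `include` directives and does not determine the server role.

```python
import re

def global_params(conf_text):
    """Collect parameters from every [global] section; later lines win."""
    # smb.conf continues a line that ends in a backslash onto the next line.
    text = re.sub(r"\\\r?\n", "", conf_text)
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names ignore case
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)          # only the first "=" counts
        params[key.strip().lower()] = value.strip()
    return params

def netlogon_workaround_present(conf_text):
    """True only when [global] sets rpc_server:netlogon to exactly 'disabled'."""
    # Strict match on purpose: any other value is reported as not applied.
    return global_params(conf_text).get("rpc_server:netlogon") == "disabled"

# Constructed smb.conf samples for illustration (not taken from the thread).
APPLIED = """[Global]
   workgroup = EXAMPLE
   rpc_server:netlogon = disabled
[share]
   path = /srv/share
"""
MISPLACED = """[global]
   workgroup = EXAMPLE
   ; rpc_server:netlogon = disabled
[share]
   rpc_server:netlogon = disabled
"""
OVERRIDDEN = APPLIED + "[global]\n   rpc_server:netlogon = embedded\n"

if __name__ == "__main__":
    for name in ("APPLIED", "MISPLACED", "OVERRIDDEN"):
        print(name, netlogon_workaround_present(globals()[name]))
```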