[PATCH] Turn off NETLOGON by default on standalone/member servers

Richard Sharpe realrichardsharpe at gmail.com
Wed Feb 25 20:37:37 MST 2015


On Wed, Feb 25, 2015 at 7:33 PM, Simo <simo at samba.org> wrote:
> On Wed, 2015-02-25 at 16:39 -0800, Jeremy Allison wrote:
>> On Tue, Feb 24, 2015 at 02:17:27PM +1300, Andrew Bartlett wrote:
>> > Our security advisory at
>> > https://www.samba.org/samba/security/CVE-2015-0240 suggests
>> >
>> > >
>> > > ==========
>> > > Workaround
>> > > ==========
>> > >
>> > > On Samba versions 4.0.0 and above, add the line:
>> > >
>> > > rpc_server:netlogon=disabled
>> > >
>> > > to the [global] section of your smb.conf.
>> >
>> > This patch enforces that, turning off NETLOGON when we are not a DC.
>> >
>> > Jeremy,
>> >
>> > Can you check this doesn't break anything?  (I'm running an autobuild,
>> > but I'm not sure that will find anything much for this).
>>
>> Hmmm. It *looks* right, but how can I check it doesn't
>> break anything ? Might Windows clients make netlogon
>> requests to member servers ? I can't think of a reason
>> it should be running but at least in a Windows network
>> the netlogon service still runs on member servers.
>
> They may want to log in/deal with local member server accounts ?
> Like the local Administrator account ?

Doesn't that come through SessionSetup?

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)
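
A configuration check for the workaround quoted in the thread above, as an added example that is not part of the original messages or Samba's own code: it reads smb.conf text and reports whether `rpc_server:netlogon=disabled` is set in `[global]` when the server is not a domain controller. The function names, the simplified parsing and role detection, and the sample file are assumptions of this example.

```python
# Added example: audit smb.conf text for the CVE-2015-0240 workaround.
# SAMPLE is a constructed file, not taken from the thread.
SAMPLE = """\
[global]
    workgroup = EXAMPLE
    Server Role = member server
    ; rpc_server:netlogon = disabled
[share]
    path = /srv/share
"""

def _norm(name):
    # Assumption: names are compared case-insensitively, whitespace removed.
    return "".join(name.split()).lower()

def parse_global(text):
    """Return {normalized name: value} for the [global] section only."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_norm(name)] = value.strip()
    return params

def netlogon_audit(text):
    """Return (ok, reason); ok is False when the workaround is missing."""
    g = parse_global(text)
    role = " ".join(g.get("serverrole", "auto").lower().split())
    # Simplification: with role "auto" only 'domain logons' is consulted.
    logons = g.get("domainlogons", "no").lower() in ("yes", "true", "1")
    if "domain controller" in role or role == "dc" or (role == "auto" and logons):
        return True, "domain controller role: not checked"
    setting = g.get("rpc_server:netlogon", "").lower()
    if setting == "disabled":
        return True, "workaround present"
    return False, f"role {role!r}: rpc_server:netlogon={setting or 'unset'}"

if __name__ == "__main__":
    print(netlogon_audit(SAMPLE))
```

A setting that is commented out or placed in a share section is reported as missing, since the workaround only applies in `[global]`.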

