[PATCH] Turn off NETLOGON by default on standalone/member servers

Simo simo at samba.org
Wed Feb 25 20:46:50 MST 2015


On Wed, 2015-02-25 at 19:37 -0800, Richard Sharpe wrote:
> On Wed, Feb 25, 2015 at 7:33 PM, Simo <simo at samba.org> wrote:
> > On Wed, 2015-02-25 at 16:39 -0800, Jeremy Allison wrote:
> >> On Tue, Feb 24, 2015 at 02:17:27PM +1300, Andrew Bartlett wrote:
> >> > Our security advisory at
> >> > https://www.samba.org/samba/security/CVE-2015-0240 suggests
> >> >
> >> > >
> >> > > ==========
> >> > > Workaround
> >> > > ==========
> >> > >
> >> > > On Samba versions 4.0.0 and above, add the line:
> >> > >
> >> > > rpc_server:netlogon=disabled
> >> > >
> >> > > to the [global] section of your smb.conf.
> >> >
> >> > This patch enforces that, turning off NETLOGON when we are not a DC.
> >> >
> >> > Jeremy,
> >> >
> >> > Can you check this doesn't break anything?  (I'm running an autobuild,
> >> > but I'm not sure that will find anything much for this).
> >>
> >> Hmmm. It *looks* right, but how can I check it doesn't
> >> break anything ? Might Windows clients make netlogon
> >> requests to member servers ? I can't think of a reason
> >> it should be running but at least in a Windows network
> >> the netlogon service still runs on member servers.
> >
> > They may want to log in/deal with local member server accounts ?
> > Like the local Administrator account ?
> 
> Doesn't that come through SessionSetup?

For actual user authentication yes, sorry I expressed myself poorly,
what I was pointing at was the use of local administrative accounts to
deal with administration functions exposed via Netlogon.

Afaik the services defined by MS-NRPC 2.2.1.7 are exposed also on
members via netlogon, I may be wrong, haven't looked into it in a long
time.

Simo.
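An added shell example, not part of this thread or of Samba itself: it audits an smb.conf for the workaround quoted from the advisory above (`rpc_server:netlogon=disabled` in `[global]`) and flags member or standalone servers that still expose NETLOGON. It assumes a DC can be recognised from `server role` or `domain logons` in `[global]`; `testparm` remains the authoritative way to resolve the effective role.

```shell
#!/bin/sh
# Added example, not from the thread or Samba: audit smb.conf for the
# CVE-2015-0240 workaround quoted above (rpc_server:netlogon=disabled in [global]).
# Assumption: a DC is recognised by "server role" containing "domain controller"
# or "domain logons = yes"; testparm is the authoritative check and is not used.

# Print a [global] key's value. Samba keys are case-insensitive and ignore
# internal whitespace ("server role" == "serverrole"); spacing around '=' is ignored.
global_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); gsub(/[ \t]/, "", key) }
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && !/^[ \t]*[#;]/ && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }' "$1"
}

# Return 0 if the host is a DC or already disables NETLOGON, 1 if a member or
# standalone server still exposes it (the case the patch would cover).
netlogon_check() {
    role=$(global_value "$1" "server role" | tr 'A-Z' 'a-z')
    logons=$(global_value "$1" "domain logons" | tr 'A-Z' 'a-z')
    nl=$(global_value "$1" "rpc_server:netlogon" | tr 'A-Z' 'a-z')
    case "$role" in *"domain controller"*) return 0 ;; esac
    case "$logons" in yes|true|1) return 0 ;; esac
    [ "$nl" = "disabled" ]
}

# Constructed sample configs, written to a temp dir so the example runs offline.
SAMPLES=$(mktemp -d)
printf '%s\n' '[global]' '  security = ADS' '  Server Role = member server' \
    '[share]' '  path = /srv/share' > "$SAMPLES/member.conf"
printf '%s\n' '[global]' '  server role = member server' \
    '  rpc_server:netlogon=disabled' > "$SAMPLES/member_fixed.conf"
printf '%s\n' '[global]' '  server role = active directory domain controller' \
    > "$SAMPLES/dc.conf"

for f in "$SAMPLES"/*.conf; do
    if netlogon_check "$f"; then
        echo "$f: ok"
    else
        echo "$f: NETLOGON exposed; add rpc_server:netlogon=disabled to [global]"
    fi
done
```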
