[PATCH] Turn off NETLOGON by default on standalone/member servers

Andrew Bartlett abartlet at samba.org
Thu Feb 26 01:44:40 MST 2015

On Wed, 2015-02-25 at 20:07 -0800, Richard Sharpe wrote:

> Actually, I did not understand. Now that I have looked at MS-NRPC, it
> seems to me that a Domain Member can only ever be a NETLOGON client
> and should never function as a NETLOGON server.
> Perhaps I am wrong.
> In the case of a client trying to authenticate against a local account
> on the member server, NETLOGON does not get involved at all, it would
> seem, since there is no need for pass through auth.
> Again, perhaps I am wrong.

This is the position I would take.  I've looked over the calls, and
there are only 3 or so in source3 that are even able to be called
without netlogon credentials, and I've never seen them being called. 

For the longest time, we have quite rightly followed a lead of 'what
Microsoft does', but I think we should be more proactive and reduce our
attack surface. 

But that is also why I was proposing this now, for 4.2.0, when we have
the most reasonable opportunity to change default behaviour.


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list