[PATCH] Turn off NETLOGON by default on standalone/member servers
Andrew Bartlett
abartlet at samba.org
Thu Feb 26 01:44:40 MST 2015
On Wed, 2015-02-25 at 20:07 -0800, Richard Sharpe wrote:
>
> Actually, I did not understand. Now that I have looked at MS-NRPC, it
> seems to me that a Domain Member can only ever be a NETLOGON client
> and should never function as a NETLOGON server.
>
> Perhaps I am wrong.
>
> In the case of a client trying to authenticate against a local account
> on the member server, NETLOGON does not get involved at all, it would
> seem, since there is no need for pass through auth.
>
> Again, perhaps I am wrong.
This is the position I would take. I've looked over the calls, and
there are only 3 or so in source3 that are even able to be called
without netlogon credentials, and I've never seen them being called.
For the longest time, we have quite rightly followed a lead of 'what
Microsoft does', but I think we should be more proactive and reduce our
attack surface.
But that is also why I was proposing this now, for 4.2.0, when we have
the most reasonable opportunity to change default behaviour.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba