[PATCH] Turn off NETLOGON by default on standalone/member servers

Jeremy Allison jra at samba.org
Thu Feb 26 09:38:54 MST 2015


On Thu, Feb 26, 2015 at 09:44:40PM +1300, Andrew Bartlett wrote:
> On Wed, 2015-02-25 at 20:07 -0800, Richard Sharpe wrote:
> 
> > 
> > Actually, I did not understand. Now that I have looked at MS-NRPC, it
> > seems to me that a Domain Member can only ever be a NETLOGON client
> > and should never function as a NETLOGON server.
> > 
> > Perhaps I am wrong.
> > 
> > In the case of a client trying to authenticate against a local account
> > on the member server, NETLOGON does not get involved at all, it would
> > seem, since there is no need for pass through auth.
> > 
> > Again, perhaps I am wrong.
> 
> This is the position I would take.  I've looked over the calls, and
> there are only 3 or so in source3 that are even able to be called
> without netlogon credentials, and I've never seen them being called. 
> 
> For the longest time, we have quite rightly followed a lead of 'what
> Microsoft does', but I think we should be more proactive and reduce our
> attack surface. 
> 
> But that is also why I was proposing this now, for 4.2.0, when we have
> the most reasonable opportunity to change default behaviour.

I think this change is too late for 4.2.0, as we don't know
what it might break.

Let's ship 4.2.0, then add it in to give lead time for 4.3.0.
