[PATCH] Turn off NETLOGON by default on standalone/member servers
abartlet at samba.org
Sun Jun 12 06:37:29 UTC 2016
On Thu, 2015-02-26 at 08:38 -0800, Jeremy Allison wrote:
> On Thu, Feb 26, 2015 at 09:44:40PM +1300, Andrew Bartlett wrote:
> > On Wed, 2015-02-25 at 20:07 -0800, Richard Sharpe wrote:
> > >
> > > Actually, I did not understand. Now that I have looked at MS-NRPC, it
> > > seems to me that a Domain Member can only ever be a NETLOGON client
> > > and should never function as a NETLOGON server.
> > >
> > > Perhaps I am wrong.
> > >
> > > In the case of a client trying to authenticate against a local account
> > > on the member server, NETLOGON does not get involved at all, it would
> > > seem, since there is no need for pass through auth.
> > >
> > > Again, perhaps I am wrong.
> > This is the position I would take. I've looked over the calls, and
> > there are only 3 or so in source3 that are even able to be called
> > without netlogon credentials, and I've never seen them being called.
> >
> > For the longest time, we have quite rightly followed a lead of 'what
> > Microsoft does', but I think we should be more proactive and reduce our
> > attack surface.
> >
> > But that is also why I was proposing this now, for 4.2.0, when we have
> > the most reasonable opportunity to change default behaviour.
> I think this change is too late for 4.2.0, as we don't know
> what it might break.
>
> Let's ship 4.2.0, then add it in to give lead time for 4.3.0.
Can we change this for 4.5? I think we really should reduce our attack
surface, and stop offering so many protocols by default.

With the changes we made around unencrypted LDAP, we have started to
lead Microsoft in setting security defaults, and this seems a
reasonable place to continue doing that.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba