[PATCH] Turn off NETLOGON by default on standalone/member servers
abartlet at samba.org
Sun Jun 12 23:54:20 UTC 2016
On Sun, 2016-06-12 at 10:22 +0200, Volker Lendecke wrote:
> On Sun, Jun 12, 2016 at 06:37:29PM +1200, Andrew Bartlett wrote:
> > Can we change this for 4.5? I think we really should reduce our
> > attack surface, and stop offering so many protocols by default.
> +1. Can we make that a compile-time option such that the NETLOGON
> code is not even built if all an OEM wants is a file server?
I'm happy to add that when I write up the patch. Any ideas what other
protocols we want to keep or disable?
spoolss comes to mind in particular, but what about epmapper and
epmapper appears never to get registration (unless
rpc_server:register_embedded_np = true), so I think that is safe to
disable for file servers. (Is it used in FreeIPA somehow?).
Otherwise, perhaps we list what Apple exposes and use that as a guide
for what we really should leave on file servers?
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT