[PATCH] Turn off NETLOGON by default on standalone/member servers

Andrew Bartlett abartlet at samba.org
Sun Jun 12 23:54:20 UTC 2016


On Sun, 2016-06-12 at 10:22 +0200, Volker Lendecke wrote:
> On Sun, Jun 12, 2016 at 06:37:29PM +1200, Andrew Bartlett wrote:
> > 
> > Can we change this for 4.5?  I think we really should reduce our
> > attack surface, and stop offering so many protocols by default.
> +1. Can we make that a compile-time option such that the NETLOGON
> code is not even built if all an OEM wants is a file server?

I'm happy to add that when I write up the patch. Any ideas what other
protocols we want to keep or disable?

spoolss comes to mind in particular, but what about epmapper and
dssetup?  

epmapper appears never to get registration (unless
rpc_server:register_embedded_np = true), so I think that is safe to
disable for file servers.  (Is it used in FreeIPA somehow?).

Otherwise, perhaps we list what Apple exposes and use that as a guide
for what we really should leave on file servers?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
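A defender-side check for the question raised above (which RPC services a non-DC Samba host still exposes), as an added example that is not part of the original message or of Samba's own code. It parses an smb.conf fragment and reports the mode of the four services named in the thread. It assumes the `rpc_server:<service> = embedded|external|disabled` parametric options, treats a service with no setting as embedded (an assumed default), and uses a constructed sample configuration; the `server role` values it recognises are the ones smb.conf documents.

```python
"""smb.conf RPC-exposure audit.

Added example for this thread, not Samba project code.  It assumes the
"rpc_server:<service> = embedded|external|disabled" parametric options and
treats an unset service as embedded (assumed default).  The sample
configuration below is constructed for illustration.
"""
import re

# Services named in the thread as candidates for disabling on file servers.
RPC_SERVICES = ("netlogon", "spoolss", "epmapper", "dssetup")
VALID_MODES = {"embedded", "external", "disabled"}
# Roles on which NETLOGON is a required service rather than attack surface.
DC_ROLES = {
    "active directory domain controller",
    "classic primary domain controller",
    "classic backup domain controller",
}

# Constructed sample smb.conf for a domain member file server.
SAMPLE_SMB_CONF = """\
# constructed sample, not a real deployment
[global]
    workgroup = EXAMPLE
    server role = member server
    security = ads
    rpc_server:spoolss = disabled
    rpc_server:epmapper = disabled
    ; netlogon and dssetup deliberately left at their defaults

[data]
    path = /srv/data
    read only = no
"""


def _normalize_key(key):
    """Parameter names are case-insensitive; whitespace in them is ignored."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section: {normalized_key: value}} for an smb.conf string.

    Handles '#' and ';' comments, [section] headers and 'key = value' lines.
    'include' and 'config file' directives are out of scope for this check.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # parameter outside any section: ignore it
        key, value = line.split("=", 1)
        sections[current][_normalize_key(key)] = value.strip()
    return sections


def rpc_service_modes(conf, default_mode="embedded"):
    """Map each audited service to its rpc_server mode (unset => default_mode)."""
    glob = conf.get("global", {})
    modes = {}
    for svc in RPC_SERVICES:
        mode = glob.get("rpc_server:" + svc, default_mode).strip().lower()
        if mode not in VALID_MODES:
            raise ValueError("unknown rpc_server mode for %s: %r" % (svc, mode))
        modes[svc] = mode
    return modes


def audit(text):
    """Return {'role', 'modes', 'findings'} for the host described by text.

    'findings' lists audited services that are still served.  NETLOGON is
    only reported when the role is not a domain controller role, since DCs
    must offer it; 'auto' is treated like a standalone server here.
    """
    conf = parse_smb_conf(text)
    role = conf.get("global", {}).get("serverrole", "auto").lower()
    modes = rpc_service_modes(conf)
    findings = []
    for svc, mode in sorted(modes.items()):
        if mode == "disabled":
            continue
        if svc == "netlogon" and role in DC_ROLES:
            continue
        findings.append(svc)
    return {"role": role, "modes": modes, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_SMB_CONF)
    print("server role:", result["role"])
    for svc in result["findings"]:
        print("still served:", svc, "(" + result["modes"][svc] + ")")
```

Run against the sample, the audit flags `dssetup` and `netlogon` as still served on a member server while `spoolss` and `epmapper` are disabled; swapping the role to a DC role drops `netlogon` from the findings. To apply it to a real host, feed it the output of `testparm -s` rather than the raw file so that includes and defaults are already resolved.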