[PATCH] Turn off NETLOGON by default on standalone/member servers
Alexander Bokovoy
ab at samba.org
Mon Jun 13 07:11:13 UTC 2016
On Mon, 13 Jun 2016, Andrew Bartlett wrote:
> On Sun, 2016-06-12 at 10:22 +0200, Volker Lendecke wrote:
> > On Sun, Jun 12, 2016 at 06:37:29PM +1200, Andrew Bartlett wrote:
> > >
> > > Can we change this for 4.5? I think we really should reduce our
> > > attack
> > > surface, and stop offering so many protocols by default.
> > +1. Can we make that a compile-time option such that the NETLOGON
> > code is not even built if all an OEM wants is a file server?
>
> I'm happy to add that when I write up the patch. Any ideas what other
> protocols we want to keep or disable?
>
> spoolss comes to mind in particular, but what about epmapper and
> dssetup?
>
> epmapper appears never to get registration (unless
> rpc_server:register_embedded_np = true), so I think that is safe to
> disable for file servers. (Is it used in FreeIPA somehow?).
FreeIPA heavily relies on using epmapper and lsasd as separate processes.
Below is the typical configuration used by FreeIPA:
# net conf list
[global]
workgroup = IPAF24
netbios name = F24-MASTER
realm = IPA.AD.TEST
kerberos method = dedicated keytab
dedicated keytab file = FILE:/etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
max log size = 100000
log file = /var/log/samba/log.%m
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-IPA-AD-TEST.socket
disable spoolss = yes
ldapsam:trusted = yes
ldap ssl = off
ldap suffix = dc=ipa,dc=ad,dc=test
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork
--
/ Alexander Bokovoy
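The configuration above shows the knob the thread is about: each `rpc_server:<name>` entry says whether a given RPC service runs inside smbd (embedded), in a separate daemon (external), or not at all (disabled), and `disable spoolss` switches the print spooler off. A defender reviewing a file server wants to see at a glance which services are still served in-process. The following audit script is an added example and is not part of this thread or of Samba or FreeIPA; it parses `net conf list` / smb.conf style output and reports the mode of the services named in the discussion. It assumes, for illustration only, that a service with no `rpc_server:` line is embedded by default; the second configuration below is constructed, while the first is the FreeIPA configuration quoted in the message.

```python
"""Audit a Samba [global] configuration for which RPC services run inside smbd.

Added example (not Samba's or FreeIPA's own code). Accepts the text printed by
`net conf list` or the contents of smb.conf.
"""
import re

# Services named in the thread. Treating an unlisted service as "embedded"
# is an assumption of this example, not something the thread states.
SERVICES_OF_INTEREST = ("netlogon", "epmapper", "dssetup", "lsarpc", "samr", "spoolss")

_KV = re.compile(r"^\s*([^=#;]+?)\s*=\s*(.*?)\s*$")


def parse_global(text):
    """Return {key: value} for the [global] section, with keys lower-cased.

    Comment lines (starting with '#' or ';') are skipped, which also drops the
    '# net conf list' prompt line that a pasted listing usually starts with.
    """
    section = None
    cfg = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(("#", ";")):
            continue
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].strip().lower()
            continue
        m = _KV.match(s)
        if m and section == "global":
            cfg[m.group(1).strip().lower()] = m.group(2)
    return cfg


def rpc_service_modes(cfg):
    """Map each service of interest to 'embedded', 'external' or 'disabled'."""
    modes = {}
    for svc in SERVICES_OF_INTEREST:
        modes[svc] = cfg.get(f"rpc_server:{svc}", "embedded").strip().lower()
    # 'disable spoolss = yes' removes the spooler regardless of rpc_server:spoolss
    if cfg.get("disable spoolss", "no").strip().lower() in ("yes", "true", "1"):
        modes["spoolss"] = "disabled"
    return modes


def embedded_services(cfg):
    """Sorted list of services still served in-process by smbd."""
    return sorted(s for s, m in rpc_service_modes(cfg).items() if m == "embedded")


def report(name, text):
    cfg = parse_global(text)
    print(f"== {name} ==")
    for svc, mode in rpc_service_modes(cfg).items():
        print(f"  {svc:<9} {mode}")
    print("  in-process:", ", ".join(embedded_services(cfg)) or "none")


# Configuration quoted in the message above (FreeIPA).
FREEIPA_CONF = """\
# net conf list
[global]
workgroup = IPAF24
netbios name = F24-MASTER
realm = IPA.AD.TEST
security = user
domain master = yes
domain logons = yes
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-IPA-AD-TEST.socket
disable spoolss = yes
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork
"""

# Constructed sample: a plain file server with NETLOGON and spoolss turned off.
FILE_SERVER_CONF = """\
[global]
workgroup = EXAMPLE
security = user
disable spoolss = yes
rpc_server:netlogon = disabled
"""

if __name__ == "__main__":
    report("FreeIPA", FREEIPA_CONF)
    report("file server", FILE_SERVER_CONF)
```

Run it as a script and it prints one table per configuration; for the FreeIPA listing only `dssetup` remains in-process, while the constructed file server still embeds `epmapper`, `lsarpc`, `samr` and `dssetup`, which is the kind of residual surface the thread proposes trimming by default.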