[PATCH] Turn off NETLOGON by default on standalone/member servers

Andreas Schneider asn at samba.org
Mon Jun 13 06:55:45 UTC 2016

On Monday, 13 June 2016 11:54:20 CEST Andrew Bartlett wrote:
> On Sun, 2016-06-12 at 10:22 +0200, Volker Lendecke wrote:
> > On Sun, Jun 12, 2016 at 06:37:29PM +1200, Andrew Bartlett wrote:
> > > Can we change this for 4.5?  I think we really should reduce our
> > > attack
> > > surface, and stop offering so many protocols by default.  
> > 
> > +1. Can we make that a compile-time option such that the NETLOGON
> > code is not even built if all an OEM wants is a file server?
> I'm happy to add that when I write up the patch. Any ideas what other
> protocols we want to keep or disable?
> spoolss comes to mind in particular, but what about epmapper and
> dssetup?

epmd is not running if you don't enable it in the config file.
spoolss can be disabled via a smb.conf option.

> epmapper appears never to get registration (unless
> rpc_server:register_embedded_np = true), so I think that is safe to
> disable for file servers.  (Is it used in FreeIPA somehow?).

FreeIPA uses the lsasd (lsarpc, samr, netlogon daemon) and epmd to be able to 
establish a trust with an AD server.

	-- andreas

Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
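A concrete smb.conf fragment for a standalone or member file server that disables the services discussed in this thread, added here as an illustration (it is not part of the thread and not Samba's own recommended template). `disable spoolss`, `load printers` and `printcap name` are documented in smb.conf(5); the `rpc_server:*` lines follow the parametric-option convention seen above (`rpc_server:register_embedded_np`), and the exact names for epmapper and netlogon are an assumption to confirm against the smb.conf(5) of the Samba version in use.

```ini
[global]
    server role = standalone server
    workgroup = WORKGROUP

    # Keep the printing subsystem (spoolss) from being offered at all.
    # Without these, Samba loads the system printcap and exposes spoolss
    # to every client that connects. (documented options)
    load printers = no
    printcap name = /dev/null
    disable spoolss = yes

    # Endpoint mapper: never start epmd for a pure file server.
    # (assumed parametric option names; verify with testparm)
    rpc_server:epmapper = disabled
    rpc_daemon:epmd = disabled

    # Do not register embedded named pipes with the endpoint mapper.
    rpc_server:register_embedded_np = false

    # NETLOGON is only needed on domain controllers; a member or
    # standalone server has no reason to answer it. (assumed name)
    rpc_server:netlogon = disabled

[data]
    path = /srv/samba/data
    read only = no
```

After editing, run `testparm -s` to check that every option parses on your version (an unknown parametric option is silently ignored rather than rejected, so also check `testparm -v | grep -i -e spoolss -e epmapper`), then confirm from a client that the printing and endpoint-mapper pipes are no longer reachable, for example with `rpcclient -U user //server -c 'enumprinters'`, which should now fail instead of returning a printer list.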
