[PATCH] Turn off NETLOGON by default on standalone/member servers
Andreas Schneider
asn at samba.org
Mon Jun 13 06:55:45 UTC 2016
On Monday, 13 June 2016 11:54:20 CEST Andrew Bartlett wrote:
> On Sun, 2016-06-12 at 10:22 +0200, Volker Lendecke wrote:
> > On Sun, Jun 12, 2016 at 06:37:29PM +1200, Andrew Bartlett wrote:
> > > Can we change this for 4.5? I think we really should reduce our
> > > attack surface, and stop offering so many protocols by default.
> >
> > +1. Can we make that a compile-time option such that the NETLOGON
> > code is not even built if all an OEM wants is a file server?
>
> I'm happy to add that when I write up the patch. Any ideas what other
> protocols we want to keep or disable?
>
> spoolss comes to mind in particular, but what about epmapper and
> dssetup?
epmd is not running if you don't enable it in the config file.
spoolss can be disabled via a smb.conf option.
>
> epmapper appears never to get registration (unless
> rpc_server:register_embedded_np = true), so I think that is safe to
> disable for file servers. (Is it used in FreeIPA somehow?).
FreeIPA uses the lsasd (lsarpc, samr, netlogon daemon) and epmd to be able to
establish a trust with an AD server.
-- andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org