Late security improvements and my work queue

Stefan Metzmacher metze at
Mon Jul 3 06:33:40 UTC 2017

On 03.07.2017 at 06:40, Andrew Bartlett via samba-technical wrote:
> On Fri, 2017-06-30 at 23:11 +1200, Andrew Bartlett via samba-technical
> wrote:
>> Just a heads-up, that if I ever get free of ldb locking, I want to
>> try
>> and:
>>  - enforce a setting of restrict anonymous = 2 on the AD DC
>>    BUG:
> I've not managed this one yet, and it can still be set manually.

No, it's only available on an NT4 DC.

>>  - disable the s3 netlogon server when we are not a DC
>>  - add a way to disable NTLM entirely
>>    BUG:
> Attached are patches (without tests yet) for this.  Please comment. 
> It should be compatible with FreeIPA's use case, it only changes the
> default and the FreeIPA server still appears to be a PDC for the
> schannel case.

I like the attached patches, please also include the
tag for the block ntlm changes. I think if it passes the existing
tests it would be ok to get into master (and 4.7.0rc1),
additional tests can follow later.

I think we can introduce more advanced options like proposed here:
But that can be done after 4.7.0rc1.

