Late security improvements and my work queue
Andrew Bartlett
abartlet at samba.org
Fri Jun 30 20:24:32 UTC 2017
On Fri, 2017-06-30 at 15:34 +0300, Alexander Bokovoy via samba-technical wrote:
> On Fri, 30 Jun 2017, Andrew Bartlett via samba-technical wrote:
> > Just a heads-up, that if I ever get free of ldb locking, I want to try
> > and:
> > - enforce a setting of restrict anonymous = 2 on the AD DC
> > BUG: https://bugzilla.samba.org/show_bug.cgi?id=12775
> > - disable the s3 netlogon server when we are not a DC
>
> Can you explain what you mean by the latter item? Which DC do you mean
> here?
(Not so) long ago, we had a remote root exploit that impacted the
file server because the s3 netlogon server still runs when 'domain
logons = no'.
The impact would have been much smaller if the code could not have been
accessed for the majority of our use case, the standalone or domain
member fileserver.
> FreeIPA heavily relies on s3 netlogon server in this configuration:
>
> [global]
> security = user
> domain master = yes
> domain logons = yes
> rpc_server:epmapper = external
> rpc_server:lsarpc = external
> rpc_server:lsass = external
> rpc_server:lsasd = external
> rpc_server:samr = external
> rpc_server:netlogon = external
> rpc_server:tcpip = yes
> rpc_daemon:epmd = fork
> rpc_daemon:lsasd = fork
Thanks. It will be tricky to use smb.conf defaults for an override on
this then, as they tend to be at the end of processing. I may be out
of time, but just perhaps I'll find a way.
Is there a good way to work out in loadparm if the value was still a
default?
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba