Late security improvements and my work queue

Andrew Bartlett abartlet at
Fri Jun 30 20:24:32 UTC 2017

On Fri, 2017-06-30 at 15:34 +0300, Alexander Bokovoy via samba-
technical wrote:
> On pe, 30 kesä 2017, Andrew Bartlett via samba-technical wrote:
> > Just a heads-up, that if I ever get free of ldb locking, I want to try
> > and:
> >  - enforce a setting of restrict anonymous = 2 on the AD DC
> >    BUG:
> >  - disable the s3 netlogon server when we are not a DC
> Can you explain what do you mean by the latter item? What DC you mean
> here?

(Not so) long ago, we had a remote root exploit that impacted on the
file sever because the s3 netlogon server still runs when 'domain
logons = no'.  

The impact would have been much smaller if the code could not have been
accessed for the majority of our use case, the standlone or domain
member fileserver.

> FreeIPA heavily relies on s3 netlogon server in this configuration:
> [global]
>   security = user
>   domain master = yes
>   domain logons = yes
>   rpc_server:epmapper = external
>   rpc_server:lsarpc = external
>   rpc_server:lsass = external
>   rpc_server:lsasd = external
>   rpc_server:samr = external
>   rpc_server:netlogon = external
>   rpc_server:tcpip = yes
>   rpc_daemon:epmd = fork
>   rpc_daemon:lsasd = fork

Thanks.  It will be tricky to use smb.conf defaults for an override on
this then, as they tend to be at the end of processing.  I may be out
of time, but just perhaps I'll find a way.

Is there a good way to work out in loadparm if the value was still a


Andrew Bartlett

Andrew Bartlett             
Authentication Developer, Samba Team
Samba Developer, Catalyst IT

More information about the samba-technical mailing list