Late security improvements and my work queue
Alexander Bokovoy
ab at samba.org
Fri Jun 30 21:58:25 UTC 2017
On la, 01 heinä 2017, Andrew Bartlett wrote:
> On Fri, 2017-06-30 at 15:34 +0300, Alexander Bokovoy via samba-
> technical wrote:
> > On pe, 30 kesä 2017, Andrew Bartlett via samba-technical wrote:
> > > Just a heads-up, that if I ever get free of ldb locking, I want to try
> > > and:
> > > - enforce a setting of restrict anonymous = 2 on the AD DC
> > > BUG: https://bugzilla.samba.org/show_bug.cgi?id=12775
> > > - disable the s3 netlogon server when we are not a DC
> >
> > Can you explain what you mean by the latter item? Which DC do you mean
> > here?
>
> (Not so) long ago, we had a remote root exploit that impacted the
> file server because the s3 netlogon server still runs when 'domain
> logons = no'.
>
> The impact would have been much smaller if the code could not have been
> accessed for the majority of our use case, the standalone or domain
> member fileserver.
I understand that. I just want to understand how we can legally access
functionality that's needed. ;)
> > FreeIPA heavily relies on s3 netlogon server in this configuration:
> >
> > [global]
> > security = user
> > domain master = yes
> > domain logons = yes
> > rpc_server:epmapper = external
> > rpc_server:lsarpc = external
> > rpc_server:lsass = external
> > rpc_server:lsasd = external
> > rpc_server:samr = external
> > rpc_server:netlogon = external
> > rpc_server:tcpip = yes
> > rpc_daemon:epmd = fork
> > rpc_daemon:lsasd = fork
>
> Thanks. It will be tricky to use smb.conf defaults for an override on
> this then, as they tend to be at the end of processing. I may be out
> of time, but just perhaps I'll find a way.
>
> Is there a good way to work out in loadparm if the value was still a
> default?
We do have store_lp_set_cmdline() and apply_lp_set_cmdline() in s3
loadparm. These are called when we do init_globals().
--
/ Alexander Bokovoy
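As an added illustration of the audit question raised in this thread (which configurations hand netlogon to an external daemon as FreeIPA does, whether "restrict anonymous" is at the value Andrew wants enforced on the DC, and whether a parameter was set explicitly or is still at its default), here is a small smb.conf checker. It is example code written for this archive page, not part of Samba or FreeIPA; the three configuration fragments are constructed, and the default values in DEFAULTS are assumptions to be confirmed against "testparm -v" for the Samba version in use.

```python
import re

# Constructed smb.conf fragments (not taken from any real deployment).
FREEIPA_STYLE = """
[global]
security = user
domain master = yes
domain logons = yes
rpc_server:epmapper = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
"""

MEMBER_STYLE = """
[global]
security = ads
workgroup = EXAMPLE
domain logons = no
restrict anonymous = 0
"""

DC_STYLE = """
[global]
server role = active directory domain controller
restrict anonymous = 2
"""

# Assumed defaults for the keys examined; verify with `testparm -v`.
DEFAULTS = {"domain logons": "no", "restrict anonymous": "0"}


def parse_global(text):
    """Return the [global] section as a dict of normalised key -> value.

    Keys are lower-cased with internal whitespace collapsed so that
    'Domain  Logons' and 'domain logons' compare equal, as loadparm does.
    """
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def audit(text):
    """Summarise the exposure-relevant settings of one smb.conf.

    Note: per the thread, the in-process s3 netlogon server still runs
    with 'domain logons = no', so that setting alone is not a mitigation;
    only 'rpc_server:netlogon = external' moves it out of smbd.
    """
    g = parse_global(text)
    logons_raw = g.get("domain logons", DEFAULTS["domain logons"]).lower()
    netlogon_external = g.get("rpc_server:netlogon", "embedded").lower() == "external"
    restrict_anon = int(g.get("restrict anonymous", DEFAULTS["restrict anonymous"]))
    return {
        "domain_logons": logons_raw in ("yes", "true", "1"),
        "domain_logons_explicit": "domain logons" in g,   # set vs. still default
        "netlogon_in_smbd": not netlogon_external,
        "restrict_anonymous": restrict_anon,
        "restrict_anonymous_ok_for_dc": restrict_anon >= 2,
    }


if __name__ == "__main__":
    for name, cfg in (("freeipa", FREEIPA_STYLE), ("member", MEMBER_STYLE), ("dc", DC_STYLE)):
        print(name, audit(cfg))
```

The "domain_logons_explicit" field is the poor man's answer to "was the value still a default": the parser only knows what the file says, which is exactly why the s3 loadparm hooks mentioned above (store_lp_set_cmdline()/apply_lp_set_cmdline()) are needed to distinguish an explicit setting from one filled in by init_globals().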