Given PrintNightmare, should spoolss go the way of SMB1: off by default?

ronnie sahlberg ronniesahlberg at
Thu Jul 1 02:06:07 UTC 2021

On Thu, Jul 1, 2021 at 11:58 AM Andrew Bartlett via samba-technical
<samba-technical at> wrote:
> G'Day all,
> It seems the current keep-the-sysadmin-up-at-night is a thing called
> PrintNightmare (CVE-2021-1675):
> Hopefully this doesn't read on Samba, nobody really knows the details
> right now, and if you find out please mail the Samba security alias
> with the details of how and we will deal with that confidentially.
> But the public question I have is this:  For Samba 4.15, can we set
> 'disable spoolss = true' by default please?
> I love printing just as much as any other team member (joke!), but we
> have a lot of juicy code in printing that many use cases don't need.
> When the next printing exploit comes our way, it would be nice if like
> SMB1, many of our installs have it turned off already.
> What do folks think?


I don't work on that codebase so take my input for what it is or ignore it.
Do people still need/use smb/dcerpc based printers in 2021?

Since it is a huge codebase, that runs as root, where I assume there
is no one actively working on,
and where for end-users there are much better solutions in the last 20
years anyway;

I suggest : disabling it by default sounds like the right thing to do.
And maybe deleting it at a later stage.

ronnie sahlberg

> Andrew Bartlett
> --
> Andrew Bartlett (he/him)
> Samba Team Member (since 2001)
> Samba Team Lead, Catalyst IT
> Samba Development and Support, Catalyst IT - Expert Open Source
> Solutions

More information about the samba-technical mailing list