Given PrintNightmare, should spoolss go the way of SMB1: off by default?

Andrew Bartlett abartlet at
Mon Jul 26 18:09:40 UTC 2021

I'm quite swamped right now, so could another team member please take
on the task of flipping this default for Samba 4.15 please?


Andrew Bartlett

On Fri, 2021-07-02 at 13:26 +1200, Andrew Bartlett via samba-technical
> On Wed, 2021-06-30 at 23:39 -0400, Andrew Walker wrote:
> > We've had it disabled in FreeNAS for ages. I think it's an easy /
> > quick win to reduce default exposed attack surface. 
> Any chance you could work on the patch to disable this for the next
> release?
> I can help advise, but just need to be careful what I promise to
> invest
> my own time into.
> We could add an alias with a easy to explain name, but I'll settle
> for
> the default being changed, selftest still working and this all
> documented etc.
> We do need to double-check that it makes all printing code
> inaccessible, via all methods.  (The manpage is a lie these days, as
> everything should go via spoolss under the hood, but do check). 
> I would love, later, if we could actually compile out the printing
> code, like we can compile out the AD DC. 
> Andrew Bartlett
Andrew Bartlett (he/him)
Samba Team Member (since 2001)
Samba Team Lead, Catalyst IT

Samba Development and Support, Catalyst IT - Expert Open Source

More information about the samba-technical mailing list