[Samba] Flooding Samba DC with random requests

Julian Zielke jzielke at next-level-integration.com
Tue Apr 25 12:45:08 UTC 2017 

OK Thanks for your advise.

- Julian

-----Ursprüngliche Nachricht-----
Von: Rowland Penny [mailto:rpenny at samba.org]
Gesendet: Dienstag, 25. April 2017 14:41
An: samba at lists.samba.org
Cc: Julian Zielke <jzielke at next-level-integration.com>
Betreff: Re: [Samba] Flooding Samba DC with random requests

On Tue, 25 Apr 2017 12:07:35 +0000
Julian Zielke via samba <samba at lists.samba.org> wrote:

> Smb.conf on our clients:
> ==================
> #Ansible managed
> # global options
> [global]
>   workgroup = NLI
>   realm = NLI.LOCAL
>   netbios name = xxxxxx
>   server string = Samba AD Client Version %v
>   security = ads
>   password server = dc3.nli.local, dc4.nli.local, dc2.nli.local,
> dc1.nli.local, * server role = member server
>   socket options = TCP_NODELAY SO_KEEPALIVE=4
>   deadtime = 15
>
> # winbind options
>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind refresh tickets = yes
>   winbind offline logon = true
>   winbind nested groups = yes
>   winbind use default domain = yes
>   winbind cache time = 300
>
>   winbind nss info = template
>   template shell = /bin/bash
>   template homedir = /home/NLI.LOCAL/%U
>
> # local user id mapping
>   idmap config * : backend = tdb
>   idmap config * : range = 3000-7999
>
> # domain user id mapping
>   idmap config NLI : backend = rid
>   idmap config NLI : range = 10000-999999
>
> # log configuration
>   log file = /var/log/samba/log.%m
>   log level = 1
>   max log size = 1000
>
> # root to domain admin mapping
>   username map = /etc/samba/user.map

It is probably as Andrew has said, but I would make a few changes to the clients smb.conf:
Remove the  'password server' line, you should allow the client to find the DC via DNS Remove the 'socket options' line, this really isn't required now.
Remove the 'winbind enum' lines, you definitely don't need these.

Rowland

Wichtiger Hinweis: Der Inhalt dieser E-Mail ist vertraulich und ausschließlich für den bezeichneten Adressaten bestimmt. Wenn Sie nicht der vorgesehene Adressat dieser E-Mail oder dessen Vertreter sein sollten, so beachten Sie bitte, dass jede Form der Kenntnisnahme, Veröffentlichung, Vervielfältigung oder Weitergabe des Inhalts dieser E-Mail unzulässig ist. Wir bitten Sie, sich in diesem Fall mit dem Absender der E-Mail in Verbindung zu setzen. Wir möchten Sie außerdem darauf hinweisen, dass die Kommunikation per E-Mail über das Internet unsicher ist, da für unberechtigte Dritte grundsätzlich die Möglichkeit der Kenntnisnahme und Manipulation besteht

Important Note: The information contained in this e-mail is confidential. It is intended solely for the addressee. Access to this e-mail by anyone else is unauthorized. If you are not the intended recipient, any form of disclosure, reproduction, distribution or any action taken or refrained from in reliance on it, is prohibited and may be unlawful. Please notify the sender immediately. We also would like to inform you that communication via e-mail over the internet is insecure because third parties may have the possibility to access and manipulate e-mails.

More information about the samba mailing list