[PATCH] Turn off NETLOGON by default on standalone/member servers
Richard Sharpe
realrichardsharpe at gmail.com
Wed Feb 25 21:07:12 MST 2015
On Wed, Feb 25, 2015 at 7:46 PM, Simo <simo at samba.org> wrote:
> On Wed, 2015-02-25 at 19:37 -0800, Richard Sharpe wrote:
>> On Wed, Feb 25, 2015 at 7:33 PM, Simo <simo at samba.org> wrote:
>> > On Wed, 2015-02-25 at 16:39 -0800, Jeremy Allison wrote:
>> >> On Tue, Feb 24, 2015 at 02:17:27PM +1300, Andrew Bartlett wrote:
>> >> > Our security advisory at
>> >> > https://www.samba.org/samba/security/CVE-2015-0240 suggests
>> >> >
>> >> > >
>> >> > > ==========
>> >> > > Workaround
>> >> > > ==========
>> >> > >
>> >> > > On Samba versions 4.0.0 and above, add the line:
>> >> > >
>> >> > > rpc_server:netlogon=disabled
>> >> > >
>> >> > > to the [global] section of your smb.conf.
>> >> >
>> >> > This patch enforces that, turning off NETLOGON when we are not a DC.
>> >> >
>> >> > Jeremy,
>> >> >
>> >> > Can you check this doesn't break anything? (I'm running an autobuild,
>> >> > but I'm not sure that will find anything much for this).
>> >>
>> >> Hmmm. It *looks* right, but how can I check it doesn't
>> >> break anything ? Might Windows clients make netlogon
>> >> requests to member servers ? I can't think of a reason
>> >> it should be running but at least in a Windows network
>> >> the netlogon service still runs on member servers.
>> >
>> > They may want to log in/deal with local member server accounts ?
>> > Like the local Administrator account ?
>>
>> Doesn't that come through SessionSetup?
>
> For actual user authentication yes, sorry I expressed myself poorly,
> what I was pointing at was the use of local administrative accounts to
> deal with administration functions exposed via Netlogon.
>
> Afaik the services defined by MS-NRPC 2.2.1.7 are exposed also on
> members via netlogon, I may be wrong, haven't looked into it in a long
> time.
Actually, I did not understand. Now that I have looked at MS-NRPC, it
seems to me that a Domain Member can only ever be a NETLOGON client
and should never function as a NETLOGON server.
Perhaps I am wrong.
In the case of a client trying to authenticate against a local account
on the member server, NETLOGON does not get involved at all, it would
seem, since there is no need for pass through auth.
Again, perhaps I am wrong.
--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
More information about the samba-technical
mailing list