Attachment 13340 Details for Bug 12870 – patch for master

patch for master

disable-netlogon.patch.txt (text/plain), 3.17 KB, created by Andrew Bartlett on 2017-07-03 04:35:06 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Andrew Bartlett

Created: 2017-07-03 04:35:06 UTC

Size: 3.17 KB

patch

obsolete

>From 35242f231285989bb7f5d3fe66fd743464b4b6a7 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Mon, 3 Jul 2017 11:28:06 +1200
>Subject: [PATCH 1/2] s3-rpc_server: Disable the NETLOGON server by default
>
>The NETLOGON server is only needed when the classic/NT4 DC is enabled
>and has been the source of security issues in the past.  Therefore
>reduce the attack surface.
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>---
> source3/rpc_server/rpc_config.c | 14 +++++++++++++-
> 1 file changed, 13 insertions(+), 1 deletion(-)
>
>diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c
>index 23c6f88eac4..01e338e1a89 100644
>--- a/source3/rpc_server/rpc_config.c
>+++ b/source3/rpc_server/rpc_config.c
>@@ -96,6 +96,7 @@ struct rpc_daemon_defaults {
> 	const char *def_type;
> } rpc_daemon_defaults[] = {
> 	{ "epmd", "disabled" },
>+	{ "netlogon", "disabled" },
> 	/* { "spoolssd", "embedded" }, */
> 	/* { "lsasd", "embedded" }, */
> 	{ "fssd", "disabled" },
>@@ -109,7 +110,8 @@ enum rpc_daemon_type_e rpc_daemon_type(const char *name)
> 	enum rpc_daemon_type_e type;
> 	const char *def;
> 	int i;
>-
>+	enum server_role server_role = lp_server_role();
>+	
> 	def = "embedded";
> 	for (i = 0; rpc_daemon_defaults[i].name; i++) {
> 		if (strcasecmp_m(name, rpc_daemon_defaults[i].name) == 0) {
>@@ -117,6 +119,16 @@ enum rpc_daemon_type_e rpc_daemon_type(const char *name)
> 		}
> 	}
> 
>+	/*
>+	 * Only enable the netlogon server by default if we are a
>+	 * classic/NT4 domain controller
>+	 */
>+	if ((strcasecmp_m(name, "netlogon") == 0) &&
>+	    (server_role == ROLE_DOMAIN_BDC ||
>+	     server_role == ROLE_DOMAIN_PDC)) {
>+		def = "embedded";
>+	}
>+
> 	rpcsrv_type = lp_parm_const_string(GLOBAL_SECTION_SNUM,
> 					   "rpc_daemon", name, def);
> 
>-- 
>2.11.0
>
>
>From 77631c85eaa91e9e6fc0932015a95f37cfaf65bd Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Mon, 3 Jul 2017 13:10:35 +1200
>Subject: [PATCH 2/2] auth: Disable SChannel authentication if we are not a DC
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>---
> auth/gensec/schannel.c | 17 ++++++++++++++++-
> 1 file changed, 16 insertions(+), 1 deletion(-)
>
>diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
>index 41f635182cf..c018ec608de 100644
>--- a/auth/gensec/schannel.c
>+++ b/auth/gensec/schannel.c
>@@ -34,6 +34,7 @@
> #include "param/param.h"
> #include "auth/gensec/gensec_toplevel_proto.h"
> #include "lib/crypto/crypto.h"
>+#include "libds/common/roles.h"
> 
> struct schannel_state {
> 	struct gensec_security *gensec;
>@@ -723,9 +724,23 @@ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
> 	return NT_STATUS_OK;
> }
> 
>+/* 
>+ * Reduce the attack surface by ensuring schannel is not availble when
>+ * we are not a DC 
>+ */
> static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
> {
>-	return NT_STATUS_OK;
>+	enum server_role server_role
>+		= lpcfg_server_role(gensec_security->settings->lp_ctx);
>+
>+	switch (server_role) {
>+	case ROLE_DOMAIN_BDC:
>+	case ROLE_DOMAIN_PDC:
>+	case ROLE_ACTIVE_DIRECTORY_DC:
>+		return NT_STATUS_OK;
>+	default:
>+		return NT_STATUS_NOT_IMPLEMENTED;
>+	}
> }
> 
> static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
>-- 
>2.11.0
>

Actions: View

Attachments on bug 12870: 13340