The Samba-Bugzilla – Attachment 13340 Details for Bug 12870: No way to disable the NETLOGON server on the file server
Description: patch for master
Filename: disable-netlogon.patch.txt
MIME Type: text/plain
Creator: Andrew Bartlett
Created: 2017-07-03 04:35:06 UTC
Size: 3.17 KB
Attachment flags: patch, obsolete
>From 35242f231285989bb7f5d3fe66fd743464b4b6a7 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 3 Jul 2017 11:28:06 +1200 >Subject: [PATCH 1/2] s3-rpc_server: Disable the NETLOGON server by default > >The NETLOGON server is only needed when the classic/NT4 DC is enabled >and has been the source of security issues in the past. Therefore >reduce the attack surface. > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > source3/rpc_server/rpc_config.c | 14 +++++++++++++- > 1 file changed, 13 insertions(+), 1 deletion(-) > >diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c >index 23c6f88eac4..01e338e1a89 100644 >--- a/source3/rpc_server/rpc_config.c >+++ b/source3/rpc_server/rpc_config.c >@@ -96,6 +96,7 @@ struct rpc_daemon_defaults { > const char *def_type; > } rpc_daemon_defaults[] = { > { "epmd", "disabled" }, >+ { "netlogon", "disabled" }, > /* { "spoolssd", "embedded" }, */ > /* { "lsasd", "embedded" }, */ > { "fssd", "disabled" }, >@@ -109,7 +110,8 @@ enum rpc_daemon_type_e rpc_daemon_type(const char *name) > enum rpc_daemon_type_e type; > const char *def; > int i; >- >+ enum server_role server_role = lp_server_role(); >+ > def = "embedded"; > for (i = 0; rpc_daemon_defaults[i].name; i++) { > if (strcasecmp_m(name, rpc_daemon_defaults[i].name) == 0) { >@@ -117,6 +119,16 @@ enum rpc_daemon_type_e rpc_daemon_type(const char *name) > } > } > >+ /* >+ * Only enable the netlogon server by default if we are a >+ * classic/NT4 domain controller >+ */ >+ if ((strcasecmp_m(name, "netlogon") == 0) && >+ (server_role == ROLE_DOMAIN_BDC || >+ server_role == ROLE_DOMAIN_PDC)) { >+ def = "embedded"; >+ } >+ > rpcsrv_type = lp_parm_const_string(GLOBAL_SECTION_SNUM, > "rpc_daemon", name, def); > >-- >2.11.0 > > >From 77631c85eaa91e9e6fc0932015a95f37cfaf65bd Mon Sep 17 00:00:00 2001 
>From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 3 Jul 2017 13:10:35 +1200 >Subject: [PATCH 2/2] auth: Disable SChannel authentication if we are not a DC > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > auth/gensec/schannel.c | 17 ++++++++++++++++- > 1 file changed, 16 insertions(+), 1 deletion(-) > >diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c >index 41f635182cf..c018ec608de 100644 >--- a/auth/gensec/schannel.c >+++ b/auth/gensec/schannel.c >@@ -34,6 +34,7 @@ > #include "param/param.h" > #include "auth/gensec/gensec_toplevel_proto.h" > #include "lib/crypto/crypto.h" >+#include "libds/common/roles.h" > > struct schannel_state { > struct gensec_security *gensec; >@@ -723,9 +724,23 @@ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security, > return NT_STATUS_OK; > } > >+/* >+ * Reduce the attack surface by ensuring schannel is not availble when >+ * we are not a DC >+ */ > static NTSTATUS schannel_server_start(struct gensec_security *gensec_security) > { >- return NT_STATUS_OK; >+ enum server_role server_role >+ = lpcfg_server_role(gensec_security->settings->lp_ctx); >+ >+ switch (server_role) { >+ case ROLE_DOMAIN_BDC: >+ case ROLE_DOMAIN_PDC: >+ case ROLE_ACTIVE_DIRECTORY_DC: >+ return NT_STATUS_OK; >+ default: >+ return NT_STATUS_NOT_IMPLEMENTED; >+ } > } > > static NTSTATUS schannel_client_start(struct gensec_security *gensec_security) >-- >2.11.0 >
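Review bot: in patch 1/2, hunk @@ -96,6 +96,7 @@, the new { "netlogon", "disabled" } entry in rpc_daemon_defaults[] tells only half the story, because the role check added further down in rpc_daemon_type() switches the default back to "embedded" on a classic PDC/BDC; a one-line comment on the table entry (e.g. /* re-enabled for classic DCs below in rpc_daemon_type() */) would keep someone reading the table alone from concluding that NETLOGON is always off.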
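Review bot: in patch 1/2, hunk @@ -109,7 +110,8 @@, lp_server_role() is now evaluated on every rpc_daemon_type() lookup, although server_role is only consulted in the netlogon special case added in the next hunk; declaring and assigning it inside the if block that uses it keeps the role dependency local to the one daemon whose default it changes and leaves the common path of the function untouched.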
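Review bot: in patch 1/2, hunk @@ -117,6 +119,16 @@, the role list that re-enables NETLOGON (ROLE_DOMAIN_BDC, ROLE_DOMAIN_PDC) differs from the list in schannel_server_start() in patch 2/2, which also accepts ROLE_ACTIVE_DIRECTORY_DC; if the omission here is deliberate, the new comment block should say so. Since this changes a shipped default, the commit message should also spell out that an administrator can still force the old behaviour through the parametric option looked up by lp_parm_const_string(GLOBAL_SECTION_SNUM, "rpc_daemon", name, def) just below, i.e. rpc_daemon:netlogon = embedded in smb.conf, and the change deserves a release-notes entry.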
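Review bot: in patch 2/2, hunk @@ -723,9 +724,23 @@, the new comment has a typo ("availble" should be "available"), and returning NT_STATUS_NOT_IMPLEMENTED for a non-DC role reads as missing code rather than a deliberate policy refusal; a status such as NT_STATUS_NOT_SUPPORTED together with a DEBUG line naming the role would make the refusal diagnosable from the logs. Unlike patch 1/2 there is no smb.conf override here, so a member server that re-enables the NETLOGON server via rpc_daemon:netlogon will still have schannel refused; that interaction and the attack-surface rationale belong in the commit message, which currently has no body beyond the subject line.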