Bug 14207 - S3 SAMR server et al (correctly not) available on the Samba AD DC
Summary: S3 SAMR server et al (correctly not) available on the Samba AD DC
Status: RESOLVED INVALID
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.11.2
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-29 04:48 UTC by Andrew Bartlett
Modified: 2019-12-02 21:23 UTC (History)
2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Bartlett 2019-11-29 04:48:51 UTC 
It appears that the 'source3' SAMR server is available while the AD DC is configured.

This could allow access to (say) change a password under less strict access control than the AD DC is enforcing. 

Thankfully some access control appears to be in place, the same as found in a 'NT4-like' domain.

Found by Andrew Bartlett and Samuel Cabrero during discussions about the new RPC server stack. 

We need to work out if we have exposed anything catastrophic before we remove the embargo here.
Comment 1 Andrew Bartlett 2019-12-01 23:45:46 UTC 
A further investigation appears to show that the s3 rpc servers are not registered in this case, so they can't be accessed under any pipe name. 

I expect to un-embargo and close this soon.
Comment 2 Samuel Cabrero 2019-12-02 10:13:49 UTC 
When running as AD DC, the lp_enforce_ad_dc_settings() function sets the default service mode as external except for svcctl, srvsvc, eventlog, ntsvcs, winreg and spoolss which remain embedded. Then the rpc_setup_*() functions won't register the external s3 services, only the embedded ones.
Comment 3 Andrew Bartlett 2019-12-02 21:23:34 UTC 
Closing as invalid.  Thanks!