Commit e23e8d9f authored by Andrew Bartlett's avatar Andrew Bartlett

s3-rpc_server: Disable the NETLOGON server by default

The NETLOGON server is only needed when the classic/NT4 DC is enabled
and has been the source of security issues in the past.  Therefore
reduce the attack surface.
Signed-off-by: default avatarAndrew Bartlett <abartlet@samba.org>
Reviewed-by: default avatarGarming Sam <garming@catalyst.net.nz>
parent e13b21d9
......@@ -336,3 +336,7 @@
# We currently don't send referrals for LDAP modify of non-replicated attrs
^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_kerberos
# NETLOGON is disabled in any non-DC environments
^samba.tests.netlogonsvc.python\(ad_member\)
^samba.tests.netlogonsvc.python\(simpleserver\)
^samba.tests.netlogonsvc.python\(fileserver\)
......@@ -47,6 +47,7 @@ enum rpc_service_mode_e rpc_service_mode(const char *name)
const char *rpcsrv_type;
enum rpc_service_mode_e state;
const char *def;
enum server_role server_role = lp_server_role();
int i;
/* Handle pipes with multiple names */
......@@ -71,6 +72,21 @@ enum rpc_service_mode_e rpc_service_mode(const char *name)
}
}
/*
* Only enable the netlogon server by default if we are a
* classic/NT4 domain controller
*/
if (strcasecmp_m(name, "netlogon") == 0) {
switch (server_role) {
case ROLE_STANDALONE:
case ROLE_DOMAIN_MEMBER:
def = "disabled";
break;
default:
break;
}
}
rpcsrv_type = lp_parm_const_string(GLOBAL_SECTION_SNUM,
"rpc_server", pipe_name, def);
......
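Review bot: The new netlogon check in `rpc_service_mode()` is written as a deny-list: it sets `def = "disabled";` only under `case ROLE_STANDALONE:` and `case ROLE_DOMAIN_MEMBER:`, while `default: break;` leaves the service at its previous default for every other role, including any value added to `enum server_role` later. The comment above it states the opposite policy ("Only enable the netlogon server by default if we are a classic/NT4 domain controller"), so the code and the comment disagree about which roles keep NETLOGON. For an attack-surface reduction the fail-closed form is safer: make the roles that need the service the `case` labels that leave `def` alone and move `def = "disabled";` under `default:`. If the other roles must stay enabled, reword the comment to `/* Disable the netlogon server by default on standalone and domain-member servers */`. The override also appears to run after the generic default lookup that closes just above it, so it would replace a site-wide default as well; that is worth stating in the comment, though the function body starts and ends outside the hunk and this cannot be confirmed from here.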