authorAndrew Bartlett <abartlet@samba.org>2017-07-03 11:28:06 +1200
committerAndrew Bartlett <abartlet@samba.org>2017-07-04 06:57:20 +0200
commite23e8d9ff9144dabea8738c9ab28862c5996c9a8 (patch)
treee6b9f084fde320ced184e8213a2989b91ff3e650 /source3/rpc_server/rpc_config.c
parente13b21d9644445636a7657c73f501772ac8d96bf (diff)
downloadsamba-e23e8d9ff9144dabea8738c9ab28862c5996c9a8.tar.gz
s3-rpc_server: Disable the NETLOGON server by default
The NETLOGON server is only needed when the classic/NT4 DC is enabled and has been the source of security issues in the past. Therefore reduce the attack surface. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Diffstat (limited to 'source3/rpc_server/rpc_config.c')
-rw-r--r--source3/rpc_server/rpc_config.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c
index 23c6f88eac4..9ee7ecaf96f 100644
--- a/source3/rpc_server/rpc_config.c
+++ b/source3/rpc_server/rpc_config.c
@@ -47,6 +47,7 @@ enum rpc_service_mode_e rpc_service_mode(const char *name)
const char *rpcsrv_type;
enum rpc_service_mode_e state;
const char *def;
+ enum server_role server_role = lp_server_role();
int i;
/* Handle pipes with multiple names */
@@ -71,6 +72,21 @@ enum rpc_service_mode_e rpc_service_mode(const char *name)
}
}
+ /*
+ * Only enable the netlogon server by default if we are a
+ * classic/NT4 domain controller
+ */
+ if (strcasecmp_m(name, "netlogon") == 0) {
+ switch (server_role) {
+ case ROLE_STANDALONE:
+ case ROLE_DOMAIN_MEMBER:
+ def = "disabled";
+ break;
+ default:
+ break;
+ }
+ }
+
rpcsrv_type = lp_parm_const_string(GLOBAL_SECTION_SNUM,
"rpc_server", pipe_name, def);
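Review bot: The added `switch (server_role)` fails open: `default: break;` keeps the previously chosen default for every role other than ROLE_STANDALONE and ROLE_DOMAIN_MEMBER, while the comment above it promises NETLOGON only on a classic/NT4 domain controller. Any role added to `enum server_role` later would get the NETLOGON server without anyone deciding that. Inverting the switch into an allow-list of ROLE_DOMAIN_PDC and ROLE_DOMAIN_BDC would match the comment and the commit's stated aim of reducing attack surface. Whether ROLE_ACTIVE_DIRECTORY_DC still relies on this source3 server is not visible in the hunk and should be confirmed first. The comment should also say that only the default changes, since an explicit `rpc_server:netlogon` setting still wins through the `lp_parm_const_string()` lookup that follows; the body of rpc_service_mode() starts and ends outside the hunk.

```c
	if (strcasecmp_m(name, "netlogon") == 0) {
		switch (server_role) {
		case ROLE_DOMAIN_PDC:
		case ROLE_DOMAIN_BDC:
			/* classic/NT4 DC: keep the default chosen above */
			break;
		default:
			/* every other role, including ones added later */
			def = "disabled";
			break;
		}
	}
```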