author | Andrew Bartlett <abartlet@samba.org> | 2017-07-03 11:28:06 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-07-04 06:57:20 +0200 |
commit | e23e8d9ff9144dabea8738c9ab28862c5996c9a8 (patch) | |
tree | e6b9f084fde320ced184e8213a2989b91ff3e650 /source3 | |
parent | e13b21d9644445636a7657c73f501772ac8d96bf (diff) | |
download | samba-e23e8d9ff9144dabea8738c9ab28862c5996c9a8.tar.gz |
s3-rpc_server: Disable the NETLOGON server by default
The NETLOGON server is only needed when the classic/NT4 DC is enabled
and has been the source of security issues in the past. Therefore
reduce the attack surface.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Diffstat (limited to 'source3')
-rw-r--r-- | source3/rpc_server/rpc_config.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c
index 23c6f88eac4..9ee7ecaf96f 100644
--- a/source3/rpc_server/rpc_config.c
+++ b/source3/rpc_server/rpc_config.c
@@ -47,6 +47,7 @@ enum rpc_service_mode_e rpc_service_mode(const char *name)
 const char *rpcsrv_type;
 enum rpc_service_mode_e state;
 const char *def;
+ enum server_role server_role = lp_server_role();
 int i;
 /* Handle pipes with multiple names */
@@ -71,6 +72,21 @@ enum rpc_service_mode_e rpc_service_mode(const char *name)
 }
 }
+ /*
+ * Only enable the netlogon server by default if we are a
+ * classic/NT4 domain controller
+ */
+ if (strcasecmp_m(name, "netlogon") == 0) {
+ switch (server_role) {
+ case ROLE_STANDALONE:
+ case ROLE_DOMAIN_MEMBER:
+ def = "disabled";
+ break;
+ default:
+ break;
+ }
+ }
+
 rpcsrv_type = lp_parm_const_string(GLOBAL_SECTION_SNUM, "rpc_server", pipe_name, def); |
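Review bot: The switch added in the second hunk is a deny-list, so the code does not enforce what its comment says ("only ... if we are a classic/NT4 domain controller"): every role other than `ROLE_STANDALONE` and `ROLE_DOMAIN_MEMBER` falls through `default: break;` and keeps the table default. For an attack-surface reduction it is safer to fail closed, i.e. list the roles that need NETLOGON as the `break;`-only cases and put `def = "disabled";` under `default:`, so a role added to `enum server_role` later does not silently get the service; which roles belong on that list (presumably the classic PDC/BDC roles, and possibly the AD DC role) should be confirmed against the callers. The test also compares `name`, while the lookup right after it uses `pipe_name`; `strcasecmp_m(pipe_name, "netlogon")` would keep the check consistent with the alias handling earlier in the function, which starts outside the hunk. Because `def` is only the fallback handed to `lp_parm_const_string`, an explicit `rpc_server` setting for this pipe still enables the service on any role, which is worth stating in the comment: `Only the default changes; an explicit rpc_server setting still wins.`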