The NETLOGON server is only needed when the classic/NT4 DC is enabled
and has been the source of security issues in the past. Therefore
reduce the attack surface.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
# We currently don't send referrals for LDAP modify of non-replicated attrs
^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_kerberos
+# NETLOGON is disabled in any non-DC environments
+^samba.tests.netlogonsvc.python\(ad_member\)
+^samba.tests.netlogonsvc.python\(simpleserver\)
+^samba.tests.netlogonsvc.python\(fileserver\)
const char *rpcsrv_type;
enum rpc_service_mode_e state;
const char *def;
+ enum server_role server_role = lp_server_role();
int i;
/* Handle pipes with multiple names */
}
}
+ /*
+ * Only enable the netlogon server by default if we are a
+ * classic/NT4 domain controller
+ */
+ if (strcasecmp_m(name, "netlogon") == 0) {
+ switch (server_role) {
+ case ROLE_STANDALONE:
+ case ROLE_DOMAIN_MEMBER:
+ def = "disabled";
+ break;
+ default:
+ break;
+ }
+ }
+
rpcsrv_type = lp_parm_const_string(GLOBAL_SECTION_SNUM,
"rpc_server", pipe_name, def);