On Sat, 2024-04-06 at 09:23 +0300, Michael Tokarev via samba wrote:
> Hi!
>
> Is there a list of dcerpc endpoint servers with their explanation
> somewhere?
>
> I found a 9-years-old thread on this list (replied by Rowland),
>
> https://samba.samba.narkive.com/AyDt3e7L/4-4-1-wiki-explanation-dcerpc-endpoint-servers
>
> which basically says there's no documentation about this.
> Has anything been changed during these years?
>
> In particular, I see numerous restarts of rpcd_classic and rpcd_winreg on
> our "famous" anonymous read-only samba server, and wonder if these are
> really needed or just asked for by client "just in case" and can be
> turned off. On the other hand, neither of these are mentioned in the
> manpage.
>
> It is more: winreg is mentioned only in "allow dcerpc auth level connect"
> context, not in "dcerpc endpoint servers" context, and in the latter place,
> it is not included in the "default:" list, so I wonder how it starts if
> it isn't enabled by default?

So, what has happened here is that in the original Samba4 branch with
the NTVFS fileserver, a winreg server was implemented, as was a srvsvc
server.
With the big merge, code in that branch was fitted back into the same
tree as the continuing efforts on the smbd fileserver, with much of the
AD DC code ending up in source4.
Since this commit, by default these are provided by the source3 code,
originally just out of smbd, and later out of the maturing RPC server
infrastructure that has been built in source3:
commit 39766b75a40fbab73fc23dd947de44f8349ed466
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sat Jun 16 12:54:12 2012 +1000
s4-lib/param: FLAG DAY for the default FILE SERVER
This commit changes the default file server to be s3fs. Existing
installs wishing to keep the ntvfs file server need to set this in
their smb.conf:
server services = +smb -s3fs
dcerpc endpoint services = +winreg +srvsvc
However the reference in "allow dcerpc auth level connect" would be due
to our testsuite that runs the NTVFS file server, which sets things up
like in the commit message.
Anyway, the source3 code, which provides rpcd_classic (which includes
an LSA server, SAMR and NETLOGON) and rpcd_winreg doesn't honour this
parameter.
Instead, to turn those off I think the invocation (eg for winreg) is
"rpc_server:winreg = disabled"
As to whether you need these services: LSA is used for name/SID translation
in the permissions dialog, SAMR is less used by a typical fileserver
client, and many of the others are provided because Windows provides
them, and we have tried to match as closely as we can.
(I did go to quite some effort to disable the NETLOGON server except on
the DC, to reduce the attack surface).
I hope this helps.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
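Added example (not from the thread or the Samba project): a small smb.conf audit that applies the distinction Andrew describes above. It reads the [global] section, decides each source3 RPC service's state only from the "rpc_server:<service> = disabled" parametric option that the reply suggests, and flags services an admin tried to remove via "dcerpc endpoint servers = -X", which the source3 daemons do not honour. The service names, the sample config and the comment-handling rules are assumptions for illustration.

```python
import re

# Services discussed in the thread (rpcd_classic bundles lsarpc, samr and
# netlogon; rpcd_winreg serves winreg). Assumed list, not from Samba itself.
SERVICES = ("winreg", "lsarpc", "samr", "netlogon", "srvsvc")


def parse_global(conf_text):
    """Return {key: value} for the [global] section of an smb.conf string."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # whole-line comments only
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params


def rpc_service_state(params):
    """Map each service to 'disabled'/'enabled' using only rpc_server:<svc>."""
    return {
        svc: "disabled"
        if params.get(f"rpc_server:{svc}", "").lower() == "disabled"
        else "enabled"
        for svc in SERVICES
    }


def ineffective_removals(params):
    """Services removed with 'dcerpc endpoint servers = -X' that stay enabled
    because rpc_server:X is not set to disabled (the endpoint list is ignored
    by the source3 RPC daemons, per the reply above)."""
    tokens = params.get("dcerpc endpoint servers", "").split()
    removed = {t[1:].lower() for t in tokens if t.startswith("-")}
    state = rpc_service_state(params)
    return sorted(s for s in removed if state.get(s) == "enabled")


# Constructed sample: winreg was "removed" from the endpoint list (no effect),
# srvsvc was disabled with the parametric option (effective).
SAMPLE_CONF = """\
[global]
    server role = standalone server
    dcerpc endpoint servers = -winreg -srvsvc
    rpc_server:srvsvc = disabled
[pub]
    path = /srv/pub
    read only = yes
"""
```

Running `ineffective_removals(parse_global(SAMPLE_CONF))` on the sample reports `['winreg']`, the service whose removal was a no-op.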