Eric Gurevitz
2025-Jul-14 11:55 UTC
[Samba] Security hardening for Microsoft RPC Netlogon protocol question
Hi All,
We have Linux PCs joined to AD domains as member servers. We use a usermap
script to strip the "domain\" prefix:
username map script = /etc/samba/usermap.sh
#!/bin/bash
# Samba passes the account name from the authentication request as $1
# and reads the mapped Unix name from stdout.
ACCOUNTNAME="$1"
# Drop everything up to and including the first backslash, so that
# "DOMAIN\user" becomes "user"; a name with no backslash is printed unchanged.
echo "${ACCOUNTNAME}" | sed -e 's/[^\\]*\\//'
exit 0
I don't see us using 'ad' idmapping backend or any idmap at all. We
rely on Linux userid and Linux groups for all permissions on the file systems.
Do I need to do anything regarding the upcoming change to the Microsoft RPC
Netlogon protocol?
Eric
Ralph Boehme
2025-Jul-14 12:22 UTC
[Samba] Security hardening for Microsoft RPC Netlogon protocol question
On 7/14/25 1:55 PM, Eric Gurevitz via samba wrote:
> Do I need to do anything regarding the upcoming change to the
> Microsoft RPC Netlogon protocol?

If you're not using winbindd in nsswitch.conf and not using the "ad" idmap backend in winbindd, you're fine.

-slow

--
SerNet Samba Team Lead https://sernet.de/
Samba Team Member https://samba.org/
Samba Support and Dev https://samba.plus/services/
SAMBA+ packages https://samba.plus/products/samba
Rowland Penny
2025-Jul-14 14:54 UTC
[Samba] Security hardening for Microsoft RPC Netlogon protocol question
On Mon, 14 Jul 2025 11:55:43 +0000 Eric Gurevitz via samba <samba at lists.samba.org> wrote:
> Hi All,
>
> We have Linux pcs joined to AD domains as member servers. We use a
> usermap script to strip the domain\ :
>
> username map script = /etc/samba/usermap.sh
>
> #!/bin/bash
> ACCOUNTNAME="$1"
> echo "${ACCOUNTNAME}" | sed -e 's/[^\\]*\\//'
> exit 0
>
> I don't see us using 'ad' idmapping backend or any idmap at all. We
> rely on Linux userid and Linux groups for all permissions on the file
> systems.
>
> Do I need to do anything regarding the upcoming change to the
> Microsoft RPC Netlogon protocol?
>
> Eric

No, if you are not using the 'ad' idmap backend, then it doesn't affect you, but just one question, why do you not use 'winbind use default domain = yes' in your smb.conf? It will give you the same effect as your script.

Rowland
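Eric's script strips whatever precedes the first backslash, so "OTHER\alice" from a trusted domain is mapped to the same Unix account "alice" as "EXAMPLE\alice" from the local domain. The following is an added example, not Eric's script and not Samba project code: a username map script that only strips the prefix of one expected domain and passes every other name through unchanged. The domain name EXAMPLE and the invocation convention (Samba supplies the name as the single argument and reads one line from stdout, as the smb.conf man page documents for "username map script") are the assumptions; it is plain POSIX shell so it runs under sh or bash.

```shell
#!/bin/sh
# Added example (not the original poster's script, not Samba project code).
# Strip the "DOMAIN\" prefix only for the domain this member server belongs to.
# Names from other domains, and names with no prefix, are printed unchanged so
# they do not collide with a local Unix account of the same name.

ALLOWED_DOMAIN="EXAMPLE"   # assumption: the NetBIOS name of the joined domain

to_upper() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# strip_domain NAME
#   EXAMPLE\alice  -> alice          (expected domain, prefix removed)
#   example\Alice  -> Alice          (domain part compared case-insensitively)
#   OTHER\alice    -> OTHER\alice    (foreign domain, left as-is)
#   alice          -> alice          (no prefix, left as-is)
strip_domain() {
    name="$1"
    domain="${name%%\\*}"   # text before the first backslash
    user="${name#*\\}"      # text after the first backslash

    # No backslash at all: nothing to strip.
    if [ "$name" = "$domain" ]; then
        printf '%s\n' "$name"
        return 0
    fi

    if [ "$(to_upper "$domain")" = "$(to_upper "$ALLOWED_DOMAIN")" ]; then
        printf '%s\n' "$user"
    else
        printf '%s\n' "$name"
    fi
}

# When Samba runs the script it passes exactly one argument.
if [ $# -gt 0 ]; then
    strip_domain "$1"
fi
```

Install it as the target of "username map script" and check it by hand, for example `/etc/samba/usermap.sh 'OTHER\alice'`, before relying on it. If name resolution goes through winbindd (winbind in nsswitch.conf), the smb.conf parameter "winbind use default domain = yes" that Rowland mentions is the usual way to get short names for the joined domain without any script.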