[prev in list] [next in list] [prev in thread] [next in thread] 

List:       samba
Subject:    Re: [Samba] dcerpc endpoint servers?
From:       Andrew Bartlett via samba <samba () lists ! samba ! org>
Date:       2024-04-08 3:55:42
Message-ID: cf0b89dda761165104b92a4de87b716a83b3fcc6.camel () samba ! org
[Download RAW message or body]

On Sat, 2024-04-06 at 09:23 +0300, Michael Tokarev via samba wrote:
> Hi!
> 
> Is there a list of dcerpc endpoint servers with their explanation
> somewhere?
> 
> I found a 9-years-old thread on this list (replied by Rowland),
> https://samba.samba.narkive.com/AyDt3e7L/4-4-1-wiki-explanation-dcerpc-endpoint-servers
> 
> which basically says there's no documentation about this.
> Has anything been changed during these years?
> 
> In particular, I see numerous restarts of rpcd_classic and
> rpcd_winreg on
> our "famous" anonymous read-only samba server, and wonder if these
> are
> really needed or just asked for by client "just in case" and can be
> turned off.  On the other hand, neither of these are mentioned in the
> manpage.
> 
> It is more: winreg is mentioned only in "allow dcerpc auth level
> connect"
> context, not in "dcerpc endpoint servers" context, and in the latter
> place,
> it is not included in the "default:" list, so I wonder how it starts
> if
> it isn't enabled by default?

So, what has happened here is that in the original Samba4 branch with
the NTVFS fileserver, a winreg server was implemented, as was a srvsvc
server. 

With the big merge, code in that branch was fitted back into the same
tree as the continuing efforts on the smbd filesever, with much of the
AD DC code ending up in source4

Since this commit, by default these are provided by the source3 code,
originally just out of smbd, and later out the maturing RPC server
infrastructure that has been built in source3:

commit 39766b75a40fbab73fc23dd947de44f8349ed466
Author: Andrew Bartlett <abartlet@samba.org>
Date:   Sat Jun 16 12:54:12 2012 +1000

    s4-lib/param: FLAG DAY for the default FILE SERVER
    
    This commit changes the default file server to be s3fs.  Existing
    installs wishing to keep the ntvfs file server need to set this in
    their smb.conf:
    
    server services = +smb -s3fs
    dcerpc endpoint services = +winreg +srvsvc
 

However the reference in "allow dcerpc auth level connect" would be due
to our testsuite that runs the NTVFS file server, which sets things up
like in the commit message. 

Anyway, the source3 code, which provides rpcd_classic (which includes
an LSA server, SAMR and NETLOGON) and rpcd_winreg doesn't honour this
parameter.

Instead, to turn those off I think the invocation (eg for winreg) is
"rpc_server:winreg = disabled"

As to if you need these services. LSA is used for name/SID translation
in the permissions dialog, SAMR is less used by a typcial fileserver
client, and many of the others are provided because windows provides
them, and we have tried to match as closely as we can.

(I did go to quite some effort to disable the NETLOGON server except on
the DC, to reduce the attack surface). 

I hope this helps.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
[prev in list] [next in list] [prev in thread] [next in thread]