Re: [Samba] disable SMBv1 on AD
- Date: Thu, 3 Aug 2017 10:29:28 +0200
- From: Denis Cardon via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] disable SMBv1 on AD
Was looking into how to disable SMBv1 and NetBIOS on a Samba AD.
I suspect that if one just wants to support Win7 and "greater" this
should work. However to prevent some open NetBIOS ports the "nbt"
service must be removed from the "server services" entry.
You can add the two lines to smb.conf to disable NetBIOS support:
    disable netbios = yes
    smb ports = 445
Before disabling, when running "samba-tool processes", you get a
After disabling, it shouldn't be there anymore. You can double-check that
NetBIOS ports are not open anymore:
    netstat -apn | grep ':139\|:138\|:137'
NetBIOS can and should be removed on a modern network. After that it sometimes
fails the reality check with legacy applications, CNC, embedded system
Basically these two entries (note nbt missing in the services line):
    server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd,
    ntp_signd, kcc, dnsupdate
    smb ports = 445
are both necessary to close the NetBIOS TCP and UDP ports.
However, these server services, although listed in the smb.conf man
page, are not fully defined, that is, what they do exactly and under
what conditions they may be needed. There is a mention in the wiki of
the "dns" entry being removed/added when alternating between the
internal DNS and BIND, but I'm not finding any info on the others. I
suspect that in most cases most of them are needed, but are all of
them needed in all cases? I'd like to test removal of "nbt" in a live
network and more complete documentation of server services would
For now, what's the short answer? Can "nbt" be removed and have the AD
properly support a network of Win7 and "greater"?
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 220.127.116.11.55
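
An added example, not part of the original mail and not Samba project code: a small auditor that checks the three smb.conf settings discussed in this thread and scans netstat output for ports 137-139. The sample inputs are constructed; the parameter defaults and the "-nbt" relative form are assumptions based on the smb.conf man page, not on this thread.

```python
import re

# Constructed sample smb.conf for illustration; not from the original mail.
SAMPLE_CONF = """\
[global]
    disable netbios = yes
    smb ports = 445
    server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, \\
        ntp_signd, kcc, dnsupdate
[sysvol]
"""

# Constructed sample of `netstat -apn` output.
SAMPLE_NETSTAT = """\
tcp   0  0 0.0.0.0:445      0.0.0.0:*   LISTEN  812/samba
tcp   0  0 0.0.0.0:139      0.0.0.0:*   LISTEN  812/samba
udp   0  0 10.0.0.5:137     0.0.0.0:*           815/samba
tcp   0  0 0.0.0.0:1390     0.0.0.0:*   LISTEN  900/other
"""

def global_params(conf):
    """Return [global] parameters; names are lower-cased with spaces removed."""
    conf = re.sub(r"\\\r?\n\s*", " ", conf)  # join backslash continuations
    params, section = {}, None
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def netbios_findings(conf):
    # Assumed defaults: disable netbios = no, smb ports = 445 139, nbt enabled.
    p, out = global_params(conf), []
    if p.get("disablenetbios", "no").lower() not in ("yes", "true", "1", "on"):
        out.append("disable netbios is not set to yes")
    if p.get("smbports", "445 139").replace(",", " ").split() != ["445"]:
        out.append("smb ports is not restricted to 445")
    services = [s.strip().lower() for s in p.get("serverservices", "").split(",") if s.strip()]
    relative = all(s[0] in "+-" for s in services)  # "-nbt" style edits the default list
    if ("-nbt" not in services) if relative else ("nbt" in services):
        out.append("nbt is still enabled in server services")
    return out

def open_netbios_ports(netstat_text):
    return sorted({int(m) for m in re.findall(r":(13[789])\s", netstat_text)})  # 1390 is ignored
```

An empty list from netbios_findings() together with an empty list from open_netbios_ports() corresponds to the state the thread is aiming for.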