Web lists-archives.com

Re: [Samba] disable SMBv1 on AD

Hi Sonic,

Was looking into how to disable SMBv1 and NetBIOS on a Samba AD.

I suspect that if one just wants to support Win7 and "greater" this
should work. However to prevent some open NetBIOS ports the "nbt"
service must be removed from the "server services" entry.

you can add the two lines to smb.conf to disable netbios support
   disable netbios = yes
   smb ports = 445

Before disabling, when running "samba-tool processes", you get a
 nbt_server             11464

After disabling it shouldn't be there anymore. You can doublecheck that netbios port are not open anymore

 netstat -apn | grep ':139\|:138\|:137'

Netbios can and should be removed on modern network. After it sometime fails the reality check with legacy applications, cnc, embedded system and all.



Basically these two entries (note nbt missing in the services line):

server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd,
ntp_signd, kcc, dnsupdate
smb ports = 445

are both necessary to close the NetBIOS tcp and udp ports.

However, as these server services, although listed in the smb.conf man
page, are not fully defined, that is, what they do exactly and under
what conditions they may be needed. There is a mention in the wiki of
the "dns" entry being removed/added when alternating between the
internal dns and bind but I'm not finding any info on the others. I
suspect that in most cases most of them are needed, but are all of
them needed in all cases? I'd like to test removal of "nbt" in a live
network and more complete documentation of server services would
certainly help.

For now, what's the short answer? Can "nbt" be removed and have the AD
properly support a network of Win7 and "greater"?


Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0)

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba