Re: [Samba] disable SMBv1 on AD
- Date: Thu, 3 Aug 2017 10:42:06 +0200
- From: mathias dufresne via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] disable SMBv1 on AD
There's also a "server min protocol" option in smb.conf which I haven't
tested but which looks like something that could help...
2017-08-03 10:29 GMT+02:00 Denis Cardon via samba <samba@xxxxxxxxxxxxxxx>:
> Hi Sonic,
> Was looking into how to disable SMBv1 and NetBIOS on a Samba AD.
>> I suspect that if one just wants to support Win7 and "greater" this
>> should work. However to prevent some open NetBIOS ports the "nbt"
>> service must be removed from the "server services" entry.
> You can add these two lines to smb.conf to disable NetBIOS support:
> disable netbios = yes
> smb ports = 445
> Before disabling, when running "samba-tool processes", you get a
> nbt_server 11464
> After disabling it shouldn't be there anymore. You can double-check that
> the NetBIOS ports are not open anymore:
> netstat -apn | grep ':139\|:138\|:137'
> NetBIOS can and should be removed on a modern network. After it sometime
> fails the reality check with legacy applications, cnc, embedded system and
>> Basically these two entries (note nbt missing in the services line):
>> server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd,
>> ntp_signd, kcc, dnsupdate
>> smb ports = 445
>> are both necessary to close the NetBIOS tcp and udp ports.
>> However, as these server services, although listed in the smb.conf man
>> page, are not fully defined, that is, what they do exactly and under
>> what conditions they may be needed. There is a mention in the wiki of
>> the "dns" entry being removed/added when alternating between the
>> internal dns and bind but I'm not finding any info on the others. I
>> suspect that in most cases most of them are needed, but are all of
>> them needed in all cases? I'd like to test removal of "nbt" in a live
>> network and more complete documentation of server services would
>> certainly help.
>> For now, what's the short answer? Can "nbt" be removed and have the AD
>> properly support a network of Win7 and "greater"?
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 18.104.22.168.55
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
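The settings named in this thread ("disable netbios", "smb ports", "nbt" in "server services", "server min protocol") can be checked in one pass over smb.conf. The script below is an added example, not code from the thread or from the Samba project; the sample configuration is constructed, and the function names are hypothetical. It only reports what the file says and does not query a running server.

```python
# Added example: audit the [global] section of an smb.conf for the settings
# discussed in this thread. SAMPLE_CONF is constructed, not from a real server.
import re

# Dialect names that belong to SMBv1 in "server min protocol".
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

SAMPLE_CONF = """\
[global]
    Disable NetBIOS = yes
    smb ports = 445
    server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, \\
        winbindd, ntp_signd, kcc, dnsupdate
    server min protocol = NT1
"""

def parse_global(text):
    """Return {name: value} for [global]; names ignore case and whitespace."""
    text = re.sub(r"\\\r?\n", " ", text)  # join backslash-continued lines
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    p, findings = parse_global(text), []
    # Boolean spellings as documented in the smb.conf man page.
    if p.get("disablenetbios", "no").lower() not in ("yes", "true", "1"):
        findings.append("disable netbios is not set to yes")
    if set(p.get("smbports", "").replace(",", " ").split()) != {"445"}:
        findings.append("smb ports is not restricted to 445")
    services = [s.strip().lower() for s in p.get("serverservices", "").split(",")]
    if "nbt" in services or "+nbt" in services:
        findings.append("nbt is listed in server services")
    min_proto = p.get("serverminprotocol")
    if min_proto is None:
        findings.append("server min protocol is unset")
    elif min_proto.upper() in SMB1_DIALECTS:
        findings.append("server min protocol %s still allows SMBv1" % min_proto)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)) or "no findings")
```

Run against the constructed sample, it reports only the "server min protocol" line, since NT1 is an SMBv1 dialect. On a live host, the netstat check quoted above remains the confirmation that ports 137 to 139 are actually closed.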