Was looking into how to disable SMBv1 and NetBIOS on a Samba AD.

I suspect that if one just wants to support Win7 and "greater" this should work. However to prevent some open NetBIOS ports the "nbt" service must be removed from the "server services" entry.

Basically these two entries (note nbt missing in the services line):

server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
smb ports = 445

are both necessary to close the NetBIOS tcp and udp ports.

However, as these server services, although listed in the smb.conf man page, are not fully defined, that is, what they do exactly and under what conditions they may be needed. There is a mention in the wiki of the "dns" entry being removed/added when alternating between the internal dns and bind but I'm not finding any info on the others. I suspect that in most cases most of them are needed, but are all of them needed in all cases? I'd like to test removal of "nbt" in a live network and more complete documentation of server services would certainly help.

For now, what's the short answer? Can "nbt" be removed and have the AD properly support a network of Win7 and "greater"?

Thanks.

Hi Sonic,

> Was looking into how to disable SMBv1 and NetBIOS on a Samba AD.
>
> I suspect that if one just wants to support Win7 and "greater" this should work. However to prevent some open NetBIOS ports the "nbt" service must be removed from the "server services" entry.

You can add the two lines to smb.conf to disable netbios support:

[global]
...
disable netbios = yes
smb ports = 445

Before disabling, when running "samba-tool processes", you get a

...
nbt_server 11464
...

After disabling it shouldn't be there anymore. You can double-check that netbios ports are not open anymore:

netstat -apn | grep ':139\|:138\|:137'

Netbios can and should be removed on a modern network. After it sometimes fails the reality check with legacy applications, cnc, embedded systems and all.

Cheers,

Denis

> Basically these two entries (note nbt missing in the services line):
>
> server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> smb ports = 445
>
> are both necessary to close the NetBIOS tcp and udp ports.
>
> However, as these server services, although listed in the smb.conf man page, are not fully defined, that is, what they do exactly and under what conditions they may be needed. There is a mention in the wiki of the "dns" entry being removed/added when alternating between the internal dns and bind but I'm not finding any info on the others. I suspect that in most cases most of them are needed, but are all of them needed in all cases? I'd like to test removal of "nbt" in a live network and more complete documentation of server services would certainly help.
>
> For now, what's the short answer? Can "nbt" be removed and have the AD properly support a network of Win7 and "greater"?
>
> Thanks.

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
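
An offline audit of the two configuration variants given in this thread ("disable netbios = yes", or a "server services" list without nbt, each with "smb ports = 445"), as an added example that is not part of the original posts or of Samba. The function names and the two file arguments (a copy of smb.conf and saved "netstat -apn" output) are assumptions of this example; unlike the grep above, it matches the port only in the local-address column.

```shell
#!/bin/sh
# Added example (not from the thread). Usage, with paths chosen by the caller:
#   netstat -apn > sockets.txt; audit_netbios /path/to/smb.conf sockets.txt

# Print the last value of a [global] parameter from smb.conf text on stdin.
# smb.conf names are case-insensitive and whitespace inside them is ignored.
global_param() {
    awk -v want="$1" '
        BEGIN { want = tolower(want); gsub(/[ \t]/, "", want) }
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ { sect = tolower($0); gsub(/[^a-z]/, "", sect); next }
        sect == "global" && (i = index($0, "=")) {
            k = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", k)
            v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == want) val = v
        }
        END { print val }'
}

# Read `netstat -apn` output on stdin; print sockets whose LOCAL port is
# 137, 138 or 139. A remote port such as :13900 is not a match.
netbios_listeners() {
    awk '$1 ~ /^(tcp|udp)/ {
        n = split($4, a, ":"); port = a[n]
        if (port == 137 || port == 138 || port == 139) print $1, $4
    }'
}

is_true() { case "$(printf %s "$1" | tr 'A-Z' 'a-z')" in yes|true|1|on) return 0;; esac; return 1; }

# Return 0 only if the config matches one variant AND no NetBIOS socket is open.
# Handles the plain comma-separated "server services" list shown in the thread.
audit_netbios() {
    conf=$1 sockets=$2 rc=0
    services=$(global_param 'server services' < "$conf" | tr -d ' \t')
    if is_true "$(global_param 'disable netbios' < "$conf")"; then :
    elif [ -n "$services" ] && ! printf ',%s,' "$services" | grep -q ',nbt,'; then :
    else echo "FAIL: nbt service not disabled in smb.conf"; rc=1
    fi
    [ "$(global_param 'smb ports' < "$conf")" = 445 ] ||
        { echo "FAIL: smb ports is not restricted to 445"; rc=1; }
    open=$(netbios_listeners < "$sockets")
    [ -z "$open" ] || { echo "FAIL: NetBIOS sockets present:"; echo "$open"; rc=1; }
    return "$rc"
}
```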

Hi,

There's also a "server min protocol" option in smb.conf which I haven't tested but looks like something which could help...

2017-08-03 10:29 GMT+02:00 Denis Cardon via samba <samba at lists.samba.org>:

> Hi Sonic,
>
>> Was looking into how to disable SMBv1 and NetBIOS on a Samba AD.
>>
>> I suspect that if one just wants to support Win7 and "greater" this should work. However to prevent some open NetBIOS ports the "nbt" service must be removed from the "server services" entry.
>
> You can add the two lines to smb.conf to disable netbios support:
>
> [global]
> ...
> disable netbios = yes
> smb ports = 445
>
> Before disabling, when running "samba-tool processes", you get a
>
> ...
> nbt_server 11464
> ...
>
> After disabling it shouldn't be there anymore. You can double-check that netbios ports are not open anymore:
>
> netstat -apn | grep ':139\|:138\|:137'
>
> Netbios can and should be removed on a modern network. After it sometimes fails the reality check with legacy applications, cnc, embedded systems and all.
>
> Cheers,
>
> Denis
>
>> Basically these two entries (note nbt missing in the services line):
>>
>> server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>> smb ports = 445
>>
>> are both necessary to close the NetBIOS tcp and udp ports.
>>
>> However, as these server services, although listed in the smb.conf man page, are not fully defined, that is, what they do exactly and under what conditions they may be needed. There is a mention in the wiki of the "dns" entry being removed/added when alternating between the internal dns and bind but I'm not finding any info on the others. I suspect that in most cases most of them are needed, but are all of them needed in all cases? I'd like to test removal of "nbt" in a live network and more complete documentation of server services would certainly help.
>>
>> For now, what's the short answer? Can "nbt" be removed and have the AD properly support a network of Win7 and "greater"?
>>
>> Thanks.
>
> --
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 2.40.97.57.55
> http://www.tranquil-it-systems.fr