On 26.10.2023 20:30, Peter Milesson via samba wrote:
> Hi folks,
>
> I just noted that the Netbios ports are active and listening on a
> Samba AD DC with the default configuration. On member servers they
> don't exist.
>
> I have several domains with mixes of Windows and Linux servers and
> PCs, and I have disabled the old insecure protocols long ago.
>
> Is this by design, or are you supposed to plug them yourself after
> installation?
>
> I'm using Samba 4.18.8 everywhere (from Debian Bookworm backports).
>
> Best regards
>
> Peter
>
>
Hi folks,

I have been experimenting a little. I have set "disable netbios = yes"
and "smb ports = 445" in the smb.conf on the DCs of two domains. Now,
the ports used by Netbios are gone. I have not detected any adverse
effects so far.

I also executed testparm -s -v on a DC, and it seems the printing
subsystem is loaded. I also added the recommended lines for disabling
printing:

    printcap name=/dev/null
    load printers=no
    disable spoolss=yes
    printing=bsd

This resulted in a reduction of used memory of about 40 megs.

Wouldn't it be a good idea to make those settings default in modern
Samba installations WRT security (mostly disabling Netbios)? I guess
they could be appended to the auto generated smb.conf when provisioning
a DC.

If somebody knows of some bad side effects from my tweaking, I would be
very interested to know.

Best regards,

Peter
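
Added example, not part of the original message or of Samba: a small shell audit that compares a saved `testparm -s -v` dump against the six values listed in the message, and filters `ss -tuln` output for sockets on the NetBIOS ports 137-139. The function names and the sample dump are constructed for illustration.

```shell
# Added example, not from the post. Expected values are the ones the post lists;
# the sample dump is constructed and only shaped like `testparm -s -v` output.

get_param() {  # get_param <dump> <name>: last [global] value of <name>
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { in_global = (norm($0) == "[global]"); next }
        in_global && (eq = index($0, "=")) {
            if (norm(substr($0, 1, eq - 1)) == norm(want)) {
                val = substr($0, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
            }
        }
        END { print val }' "$1"
}

audit_dc() {  # audit_dc <dump>: one line per value that differs from the post
    while IFS='|' read -r name want; do
        got=$(get_param "$1" "$name")
        # testparm prints booleans as Yes/No, so compare case-insensitively
        [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$want" ] ||
            printf 'DIFF %s = %s (post: %s)\n' "$name" "${got:-<unset>}" "$want"
    done <<'EOF'
disable netbios|yes
smb ports|445
printcap name|/dev/null
load printers|no
disable spoolss|yes
printing|bsd
EOF
}

netbios_listeners() {  # stdin: `ss -tuln` output; prints sockets on ports 137-139
    awk '$1 ~ /^(tcp|udp)$/ { n = split($5, a, ":"); if (a[n] ~ /^13[789]$/) print $1, $5 }'
}

sample_dump() {  # constructed input
    cat <<'EOF'
[global]
    disable netbios = Yes
    smb ports = 445 139
    printcap name = /dev/null
    load printers = No
    disable spoolss = Yes
    printing = cups
EOF
}

tmp=$(mktemp) && sample_dump > "$tmp" && audit_dc "$tmp"; rm -f "$tmp"
```

On a DC, `testparm -s -v > dump.txt; audit_dc dump.txt` and `ss -tuln | netbios_listeners` should both print nothing once the settings from the message are in effect.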