[Samba] disable SMBv1 on AD

Sonic sonicsmith at gmail.com
Wed Aug 2 21:19:42 UTC 2017


Was looking into how to disable SMBv1 and NetBIOS on a Samba AD.

I suspect that if one just wants to support Win7 and "greater" this
should work. However to prevent some open NetBIOS ports the "nbt"
service must be removed from the "server services" entry.

Basically these two entries (note nbt missing in the services line):

server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
smb ports = 445

are both necessary to close the NetBIOS TCP and UDP ports.

However, these server services, although listed in the smb.conf man
page, are not fully defined, that is, what they do exactly and under
what conditions they may be needed. There is a mention in the wiki of
the "dns" entry being removed/added when alternating between the
internal DNS and BIND, but I'm not finding any info on the others. I
suspect that in most cases most of them are needed, but are all of
them needed in all cases? I'd like to test removal of "nbt" in a live
network, and more complete documentation of server services would
certainly help.

For now, what's the short answer? Can "nbt" be removed and have the AD
properly support a network of Win7 and "greater"?

Thanks.
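
A check of the two settings described in the message above, as an added example that is not part of the original post or Samba's own code: it parses smb.conf text and reports whether "nbt" or port 139 is still enabled. The default values, the port notes in the findings and both sample configurations are assumptions constructed for illustration, and only the explicit list form of "server services" used in the post is handled.

```python
import re

# Assumed defaults when a parameter is absent (check the smb.conf man page for your version).
DEFAULT_SERVICES = ("s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, "
                    "winbindd, ntp_signd, kcc, dnsupdate, dns")
DEFAULT_SMB_PORTS = "445 139"

def global_params(text):
    """Return {normalized name: value} for the [global] section of smb.conf text."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):           # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":   # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def netbios_findings(text):
    """List the reasons NetBIOS ports would stay open (empty list = both settings in place)."""
    p = global_params(text)
    services = {s.strip().lower()
                for s in p.get("serverservices", DEFAULT_SERVICES).split(",") if s.strip()}
    ports = set(re.split(r"[,\s]+", p.get("smbports", DEFAULT_SMB_PORTS).strip()))
    findings = []
    if "nbt" in services:
        findings.append("'nbt' is in server services (NetBIOS name/datagram, 137-138/udp)")
    if "139" in ports:
        findings.append("'smb ports' includes 139 (NetBIOS session, 139/tcp)")
    return findings

# Constructed sample: the two entries from the post, wrapped with a continuation.
HARDENED = r"""
[global]
    server role = active directory domain controller
    server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, \
        ntp_signd, kcc, dnsupdate
    smb ports = 445
"""
# Constructed sample: neither entry set, so the assumed defaults apply.
DEFAULTS = "[global]\n    server role = active directory domain controller\n"
```

Confirm the result on the running DC by listing the listening sockets; the parser only shows what the configuration requests.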


