[Samba] disable SMBv1 on AD

Denis Cardon dcardon at tranquil.it
Thu Aug 3 08:29:28 UTC 2017

Hi Sonic,

> Was looking into how to disable SMBv1 and NetBIOS on a Samba AD.
> I suspect that if one just wants to support Win7 and "greater" this
> should work. However to prevent some open NetBIOS ports the "nbt"
> service must be removed from the "server services" entry.

you can add the two lines to smb.conf to disable netbios support
    disable netbios = yes
    smb ports = 445

Before disabling, when running "samba-tool processes", you get a
  nbt_server             11464

After disabling it shouldn't be there anymore. You can doublecheck that 
netbios port are not open anymore

  netstat -apn | grep ':139\|:138\|:137'

Netbios can and should be removed on modern network. After it sometime 
fails the reality check with legacy applications, cnc, embedded system 
and all.



> Basically these two entries (note nbt missing in the services line):
> server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd,
> ntp_signd, kcc, dnsupdate
> smb ports = 445
> are both necessary to close the NetBIOS tcp and udp ports.
> However, as these server services, although listed in the smb.conf man
> page, are not fully defined, that is, what they do exactly and under
> what conditions they may be needed. There is a mention in the wiki of
> the "dns" entry being removed/added when alternating between the
> internal dns and bind but I'm not finding any info on the others. I
> suspect that in most cases most of them are needed, but are all of
> them needed in all cases? I'd like to test removal of "nbt" in a live
> network and more complete documentation of server services would
> certainly help.
> For now, what's the short answer? Can "nbt" be removed and have the AD
> properly support a network of Win7 and "greater"?
> Thanks.

Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint SĂ©bastien sur Loire
tel : +33 (0)

More information about the samba mailing list