[Samba] disable SMBv1 on AD

[Denis Cardon]

Hi Sonic,

> Was looking into how to disable SMBv1 and NetBIOS on a Samba AD.
>
> I suspect that if one just wants to support Win7 and "greater" this
> should work. However to prevent some open NetBIOS ports the "nbt"
> service must be removed from the "server services" entry.

you can add the two lines to smb.conf to disable netbios support
  [global]
    ...
    disable netbios = yes
    smb ports = 445

Before disabling, when running "samba-tool processes", you get a
  ...
  nbt_server             11464
  ...

After disabling it shouldn't be there anymore. You can doublecheck that 
netbios port are not open anymore

  netstat -apn | grep ':139\|:138\|:137'

Netbios can and should be removed on modern network. After it sometime 
fails the reality check with legacy applications, cnc, embedded system 
and all.

Cheers,

Denis


>
> Basically these two entries (note nbt missing in the services line):
>
> server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd,
> ntp_signd, kcc, dnsupdate
> smb ports = 445
>
> are both necessary to close the NetBIOS tcp and udp ports.
>
> However, as these server services, although listed in the smb.conf man
> page, are not fully defined, that is, what they do exactly and under
> what conditions they may be needed. There is a mention in the wiki of
> the "dns" entry being removed/added when alternating between the
> internal dns and bind but I'm not finding any info on the others. I
> suspect that in most cases most of them are needed, but are all of
> them needed in all cases? I'd like to test removal of "nbt" in a live
> network and more complete documentation of server services would
> certainly help.
>
> For now, what's the short answer? Can "nbt" be removed and have the AD
> properly support a network of Win7 and "greater"?
>
> Thanks.
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr