[Samba] disable SMBv1 on AD

mathias dufresne infractory at gmail.com
Thu Aug 3 08:42:06 UTC 2017


Hi,

There's also a "server min protocol" option in smb.conf which I didn't
test but which looks like something which could help...

2017-08-03 10:29 GMT+02:00 Denis Cardon via samba <samba at lists.samba.org>:

> Hi Sonic,
>
> Was looking into how to disable SMBv1 and NetBIOS on a Samba AD.
>>
>> I suspect that if one just wants to support Win7 and "greater" this
>> should work. However to prevent some open NetBIOS ports the "nbt"
>> service must be removed from the "server services" entry.
>>
>
> you can add the two lines to smb.conf to disable netbios support
>  [global]
>    ...
>    disable netbios = yes
>    smb ports = 445
>
> Before disabling, when running "samba-tool processes", you get a
>  ...
>  nbt_server             11464
>  ...
>
> After disabling it shouldn't be there anymore. You can double-check that
> NetBIOS ports are not open anymore
>
>  netstat -apn | grep ':139\|:138\|:137'
>
> NetBIOS can and should be removed on modern networks. After that, it sometimes
> fails the reality check with legacy applications, CNC, embedded systems and
> all.
>
> Cheers,
>
> Denis
>
>
>
>> Basically these two entries (note nbt missing in the services line):
>>
>> server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd,
>> ntp_signd, kcc, dnsupdate
>> smb ports = 445
>>
>> are both necessary to close the NetBIOS tcp and udp ports.
>>
>> However, as these server services, although listed in the smb.conf man
>> page, are not fully defined, that is, what they do exactly and under
>> what conditions they may be needed. There is a mention in the wiki of
>> the "dns" entry being removed/added when alternating between the
>> internal dns and bind but I'm not finding any info on the others. I
>> suspect that in most cases most of them are needed, but are all of
>> them needed in all cases? I'd like to test removal of "nbt" in a live
>> network and more complete documentation of server services would
>> certainly help.
>>
>> For now, what's the short answer? Can "nbt" be removed and have the AD
>> properly support a network of Win7 and "greater"?
>>
>> Thanks.
>>
>>
> --
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 2.40.97.57.55
> http://www.tranquil-it-systems.fr
>
>
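
An added example, not part of the original thread and not Samba's own tooling: shell helpers that check the `disable netbios`, `smb ports` and `server services` settings discussed above, and that filter `netstat -apn` output on the local-address column so that ports such as 13900 or remote ports do not match. The function names and the sample input are assumptions constructed for illustration.

```shell
# Added example, not from the thread: offline checks for the settings discussed above.
# Print the last [global] value of parameter $1 from smb.conf text on stdin.
# Samba ignores case and spaces in parameter names, so both are normalised here.
# Assumption: no backslash line continuations in the input.
global_param() {
    awk -v want="$1" '
        BEGIN { gsub(/ /, "", want); want = tolower(want) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sect = tolower($0); sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect); next }
        sect == "global" && (eq = index($0, "=")) {
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) last = val
        }
        END { print last }'
}

# Read smb.conf text on stdin; print one line per setting that leaves NetBIOS enabled.
audit_smbconf() {
    conf=$(cat)
    case "$(printf '%s\n' "$conf" | global_param 'disable netbios' | tr 'A-Z' 'a-z')" in
        yes|true|1) ;;
        *) echo "disable netbios is not enabled" ;;
    esac
    [ "$(printf '%s\n' "$conf" | global_param 'smb ports')" = 445 ] || echo "smb ports is not exactly 445"
    # "nbt" or "+nbt" keeps the service; "-nbt" removes it from the default list.
    if printf '%s\n' "$conf" | global_param 'server services' |
        tr ', ' '\n\n' | grep -qxE '\+?nbt'; then
        echo "server services lists nbt"
    fi
}

# Filter `netstat -apn` output on stdin to TCP/UDP sockets whose local port is 137-139.
# Matching the local-address column avoids hits on ports such as :13900 or remote ports.
netbios_listeners() {
    awk '$1 ~ /^(tcp|udp)/ && $4 ~ /:(137|138|139)$/'
}

# Constructed sample input, not taken from a real host.
netstat_sample='tcp  0  0 0.0.0.0:445   0.0.0.0:*       LISTEN       11460/smbd
tcp  0  0 0.0.0.0:139   0.0.0.0:*       LISTEN       11460/smbd
udp  0  0 10.0.0.5:137  0.0.0.0:*                    11464/samba
tcp  0  0 10.0.0.5:445  10.0.0.9:13900  ESTABLISHED  11470/smbd'
conf_sample='[global]
    Disable NetBIOS = yes
    smb ports = 445 139'
printf '%s\n' "$netstat_sample" | netbios_listeners
printf '%s\n' "$conf_sample" | audit_smbconf
```

On a domain controller, the same functions can be fed the real `netstat -apn` output and the contents of smb.conf in place of the sample variables.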

