disable SMBv1 on AD

disable SMBv1 on AD

Samba - General mailing list
Was looking into how to disable SMBv1 and NetBIOS on a Samba AD.

I suspect that if one just wants to support Win7 and "greater" this
should work. However to prevent some open NetBIOS ports the "nbt"
service must be removed from the "server services" entry.

Basically these two entries (note nbt missing in the services line):

  server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
  smb ports = 445

are both necessary to close the NetBIOS tcp and udp ports.

However, these server services, although listed in the smb.conf man
page, are not fully defined, that is, what they do exactly and under
what conditions they may be needed. There is a mention in the wiki of
the "dns" entry being removed/added when alternating between the
internal dns and bind but I'm not finding any info on the others. I
suspect that in most cases most of them are needed, but are all of
them needed in all cases? I'd like to test removal of "nbt" in a live
network and more complete documentation of server services would
certainly help.

For now, what's the short answer? Can "nbt" be removed and have the AD
properly support a network of Win7 and "greater"?

Thanks.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: disable SMBv1 on AD

Samba - General mailing list
Hi Sonic,

> Was looking into how to disable SMBv1 and NetBIOS on a Samba AD.
>
> I suspect that if one just wants to support Win7 and "greater" this
> should work. However to prevent some open NetBIOS ports the "nbt"
> service must be removed from the "server services" entry.

You can add the two lines to smb.conf to disable NetBIOS support:
  [global]
    ...
    disable netbios = yes
    smb ports = 445

Before disabling, when running "samba-tool processes", you get a
  ...
  nbt_server             11464
  ...

After disabling, it shouldn't be there anymore. You can double-check that
the NetBIOS ports are not open anymore:

  netstat -apn | grep ':139\|:138\|:137'

NetBIOS can and should be removed on modern networks. After that, it sometimes
fails the reality check with legacy applications, CNC, embedded systems
and all.

Cheers,

Denis


>
> Basically these two entries (note nbt missing in the services line):
>
> server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd,
> ntp_signd, kcc, dnsupdate
> smb ports = 445
>
> are both necessary to close the NetBIOS tcp and udp ports.
>
> However, as these server services, although listed in the smb.conf man
> page, are not fully defined, that is, what they do exactly and under
> what conditions they may be needed. There is a mention in the wiki of
> the "dns" entry being removed/added when alternating between the
> internal dns and bind but I'm not finding any info on the others. I
> suspect that in most cases most of them are needed, but are all of
> them needed in all cases? I'd like to test removal of "nbt" in a live
> network and more complete documentation of server services would
> certainly help.
>
> For now, what's the short answer? Can "nbt" be removed and have the AD
> properly support a network of Win7 and "greater"?
>
> Thanks.
>

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr



Re: disable SMBv1 on AD

Samba - General mailing list
Hi,

There's also a "server min protocol" option in smb.conf which I didn't
test but looks like something which could help...

2017-08-03 10:29 GMT+02:00 Denis Cardon via samba <[hidden email]>:

> Hi Sonic,
>
>> Was looking into how to disable SMBv1 and NetBIOS on a Samba AD.
>>
>> I suspect that if one just wants to support Win7 and "greater" this
>> should work. However to prevent some open NetBIOS ports the "nbt"
>> service must be removed from the "server services" entry.
>>
>
> you can add the two lines to smb.conf to disable netbios support
>  [global]
>    ...
>    disable netbios = yes
>    smb ports = 445
>
> Before disabling, when running "samba-tool processes", you get a
>  ...
>  nbt_server             11464
>  ...
>
> After disabling it shouldn't be there anymore. You can doublecheck that
> netbios port are not open anymore
>
>  netstat -apn | grep ':139\|:138\|:137'
>
> Netbios can and should be removed on modern network. After it sometime
> fails the reality check with legacy applications, cnc, embedded system and
> all.
>
> Cheers,
>
> Denis
>
>
>
>> Basically these two entries (note nbt missing in the services line):
>>
>> server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd,
>> ntp_signd, kcc, dnsupdate
>> smb ports = 445
>>
>> are both necessary to close the NetBIOS tcp and udp ports.
>>
>> However, as these server services, although listed in the smb.conf man
>> page, are not fully defined, that is, what they do exactly and under
>> what conditions they may be needed. There is a mention in the wiki of
>> the "dns" entry being removed/added when alternating between the
>> internal dns and bind but I'm not finding any info on the others. I
>> suspect that in most cases most of them are needed, but are all of
>> them needed in all cases? I'd like to test removal of "nbt" in a live
>> network and more complete documentation of server services would
>> certainly help.
>>
>> For now, what's the short answer? Can "nbt" be removed and have the AD
>> properly support a network of Win7 and "greater"?
>>
>> Thanks.
>>
>>
> --
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 2.40.97.57.55
> http://www.tranquil-it-systems.fr
>
>
>
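A stricter form of the port check from the second message, plus a check of the smb.conf options named in the thread, as an added example (not code from any poster or from the Samba project). The function names are hypothetical, and treating only "server min protocol" values that begin with SMB2 or SMB3 as excluding SMB1 is this example's assumption.

```shell
#!/bin/sh
# Added example: audit helpers for the settings discussed in this thread.

# netbios_listeners: read `netstat -apn`-style lines on stdin and print the
# protocol and local address of every socket bound to port 137, 138 or 139.
# Unlike a plain grep for ':139', it looks only at the local-address column
# and compares the port exactly, so ':1390' or a remote peer's port does
# not produce a false hit.
netbios_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, parts, ":")      # last piece is the port (IPv4 and IPv6)
            port = parts[n]
            if (port == 137 || port == 138 || port == 139) {
                # TCP counts only when listening; UDP sockets have no state.
                if ($1 ~ /^udp/ || $6 == "LISTEN") print $1, $4
            }
        }'
}

# audit_smbconf FILE: print one finding per line for the [global] options
# named in the thread; prints nothing when none of them is left open.
audit_smbconf() {
    awk -F= '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        !in_global || /^[ \t]*[#;]/ || NF < 2 { next }
        {
            key = tolower($1); val = tolower($2)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            seen[key] = val
        }
        END {
            if (seen["disable netbios"] !~ /^(yes|true|1|on)$/)
                print "disable netbios is not enabled"
            if (seen["smb ports"] != "445")
                print "smb ports is not restricted to 445"
            # Assumption: only dialect names starting with SMB2/SMB3 exclude SMB1.
            if (seen["server min protocol"] !~ /^smb[23]/)
                print "server min protocol is unset or permits SMB1"
        }' "$1"
}
```

On a DC, pipe `netstat -apn` into `netbios_listeners` and pass the path of the active smb.conf to `audit_smbconf`.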