When samba is started using the /etc/init.d/samba script, the nmbd daemon is also started every time, EVEN if I define the parameter "disable netbios = Yes" in the /etc/samba/smb.conf config file.

Reproducible: Always

Steps to Reproduce:
1. Edit /etc/samba/smb.conf and add disable netbios = Yes to global section
2. start samba /etc/init.d/samba start
3. Use netstat to verify that UDP ports 137-139 are used by nmbd daemon

Actual Results:
Netbios isn't disabled and UDP ports 137-139 are still bound by nmbd daemon

Expected Results:
those UDP ports (137-139) shouldn't be bound and maybe nmbd daemon should not start also.

kernel version linux-2.6.11-gentoo-r11
running samba version 3.0.14a-r1

I see this as a major problem because netbios itself is in many ways insecure

(In reply to comment #0)
> When samba is started using the /etc/init.d/samba script, the nmbd daemon is also started
> every time, EVEN if I define the parameter "disable netbios = Yes" in the /etc/samba/smb.conf
> config file.
>
> Reproducible: Always
> Steps to Reproduce:
> 1. Edit /etc/samba/smb.conf and add disable netbios = Yes to global section
> 2. start samba /etc/init.d/samba start
> 3. Use netstat to verify that UDP ports 137-139 are used by nmbd daemon
>
> Actual Results:
> Netbios isn't disabled and UDP ports 137-139 are still bound by nmbd daemon
>
> Expected Results:
> those UDP ports (137-139) shouldn't be bound and maybe nmbd daemon should not
> start also.
>
> kernel version linux-2.6.11-gentoo-r11
> running samba version 3.0.14a-r1
>
> I see this as a major problem because netbios itself is in many ways insecure

Hi,

In the world of SMB networking you need to know that clients usually rely on netbios to browse the network and shares. Through port 139/445 SMB/NETBT communication flows so it will be open whether you like it or not, the only thing you made by disabling netbios support in samba is making your clients (not 2wk and XP because apart from netbios they default to tcp/ip but same thing will happen to them as well) unable to browse network and shares.

Unfortunately there is no other way of stopping nmbd, but to either disable/remove it in /etc/conf.d/samba, or by using iptables and restrict access to these ports only to your local clients/network.

My suggestion is not to remove nmbd as functionality but if you really want to do this do it by removing nmbd argument from variable daemon_list, and hash down all entries starting with nmbd in /etc/conf.d/samba file.

(In reply to comment #1)
> (In reply to comment #0)
> > When samba is started using the /etc/init.d/samba script, the nmbd daemon is also started
> > every time, EVEN if I define the parameter "disable netbios = Yes" in the /etc/samba/smb.conf
> > config file.
> >
> > Reproducible: Always
> > Steps to Reproduce:
> > 1. Edit /etc/samba/smb.conf and add disable netbios = Yes to global section
> > 2. start samba /etc/init.d/samba start
> > 3. Use netstat to verify that UDP ports 137-139 are used by nmbd daemon
> >
> > Actual Results:
> > Netbios isn't disabled and UDP ports 137-139 are still bound by nmbd daemon
> >
> > Expected Results:
> > those UDP ports (137-139) shouldn't be bound and maybe nmbd daemon should not
> > start also.
> >
> > kernel version linux-2.6.11-gentoo-r11
> > running samba version 3.0.14a-r1
> >
> > I see this as a major problem because netbios itself is in many ways insecure
>
> Hi,
>
> In the world of SMB networking you need to know that clients usually rely on
> netbios to browse the network and shares. Through port 139/445 SMB/NETBT
> communication flows so it will be open whether you like it or not, the only thing
> you made by disabling netbios support in samba is making your clients (not 2wk
> and XP because apart from netbios they default to tcp/ip but same thing will
> happen to them as well) unable to browse network and shares.
>
> Unfortunately there is no other way of stopping nmbd, but to either
> disable/remove it in /etc/conf.d/samba, or by using iptables and restrict access
> to these ports only to your local clients/network.
>
> My suggestion is not to remove nmbd as functionality but if you really want
> to do this do it by removing nmbd argument from variable daemon_list, and hash
> down all entries starting with nmbd in /etc/conf.d/samba file.

The thing is that I know there are no clients in my SMB network that need netbios (all clients are newer windows machines and Linux systems that don't need netbios).

And also in Debian systems if you use that parameter (disable netbios = Yes) in /etc/samba/smb.conf it works exactly like I thought it should (disabling netbios and leaving ONLY SMB directly over TCP/IP support on).

Also if you edit smb.conf and add line "smb ports = 445" samba stops listening on tcp port 139 and only listens on tcp 445 and nothing else (this also works with gentoo, disabling listening on tcp 139, BUT still nmbd keeps running and binding the 137-139 UDP ports).

To me it seems that gentoo init scripts SHOULD test for the disable netbios parameter and shut down nmbd if it is YES, because now that parameter has no effect at all (or at least it seems to be that way)

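
The check proposed in the comment above (an init script that honours "disable netbios" before starting nmbd) could look like the sketch below. It is an added example, not the Gentoo init script or code from any commenter; the function names netbios_disabled and effective_daemon_list and the sample config are made up for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not the Gentoo init script).

# Print "yes" if [global] sets "disable netbios" to a true value, else "no".
# Section and parameter names are matched ignoring case and whitespace.
netbios_disabled() {
    awk '
        /^[ \t]*[#;]/ { next }                  # comment line
        /^[ \t]*\[/ {                           # section header
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global {
            eq = index($0, "=")
            if (!eq) next
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, eq + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "disablenetbios")        # assumes a later setting overrides
                result = (val ~ /^(yes|true|1)$/) ? "yes" : "no"
        }
        END { print (result == "" ? "no" : result) }
    ' "$1"
}

# Print the daemons to start: the requested list minus nmbd when NetBIOS is off.
effective_daemon_list() {
    conf=$1; shift
    list=""
    for d in "$@"; do
        if [ "$d" = nmbd ] && [ "$(netbios_disabled "$conf")" = yes ]; then
            continue
        fi
        list="${list:+$list }$d"
    done
    printf '%s\n' "$list"
}

# Constructed sample config, written to a temp file so the script runs offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
   workgroup = EXAMPLE
   Disable NetBIOS = Yes
   smb ports = 445
[share]
   comment = constructed
EOF
effective_daemon_list "$sample" smbd nmbd    # prints: smbd
rm -f "$sample"
```
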
Well, a simple way of leaving nmbd off is to edit /etc/conf.d/samba and put into the 'daemon_list' variable the list of daemons to activate. I prefer not to change the initscript, unless you point me to a strong motivation not to use the conf.d/samba way.