Univention Bugzilla – Bug 52455
Add support to disable Netbios service (nmbd) completely
Last modified: 2020-12-03 19:05:57 CET
During a project the customer asked to disable Netbios-Services completely as the claim that this is neither required by current Windows-Clients nor the (Windows-) applications used. This approach appears to be valid (see also https://www.bsi.bund.de/DE/Themen/Cyber-Sicherheit/Aktivitaeten/CERT-Bund/CERT-Reports/HOWTOs/Offene-NetBIOS-Namensdienste/Offene-NetBIOS-Namensdienste_node.html) Looking at available configuration option the UCRV samba4/service/nmb was found. samba4/service/nmb: nmbd If this variable is set to 'nmbd', NetBIOS services are provided (i.a. Windows clients can browse the network environment). If the variable is unset, NetBIOS is not used. The description to be wrong as unsetting the UCRV doesnt remove "-nbt" from "server services". When looking at the template smb.conf.d/10global another possible value for the UCRV is shown: print('\t# use nmbd; to disable set samba4/service/nmb to s4') This will remove the "-nbt" option as well as some other lines. When trying to (re-)start Samba with this configuration, the init-script will still try to start nmbd because of the hard-coded start/stop of nmbd which results into a failure.
You way want to keep in mind that running UCS without nmdb is untested and not documented in the manual and as such not supported. Feel free to experiment.
While it is obviously true that there is not much experience with running Samba in UCS without NetBIOS and the customer was advised that some features might be limited I can not follow the argumentation that it should be treated as unsupported because of the documentation status. It is common practise that a description of an existing UCRV is enough evidence that a feature is supported. The ability to deactivate NetBIOS by using samba4/service/nmb was mentioned in https://docs.software-univention.de/windows-nt-4.2.html#windows:netbios. Even if the hint may be misplaced in this particular documentation I havent found any indication that the support was removed at a later time.
> While it is obviously true that there is not much experience with running Samba in UCS without NetBIOS and the customer was advised that some features might > be limited I can not follow the argumentation that it should be treated as unsupported because of the documentation status. Yes, it's a borderline case, our policy can be found in the Wiki under the term "Support-Umfang". I would also agree, that this should not be a problem, I just wanted to the the expectation out of the way that, just because there is a UCR variable with a help string doesn't mean that setting it to a non-default value does anything useful and/or harmless. Example: connector/s4/mapping/* > It is common practise that a description of an existing UCRV is enough evidence that a feature is supported. I disagree. The process defined in the Wiki says: Insufficient documentation is not a reason to not support, if somebody calls. But then a bug needs to be created that adds documentation (which in turn should cause raised eyebrows for the developer which is assigned to the task, triggering the check *if* we can support it, e.g. by testing it). It's a different thing to actively tell people to do this, before having ensured that it may work and that it is actually supportable. > I havent found any indication that the support was removed at a later time. The document name indicates two things: "windows-nt-4.2" -> 1) "Windows-NT" 2) UCS 4.2 It has not been documented for Samba/AD domains because nobody tested that explicitly.