.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
.\" Copyright 2017, Nexenta Systems, Inc. All Rights Reserved.
.\" Copyright 2022, RackTop Systems, Inc. All Rights Reserved.
.\" Copyright 2022 Jason King
.\" Copyright 2023 Bill Sommerfeld
.\" The contents of this file are subject to the terms of the
.\" Common Development and Distribution License (the "License").
.\" You may not use this file except in compliance with the License.
.\"
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
.\" or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions
.\" and limitations under the License.
.\"
.\" When distributing Covered Code, include this CDDL HEADER in each
.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
.\" If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying
.\" information: Portions Copyright [yyyy] [name of copyright owner]
.\"
.Dd March 13, 2023
.Dt SMB 5
.Os
.Sh NAME
.Nm smb
.Nd configuration properties for illumos CIFS server
.Sh DESCRIPTION
Behavior of the illumos CIFS server is defined by property values that are
stored in the Service Management Facility,
.Xr smf 7 .
.Pp
An authorized user can use the
.Xr sharectl 8
command to set global values
for these properties in SMF.
.Pp
The following list describes the properties:
.Bl -tag -width x
.It Sy ads_site
.Pp
Specifies the site configured in DNS to look up Active Directory information.
Sites provide a mechanism to partition or delegate administration and policy
management, which are typically used in large or complex domains.
.Pp
The value should not be set if you do not have a local Active Directory site.
By default, no value is set.
.It Sy autohome_map
.Pp
Specifies the full path for the SMB autohome map file,
.Pa smbautohome .
The default path is
.Pa /etc .
.It Sy bypass_traverse_checking
.Pp
When set, allows the SMB server to bypass ACL
.Dq traverse
checks.
The default value is
.Ql true ,
for Windows compatibility.
If this parameter is
.Ql false ,
ACL checks require that
.Dq traverse
.Pq directory execute
is granted on every directory
above the directory the SMB client tries to access.
Windows shares are normally set up with the higher level
directories not specifically granting such access.
.It Sy disposition
.Pp
A value that controls whether to disconnect the share or proceed if the map
command fails.
The disposition property only has meaning when the map property
has been set.
Otherwise it will have no effect.
.Bd -literal -offset 2n
disposition = [ continue | terminate ]
.Ed
.Bl -tag -width terminate
.It Sy continue
Proceed with share connection if the map command fails.
This is the default in the event that disposition is not specified.
.It Sy terminate
Disconnect the share if the map command fails.
.El
.It Sy ddns_enable
.Pp
Enables or disables dynamic DNS updates.
A value of
.Ql true
enables dynamic updates, while a value of
.Ql false
disables dynamic updates.
By default, the value is
.Ql false .
.It Sy encrypt
.Pp
Controls SMB3 Encryption.
For requests on a particular share, the server's
behavior is controlled by the stricter of this option and the per-share
.Dq encrypt
option.
.Pp
When set to
.Ql disabled ,
the server will not ask clients to encrypt requests.
Note that this setting does not actually disable encryption, but leaves the
decision about whether to encrypt up to the client and/or the per-share options.
When set to
.Ql enabled ,
the server will ask clients to encrypt requests,
but will not require that they do so.
Any message that can be encrypted will be encrypted.
When set to
.Ql required ,
the server will deny access to or disconnect
any client that does not support encryption or fails to encrypt requests
that they should.
.Pp
In other words, the
.Ql enabled
behavior is that any message that
.Em can
be encrypted
.Em should
be encrypted, while the
.Ql required
behavior is that any message that
.Em can
be encrypted
.Em must
be encrypted.
.It Sy encrypt_ciphers
.Pp
Specifies a list of enabled SMB 3.1.1 encryption ciphers.
This property is only used when encryption is
.Ql enabled
.Po
see
.Sy encrypt
property
.Pc
and negotiated SMB dialect is 3.1.1 or higher
.Po
see
.Sy max_protocol
property
.Pc .
Otherwise it is ignored.
.Pp
When the property is set, a list of comma-separated ciphers should be specified,
or the value
.Ql all
should be used instead to enable all supported ciphers.
When the property is empty, it is equivalent to value
.Ql all
\(em all supported ciphers are enabled.
.Pp
The list of ciphers should contain these values:
.Bl -tag -width "aes128-ccm"
.It Sy aes128-ccm
AES-128-CCM cipher is enabled.
It is the only cipher used for SMB 3.0.2 dialect.
.It Sy aes128-gcm
AES-128-GCM cipher is enabled.
.It Sy aes256-ccm
AES-256-CCM cipher is enabled.
.It Sy aes256-gcm
AES-256-GCM cipher is enabled.
.It Sy all
All ciphers are enabled.
.El
.It Sy ipv6_enable
.Pp
Enables IPv6 Internet protocol support within the CIFS Service.
Valid values are
.Ql true
and
.Ql false .
The default value is
.Ql false .
.It Sy keep_alive
.Pp
Specifies the number of seconds before an idle SMB connection is dropped by the
illumos CIFS server.
If set to
.Ql 0 ,
idle connections are not dropped.
Valid values are
.Ql 0
and from
.Ql 20
seconds and above.
The default value is
.Ql 0 .
.It Sy lmauth_level
Specifies the LAN Manager (LM) authentication level.
The LM compatibility level
controls the type of user authentication to use in workgroup mode or domain
mode.
The default value is 4.
.Pp
The following describes the behavior at each level.
.Bl -tag -width "1"
.It Sy 2
In Windows workgroup mode, the illumos CIFS server accepts LM, NTLM, LMv2, and
NTLMv2 requests.
In domain mode, the SMB redirector on the illumos CIFS server
sends NTLM requests.
.It Sy 3
In Windows workgroup mode, the illumos CIFS server accepts LM, NTLM, LMv2, and
NTLMv2 requests.
In domain mode, the SMB redirector on the illumos CIFS server
sends LMv2 and NTLMv2 requests.
.It Sy 4
In Windows workgroup mode, the illumos CIFS server accepts NTLM, LMv2, and
NTLMv2 requests.
In domain mode, the SMB redirector on the illumos CIFS server
sends LMv2 and NTLMv2 requests.
.It Sy 5
In Windows workgroup mode, the illumos CIFS server accepts LMv2 and NTLMv2
requests.
In domain mode, the SMB redirector on the illumos CIFS server sends
LMv2 and NTLMv2 requests.
.El
.It Sy map
.Pp
The value is a command to be executed when connecting to the share.
The command
can take the following arguments, which will be substituted when the command is
exec'd as described below:
.Bl -tag -width "xx"
.It Sy % Ns Sy U
Windows username.
.It Sy % Ns Sy D
Name of the domain or workgroup of
.Sy % Ns Sy U .
.It Sy %h
The server hostname.
.It Sy %M
The client hostname, or
.Dq ""
if not available.
.It Sy %L
The server NetBIOS name.
.It Sy %m
The client NetBIOS name, or
.Dq ""
if not available.
This option is only valid for NetBIOS connections (port 139).
.It Sy % Ns Sy I
The IP address of the client machine.
.It Sy %i
The local IP address to which the client is connected.
.It Sy %S
The name of the share.
.It Sy % Ns Sy P
The root directory of the share.
.It Sy %u
The UID of the Unix user.
.El
.It Sy max_protocol
.Pp
Specifies the maximum SMB protocol level that the SMB service
should allow clients to negotiate.
The default value is
.Ql 3.11 .
Valid settings include:
.Ql 1 ,
.Ql 2.1 ,
.Ql 3.0 ,
.Ql 3.02 ,
.Ql 3.11 .
.It Sy min_protocol
.Pp
Specifies the minimum SMB protocol level that the SMB service
should allow clients to negotiate.
The default value is
.Ql 1 .
Valid settings include:
.Ql 1 ,
.Ql 2.1 ,
.Ql 3.0 .
.It Sy max_workers
.Pp
Specifies the maximum number of worker threads that will be launched to process
incoming CIFS requests.
The SMB
.Sy max_mpx
value, which indicates to a
client the maximum number of outstanding SMB requests that it may have pending
on the server, is derived from the
.Sy max_workers
value.
To ensure compatibility with older versions of Windows, the lower 8 bits of
.Sy max_mpx
must not be zero.
If the lower byte of
.Sy max_workers
is zero,
.Ql 64
is added to the value.
Thus the minimum value is
.Ql 64
and the default value, which appears in
.Xr sharectl 8
as
.Ql 1024 ,
is
.Ql 1088 .
.It Sy netbios_scope
.Pp
Specifies the NetBIOS scope identifier, which identifies logical NetBIOS
networks that are on the same physical network.
When you specify a NetBIOS
scope identifier, the server filters the number of machines that are listed in
the browser display to make it easier to find other hosts.
The value is a text string that represents a domain name.
By default, no value is set.
.It Sy oplock_enable
.Pp
Controls whether
.Dq oplocks
may be granted by the SMB server.
The term
.Dq oplock
is short for
.Dq opportunistic lock ,
which is the legacy name for cache delegations in SMB.
By default, oplocks are enabled.
Note that if oplocks are disabled, file I/O performance may be severely reduced.
.It Sy pdc
.Pp
Specifies the preferred IP address for the domain controller.
This property is
sometimes used when there are multiple domain controllers to indicate which one
is preferred.
If the specified domain controller responds, it is chosen even if
the other domain controllers are also available.
By default, no value is set.
.It Sy restrict_anonymous
.Pp
Disables anonymous access to
.Sy IPC$ ,
which requires that the client be authenticated to get access to MSRPC
services through
.Sy IPC$ .
A value of
.Ql true
disables anonymous access to
.Sy IPC$ ,
while a value of
.Ql false
enables anonymous access.
.It Sy short_names
.Pp
Enables the use of
.Dq short names
by SMB clients.
The default value is
.Ql false
because modern SMB clients do not need short names, and
using short names has some performance cost while listing directories
and opening or renaming files.
.It Sy signing_enabled
.Pp
Enables SMB signing.
When signing is enabled but not required it is possible
for clients to connect regardless of whether or not the client supports SMB
signing.
If a packet has been signed, the signature will be verified.
If a
packet has not been signed it will be accepted without signature verification.
Valid values are
.Ql true
and
.Ql false .
The default value is
.Ql true .
.It Sy signing_required
.Pp
When SMB signing is required, all packets must be signed or they will be
rejected, and clients that do not support signing will be unable to connect to
the server.
The
.Sy signing_required
setting is only taken into account when
.Sy signing_enabled
is
.Ql true .
Valid values are
.Ql true
and
.Ql false .
The default value is
.Ql true .
.It Sy system_comment
.Pp
Specifies an optional description for the system, which is a text string.
This
property value might appear in various places, such as Network Neighborhood or
Network Places on Windows clients.
By default, no value is set.
.It Sy traverse_mounts
.Pp
The
.Sy traverse_mounts
setting determines how the SMB server
presents sub-mounts underneath an SMB share.
When
.Sy traverse_mounts
is
.Ql true
(the default), sub-mounts are presented to SMB clients
like any other subdirectory.
When
.Sy traverse_mounts
is
.Ql false ,
sub-mounts are not shown to SMB clients.
.It Sy unmap
.Pp
The value is a command to be executed when disconnecting the share.
The command can take the same substitutions listed on the
.Sy map
property.
.It Sy wins_exclude
.Pp
Specifies a comma-separated list of network interfaces that should not be
registered with WINS.
NetBIOS host announcements are made on excluded interfaces.
By default, no value is set.
.It Sy wins_server_1
.Pp
Specifies the IP address of the primary WINS server.
By default, no value is set.
.It Sy wins_server_2
.Pp
Specifies the IP address of the secondary WINS server.
By default, no value is set.
.El
.Sh INTERFACE STABILITY
Uncommitted
.Sh SEE ALSO
.Xr attributes 7 ,
.Xr smf 7 ,
.Xr sharectl 8 ,
.Xr smbadm 8 ,
.Xr smbd 8 ,
.Xr smbstat 8
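Added example, not part of the illumos manual page: a POSIX shell audit of the signing, encryption, authentication and protocol properties described above, together with the "stricter of global and per-share" rule for encrypt and the max_workers to max_mpx adjustment. It assumes input in the name=value form printed by `sharectl get smb`; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audits name=value lines (the form `sharectl get smb` is
# assumed to print) against the security-relevant properties on this page.

# The server applies the stricter of the global and per-share encrypt values.
encrypt_rank() {
    case "$1" in required) echo 2 ;; enabled) echo 1 ;; *) echo 0 ;; esac
}
effective_encrypt() {   # $1 = global value, $2 = per-share value
    if [ "$(encrypt_rank "$1")" -ge "$(encrypt_rank "$2")" ]; then echo "$1"; else echo "$2"; fi
}

# max_mpx is derived from max_workers: 64 is added when the low byte is zero.
effective_max_mpx() {
    w=$1
    if [ $(( w & 255 )) -eq 0 ]; then w=$(( w + 64 )); fi
    echo "$w"
}

# Reads name=value lines on stdin and prints one finding per weak setting.
audit_smb() {
    # Defaults stated on the page; the others start empty (no documented default).
    min_protocol=1 lmauth_level=4 signing_enabled=true signing_required=true
    encrypt='' restrict_anonymous=''
    while IFS='=' read -r key val; do
        case "$key" in
            min_protocol|lmauth_level|signing_enabled|signing_required|encrypt|restrict_anonymous)
                eval "$key=\$val" ;;   # key is restricted to the names above
        esac
    done
    if [ "$min_protocol" = 1 ]; then echo "min_protocol=1: clients may negotiate SMB level 1"; fi
    case "$lmauth_level" in
        2|3) echo "lmauth_level=$lmauth_level: LM and NTLM accepted in workgroup mode" ;;
        4)   echo "lmauth_level=4: NTLM accepted in workgroup mode" ;;
    esac
    if [ "$signing_enabled" != true ]; then
        echo "signing_enabled=$signing_enabled: signing_required is not taken into account"
    elif [ "$signing_required" != true ]; then
        echo "signing_required=$signing_required: unsigned packets are accepted"
    fi
    case "$encrypt" in
        disabled|enabled) echo "encrypt=$encrypt: encryption is not required globally" ;;
    esac
    if [ "$restrict_anonymous" = false ]; then echo "restrict_anonymous=false: anonymous access to IPC\$ is enabled"; fi
    return 0
}

# Constructed sample input, not captured from a real system.
sample_props() {
    cat <<'EOF'
lmauth_level=2
min_protocol=1
signing_enabled=true
signing_required=false
encrypt=enabled
restrict_anonymous=false
EOF
}

sample_props | audit_smb
```

On a live system the same function can read the real settings with `sharectl get smb | audit_smb`.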