xref: /illumos-gate/usr/src/man/man5/smb.5 (revision 012e6ce759c490003aed29439cc47d3d73a99ad3)
1.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
2.\" Copyright 2017, Nexenta Systems, Inc. All Rights Reserved.
3.\" Copyright 2022, RackTop Systems, Inc. All Rights Reserved.
4.\" Copyright 2022 Jason King
5.\" Copyright 2023 Bill Sommerfeld
6.\" The contents of this file are subject to the terms of the
7.\" Common Development and Distribution License (the "License").
8.\" You may not use this file except in compliance with the License.
9.\"
10.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
11.\" or http://www.opensolaris.org/os/licensing.
12.\" See the License for the specific language governing permissions
13.\" and limitations under the License.
14.\"
15.\" When distributing Covered Code, include this CDDL HEADER in each
16.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
17.\" If applicable, add the following below this CDDL HEADER, with the
18.\" fields enclosed by brackets "[]" replaced with your own identifying
19.\" information: Portions Copyright [yyyy] [name of copyright owner]
20.\"
21.Dd March 13, 2023
22.Dt SMB 5
23.Os
24.Sh NAME
25.Nm smb
26.Nd configuration properties for illumos CIFS server
27.Sh DESCRIPTION
28Behavior of the illumos CIFS server is defined by property values that are
29stored in the Service Management Facility,
30.Xr smf 7 .
31.Pp
32An authorized user can use the
33.Xr sharectl 8
34command to set global values
35for these properties in SMF.
36.Pp
37The following list describes the properties:
38.Bl -tag -width x
39.It Sy ads_site
40.Pp
41Specifies the site configured in DNS to look up Active Directory information.
42Sites provide a mechanism to partition or delegate administration and policy
43management, which are typically used in large or complex domains.
44.Pp
45The value should not be set if you do not have a local Active Directory site.
46By default, no value is set.
47.It Sy autohome_map
48.Pp
49Specifies the full path for the SMD autohome map file,
50.Pa smbautohome .
51The default path is
52.Pa /etc .
53.It Sy bypass_traverse_checking
54.Pp
55When set, allows the SMB server to bypass ACL
56.Dq traverse
57checks.
58The default value is
59.Ql true ,
60for Windows compatibility.
61If this parameter is
62.Ql false ,
63ACL checks require that
64.Dq traverse
65.Pq directory execute
66is granted on every directory
67above the directory the SMB client tries to access.
68Windows shares are normally setup with the higher level
69directories not specifically granting such access.
70.It Sy disposition
71.Pp
72A value that controls whether to disconnect the share or proceed if the map
73command fails.
74The disposition property only has meaning when the map property
75has been set.
76Otherwise it will have no effect.
77.Bd -literal -offset 2n
78disposition = [ continue | terminate ]
79.Ed
80.Bl -tag -width terminate
81.It Sy continue
82Proceed with share connection if the map command fails.
83This is the default in the event that disposition is not specified.
84.It Sy terminate
85Disconnect the share if the map command fails.
86.El
87.It Sy ddns_enable
88.Pp
89Enables or disables dynamic DNS updates.
90A value of
91.Ql true
92enables dynamic updates, while a value of
93.Ql false
94disables dynamic updates.
95By default, the value is
96.Ql false .
97.It Sy encrypt
98.Pp
99Controls SMB3 Encryption.
100For requests on a particular share, the server's
101behavior is controlled by the stricter of this option and the per-share
102.Dq encrypt
103option.
104.Pp
105When set to
106.Ql disabled ,
107the server will not ask clients to encrypt requests.
108Note that this setting does not actually disable encryption, but leaves the
109decision about whether to encrypt up to the client and/or the per-share options.
110When set to
111.Ql enabled ,
112the server will ask clients to encrypt requests,
113but will not require that they do so.
114Any message that can be encrypted will be encrypted.
115When set to
116.Ql required ,
117the server will deny access to or disconnect
118any client that does not support encryption or fails to encrypt requests
119that they should.
120.Pp
121In other words, the
122.Ql enabled
123behavior is that any message that
124.Em can
125be encrypted
126.Em should
127be encrypted, while the
128.Ql required
129behavior is that any message that
130.Em can
131be encrypted
132.Em must
133be encrypted.
134.It Sy encrypt_ciphers
135.Pp
136Specifies a list of enabled SMB 3.1.1 encryption ciphers.
137This property is only used when encryption is
138.Ql enabled
139.Po
140see
141.Sy encrypt
142property
143.Pc
144and negotiated SMB dialect is 3.1.1 or higher
145.Po
146see
147.Sy max_protocol
148property
149.Pc .
150Otherwise it is ignored.
151.Pp
152When the property is set, a list of comma separated ciphers should be specified,
153or the value
154.Ql all
155should be used instead to enable all supported ciphers.
156When the property is empty, it is equivalent to value
157.Ql all
158\(em all supported ciphers are enabled.
159.Pp
160The list of ciphers should contain these values:
161.Bl -tag -width "aes128-ccm"
162.It Sy aes128-ccm
163AES-128-CCM cipher is enabled.
164It is the only cipher used for SMB 3.0.2 dialect.
165.It Sy aes128-gcm
166AES-128-GCM cipher is enabled.
167.It Sy aes256-ccm
168AES-256-CCM cipher is enabled.
169.It Sy aes256-gcm
170AES-256-GCM cipher is enabled.
171.It Sy all
172All ciphers are enabled.
173.El
174.It Sy ipv6_enable
175.Pp
176Enables IPv6 Internet protocol support within the CIFS Service.
177Valid values are
178.Ql true
179and
180.Ql false .
181The default value is
182.Ql false .
183.It Sy keep_alive
184.Pp
185Specifies the number of seconds before an idle SMB connection is dropped by the
186illumos CIFS server.
187If set to
188.Ql 0 ,
189idle connections are not dropped.
190Valid values are
191.Ql 0
192and from
193.Ql 20
194seconds and above.
195The default value is
196.Ql 0 .
197.It Sy lmauth_level
198Specifies the LAN Manager (LM) authentication level.
199The LM compatibility level
200controls the type of user authentication to use in workgroup mode or domain
201mode.
202The default value is 4.
203.Pp
204The following describes the behavior at each level.
205.Bl -tag -width "1"
206.It Sy 2
207In Windows workgroup mode, the illumos CIFS server accepts LM, NTLM, LMv2, and
208NTLMv2 requests.
209In domain mode, the SMB redirector on the illumos CIFS server
210sends NTLM requests.
211.It Sy 3
212In Windows workgroup mode, the illumos CIFS server accepts LM, NTLM, LMv2, and
213NTLMv2 requests.
214In domain mode, the SMB redirector on the illumos CIFS server
215sends LMv2 and NTLMv2 requests.
216.It Sy 4
217In Windows workgroup mode, the illumos CIFS server accepts NTLM, LMv2, and
218NTLMv2 requests.
219In domain mode, the SMB redirector on the illumos CIFS server
220sends LMv2 and NTLMv2 requests.
221.It Sy 5
222In Windows workgroup mode, the illumos CIFS server accepts LMv2 and NTLMv2
223requests.
224In domain mode, the SMB redirector on the illumos CIFS server sends
225LMv2 and NTLMv2 requests.
226.El
227.It Sy map
228.Pp
229The value is a command to be executed when connecting to the share.
230The command
231can take the following arguments, which will be substituted when the command is
232exec'd as described below:
233.Bl -tag -width "xx"
234.It Sy % Ns Sy U
235Windows username.
236.It Sy % Ns Sy D
237Name of the domain or workgroup of
238.Sy % Ns Sy U .
239.It Sy %h
240The server hostname.
241.It Sy %M
242The client hostname, or
243.Dq ""
244if not available.
245.It Sy %L
246The server NetBIOS name.
247.It Sy %m
248The client NetBIOS name, or
249.Dq ""
250if not available.
251This option is only valid for NetBIOS connections (port 139).
252.It Sy % Ns Sy I
253The IP address of the client machine.
254.It Sy %i
255The local IP address to which the client is connected.
256.It Sy %S
257The name of the share.
258.It Sy % Ns Sy P
259The root directory of the share.
260.It Sy %u
261The UID of the Unix user.
262.El
263.It Sy max_protocol
264.Pp
265Specifies the maximum SMB protocol level that the SMB service
266should allow clients to negotiate.
267The default value is
268.Ql 3.11 .
269Valid settings include:
270.Ql 1 ,
271.Ql 2.1 ,
272.Ql 3.0 ,
273.Ql 3.02 ,
274.Ql 3.11 .
275.It Sy min_protocol
276.Pp
277Specifies the minimum SMB protocol level that the SMB service
278should allow clients to negotiate.
279The default value is
280.Ql 1 .
281Valid settings include:
282.Ql 1 ,
283.Ql 2.1 ,
284.Ql 3.0 .
285.It Sy max_workers
286.Pp
287Specifies the maximum number of worker threads that will be launched to process
288incoming CIFS requests.
289The SMB
290.Sy max_mpx
291value, which indicates to a
292client the maximum number of outstanding SMB requests that it may have pending
293on the server, is derived from the
294.Sy max_workers
295value.
296To ensure compatibility with older versions of Windows the lower 8-bits of
297.Sy max_mpx
298must not be zero.
299If the lower byte of
300.Sy max_workers
301is zero,
302.Ql 64
303is added to the value.
304Thus the minimum value is
305.Ql 64
306and the default value, which appears in
307.Xr sharectl 8
308as
309.Ql 1024 ,
310is
311.Ql 1088 .
312.It Sy netbios_scope
313.Pp
314Specifies the NetBIOS scope identifier, which identifies logical NetBIOS
315networks that are on the same physical network.
316When you specify a NetBIOS
317scope identifier, the server filters the number of machines that are listed in
318the browser display to make it easier to find other hosts.
319The value is a text string that represents a domain name.
320By default, no value is set.
321.It Sy oplock_enable
322.Pp
323Controls whether
324.Dq oplocks
325may be granted by the SMB server.
326The term
327.Dq oplock
328is short for
329.Dq opportunistic lock ,
330which is the legacy name for cache delegations in SMB.
331By default, oplocks are enabled.
332Note that if oplocks are disabled, file I/O performance may be severely reduced.
333.It Sy pdc
334.Pp
335Specifies the preferred IP address for the domain controller.
336This property is
337sometimes used when there are multiple domain controllers to indicate which one
338is preferred.
339If the specified domain controller responds, it is chosen even if
340the other domain controllers are also available.
341By default, no value is set.
342.It Sy restrict_anonymous
343.Pp
344Disables anonymous access to
345.Sy IPC$ ,
346which requires that the client be authenticated to get access to MSRPC
347services through
348.Sy IPC$ .
349A value of
350.Ql true
351disables anonymous access to
352.Sy IPC$ ,
353while a value of
354.Ql false
355enables anonymous access.
356.It Sy short_names
357.Pp
358Enables the use of
359.Dq short names
360by SMB clients.
361The default value is
362.Ql false
363because modern SMB clients do not need short names, and
364using short names has some performance cost while listing directories
365and opening or renaming files.
366.It Sy signing_enabled
367.Pp
368Enables SMB signing.
369When signing is enabled but not required it is possible
370for clients to connect regardless of whether or not the client supports SMB
371signing.
372If a packet has been signed, the signature will be verified.
373If a
374packet has not been signed it will be accepted without signature verification.
375Valid values are
376.Ql true
377and
378.Ql false .
379The default value is
380.Ql true .
381.It Sy signing_required
382.Pp
383When SMB signing is required, all packets must be signed or they will be
384rejected, and clients that do not support signing will be unable to connect to
385the server.
386The
387.Sy signing_required
388setting is only taken into account when
389.Sy signing_enabled
390is
391.Ql true .
392Valid values are
393.Ql true
394and
395.Ql false .
396The default value is
397.Ql true .
398.It Sy system_comment
399.Pp
400Specifies an optional description for the system, which is a text string.
401This
402property value might appear in various places, such as Network Neighborhood or
403Network Places on Windows clients.
404By default, no value is set.
405.It Sy traverse_mounts
406.Pp
407The
408.Sy traverse_mounts
409setting determines how the SMB server
410presents sub-mounts underneath an SMB share.
411When
412.Sy traverse_mounts
413is
414.Ql true
415(the default), sub-mounts are presented to SMB clients
416like any other subdirectory.
417When
418.Sy traverse_mounts
419is
420.Ql false ,
421sub-mounts are not shown to SMB clients.
422.It Sy unmap
423.Pp
424The value is a command to be executed when disconnecting the share.
425The command can take the same substitutions listed on the
426.Sy map
427property.
428.It Sy wins_exclude
429.Pp
430Specifies a comma-separated list of network interfaces that should not be
431registered with WINS.
432NetBIOS host announcements are made on excluded interfaces.
433By default, no value is set.
434.It Sy wins_server_1
435.Pp
436Specifies the IP address of the primary WINS server.
437By default, no value is set.
438.It Sy wins_server_2
439.Pp
440Specifies the IP address of the secondary WINS server.
441By default, no value is set.
442.El
443.Sh INTERFACE STABILITY
444Uncommitted
445.Sh SEE ALSO
446.Xr attributes 7 ,
447.Xr smf 7 ,
448.Xr sharectl 8 ,
449.Xr smbadm 8 ,
450.Xr smbd 8 ,
451.Xr smbstat 8
452