.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
.\" Copyright 2017, Nexenta Systems, Inc. All Rights Reserved.
.\" Copyright 2022, RackTop Systems, Inc. All Rights Reserved.
.\" Copyright 2022 Jason King
.\" Copyright 2023 Bill Sommerfeld
.\" The contents of this file are subject to the terms of the
.\" Common Development and Distribution License (the "License").
.\" You may not use this file except in compliance with the License.
.\"
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
.\" or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions
.\" and limitations under the License.
.\"
.\" When distributing Covered Code, include this CDDL HEADER in each
.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
.\" If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying
.\" information: Portions Copyright [yyyy] [name of copyright owner]
.\"
.Dd March 13, 2023
.Dt SMB 5
.Os
.Sh NAME
.Nm smb
.Nd configuration properties for illumos CIFS server
.Sh DESCRIPTION
Behavior of the illumos CIFS server is defined by property values that are
stored in the Service Management Facility,
.Xr smf 7 .
.Pp
An authorized user can use the
.Xr sharectl 8
command to set global values
for these properties in SMF.
.Pp
The following list describes the properties:
.Bl -tag -width x
.It Sy ads_site
.Pp
Specifies the site configured in DNS to look up Active Directory information.
Sites provide a mechanism to partition or delegate administration and policy
management, which are typically used in large or complex domains.
.Pp
The value should not be set if you do not have a local Active Directory site.
By default, no value is set.
.It Sy autohome_map
.Pp
Specifies the full path for the SMB autohome map file,
.Pa smbautohome .
The default path is
.Pa /etc .
.It Sy bypass_traverse_checking
.Pp
When set, allows the SMB server to bypass ACL
.Dq traverse
checks.
The default value is
.Ql true ,
for Windows compatibility.
If this parameter is
.Ql false ,
ACL checks require that
.Dq traverse
.Pq directory execute
is granted on every directory
above the directory the SMB client tries to access.
Windows shares are normally set up with the higher level
directories not specifically granting such access.
.It Sy disposition
.Pp
A value that controls whether to disconnect the share or proceed if the map
command fails.
The disposition property only has meaning when the map property
has been set.
Otherwise it will have no effect.
.Bd -literal -offset 2n
disposition = [ continue | terminate ]
.Ed
.Bl -tag -width terminate
.It Sy continue
Proceed with share connection if the map command fails.
This is the default in the event that disposition is not specified.
.It Sy terminate
Disconnect the share if the map command fails.
.El
.It Sy ddns_enable
.Pp
Enables or disables dynamic DNS updates.
A value of
.Ql true
enables dynamic updates, while a value of
.Ql false
disables dynamic updates.
By default, the value is
.Ql false .
.It Sy encrypt
.Pp
Controls SMB3 Encryption.
For requests on a particular share, the server's
behavior is controlled by the stricter of this option and the per-share
.Dq encrypt
option.
.Pp
When set to
.Ql disabled ,
the server will not ask clients to encrypt requests.
Note that this setting does not actually disable encryption, but leaves the
decision about whether to encrypt up to the client and/or the per-share options.
When set to
.Ql enabled ,
the server will ask clients to encrypt requests,
but will not require that they do so.
Any message that can be encrypted will be encrypted.
When set to
.Ql required ,
the server will deny access to or disconnect
any client that does not support encryption or fails to encrypt requests
that they should.
.Pp
In other words, the
.Ql enabled
behavior is that any message that
.Em can
be encrypted
.Em should
be encrypted, while the
.Ql required
behavior is that any message that
.Em can
be encrypted
.Em must
be encrypted.
.It Sy encrypt_ciphers
.Pp
Specifies a list of enabled SMB 3.1.1 encryption ciphers.
This property is only used when encryption is
.Ql enabled
.Po
see
.Sy encrypt
property
.Pc
and negotiated SMB dialect is 3.1.1 or higher
.Po
see
.Sy max_protocol
property
.Pc .
Otherwise it is ignored.
.Pp
When the property is set, a list of comma separated ciphers should be specified,
or the value
.Ql all
should be used instead to enable all supported ciphers.
When the property is empty, it is equivalent to value
.Ql all
\(em all supported ciphers are enabled.
.Pp
The list of ciphers should contain these values:
.Bl -tag -width "aes128-ccm"
.It Sy aes128-ccm
AES-128-CCM cipher is enabled.
It is the only cipher used for SMB 3.0.2 dialect.
.It Sy aes128-gcm
AES-128-GCM cipher is enabled.
.It Sy all
All ciphers are enabled.
.El
.It Sy ipv6_enable
.Pp
Enables IPv6 Internet protocol support within the CIFS Service.
Valid values are
.Ql true
and
.Ql false .
The default value is
.Ql false .
.It Sy keep_alive
.Pp
Specifies the number of seconds before an idle SMB connection is dropped by the
illumos CIFS server.
If set to
.Ql 0 ,
idle connections are not dropped.
Valid values are
.Ql 0
and from
.Ql 20
seconds and above.
The default value is
.Ql 0 .
.It Sy lmauth_level
Specifies the LAN Manager (LM) authentication level.
The LM compatibility level
controls the type of user authentication to use in workgroup mode or domain
mode.
The default value is 4.
.Pp
The following describes the behavior at each level.
.Bl -tag -width "1"
.It Sy 2
In Windows workgroup mode, the illumos CIFS server accepts LM, NTLM, LMv2, and
NTLMv2 requests.
In domain mode, the SMB redirector on the illumos CIFS server
sends NTLM requests.
.It Sy 3
In Windows workgroup mode, the illumos CIFS server accepts LM, NTLM, LMv2, and
NTLMv2 requests.
In domain mode, the SMB redirector on the illumos CIFS server
sends LMv2 and NTLMv2 requests.
.It Sy 4
In Windows workgroup mode, the illumos CIFS server accepts NTLM, LMv2, and
NTLMv2 requests.
In domain mode, the SMB redirector on the illumos CIFS server
sends LMv2 and NTLMv2 requests.
.It Sy 5
In Windows workgroup mode, the illumos CIFS server accepts LMv2 and NTLMv2
requests.
In domain mode, the SMB redirector on the illumos CIFS server sends
LMv2 and NTLMv2 requests.
.El
.It Sy map
.Pp
The value is a command to be executed when connecting to the share.
The command
can take the following arguments, which will be substituted when the command is
exec'd as described below:
.Bl -tag -width "xx"
.It Sy % Ns Sy U
Windows username.
.It Sy % Ns Sy D
Name of the domain or workgroup of
.Sy % Ns Sy U .
.It Sy %h
The server hostname.
.It Sy %M
The client hostname, or
.Dq ""
if not available.
.It Sy %L
The server NetBIOS name.
.It Sy %m
The client NetBIOS name, or
.Dq ""
if not available.
This option is only valid for NetBIOS connections (port 139).
.It Sy % Ns Sy I
The IP address of the client machine.
.It Sy %i
The local IP address to which the client is connected.
.It Sy %S
The name of the share.
.It Sy % Ns Sy P
The root directory of the share.
.It Sy %u
The UID of the Unix user.
.El
.It Sy max_protocol
.Pp
Specifies the maximum SMB protocol level that the SMB service
should allow clients to negotiate.
The default value is
.Ql 3.11 .
Valid settings include:
.Ql 1 ,
.Ql 2.1 ,
.Ql 3.0 ,
.Ql 3.02 ,
.Ql 3.11 .
.It Sy min_protocol
.Pp
Specifies the minimum SMB protocol level that the SMB service
should allow clients to negotiate.
The default value is
.Ql 1 .
Valid settings include:
.Ql 1 ,
.Ql 2.1 ,
.Ql 3.0 .
.It Sy max_workers
.Pp
Specifies the maximum number of worker threads that will be launched to process
incoming CIFS requests.
The SMB
.Sy max_mpx
value, which indicates to a
client the maximum number of outstanding SMB requests that it may have pending
on the server, is derived from the
.Sy max_workers
value.
To ensure compatibility with older versions of Windows, the lower 8 bits of
.Sy max_mpx
must not be zero.
If the lower byte of
.Sy max_workers
is zero,
.Ql 64
is added to the value.
Thus the minimum value is
.Ql 64
and the default value, which appears in
.Xr sharectl 8
as
.Ql 1024 ,
is
.Ql 1088 .
.It Sy netbios_scope
.Pp
Specifies the NetBIOS scope identifier, which identifies logical NetBIOS
networks that are on the same physical network.
When you specify a NetBIOS
scope identifier, the server filters the number of machines that are listed in
the browser display to make it easier to find other hosts.
The value is a text string that represents a domain name.
By default, no value is set.
.It Sy oplock_enable
.Pp
Controls whether
.Dq oplocks
may be granted by the SMB server.
The term
.Dq oplock
is short for
.Dq opportunistic lock ,
which is the legacy name for cache delegations in SMB.
By default, oplocks are enabled.
Note that if oplocks are disabled, file I/O performance may be severely reduced.
.It Sy pdc
.Pp
Specifies the preferred IP address for the domain controller.
This property is
sometimes used when there are multiple domain controllers to indicate which one
is preferred.
If the specified domain controller responds, it is chosen even if
the other domain controllers are also available.
By default, no value is set.
.It Sy restrict_anonymous
.Pp
Disables anonymous access to
.Sy IPC$ ,
which requires that the client be authenticated to get access to MSRPC
services through
.Sy IPC$ .
A value of
.Ql true
disables anonymous access to
.Sy IPC$ ,
while a value of
.Ql false
enables anonymous access.
.It Sy short_names
.Pp
Enables the use of
.Dq short names
by SMB clients.
The default value is
.Ql false
because modern SMB clients do not need short names, and
using short names has some performance cost while listing directories
and opening or renaming files.
.It Sy signing_enabled
.Pp
Enables SMB signing.
When signing is enabled but not required it is possible
for clients to connect regardless of whether or not the client supports SMB
signing.
If a packet has been signed, the signature will be verified.
If a
packet has not been signed it will be accepted without signature verification.
Valid values are
.Ql true
and
.Ql false .
The default value is
.Ql true .
.It Sy signing_required
.Pp
When SMB signing is required, all packets must be signed or they will be
rejected, and clients that do not support signing will be unable to connect to
the server.
The
.Sy signing_required
setting is only taken into account when
.Sy signing_enabled
is
.Ql true .
Valid values are
.Ql true
and
.Ql false .
The default value is
.Ql true .
.It Sy system_comment
.Pp
Specifies an optional description for the system, which is a text string.
This
property value might appear in various places, such as Network Neighborhood or
Network Places on Windows clients.
By default, no value is set.
.It Sy traverse_mounts
.Pp
The
.Sy traverse_mounts
setting determines how the SMB server
presents sub-mounts underneath an SMB share.
When
.Sy traverse_mounts
is
.Ql true
(the default), sub-mounts are presented to SMB clients
like any other subdirectory.
When
.Sy traverse_mounts
is
.Ql false ,
sub-mounts are not shown to SMB clients.
.It Sy unmap
.Pp
The value is a command to be executed when disconnecting the share.
The command can take the same substitutions listed on the
.Sy map
property.
.It Sy wins_exclude
.Pp
Specifies a comma-separated list of network interfaces that should not be
registered with WINS.
NetBIOS host announcements are made on excluded interfaces.
By default, no value is set.
.It Sy wins_server_1
.Pp
Specifies the IP address of the primary WINS server.
By default, no value is set.
.It Sy wins_server_2
.Pp
Specifies the IP address of the secondary WINS server.
By default, no value is set.
.El
.Sh INTERFACE STABILITY
Uncommitted
.Sh SEE ALSO
.Xr attributes 7 ,
.Xr smf 7 ,
.Xr sharectl 8 ,
.Xr smbadm 8 ,
.Xr smbd 8 ,
.Xr smbstat 8
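.Sh EXAMPLES
The following is an added example, not part of the illumos sources: a shell
function that reviews the security-relevant properties described above
(min_protocol, lmauth_level, signing_enabled, signing_required, encrypt and
restrict_anonymous) and reports the settings that leave weaker behavior allowed.
The name=value input form assumed for sharectl get smb output, the function
name audit_smb_props and the sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example (not illumos code): audit name=value lines, the form assumed
# here for `sharectl get smb` output, against properties described above.
audit_smb_props() {
    awk -F= '
    BEGIN {
        # Defaults stated on this page; encrypt and restrict_anonymous have
        # no documented default here, so they start as "unset".
        v["min_protocol"] = "1"; v["lmauth_level"] = "4"
        v["signing_enabled"] = "true"; v["signing_required"] = "true"
        v["encrypt"] = "unset"; v["restrict_anonymous"] = "unset"
    }
    function warn(name, msg) { print "WARN " name "=" v[name] ": " msg; n++ }
    /^[a-z_0-9]+=/ { v[$1] = substr($0, length($1) + 2) }
    END {
        if (v["min_protocol"] == "1")
            warn("min_protocol", "clients may negotiate SMB 1")
        if (v["lmauth_level"] + 0 <= 3)
            warn("lmauth_level", "LM and NTLM accepted in workgroup mode")
        else if (v["lmauth_level"] + 0 == 4)
            warn("lmauth_level", "NTLM accepted in workgroup mode")
        if (v["signing_enabled"] != "true")
            warn("signing_enabled", "signing off; signing_required is ignored")
        else if (v["signing_required"] != "true")
            warn("signing_required", "unsigned packets are accepted")
        if (v["encrypt"] != "required")
            warn("encrypt", "not enforced globally; check per-share encrypt")
        if (v["restrict_anonymous"] != "true")
            warn("restrict_anonymous", "anonymous IPC$ access may be allowed")
        exit (n > 0)    # status 1 when any finding was printed
    }'
}

# Constructed sample input, not taken from a real system.
SAMPLE='min_protocol=1
lmauth_level=4
signing_enabled=true
signing_required=false
encrypt=enabled
restrict_anonymous=false'

printf '%s\n' "$SAMPLE" | audit_smb_props || echo "findings above need review"
```

On a live system the function would read the output of sharectl get smb on standard input; properties missing from the input fall back to the defaults stated on this page.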