12513 SMB 3.1.1 support for server
--- old/usr/src/man/man4/smb.4
+++ new/usr/src/man/man4/smb.4
1 1 '\" te
2 2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
3 3 .\" Copyright 2017, Nexenta Systems, Inc. All Rights Reserved.
4 +.\" Copyright 2020, RackTop Systems, Inc. All Rights Reserved.
4 5 .\" The contents of this file are subject to the terms of the
5 6 .\" Common Development and Distribution License (the "License").
6 7 .\" You may not use this file except in compliance with the License.
7 8 .\"
8 9 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 10 .\" or http://www.opensolaris.org/os/licensing.
10 11 .\" See the License for the specific language governing permissions
11 12 .\" and limitations under the License.
12 13 .\"
13 14 .\" When distributing Covered Code, include this CDDL HEADER in each
14 15 .\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 16 .\" If applicable, add the following below this CDDL HEADER, with the
16 17 .\" fields enclosed by brackets "[]" replaced with your own identifying
17 18 .\" information: Portions Copyright [yyyy] [name of copyright owner]
18 19 .\"
19 20 .TH SMB 4 "Apr 23, 2015"
20 21 .SH NAME
21 22 smb \- configuration properties for Solaris CIFS server
22 23 .SH DESCRIPTION
23 24 .LP
24 25 Behavior of the Solaris CIFS server is defined by property values that are
25 26 stored in the Service Management Facility, \fBsmf\fR(5).
26 27 .sp
27 28 .LP
28 29 An authorized user can use the \fBsharectl\fR(1M) command to set global values
29 30 for these properties in SMF.
30 31 .sp
31 32 .LP
32 33 The following list describes the properties:
33 34 .sp
34 35 .ne 2
35 36 .na
36 37 \fB\fBads_site\fR\fR
37 38 .ad
38 39 .sp .6
39 40 .RS 4n
40 41 Specifies the site configured in DNS to look up Active Directory information.
41 42 Sites provide a mechanism to partition or delegate administration and policy
42 43 management, which are typically used in large or complex domains.
43 44 .sp
44 45 The value should not be set if you do not have a local Active Directory site.
45 46 By default, no value is set.
46 47 .RE
47 48
48 49 .sp
49 50 .ne 2
50 51 .na
51 52 \fB\fBautohome_map\fR\fR
52 53 .ad
53 54 .sp .6
54 55 .RS 4n
55 56 Specifies the full path for the SMD autohome map file, \fBsmbautohome\fR. The
56 57 default path is \fB/etc\fR.
57 58 .RE
58 59
59 60 .sp
60 61 .ne 2
61 62 .na
62 63 \fB\fBbypass_traverse_checking\fR\fR
63 64 .ad
64 65 .sp .6
65 66 .RS 4n
66 67 When set, allows the SMB server to bypass ACL "traverse" checks.
67 68 The default value is \fBtrue\fR, for Windows compatibility.
68 69 If this parameter is \fBfalse\fR, ACL checks require that
69 70 "traverse" (directory execute) is granted on every directory
70 71 above the directory the SMB client tries to access.
71 72 Windows shares are normally setup with the higher level
72 73 directories not specifically granting such access.
73 74 .RE
74 75
75 76 .sp
76 77 .ne 2
77 78 .na
78 79 \fB\fBdisposition\fR\fR
79 80 .ad
80 81 .sp .6
81 82 .RS 4n
82 83 A value that controls whether to disconnect the share or proceed if the map
83 84 command fails. The disposition property only has meaning when the map property
84 85 has been set. Otherwise it will have no effect.
85 86 .sp
86 87 .in +2
87 88 .nf
88 89 disposition = [ continue | terminate ]
89 90 .fi
90 91 .in -2
91 92 .sp
92 93
93 94 .sp
94 95 .ne 2
95 96 .na
96 97 \fB\fBcontinue\fR\fR
97 98 .ad
98 99 .sp .6
99 100 .RS 4n
100 101 Proceed with share connection if the map command fails. This is the default in
101 102 the event that disposition is not specified.
102 103 .RE
103 104
104 105 .sp
105 106 .ne 2
106 107 .na
107 108 \fB\fBterminate\fR\fR
108 109 .ad
109 110 .sp .6
110 111 .RS 4n
111 112 Disconnect the share if the map command fails.
112 113 .RE
113 114
114 115 .RE
115 116
116 117 .sp
117 118 .ne 2
118 119 .na
119 120 \fB\fBddns_enable\fR\fR
120 121 .ad
121 122 .sp .6
122 123 .RS 4n
123 124 Enables or disables dynamic DNS updates. A value of \fBtrue\fR enables dynamic
124 125 updates, while a value of \fBfalse\fR disables dynamic updates. By default, the
125 126 value is \fBfalse\fR.
126 127 .RE
127 128
128 129 .sp
129 130 .ne 2
130 131 .na
131 132 \fB\fBencrypt\fR\fR
132 133 .ad
133 134 .sp .6
134 135 .RS 4n
135 136 Controls SMB3 Encryption. For requests on a particular share, the server's
136 137 behavior is controlled by the stricter of this option and the per-share
137 138 "encrypt" option.
138 139 .sp
139 140 When set to \fBdisabled\fR, the server will not ask clients to encrypt requests.
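Review bot: The .TH line (new line 20) still reads "Apr 23, 2015" even though this revision adds a 2020 copyright line and documents a new property further down. Bump the date in .TH so the rendered page shows when the content last changed.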
140 141 When set to \fBenabled\fR, the server will ask clients to encrypt requests,
141 142 but will not require that they do so. Any message that can be encrypted
142 143 will be encrypted.
143 144 When set to \fBrequired\fR, the server will deny access to or disconnect
144 145 any client that does not support encryption or fails to encrypt requests
145 146 that they should.
146 147 .sp
147 148 In other words, the \fBenabled\fR behavior is that any message that CAN
148 149 be encrypted SHOULD be encrypted, while the \fBrequired\fR behavior is that any
149 150 message that CAN be encrypted MUST be encrypted.
151 +.RE
152 +
153 +.sp
154 +.ne 2
155 +.na
156 +\fB\fBencrypt_cipher\fR\fR
157 +.ad
158 +.sp .6
159 +.RS 4n
160 +Specifies SMB 3.1.1 Encryption Cipher. This property is only used when
161 +encryption is On (see \fBencrypt\fR property) and negotiated SMB dialect
162 +is 3.1.1 or higher (see \fBmax_protocol\fR property). Otherwise it is ignored.
163 +If the property is not set the default encryption algorith is AES-128-GCM.
164 +.sp
165 +The property can be set to one of these values:
166 +.sp
167 +.ne 2
168 +.na
169 +\fBaes128-ccm\fR
170 +.ad
171 +.RS 13n
172 +AES-128-CCM. This is the only cipher used for SMB 3.0.2 dialect. It is
173 +deprecated by AES-128-GCM cipher.
174 +.RE
175 +
176 +.sp
177 +.ne 2
178 +.na
179 +\fBaes128-gcm\fR
180 +.ad
181 +.RS 13n
182 +AES-128-GCM. This is default cipher for SMB 3.1.1 dialect.
183 +.RE
184 +
150 185 .RE
151 186
152 187 .sp
153 188 .ne 2
154 189 .na
155 190 \fB\fBipv6_enable\fR\fR
156 191 .ad
157 192 .sp .6
158 193 .RS 4n
159 194 Enables IPv6 Internet protocol support within the CIFS Service. Valid values
160 195 are \fBtrue\fR and \fBfalse\fR. The default value is \fBfalse\fR.
161 196 .RE
162 197
163 198 .sp
164 199 .ne 2
165 200 .na
166 201 \fB\fBkeep_alive\fR\fR
167 202 .ad
168 203 .sp .6
169 204 .RS 4n
170 205 Specifies the number of seconds before an idle SMB connection is dropped by the
171 206 Solaris CIFS server. If set to 0, idle connections are not dropped. Valid
172 207 values are 0 and from 20 seconds and above. The default value is 0.
173 208 .RE
174 209
175 210 .sp
176 211 .ne 2
177 212 .na
178 213 \fB\fBlmauth_level\fR\fR
179 214 .ad
180 215 .sp .6
181 216 .RS 4n
182 217 Specifies the LAN Manager (LM) authentication level. The LM compatibility level
183 218 controls the type of user authentication to use in workgroup mode or domain
184 219 mode. The default value is 3.
185 220 .sp
186 221 The following describes the behavior at each level.
187 222 .sp
188 223 .ne 2
189 224 .na
190 225 \fB2\fR
191 226 .ad
192 227 .RS 13n
193 228 In Windows workgroup mode, the Solaris CIFS server accepts LM, NTLM, LMv2, and
194 229 NTLMv2 requests. In domain mode, the SMB redirector on the Solaris CIFS server
195 230 sends NTLM requests.
196 231 .RE
197 232
198 233 .sp
199 234 .ne 2
200 235 .na
201 236 \fB3\fR
202 237 .ad
203 238 .RS 13n
204 239 In Windows workgroup mode, the Solaris CIFS server accepts LM, NTLM, LMv2, and
205 240 NTLMv2 requests. In domain mode, the SMB redirector on the Solaris CIFS server
206 241 sends LMv2 and NTLMv2 requests.
207 242 .RE
208 243
209 244 .sp
210 245 .ne 2
211 246 .na
212 247 \fB4\fR
213 248 .ad
214 249 .RS 13n
215 250 In Windows workgroup mode, the Solaris CIFS server accepts NTLM, LMv2, and
216 251 NTLMv2 requests. In domain mode, the SMB redirector on the Solaris CIFS server
217 252 sends LMv2 and NTLMv2 requests.
218 253 .RE
219 254
220 255 .sp
221 256 .ne 2
222 257 .na
223 258 \fB5\fR
224 259 .ad
225 260 .RS 13n
226 261 In Windows workgroup mode, the Solaris CIFS server accepts LMv2 and NTLMv2
227 262 requests. In domain mode, the SMB redirector on the Solaris CIFS server sends
228 263 LMv2 and NTLMv2 requests.
229 264 .RE
230 265
231 266 .RE
232 267
233 268 .sp
234 269 .ne 2
235 270 .na
236 271 \fB\fBmap\fR\fR
237 272 .ad
238 273 .sp .6
239 274 .RS 4n
240 275 The value is a command to be executed when connecting to the share. The command
241 276 can take the following arguments, which will be substituted when the command is
242 277 exec'd as described below:
243 278 .sp
244 279 .ne 2
245 280 .na
246 281 \fB\fB%U\fR\fR
247 282 .ad
248 283 .sp .6
249 284 .RS 4n
250 285 Windows username.
251 286 .RE
252 287
253 288 .sp
254 289 .ne 2
255 290 .na
256 291 \fB\fB%D\fR\fR
257 292 .ad
258 293 .sp .6
259 294 .RS 4n
260 295 Name of the domain or workgroup of \fB%U\fR.
261 296 .RE
262 297
263 298 .sp
264 299 .ne 2
265 300 .na
266 301 \fB\fB%h\fR\fR
267 302 .ad
268 303 .sp .6
269 304 .RS 4n
270 305 The server hostname.
271 306 .RE
272 307
273 308 .sp
274 309 .ne 2
275 310 .na
276 311 \fB\fB%M\fR\fR
277 312 .ad
278 313 .sp .6
279 314 .RS 4n
280 315 The client hostname, or \fB""\fR if not available.
281 316 .RE
282 317
283 318 .sp
284 319 .ne 2
285 320 .na
286 321 \fB\fB%L\fR\fR
287 322 .ad
288 323 .sp .6
289 324 .RS 4n
290 325 The server NetBIOS name.
291 326 .RE
292 327
293 328 .sp
294 329 .ne 2
295 330 .na
296 331 \fB\fB%m\fR\fR
297 332 .ad
298 333 .sp .6
299 334 .RS 4n
300 335 The client NetBIOS name, or \fB""\fR if not available. This option is only
301 336 valid for NetBIOS connections (port 139).
302 337 .RE
303 338
304 339 .sp
305 340 .ne 2
306 341 .na
307 342 \fB\fB%I\fR\fR
308 343 .ad
309 344 .sp .6
310 345 .RS 4n
311 346 The IP address of the client machine.
312 347 .RE
313 348
314 349 .sp
315 350 .ne 2
316 351 .na
317 352 \fB\fB%i\fR\fR
318 353 .ad
319 354 .sp .6
320 355 .RS 4n
321 356 The local IP address to which the client is connected.
322 357 .RE
323 358
324 359 .sp
325 360 .ne 2
326 361 .na
327 362 \fB\fB%S\fR\fR
328 363 .ad
329 364 .sp .6
330 365 .RS 4n
331 366 The name of the share.
332 367 .RE
333 368
334 369 .sp
335 370 .ne 2
336 371 .na
337 372 \fB\fB%P\fR\fR
338 373 .ad
339 374 .sp .6
340 375 .RS 4n
341 376 The root directory of the share.
342 377 .RE
343 378
344 379 .sp
345 380 .ne 2
346 381 .na
347 382 \fB\fB%u\fR\fR
348 383 .ad
349 384 .sp .6
350 385 .RS 4n
351 386 The UID of the Unix user.
352 387 .RE
353 388
354 389 .RE
355 390
356 391 .sp
357 392 .ne 2
358 393 .na
359 394 \fB\fBmax_protocol\fR\fR
360 395 .ad
361 396 .sp .6
362 397 .RS 4n
363 398 Specifies the maximum SMB protocol level that the SMB service
364 399 should allow clients to negotiate. The default value is \fB2.1\fR.
365 400 Valid settings include: \fB1\fR, \fB2.1\fR, \fB3.0\fR
366 401 .RE
367 402
368 403 .sp
369 404 .ne 2
370 405 .na
371 406 \fB\fBmin_protocol\fR\fR
372 407 .ad
373 408 .sp .6
374 409 .RS 4n
375 410 Specifies the minimum SMB protocol level that the SMB service
376 411 should allow clients to negotiate. The default value is \fB1\fR.
377 412 Valid settings include: \fB1\fR, \fB2.1\fR, \fB3.0\fR
378 413 .RE
379 414
380 415 .sp
381 416 .ne 2
382 417 .na
383 418 \fB\fBmax_workers\fR\fR
384 419 .ad
385 420 .sp .6
386 421 .RS 4n
387 422 Specifies the maximum number of worker threads that will be launched to process
388 423 incoming CIFS requests. The SMB \fBmax_mpx\fR value, which indicates to a
389 424 client the maximum number of outstanding SMB requests that it may have pending
390 425 on the server, is derived from the \fBmax_workers\fR value. To ensure
391 426 compatibility with older versions of Windows the lower 8-bits of \fBmax_mpx\fR
392 427 must not be zero. If the lower byte of \fBmax_workers\fR is zero, \fB64\fR is
393 428 added to the value. Thus the minimum value is \fB64\fR and the default value,
394 429 which appears in \fBsharectl\fR(1M) as \fB1024\fR, is \fB1088\fR.
395 430 .RE
396 431
397 432 .sp
398 433 .ne 2
399 434 .na
400 435 \fB\fBnetbios_scope\fR\fR
401 436 .ad
402 437 .sp .6
403 438 .RS 4n
404 439 Specifies the NetBIOS scope identifier, which identifies logical NetBIOS
405 440 networks that are on the same physical network. When you specify a NetBIOS
406 441 scope identifier, the server filters the number of machines that are listed in
407 442 the browser display to make it easier to find other hosts. The value is a text
408 443 string that represents a domain name. By default, no value is set.
409 444 .RE
410 445
411 446 .sp
412 447 .ne 2
413 448 .na
414 449 \fB\fBoplock_enable\fR\fR
415 450 .ad
416 451 .sp .6
417 452 .RS 4n
418 453 Controls whether "oplocks" may be granted by the SMB server.
419 454 The term "oplock" is short for "opportunistic lock", which is
420 455 the legacy name for cache delegations in SMB.
421 456 By default, oplocks are enabled.
422 457 Note that if oplocks are disabled, file I/O perfrormance may be
423 458 severely reduced.
424 459 .RE
425 460
426 461 .sp
427 462 .ne 2
428 463 .na
429 464 \fB\fBpdc\fR\fR
430 465 .ad
431 466 .sp .6
432 467 .RS 4n
433 468 Specifies the preferred IP address for the domain controller. This property is
434 469 sometimes used when there are multiple domain controllers to indicate which one
435 470 is preferred. If the specified domain controller responds, it is chosen even if
436 471 the other domain controllers are also available. By default, no value is set.
437 472 .RE
438 473
439 474 .sp
440 475 .ne 2
441 476 .na
442 477 \fB\fBrestrict_anonymous\fR\fR
443 478 .ad
444 479 .sp .6
445 480 .RS 4n
446 481 Disables anonymous access to IPC$, which requires that the client be
447 482 authenticated to get access to MSRPC services through IPC$. A value of
448 483 \fBtrue\fR disables anonymous access to IPC$, while a value of \fBfalse\fR
449 484 enables anonymous access.
450 485 .RE
451 486
452 487 .sp
453 488 .ne 2
454 489 .na
455 490 \fB\fBsigning_enabled\fR\fR
456 491 .ad
457 492 .sp .6
458 493 .RS 4n
459 494 Enables SMB signing. When signing is enabled but not required it is possible
460 495 for clients to connect regardless of whether or not the client supports SMB
461 496 signing. If a packet has been signed, the signature will be verified. If a
462 497 packet has not been signed it will be accepted without signature verification.
463 498 Valid values are \fBtrue\fR and \fBfalse\fR. The default value is \fBfalse\fR.
464 499 .RE
465 500
466 501 .sp
467 502 .ne 2
468 503 .na
469 504 \fB\fBsigning_required\fR\fR
470 505 .ad
471 506 .sp .6
472 507 .RS 4n
473 508 When SMB signing is required, all packets must be signed or they will be
474 509 rejected, and clients that do not support signing will be unable to connect to
475 510 the server. The \fBsigning_required\fR setting is only taken into account when
476 511 \fBsigning_enabled\fR is \fBtrue\fR. Valid values are \fBtrue\fR and
477 512 \fBfalse\fR. The default value is \fBfalse\fR.
478 513 .RE
479 514
480 515 .sp
481 516 .ne 2
482 517 .na
483 518 \fB\fBsystem_comment\fR\fR
484 519 .ad
485 520 .sp .6
486 521 .RS 4n
487 522 Specifies an optional description for the system, which is a text string. This
488 523 property value might appear in various places, such as Network Neighborhood or
489 524 Network Places on Windows clients. By default, no value is set.
490 525 .RE
491 526
492 527 .sp
493 528 .ne 2
494 529 .na
495 530 \fB\fBtraverse_mounts\fR\fR
496 531 .ad
497 532 .sp .6
498 533 .RS 4n
499 534 The \fBtraverse_mounts\fR setting determines how the SMB server
500 535 presents sub-mounts underneath an SMB share. When \fBtraverse_mounts\fR
501 536 is \fBtrue\fR (the default), sub-mounts are presented to SMB clients
502 537 like any other subdirectory. When \fBtraverse_mounts\fR is \fBfalse\fR,
503 538 sub-mounts are not shown to SMB clients.
504 539 .RE
505 540
506 541 .sp
507 542 .ne 2
508 543 .na
509 544 \fB\fBunmap\fR\fR
510 545 .ad
511 546 .sp .6
512 547 .RS 4n
513 548 The value is a command to be executed when disconnecting the share. The command
514 549 can take the same substitutions listed on the \fBmap\fR property.
515 550 .RE
516 551
517 552 .sp
518 553 .ne 2
519 554 .na
520 555 \fB\fBwins_exclude\fR\fR
521 556 .ad
522 557 .sp .6
523 558 .RS 4n
524 559 Specifies a comma-separated list of network interfaces that should not be
525 560 registered with WINS. NetBIOS host announcements are made on excluded
526 561 interfaces.
527 562 .RE
528 563
529 564 .sp
530 565 .ne 2
531 566 .na
532 567 \fB\fBwins_server_1\fR\fR
533 568 .ad
534 569 .sp .6
535 570 .RS 4n
536 571 Specifies the IP address of the primary WINS server. By default, no value is
537 572 set.
538 573 .RE
539 574
540 575 .sp
541 576 .ne 2
542 577 .na
543 578 \fB\fBwins_server_2\fR\fR
544 579 .ad
545 580 .sp .6
546 581 .RS 4n
547 582 Specifies the IP address of the secondary WINS server. By default, no value is
548 583 set.
549 584 .RE
550 585
551 586 .SH ATTRIBUTES
552 587 .LP
553 588 See the \fBattributes\fR(5) man page for descriptions of the following
554 589 attributes:
555 590 .sp
556 591
557 592 .sp
558 593 .TS
559 594 box;
560 595 c | c
561 596 l | l .
562 597 ATTRIBUTE TYPE ATTRIBUTE VALUE
563 598 _
564 599 Interface Stability Uncommitted
565 600 .TE
566 601
567 602 .SH SEE ALSO
568 603 .LP
569 604 \fBsharectl\fR(1M), \fBsmbadm\fR(1M), \fBsmbd\fR(1M), \fBsmbstat\fR(1M),
570 605 \fBattributes\fR(5), \fBsmf\fR(5)
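Review bot: The new encrypt_cipher entry (new lines 160-162) says the property is used only when the negotiated dialect is 3.1.1 or higher and points to max_protocol, but the max_protocol and min_protocol entries (new lines 398-400 and 410-412) are unchanged and still list 1, 2.1, 3.0 as valid settings with a default maximum of 2.1. Add 3.1.1 to those lists, otherwise the page does not tell an administrator how to select the dialect that makes this cipher setting take effect. The aes128-ccm text also refers to the 3.0.2 dialect, which is not in those lists. In the same entry, "encryption is On" does not match the documented encrypt values (disabled, enabled, required); name the values that activate the cipher choice. New line 163 has a typo ("algorith"), and "This is default cipher" on new line 182 is missing an article.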