Skip to main content

Display information about SMB server security settings

Contributors netapp-ahibbard netapp-forry netapp-thomi
PDFs

You can display information about SMB server security settings on your storage virtual machines (SVMs). You can use this information to verify that the security settings are correct.

About this task

A displayed security setting can be the default value for that object or a non-default value that is configured either by using the ONTAP CLI or by using Active Directory group policy objects (GPOs).

Do not use the vserver cifs security show command for SMB servers in workgroup mode, because some of the options are not valid.

Step

  1. Perform one of the following actions:

    If you want display information about…​ Enter the command…​

    All security settings on a specified SVM

    vserver cifs security show -vserver vserver_name

    A specific security setting or settings on the SVM

    vserver cifs security show -vserver _vserver_name_ -fields [fieldname,...] You can enter -fields ? to determine what fields you can use.
Example

The following example shows all security settings for SVM vs1:

cluster1::> vserver cifs security show -vserver vs1

Vserver: vs1

                          Kerberos Clock Skew:        5 minutes
                          Kerberos Ticket Age:        10 hours
                         Kerberos Renewal Age:        7 days
                         Kerberos KDC Timeout:        3 seconds
                          Is Signing Required:        false
              Is Password Complexity Required:        true
         Use start_tls For AD LDAP connection:        false
                    Is AES Encryption Enabled:        false
                       LM Compatibility Level:        lm-ntlm-ntlmv2-krb
                   Is SMB Encryption Required:        false
                      Client Session Security:        none
              SMB1 Enabled for DC Connections:        false
              SMB2 Enabled for DC Connections:        system-default
LDAP Referral Enabled For AD LDAP connections:        false
             Use LDAPS for AD LDAP connection:        false
    Encryption is required for DC Connections:        false
 AES session key enabled for NetLogon channel:        false
  Try Channel Binding For AD LDAP Connections:        false

Note that the settings displayed depend on the running ONTAP version.

The following example shows the Kerberos clock skew for SVM vs1:

cluster1::> vserver cifs security show -vserver vs1 -fields kerberos-clock-skew

            vserver kerberos-clock-skew
            ------- -------------------
            vs1     5
Related information

Displaying information about GPO configurations