vserver cifs security show
Display CIFS security settings
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The vserver cifs security show command displays information about CIFS server security settings.
Parameters
{ [-fields <fieldname>,…]
If you specify the -fields parameter, the command only displays the fields that you specify.
| [-instance ] }
If you specify the -instance parameter, the command displays detailed information about all fields.
[-vserver <vserver name>]
- Vserver-
This parameter specifies the name of the Vserver whose CIFS security settings you want to display.
[-kerberos-clock-skew <integer>]
- Maximum Allowed Kerberos Clock Skew-
If this parameter is specified, the command displays information only about the security settings that match the specified Kerberos ticket clock skew.
[-kerberos-ticket-age <integer>]
- Kerberos Ticket Lifetime-
If this parameter is specified, the command displays information only about the security settings that match the specified Kerberos ticket age.
[-kerberos-renew-age <integer>]
- Maximum Kerberos Ticket Renewal Days-
If this parameter is specified, the command displays information only about the security settings that match the specified Kerberos renewal age.
[-kerberos-kdc-timeout <integer>]
- Timeout for Kerberos KDC Connections (Secs)-
If this parameter is specified, the command displays information only about the security settings that match the specified Kerberos KDC timeout.
[-realm <text>]
- Kerberos Realm-
If this parameter is specified, the command displays information only about the security settings that match the specified Kerberos realm.
[-kdc-ip <text>,…]
- KDC IP Address-
If this parameter is specified, the command displays information only about the security settings that match the specified KDC IP address.
[-kdc-name <text>,…]
- KDC Name-
If this parameter is specified, the command displays information only about the security settings that match the specified KDC name.
[-site <text>,…]
- KDC Site-
If this parameter is specified, the command displays information only about the security settings that match the specified Windows site.
[-is-signing-required {true|false}]
- Require Signing for Incoming CIFS Traffic-
This parameter specifies whether signing is required for incoming CIFS traffic. If this parameter is specified, the command displays information only about the security settings that match the specified value for is-signing-required.
[-is-password-complexity-required {true|false}]
- Require Password Complexity for Local User Accounts-
If this parameter is set to true, the command displays CIFS security configuration information only for CIFS servers where password complexity for local user accounts is required. If set to false, the command displays security configuration information for CIFS servers where password complexity for local user accounts is not required.
[-use-start-tls-for-ad-ldap {true|false}]
- Use start_tls for AD LDAP Connections-
If this parameter is set to true, the command displays CIFS security configuration information only for CIFS servers where Start TLS is used for communication with the AD LDAP Server. If set to false, the command displays CIFS security configuration information only for CIFS servers where Start TLS is not used for communication with the AD LDAP Server.
[-is-aes-encryption-enabled {true|false}]
- Is AES-128 and AES-256 Encryption for Kerberos Enabled-
If this parameter is set to true, the command displays CIFS security configuration information only for CIFS servers where AES-128 and AES-256 encryption types for Kerberos are enabled. If set to false, the command displays security configuration information for CIFS servers where AES-128 and AES-256 encryption types for Kerberos are disabled.
[-lm-compatibility-level {lm-ntlm-ntlmv2-krb|ntlm-ntlmv2-krb|ntlmv2-krb|krb}]
- LM Compatibility Level-
If this parameter is specified, the command displays information only about the security settings that match the specified LM compatibility level.
[-is-smb-encryption-required {true|false}]
- Require SMB Encryption for Incoming CIFS Traffic-
If this parameter is set to true, the command displays CIFS security configuration information only for CIFS servers where SMB encryption is required. If set to false, the command displays security configuration information for CIFS servers where SMB encryption is not required.
[-session-security-for-ad-ldap {none|sign|seal}]
- Client Session Security-
If this parameter is set to seal, the command displays CIFS security configuration information only for CIFS servers where both signing and sealing are required for LDAP communications. If set to sign, the command displays security configuration information for CIFS servers where only signing is required for LDAP communications. If set to none, the command displays security configuration information for CIFS servers where no security is required for LDAP communications.
[-smb1-enabled-for-dc-connections {false|true|system-default}]
- (DEPRECATED)-SMB1 Enabled for DC Connections-
If this parameter is set to true, the command displays CIFS security configuration information only for CIFS servers where SMB1 is enabled for use with connections to domain controllers. If set to false, the command displays security configuration information for CIFS servers where SMB1 is not enabled for use with connections to domain controllers. If set to system-default, the command displays security configuration information for CIFS servers where the system-default setting (SMB1 enabled) is used for connections to domain controllers. This parameter is deprecated because the SMB1 protocol is obsolete and considered insecure. It might be removed in a future release.
[-smb2-enabled-for-dc-connections {false|true|system-default}]
- SMB2 Enabled for DC Connections-
If this parameter is set to true, the command displays CIFS security configuration information only for CIFS servers where SMB2 is enabled for use with connections to domain controllers. If set to false, the command displays security configuration information for CIFS servers where SMB2 is not enabled for use with connections to domain controllers. If set to system-default, the command displays security configuration information for CIFS servers where the system-default setting (SMB2 enabled) is used for connections to domain controllers.
[-referral-enabled-for-ad-ldap {true|false}]
- LDAP Referral Chasing Enabled For AD LDAP Connections-
If this parameter is set to true, the command displays CIFS security configuration information only for CIFS servers where LDAP referral is enabled for AD LDAP connections. If set to false, the command displays security configuration information for CIFS servers where LDAP referral is not enabled for AD LDAP connections.
[-use-ldaps-for-ad-ldap {true|false}]
- Use LDAPS for Secure Active Directory LDAP Connections-
If this parameter is set to true, the command displays CIFS security configuration information only for CIFS servers where LDAPS is used for communication with the AD LDAP Server. If set to false, the command displays CIFS security configuration information only for CIFS servers where LDAPS is not used for communication with the AD LDAP Server.
[-encryption-required-for-dc-connections {true|false}]
- Encryption is required for DC Connection-
If this parameter is set to true, the command displays CIFS security configuration information only for CIFS servers where encryption is required for use with connections to domain controllers. If set to false, the command displays security configuration information for CIFS servers where encryption is not required for use with connections to domain controllers.
[-aes-enabled-for-netlogon-channel {true|false}]
- AES session key enabled for NetLogon channel-
If this parameter is set to true, the command displays CIFS security configuration information only for CIFS servers where AES session key is used for Netlogon secure channel. If set to false, the command displays CIFS security configuration information only for CIFS servers where AES session key is not used for Netlogon secure channel.
[-try-channel-binding-for-ad-ldap {true|false}]
- Try Channel Binding For AD LDAP Connections-
If this parameter is set to true, the command displays CIFS security configuration information only for CIFS servers where channel binding is tried for AD LDAP connections. If set to false, the command displays CIFS security configuration information only for CIFS servers where channel binding is not tried for AD LDAP connections.
Examples
The following example displays CIFS server security settings.
cluster1::> vserver cifs security show

Vserver: vs1

    Kerberos Clock Skew: 3 minutes
    Kerberos Ticket Age: 8 hours
    Kerberos Renewal Age: 7 days
    Kerberos KDC Timeout: 3 seconds
    Is Signing Required: true
    Is Password Complexity Required: true
    Use start_tls For AD LDAP connection: false
    Is AES Encryption Enabled: false
    LM Compatibility Level: krb
    Is SMB Encryption Required: false
    Client Session Security: none
    SMB1 Enabled For DC Connections: system-default
    SMB2 Enabled For DC Connections: system-default
    LDAP Referral Chasing Enabled For AD LDAP Connections: false
    Use LDAPS for AD LDAP Connections: true
    Encryption required For DC Connections: false
    AES session key enabled for NetLogon channel: false
    Try Channel Binding For AD LDAP Connections: true
The following example displays the Kerberos clock skew for all Vservers.
cluster1::> vserver cifs security show -fields kerberos-clock-skew
vserver kerberos-clock-skew
------- -------------------
vs1     5
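
The following added example (not part of the original command reference) parses output in the format of the first example above and reports each setting that misses a hardening baseline. The BASELINE table, the function names, and the sample text are assumptions of this example; the field labels and values are the ones shown on this page.

```python
# Added example: check `vserver cifs security show` output against an assumed
# hardening baseline (BASELINE is this example's policy, not the vendor's).
# Constructed sample using field labels from the page's first example.
SAMPLE = """\
Vserver: vs1
                    Is Signing Required: true
              Is AES Encryption Enabled: false
                 LM Compatibility Level: krb
             Is SMB Encryption Required: false
        SMB1 Enabled For DC Connections: system-default
AES session key enabled for NetLogon channel: false
"""

# Field label -> values the assumed baseline accepts.
BASELINE = {
    "Is Signing Required": {"true"},
    "Is AES Encryption Enabled": {"true"},
    "LM Compatibility Level": {"krb", "ntlmv2-krb"},
    "Is SMB Encryption Required": {"true"},
    # system-default means SMB1 enabled, so only an explicit false passes.
    "SMB1 Enabled For DC Connections": {"false"},
    "AES session key enabled for NetLogon channel": {"true"},
}

def parse_show(text):
    """Split 'Label: value' lines into {vserver: {label: value}}."""
    result, current = {}, None
    for line in text.splitlines():
        label, sep, value = line.strip().partition(": ")
        if not sep:
            continue  # prompt line, blank line, or anything without a value
        if label == "Vserver":
            current = result.setdefault(value.strip(), {})
        elif current is not None:
            current[label] = value.strip()
    return result

def audit(text, baseline=BASELINE):
    """Return sorted (vserver, label, value) tuples that miss the baseline."""
    findings = []
    for vserver, fields in parse_show(text).items():
        for label, accepted in baseline.items():
            value = fields.get(label, "<missing>")
            if value not in accepted:
                findings.append((vserver, label, value))
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A field that is absent from the output is reported with the value <missing>, so truncated output is not mistaken for a compliant configuration.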