vserver cifs security modify

Modify CIFS security settings

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The vserver cifs security modify command modifies CIFS server security settings.

Parameters

-vserver <vserver name> - Vserver

This parameter specifies the name of the Vserver whose CIFS security settings you want to modify.

[-kerberos-clock-skew <integer>] - Maximum Allowed Kerberos Clock Skew

This parameter specifies the maximum allowed Kerberos ticket clock skew in minutes. The default is 5 minutes.

[-kerberos-ticket-age <integer>] - Kerberos Ticket Lifetime

This parameter specifies the Kerberos ticket lifetime in hours. The default is 10 hours.

[-kerberos-renew-age <integer>] - Maximum Kerberos Ticket Renewal Days

This parameter specifies the maximum Kerberos ticket renewal lifetime in days. The default is 7 days.

[-kerberos-kdc-timeout <integer>] - Timeout for Kerberos KDC Connections (Secs)

This parameter specifies the timeout for sockets on KDCs after which all KDCs are marked as unreachable. The default is 3 seconds.

[-is-signing-required {true|false}] - Require Signing for Incoming CIFS Traffic

This parameter specifies whether signing is required for incoming CIFS traffic. The default is false.

[-is-password-complexity-required {true|false}] - Require Password Complexity for Local User Accounts

This parameter specifies whether password complexity is required for CIFS local users. If this parameter is set to true, password complexity is required. If the value is set to false, password complexity is not required. The default is true for CIFS servers.

[-use-start-tls-for-ad-ldap {true|false}] - Use start_tls for AD LDAP Connections

This parameter specifies whether to use Start TLS over AD LDAP connections. When enabled, the communication between the Data ONTAP LDAP Client and the LDAP Server will be encrypted using Start TLS. Start TLS is a mechanism to provide secure communication by using the TLS/SSL protocols. If you do not specify this parameter, the default is false.

[-is-aes-encryption-enabled {true|false}] - Is AES-128 and AES-256 Encryption for Kerberos Enabled

This parameter specifies whether to use Kerberos AES-128 and AES-256 encryption types for authentication. When enabled and depending on negotiation with the KDC service, it is possible for authentication operations to utilize these encryption types. If you do not specify this parameter, the default is false.

[-lm-compatibility-level {lm-ntlm-ntlmv2-krb|ntlm-ntlmv2-krb|ntlmv2-krb|krb}] - LM Compatibility Level

This parameter specifies the LM compatibility level. The default is lm-ntlm-ntlmv2-krb (LM, NTLM, NTLMv2 and Kerberos).

[-is-smb-encryption-required {true|false}] - Require SMB Encryption for Incoming CIFS Traffic

This parameter specifies whether SMB encryption is required when accessing shares in the Vserver. When enabled and depending on negotiation during session setup, it is possible that data transfers between the client and the server are made secure by encrypting the SMB traffic. If you do not specify this parameter, the default is false.

[-session-security-for-ad-ldap {none|sign|seal}] - Client Session Security

This parameter specifies the level of security to be used for LDAP communications. If you do not specify this parameter, the default is none.

LDAP Client Session Security can be one of the following:

  • none - No Signing or Sealing.

  • sign - Sign LDAP traffic.

  • seal - Seal and Sign LDAP traffic.

[-smb1-enabled-for-dc-connections {false|true|system-default}] - SMB1 Enabled for DC Connections

This parameter specifies whether SMB1 is enabled for use with connections to domain controllers. If you do not specify this parameter, the default is system-default.

SMB1 Enabled For DC Connections can be one of the following:

  • false - SMB1 is not enabled.

  • true - SMB1 is enabled.

  • system-default - This sets the option to whatever is the default for the release of Data ONTAP that is running. For this release it is: SMB1 is enabled.

[-smb2-enabled-for-dc-connections {false|true|system-default}] - SMB2 Enabled for DC Connections

This parameter specifies whether SMB2 is enabled for use with connections to domain controllers. If you do not specify this parameter, the default is system-default.

SMB2 Enabled For DC Connections can be one of the following:

  • false - SMB2 is not enabled.

  • true - SMB2 is enabled.

  • system-default - This sets the option to whatever is the default for the release of Data ONTAP that is running. For this release it is: SMB2 is enabled.

Examples

The following example sets the Kerberos clock skew to 3 minutes and the Kerberos ticket lifetime to 8 hours, and makes signing required, for Vserver "vs1".

cluster1::> vserver cifs security modify -vserver vs1 -kerberos-clock-skew 3 -kerberos-ticket-age 8 -is-signing-required true
cluster1::> vserver cifs security show
                                Vserver: vs1
                    Kerberos Clock Skew:               3 minutes
                    Kerberos Ticket Age:               8 hours
                   Kerberos Renewal Age:               7 days
                   Kerberos KDC Timeout:               3 seconds
                    Is Signing Required:            true
        Is Password Complexity Required:            true
   Use start_tls For AD LDAP connection:           false
              Is AES Encryption Enabled:           false
                 LM Compatibility Level:             krb
             Is SMB Encryption Required:           false
                Client Session Security:            none
        SMB1 Enabled For DC Connections:  system-default
        SMB2 Enabled For DC Connections:  system-default
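
The following Python script is an added example, not part of the ONTAP documentation. It parses "vserver cifs security show" output like the listing above and reports settings that miss an example hardening baseline. The baseline values and the function names parse_show and audit are assumptions; the sample input is a constructed subset of the output above.

```python
import re

# Constructed sample: a subset of the `vserver cifs security show` output above.
SAMPLE = """\
cluster1::> vserver cifs security show
                                Vserver: vs1
                    Kerberos Clock Skew:               3 minutes
                    Is Signing Required:            true
   Use start_tls For AD LDAP connection:           false
              Is AES Encryption Enabled:           false
                 LM Compatibility Level:             krb
             Is SMB Encryption Required:           false
                Client Session Security:            none
        SMB1 Enabled For DC Connections:  system-default
"""

# A setting line is "Label: value"; the prompt line ("cluster1::> ...") does not match.
LINE = re.compile(r"^\s*([A-Za-z0-9_ ]+):\s+(\S.*?)\s*$")

def parse_show(text):
    """Return {label: value} for every 'Label: value' line; prompt lines are skipped."""
    return {m.group(1).strip(): m.group(2)
            for m in map(LINE.match, text.splitlines()) if m}

# Example baseline (an assumption, adjust to local policy): label, acceptable values, finding.
BASELINE = [
    ("Is Signing Required", {"true"}, "SMB signing is not required"),
    ("Is SMB Encryption Required", {"true"}, "SMB encryption is not required"),
    ("Is AES Encryption Enabled", {"true"}, "Kerberos AES-128/AES-256 is not enabled"),
    ("LM Compatibility Level", {"ntlmv2-krb", "krb"}, "LM or NTLM is still accepted"),
    # Per the parameter description, system-default means SMB1 is enabled on this release.
    ("SMB1 Enabled For DC Connections", {"false"}, "SMB1 is allowed for DC connections"),
]

def audit(settings):
    """Return a list of findings for settings that miss the baseline."""
    findings = [f"{label}: {msg} (value: {settings.get(label, 'missing')})"
                for label, ok, msg in BASELINE if settings.get(label) not in ok]
    # AD LDAP needs at least one protection: Start TLS, or signing/sealing.
    tls = settings.get("Use start_tls For AD LDAP connection") == "true"
    session = settings.get("Client Session Security") in {"sign", "seal"}
    if not (tls or session):
        findings.append("AD LDAP: neither Start TLS nor sign/seal is configured")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_show(SAMPLE)):
        print("FINDING", finding)
```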