vserver cifs security modify
Modify CIFS security settings
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The vserver cifs security modify command modifies CIFS server security settings.
Parameters
-vserver <vserver name>
- Vserver -
This parameter specifies the name of the Vserver whose CIFS security settings you want to modify.
[-kerberos-clock-skew <integer>]
- Maximum Allowed Kerberos Clock Skew -
This parameter specifies the maximum allowed Kerberos ticket clock skew in minutes. The default setting is 5 minutes.
[-kerberos-ticket-age <integer>]
- Kerberos Ticket Lifetime -
This parameter specifies the Kerberos ticket lifetime in hours. The default setting is 10 hours.
[-kerberos-renew-age <integer>]
- Maximum Kerberos Ticket Renewal Days -
This parameter specifies the maximum Kerberos ticket renewal lifetime in days. The default setting is 7 days.
[-kerberos-kdc-timeout <integer>]
- Timeout for Kerberos KDC Connections (Secs) -
This parameter specifies the socket timeout for KDC connections, in seconds, after which all KDCs are marked as unreachable. The default setting is 3 seconds.
[-is-signing-required {true|false}]
- Require Signing for Incoming CIFS Traffic -
This parameter specifies whether signing is required for incoming CIFS traffic. The default setting is false. Signing lets the client and server detect tampering with SMB messages in transit and blocks SMB relay against this server; clients that cannot sign are refused once it is required.
[-is-password-complexity-required {true|false}]
- Require Password Complexity for Local User Accounts -
This parameter specifies whether password complexity is required for CIFS local users. If this parameter is set to true, password complexity is required. If the value is set to false, password complexity is not required. The default setting is true for CIFS servers.
[-use-start-tls-for-ad-ldap {true|false}]
- Use start_tls for AD LDAP Connections -
This parameter specifies whether to use Start TLS over AD LDAP connections. When enabled, the communication between the ONTAP LDAP client and the LDAP server is encrypted using Start TLS, which upgrades the plaintext LDAP connection on port 389 to TLS. The default setting is false. Ensure that the right certificates are installed for the CIFS home domain and trusted domains so that ONTAP can validate the domain controllers' certificates.
[-is-aes-encryption-enabled {true|false}]
- (DEPRECATED) Is AES-128 and AES-256 Encryption for Kerberos Enabled -
This parameter specifies whether to use the Kerberos AES-128 and AES-256 encryption types for authentication. When enabled, and depending on negotiation with the KDC service, authentication operations can use these encryption types. The default setting is true. This parameter is deprecated and might be removed in a future release; -advertised-enc-types, described below, selects which encryption types are offered to the KDC.
[-lm-compatibility-level {lm-ntlm-ntlmv2-krb|ntlm-ntlmv2-krb|ntlmv2-krb|krb}]
- LM Compatibility Level -
This parameter specifies the LM compatibility level, that is, the weakest authentication protocol the CIFS server still accepts. The default setting is lm-ntlm-ntlmv2-krb (LM, NTLM, NTLMv2 and Kerberos). LM and NTLM responses are weak; raising the level to ntlmv2-krb or krb rejects them, so check that no client or application still depends on them before changing it.
[-is-smb-encryption-required {true|false}]
- Require SMB Encryption for Incoming CIFS Traffic -
This parameter specifies whether SMB encryption is required when accessing shares in the Vserver. When enabled, and depending on negotiation during session setup, data transfers between the client and the server are protected by encrypting the SMB traffic; clients that cannot negotiate encryption are denied access. The default setting is false.
[-session-security-for-ad-ldap {none|sign|seal}]
- Client Session Security -
This parameter specifies the level of security to be used for LDAP communications. The default setting is none. LDAP client session security can be one of the following:
- none - No signing or sealing.
- sign - Sign LDAP traffic.
- seal - Seal and sign LDAP traffic.
[-smb1-enabled-for-dc-connections {false|true|system-default}]
- (DEPRECATED) SMB1 Enabled for DC Connections -
This parameter specifies whether SMB1 is enabled for use with connections to domain controllers. The default setting is system-default. SMB1 Enabled For DC Connections can be one of the following:
- false - SMB1 is not enabled.
- true - SMB1 is enabled.
- system-default - This sets the option to whatever is the default for the release of ONTAP that is running. For this release it is: SMB1 is enabled.
This parameter is deprecated because the SMB1 protocol is obsolete and considered not secure. It might be removed in a future release. Because system-default still enables SMB1 on this release, set the parameter to false explicitly to keep SMB1 out of domain controller connections.
[-smb2-enabled-for-dc-connections {false|true|system-default}]
- SMB2 Enabled for DC Connections -
This parameter specifies whether SMB2 is enabled for use with connections to domain controllers. The default setting is system-default. SMB2 Enabled For DC Connections can be one of the following:
- false - SMB2 is not enabled.
- true - SMB2 is enabled.
- system-default - This sets the option to whatever is the default for the release of ONTAP that is running. For this release it is: SMB2 is enabled.
[-referral-enabled-for-ad-ldap {true|false}]
- LDAP Referral Chasing Enabled For AD LDAP Connections -
This parameter specifies whether LDAP referral chasing is enabled for AD LDAP connections. The default setting is false.
[-use-ldaps-for-ad-ldap {true|false}]
- Use LDAPS for Secure Active Directory LDAP Connections -
This parameter specifies whether to use LDAPS over AD LDAP connections. When enabled, the communication between the ONTAP LDAP client and the LDAP server is encrypted using LDAPS, that is, LDAP wrapped in TLS/SSL on port 636. The default setting is false. Ensure that the right certificates are installed for the CIFS home domain and trusted domains so that ONTAP can validate the domain controllers' certificates.
[-encryption-required-for-dc-connections {true|false}]
- Encryption is required for DC Connection -
This parameter specifies whether encryption is required for use with connections to domain controllers. The default setting is false. Encryption required For DC Connections can be one of the following:
- false - Encryption is not required.
- true - Encryption is required.
[-aes-enabled-for-netlogon-channel {true|false}]
- AES session key enabled for NetLogon channel -
This parameter specifies whether an AES session key is negotiated as part of the NetLogon secure channel establishment. The default setting is true. Disabling it falls back to the weaker RC4-based session key, so leave it enabled unless a domain controller cannot negotiate AES.
[-try-channel-binding-for-ad-ldap {true|false}]
- Try Channel Binding For AD LDAP Connections -
This parameter specifies whether channel binding will be tried for AD LDAP connections. The default setting is true. Channel binding will be tried only if -use-start-tls-for-ad-ldap or -use-ldaps-for-ad-ldap is enabled along with -session-security-for-ad-ldap set to either sign or seal. Channel binding ties the LDAP authentication to the TLS session, which is what domain controllers that enforce LDAP channel binding expect.
[-advertised-enc-types <CIFS Kerberos Encryption Type>,…]
- Encryption Types Advertised to Kerberos -
This parameter specifies the encryption types advertised to Kerberos. The default setting is aes-256, aes-128, rc4, des. DES and RC4 are weak; remove them so that a KDC cannot negotiate them, after confirming that the CIFS server's computer account and the domain allow AES.
Examples
The following example makes the following changes: the Kerberos clock skew is set to 3 minutes, the Kerberos ticket lifetime to 8 hours, and signing is made required for Vserver "vs1".
cluster1::> vserver cifs security modify -vserver vs1 -kerberos-clock-skew 3 -kerberos-ticket-age 8 -is-signing-required true
cluster1::> vserver cifs security show
Vserver: vs1
Kerberos Clock Skew: 3 minutes
Kerberos Ticket Age: 8 hours
Kerberos Renewal Age: 7 days
Kerberos KDC Timeout: 3 seconds
Is Signing Required: true
Is Password Complexity Required: true
Use start_tls For AD LDAP connection: false
Is AES Encryption Enabled: true
LM Compatibility Level: krb
Is SMB Encryption Required: false
Client Session Security: none
SMB1 Enabled For DC Connections: system-default
SMB2 Enabled For DC Connections: system-default
LDAP Referral Chasing Enabled For AD LDAP Connections: false
Use LDAPS for AD LDAP Connections: true
Encryption required For DC Connections: false
AES enabled for Netlogon channel: false
Try Channel Binding For AD LDAP Connections: true
Encryption Types Advertised to Kerberos: aes-256, aes-128, des, rc4
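As an added example, not part of the NetApp page and not NetApp code, the following Python script audits the output of vserver cifs security show, copied from the example above, against a hardening baseline and builds the single vserver cifs security modify command that corrects every weak setting it finds. It assumes the field labels exactly as printed in that example; the baseline values (signing and SMB encryption required, no SMB1 to domain controllers, sealed LDAP over LDAPS or Start TLS with channel binding, encrypted DC connections, an AES NetLogon key, and AES-only Kerberos encryption types) are the editor's choices, not ONTAP defaults.

```python
"""Audit `vserver cifs security show` output against a hardening baseline.

Added example, not NetApp code. The field labels and the sample output
are taken from the example on this page; the baseline values are the
editor's hardening choices, not ONTAP defaults.
"""

# Constructed sample: the `vserver cifs security show` output from the
# example above, one field per line as ONTAP prints it.
SAMPLE_SHOW_OUTPUT = """\
Vserver: vs1
Kerberos Clock Skew: 3 minutes
Kerberos Ticket Age: 8 hours
Kerberos Renewal Age: 7 days
Kerberos KDC Timeout: 3 seconds
Is Signing Required: true
Is Password Complexity Required: true
Use start_tls For AD LDAP connection: false
Is AES Encryption Enabled: true
LM Compatibility Level: krb
Is SMB Encryption Required: false
Client Session Security: none
SMB1 Enabled For DC Connections: system-default
SMB2 Enabled For DC Connections: system-default
LDAP Referral Chasing Enabled For AD LDAP Connections: false
Use LDAPS for AD LDAP Connections: true
Encryption required For DC Connections: false
AES enabled for Netlogon channel: false
Try Channel Binding For AD LDAP Connections: true
Encryption Types Advertised to Kerberos: aes-256, aes-128, des, rc4
"""

WEAK_ENC_TYPES = {"des", "rc4"}


def _no_weak_enc_types(value, _settings):
    advertised = {t.strip() for t in value.split(",")}
    return not (advertised & WEAK_ENC_TYPES)


def _ldap_transport_encrypted(value, settings):
    # Either LDAPS or Start TLS protects the AD LDAP channel; one is enough.
    return value == "true" or settings.get("Use start_tls For AD LDAP connection") == "true"


# (show field, modify parameter, check(value, settings), remediation value, reason)
BASELINE = [
    ("Is Signing Required", "-is-signing-required",
     lambda v, s: v == "true", "true",
     "unsigned SMB is open to tampering and relay"),
    ("Is SMB Encryption Required", "-is-smb-encryption-required",
     lambda v, s: v == "true", "true",
     "share data crosses the network in the clear"),
    ("LM Compatibility Level", "-lm-compatibility-level",
     lambda v, s: v in ("ntlmv2-krb", "krb"), "ntlmv2-krb",
     "LM and NTLM responses are weak and relayable"),
    ("SMB1 Enabled For DC Connections", "-smb1-enabled-for-dc-connections",
     lambda v, s: v == "false", "false",
     "system-default still enables obsolete SMB1 to domain controllers"),
    ("Use LDAPS for AD LDAP Connections", "-use-ldaps-for-ad-ldap",
     _ldap_transport_encrypted, "true",
     "AD LDAP traffic, including binds, is sent in plaintext"),
    ("Client Session Security", "-session-security-for-ad-ldap",
     lambda v, s: v == "seal", "seal",
     "LDAP traffic is neither signed nor sealed"),
    ("Try Channel Binding For AD LDAP Connections", "-try-channel-binding-for-ad-ldap",
     lambda v, s: v == "true", "true",
     "LDAP binds are not tied to the TLS session"),
    ("Encryption required For DC Connections", "-encryption-required-for-dc-connections",
     lambda v, s: v == "true", "true",
     "domain controller traffic may be negotiated down to cleartext"),
    ("AES enabled for Netlogon channel", "-aes-enabled-for-netlogon-channel",
     lambda v, s: v == "true", "true",
     "NetLogon secure channel falls back to the weaker RC4 session key"),
    ("Encryption Types Advertised to Kerberos", "-advertised-enc-types",
     _no_weak_enc_types, "aes-256,aes-128",
     "advertising DES or RC4 lets a KDC choose a broken cipher"),
]


def parse_show_output(text):
    """Turn 'Label: value' lines into a dict keyed by label."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            settings[label.strip()] = value.strip()
    return settings


def audit(settings):
    """Return (field, current value, parameter, fix, reason) for each failed check."""
    findings = []
    for field, param, check, fix, reason in BASELINE:
        value = settings.get(field, "")
        if not check(value, settings):
            findings.append((field, value, param, fix, reason))
    return findings


def remediation_command(settings, findings):
    """Build one modify command that corrects every finding (None if clean)."""
    if not findings:
        return None
    parts = ["vserver cifs security modify", "-vserver", settings["Vserver"]]
    for _field, _value, param, fix, _reason in findings:
        parts += [param, fix]
    return " ".join(parts)


if __name__ == "__main__":
    current = parse_show_output(SAMPLE_SHOW_OUTPUT)
    findings = audit(current)
    for field, value, param, fix, reason in findings:
        print(f"WEAK  {field} = {value!r}: {reason}  -> {param} {fix}")
    print(remediation_command(current, findings))
```

On the sample output the script flags six settings (SMB encryption, SMB1 to DCs, LDAP session security, DC connection encryption, the NetLogon AES key, and the DES/RC4 Kerberos types) and prints the modify command that fixes them; the command is meant to be pasted into the clustershell after the usual checks: legacy clients that cannot sign or encrypt SMB lose access, krb-only LM levels shut out NTLM-only clients, and AES-only Kerberos requires the CIFS server's computer account to have AES enabled in the domain.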