Enable or disable required SMB signing for incoming SMB traffic
-
PDF of this doc site
- Cluster administration
-
Volume administration
- Logical storage management with the CLI
-
NAS storage management
- Configure NFS with the CLI
- Manage NFS with the CLI
-
Manage SMB with the CLI
- Manage file access using SMB
- Security and data encryption
- Data protection and disaster recovery
Collection of separate PDF docs
Creating your file...
You can enforce the requirement for clients to sign SMB messages by enabling required SMB signing. If enabled, ONTAP accepts SMB messages only if they have valid signatures. If you want to permit SMB signing, but not require it, you can disable required SMB signing.
By default, required SMB signing is disabled. You can enable or disable required SMB signing at any time.
SMB signing is not disabled by default under the following circumstances:
|
When you set up a storage virtual machine (SVM) disaster recovery relationship, the value that you select for the -identity-preserve
option of the snapmirror create
command determines the configuration details that are replicated in the destination SVM.
If you set the -identity-preserve
option to true
(ID-preserve), the SMB signing security setting is replicated to the destination.
If you set the -identity-preserve
option to false
(non-ID-preserve), the SMB signing security setting is not replicated to the destination. In this case, the CIFS server security settings on the destination are set to the default values. If you have enabled required SMB signing on the source SVM, you must manually enable required SMB signing on the destination SVM.
-
Perform one of the following actions:
If you want required SMB signing to be… Enter the command… Enabled
vserver cifs security modify -vserver vserver_name -is-signing-required true
Disabled
vserver cifs security modify -vserver vserver_name -is-signing-required false
-
Verify that required SMB signing is enabled or disabled by determining whether the value in the
Is Signing Required
field in the output of the following command is set to the desired value:vserver cifs security show -vserver vserver_name -fields is-signing-required
The following example enables required SMB signing for SVM vs1:
cluster1::> vserver cifs security modify -vserver vs1 -is-signing-required true cluster1::> vserver cifs security show -vserver vs1 -fields is-signing-required vserver is-signing-required -------- ------------------- vs1 true
Changes to the encryption settings take effect for new connections. Existing connections are unaffected. |