Enable SMB2 connections to domain controllers

Beginning in ONTAP 9.1, you can enable SMB version 2.0 to connect to a domain controller. Doing so is necessary if you have disabled SMB 1.0 on domain controllers. Beginning in ONTAP 9.2, SMB2 is enabled by default.

About this task

The smb2-enabled-for-dc-connections command option enables the system default for the release of ONTAP you are using. The system default for ONTAP 9.1 is enabled for SMB 1.0 and disabled for SMB 2.0. The system default for ONTAP 9.2 is enabled for SMB 1.0 and enabled for SMB 2.0. If the domain controller cannot negotiate SMB 2.0 initially, it uses SMB 1.0.

SMB 1.0 can be disabled from ONTAP to a domain controller. In ONTAP 9.1, if SMB 1.0 has been disabled, SMB 2.0 must be enabled in order to communicate with a domain controller.

Note

If -smb1-enabled-for-dc-connections is set to false while -smb1-enabled is set to true, ONTAP denies SMB 1.0 connections as the client, but continues to accept inbound SMB 1.0 connections as the server. See the topic, Enabling and disabling SMB versions in this guide.

Steps
  1. Before changing SMB security settings, verify which SMB versions are enabled: vserver cifs security show

  2. Scroll down the list to see the SMB versions.

  3. Perform the appropriate command, using the smb2-enabled-for-dc-connections option.

    If you want SMB2 to be...   Enter the command...
    Enabled                     vserver cifs security modify -vserver vserver_name -smb2-enabled-for-dc-connections true
    Disabled                    vserver cifs security modify -vserver vserver_name -smb2-enabled-for-dc-connections false
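
The check in step 1 can be scripted to catch the case described above, where SMB 1.0 is disabled for domain controller connections while SMB 2.0 is still off by system default. The following is an added example, not NetApp code: the field labels in the sample output, the system-default value, and the function names are assumptions, and the sample text is constructed.

```python
import re

# System defaults stated on this page, as (SMB1, SMB2) for DC connections.
SYSTEM_DEFAULTS = {"9.1": (True, False), "9.2": (True, True)}

# Constructed sample of "vserver cifs security show" output. The field labels
# are assumed for illustration and were not captured from a real system.
SAMPLE_OUTPUT = """\
Vserver: vs1
    SMB1 Enabled for DC Connections: false
    SMB2 Enabled for DC Connections: system-default
"""

def parse_dc_settings(text):
    """Return {'smb1': value, 'smb2': value} with the values as printed."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*SMB([12]) Enabled for DC Connections:\s*(\S+)", line)
        if m:
            found["smb" + m.group(1)] = m.group(2).lower()
    return found

def resolve(value, default):
    """Map true / false / system-default (assumed value set) to a boolean."""
    if value == "system-default":
        return default
    if value in ("true", "false"):
        return value == "true"
    raise ValueError(f"unexpected value: {value!r}")

def assess(text, ontap_release):
    """Return (smb1_on, smb2_on, findings) for connections to DCs."""
    d1, d2 = SYSTEM_DEFAULTS[ontap_release]
    s = parse_dc_settings(text)
    # Assumption: a field missing from the output means system-default.
    smb1 = resolve(s.get("smb1", "system-default"), d1)
    smb2 = resolve(s.get("smb2", "system-default"), d2)
    findings = []
    if not smb1 and not smb2:
        findings.append("no SMB version enabled for DC connections; enable SMB2")
    elif smb1 and not smb2:
        findings.append("only SMB 1.0 is used; fails if DCs have SMB 1.0 disabled")
    elif smb1 and smb2:
        findings.append("SMB 1.0 fallback to DCs is still allowed")
    return smb1, smb2, findings

if __name__ == "__main__":
    for release in ("9.1", "9.2"):
        print(release, assess(SAMPLE_OUTPUT, release))
```
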
