Skip to main content

Verify enabled SMB versions

Contributors netapp-aherbin netapp-dbagwell netapp-barbe mpittman-netapp
PDFs

Your ONTAP 9 release determines which SMB versions are enabled by default for connections with clients and domain controllers. You should verify that the SMB server supports the clients and functionality required in your environment.

About this task

For connections with both clients and domain controllers, you should enable SMB 2.0 and later whenever possible. For security reasons, you should avoid using SMB 1.0, and you should disable it if you have verified that it is not required in your environment.

Beginning with ONTAP 9.3, it is disabled by default on new SVMs.

Note

If -smb1-enabled-for-dc-connections is set to false while -smb1-enabled is set to true, ONTAP denies SMB 1.0 connections as the client, but continues to accept inbound SMB 1.0 connections as the server.

SMB management contains details about supported SMB versions and functionality.

Steps

  1. Set the privilege level to advanced:

    set -privilege advanced
    Cli
    Copy

  2. Verify which SMB versions are enabled:

    vserver cifs options show
    Cli
    Copy

    You can scroll down the list to view the SMB versions enabled for client connections, and if you are configuring an SMB server in an AD domain, for AD domain connections.

  3. Enable or disable the SMB protocol for client connections as required:

    • To enable an SMB version:

      vserver cifs options modify -vserver <vserver_name> -<smb_version> true
      Cli
      Copy

      Possible values for smb_version:

      • -smb1-enabled

      • -smb2-enabled

      • -smb3-enabled

      • -smb31-enabled

        The following command enables SMB 3.1 on SVM vs1.example.com: cluster1::*> vserver cifs options modify -vserver vs1.example.com -smb31-enabled true

    • To disable an SMB version:

      vserver cifs options modify -vserver <vserver_name> -<smb_version> false
      Cli
      Copy

  4. If your SMB server is in an Active Directory domain, enable or disable the SMB protocol for DC connections as required:

    • To enable an SMB version:

      vserver cifs security modify -vserver <vserver_name> -smb2-enabled-for-dc-connections true
      Cli
      Copy

    • To disable an SMB version:

      vserver cifs security modify -vserver <vserver_name> -smb2-enabled-for-dc-connections false
      Cli
      Copy

  5. Return to the admin privilege level:

    set -privilege admin
    Cli
    Copy