SMB Service Properties

Changing service properties is documented in Setting Service Properties (BUI) and Setting Service Properties (CLI).

  • Minimum supported version - The lowest SMB protocol version (dialect) the appliance will negotiate. Clients that offer only older dialects are refused at negotiation.

  • Maximum supported version - The highest SMB protocol version the appliance will negotiate.

  • System comment - A free-form descriptive string for this SMB server.

  • Idle Session timeout - Length of time a session may remain inactive before the appliance disconnects it.

  • Preferred domain controller - The domain controller to use first when joining an Active Directory domain. If that controller is unavailable, the appliance falls back to DNS SRV records and the configured Active Directory site to locate a suitable domain controller. For more information, see Active Directory Configuration.

  • Active Directory site - The site to use when joining an Active Directory domain. A site is a logical collection of machines connected by high-bandwidth, low-latency network links. When this property is set and no preferred domain controller is specified, the domain join prefers domain controllers located in this site over domain controllers elsewhere.

  • Maximum # of server threads - The maximum number of simultaneous server threads (workers). Default is 1024.

  • Enable Dynamic DNS - Choose whether the appliance will use Dynamic DNS to update DNS records in the Active Directory domain. Default is off.

  • Enable oplocks - Choose whether the appliance will grant opportunistic locks to SMB clients. This will improve performance for most clients. Default is on. The SMB server grants an oplock to a client process so that the client can cache data while the lock is in place. When the server revokes the oplock, the client flushes its cached data to the server.

  • Restrict anonymous access to share list - If this option is enabled, clients must authenticate to the SMB service before receiving a list of shares. If disabled, anonymous clients may access the list of shares.

  • Primary WINS server - Primary WINS address configured in the TCP/IP setup.

  • Secondary WINS server - Secondary WINS address configured in the TCP/IP setup.

  • Excluded IP addresses from WINS - IP addresses excluded from registration with WINS.

  • LAN Manager compatibility level - Authentication modes accepted (LM, NTLM, LMv2, NTLMv2). For the modes permitted at each compatibility level, consult the Oracle Solaris Information Library for smb. NTLMv2 is the recommended minimum security level: the LM and NTLMv1 challenge-response exchanges are publicly known to be weak, and a single captured exchange is enough to recover the credential offline.

  • SMB signing enabled - Enables interoperability with SMB clients that use the SMB signing feature. When a packet carries a signature, the appliance verifies it. Unless signing is also required (next property), unsigned packets are accepted without verification, so this setting alone does not prevent an unsigned session from being established.

  • SMB signing required - When SMB signing is required, every SMB packet must be signed or it is rejected, and clients that do not support signing cannot connect to the server.

  • Ignore zero VC - When an SMB client establishes a new connection, it may request that the appliance clean up all previous connections and file locks from this client by specifying a Virtual Circuit (VC) number of zero. This protocol artifact, however, does not account for network address translation (NAT) in front of clients or for multiple DNS entries assigned to the same host. In either situation, a zero VC request from one host behind a shared address or name can reset unrelated active connections from another. By default, zero VC requests are honored to prevent stale file locks; if SMB sessions are being disconnected in error, ignoring zero VC requests may resolve the issue.

  • Share visibility - Sets the access-based enumeration (ABE) policy for the list of shares shown to clients. Valid values are Full and Restricted. Full lists every share; Restricted lists only the shares the client is permitted to access. ABE affects only what is listed: whether a client can actually access a share is still determined by the SMB exceptions and the share's ACL. This property is set to Full by default.

  • NetBIOS enable - Enables or disables all NetBIOS services. A value of true (default) enables NetBIOS name (UDP port 137), datagram (UDP port 138), and session (TCP port 139) services, and enables locating the domain controller via NetBIOS-based discovery, while a value of false disables all of them.

  • Encrypt data access - When true, the SMB server requires clients to encrypt data on all new sessions. This is enforced only while "Reject unencrypted access" is also true; if unencrypted access is allowed, clients that do not encrypt are still admitted. This configures SMB encryption at the global level, and the default value is false. See also "Reject unencrypted access."

  • Reject unencrypted access - Rejects unencrypted access when either global-level encryption or share-level encryption is enabled. The default value is true. When set to false, unencrypted access is allowed even where encryption has been enabled. Do not set this property to false unless the security implications are understood: allowing unencrypted access may be acceptable only when a deployment must support down-level clients that do not support encryption.

  • Enable multi-channel - Enables or disables SMB3 multi-channel support. When set to true, the default, the SMB server accepts multi-channel paths between the SMB server and client. Disabling multi-channel support could be beneficial for some firewall configurations. Use the multichannel_exclude property to specify physical interfaces that are not to be used for SMB multi-channel. Private and deprecated interfaces are automatically excluded.

  • Explicit netgroups - If this property is false (default), the system applies heuristics to distinguish netgroups from hostnames in share access lists. Depending on the names in the access list and the responsiveness of DNS, these heuristics can result in a slow or unresponsive SMB service. If this property is true, netgroups are tagged (see section SMB Protocol Share Mode Exceptions) to distinguish them from hostnames, so the heuristics are no longer needed; in particular, no DNS lookups are performed to process netgroups. When setting this property to true, every netgroup name in a share access list must be prefixed with the % character in the CLI or use the Netgroup exception type in the BUI. The preferred way to change this property in either direction is the "Netgroup editing workflow," which applies the setting to all netgroup names in a share access list. For information about workflows, see Maintenance Workflows.

  • Maximum machine account password age - Specifies the number of days, from 1 to 999, until the next Active Directory computer account password change. This property applies only when Oracle ZFS Storage Appliance is joined to an Active Directory domain. To disable it in the BUI, select Disable periodic password change; to disable it in the CLI, set the property to 0. This property is disabled by default.

    The recommended value is 30 days. Lower values increase replication load on the domain controllers. Significantly increasing the value, or disabling the property, gives an attacker more time to mount a brute-force password-guessing attack against the appliance's machine account.
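Several of the properties above (Minimum/Maximum supported version, SMB signing enabled/required, Encrypt data access) change what the appliance advertises in its SMB2 NEGOTIATE response, so the quickest way to confirm a setting took effect is to negotiate with the server and decode that response. The following is an added example, not Oracle ZFS Storage Appliance code or part of the original page: it builds a minimal SMB2 NEGOTIATE request, decodes the SecurityMode signing bits, the encryption capability bit and the dialect the server selected, and compares them with an intended policy. The host name passed on the command line is an assumption, and the sample response bytes are constructed here for offline use, not captured from a real server.

```python
"""Client-side check of an SMB server's negotiated signing, encryption and
dialect (MS-SMB2 2.2.3/2.2.4). Added example, not Oracle appliance code.
The target host is an assumption; build_sample_response() is constructed."""
import socket
import struct
import uuid

SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED = 0x0001            # SecurityMode bit: "SMB signing enabled"
SIGNING_REQUIRED = 0x0002           # SecurityMode bit: "SMB signing required"
CAP_ENCRYPTION = 0x00000040         # Capabilities bit, SMB 3.0/3.0.2 only
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}
DEFAULT_DIALECTS = (0x0202, 0x0210, 0x0300, 0x0302)
HDR = "<4sHHIHHIIQIIQ16s"           # 64-byte SMB2 header layout


def smb2_header(command=SMB2_NEGOTIATE, status=0, flags=0):
    return struct.pack(HDR, b"\xfeSMB", 64, 0, status, command, 1, flags,
                       0, 0, 0, 0, 0, b"\x00" * 16)


def build_negotiate_request(dialects=DEFAULT_DIALECTS):
    """NetBIOS-framed SMB2 NEGOTIATE offering `dialects`. 0x0311 is not offered
    by default because it requires negotiate contexts this probe omits."""
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SIGNING_ENABLED, 0, 0,
                       uuid.uuid4().bytes, 0)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    msg = smb2_header() + body
    return struct.pack(">I", len(msg)) + msg    # 4-byte NetBIOS session header


def build_sample_response(dialect=0x0302, security_mode=SIGNING_ENABLED,
                          capabilities=0, status=0):
    """Constructed NEGOTIATE response (not a capture) for offline testing."""
    if status:                                  # error response: 9-byte body
        body = struct.pack("<HBBIB", 9, 0, 0, 0, 0)
    else:
        body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0,
                           b"\x11" * 16, capabilities, 0x800000, 0x800000,
                           0x800000, 0, 0, 128, 0, 0) + b"\x00"
    msg = smb2_header(status=status, flags=0x1) + body   # flag 1: server->client
    return struct.pack(">I", len(msg)) + msg


def parse_negotiate_response(data):
    """Decode the fields that mirror the appliance's version, signing and
    encryption properties. Returns {"status": ntstatus} alone on refusal."""
    if len(data) < 4 + 64:
        raise ValueError("response too short")
    length = struct.unpack(">I", data[:4])[0] & 0x00FFFFFF
    msg = data[4:4 + length]
    if msg[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message (SMB1-only server?)")
    status, command = struct.unpack_from("<IH", msg, 8)
    if command != SMB2_NEGOTIATE:
        raise ValueError("unexpected command 0x%04x" % command)
    if status:
        return {"status": status}
    if len(msg) < 64 + 28:
        raise ValueError("truncated NEGOTIATE response")
    size, mode, dialect, _, _, caps = struct.unpack_from("<HHHH16sI", msg, 64)
    if size != 65:
        raise ValueError("bad NEGOTIATE StructureSize %d" % size)
    return {"status": 0, "dialect": dialect,
            "dialect_name": DIALECTS.get(dialect, "0x%04x" % dialect),
            "signing_enabled": bool(mode & SIGNING_ENABLED),
            "signing_required": bool(mode & SIGNING_REQUIRED),
            "encryption_capable": bool(caps & CAP_ENCRYPTION)}


def check_policy(info, require_signing=True, min_dialect=0x0300):
    """Findings where the server falls short of the intended policy. To test
    the server's minimum version directly, offer only dialects below it; the
    expected outcome is then a refusal (STATUS_NOT_SUPPORTED, 0xC00000BB)."""
    if info["status"]:
        return ["negotiation refused, NTSTATUS 0x%08X" % info["status"]]
    out = []
    if require_signing and not info["signing_required"]:
        out.append("signing enabled but not required: unsigned sessions accepted")
    if info["dialect"] < min_dialect:
        out.append("negotiated %s, below intended minimum %s" % (
            info["dialect_name"], DIALECTS.get(min_dialect, hex(min_dialect))))
    if info["dialect"] >= 0x0300 and not info["encryption_capable"]:
        out.append("SMB3 dialect but server does not advertise encryption capability")
    return out


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def probe(host, port=445, timeout=5.0, dialects=DEFAULT_DIALECTS):
    """Send one NEGOTIATE to host:port (assumed reachable) and decode it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request(dialects))
        hdr = _recv_exact(s, 4)
        length = struct.unpack(">I", hdr)[0] & 0x00FFFFFF
        return parse_negotiate_response(hdr + _recv_exact(s, length))


if __name__ == "__main__":
    import sys
    info = (probe(sys.argv[1]) if len(sys.argv) > 1
            else parse_negotiate_response(build_sample_response()))
    print(info)
    for finding in check_policy(info):
        print("FINDING:", finding)
```

Run without arguments to decode the constructed sample (signing enabled but not required, no encryption capability), or with an appliance host name to probe it over TCP/445. To verify "Minimum supported version", call probe() with only dialects below the configured minimum and expect a refusal rather than a successful negotiation.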