Module netapp_ontap.models.cifs_service_security

Copyright © 2022 NetApp Inc. All rights reserved.


class CifsServiceSecuritySchema (*, only: Union[Sequence[str], Set[str]] = None, exclude: Union[Sequence[str], Set[str]] = (), many: bool = False, context: Dict = None, load_only: Union[Sequence[str], Set[str]] = (), dump_only: Union[Sequence[str], Set[str]] = (), partial: Union[bool, Sequence[str], Set[str]] = False, unknown: str = None)

The fields of the CifsServiceSecurity object


  • netapp_ontap.resource.ResourceSchema
  • marshmallow.schema.Schema
  • marshmallow.base.SchemaABC

Class variables

aes_netlogon_enabled GET POST PATCH

Specifies whether or not an AES session key is enabled for the Netlogon channel.

encrypt_dc_connection GET POST PATCH

Specifies whether encryption is required for domain controller connections.

kdc_encryption GET POST PATCH

Specifies whether AES-128 and AES-256 encryption is enabled for all Kerberos-based communication with the Active Directory KDC. To take advantage of the strongest security with Kerberos-based communication, AES-256 and AES-128 encryption can be enabled on the CIFS server. Kerberos-related communication for CIFS is used during CIFS server creation on the SVM, as well as during the SMB session setup phase. The CIFS server supports the following encryption types for Kerberos communication:


When the CIFS server is created, the domain controller creates a computer machine account in Active Directory. After a newly created machine account authenticates, the KDC and the CIFS server negotiates encryption types. At this time, the KDC becomes aware of the encryption capabilities of the particular machine account and uses those capabilities in subsequent communication with the CIFS server. In addition to negotiating encryption types during CIFS server creation, the encryption types are renegotiated when a machine account password is reset.

ldap_referral_enabled GET POST PATCH

Specifies whether or not LDAP referral chasing is enabled for AD LDAP connections.

lm_compatibility_level GET

It is CIFS server minimum security level, also known as the LMCompatibilityLevel. The minimum security level is the minimum level of the security tokens that the CIFS server accepts from SMB clients. The available values are:

  • lm_ntlm_ntlmv2_krb Accepts LM, NTLM, NTLMv2 and Kerberos
  • ntlm_ntlmv2_krb Accepts NTLM, NTLMv2 and Kerberos
  • ntlmv2_krb Accepts NTLMv2 and Kerberos
  • krb Accepts Kerberos only

Valid choices:

  • lm_ntlm_ntlmv2_krb
  • ntlm_ntlmv2_krb
  • ntlmv2_krb
  • krb
restrict_anonymous GET POST PATCH

Specifies what level of access an anonymous user is granted. An anonymous user (also known as a "null user") can list or enumerate certain types of system information from Windows hosts on the network, including user names and details, account policies, and share names. Access for the anonymous user can be controlled by specifying one of three access restriction settings. The available values are:

  • no_restriction - No access restriction for an anonymous user.
  • no_enumeration - Enumeration is restricted for an anonymous user.
  • no_access - All access is restricted for an anonymous user.

Valid choices:

  • no_restriction
  • no_enumeration
  • no_access
session_security GET POST PATCH

Specifies client session security for AD LDAP connections. The available values are:

  • none - No Signing or Sealing.
  • sign - Sign LDAP traffic.
  • seal - Seal and Sign LDAP traffic

Valid choices:

  • none
  • sign
  • seal
smb_encryption GET POST PATCH

Specifies whether encryption is required for incoming CIFS traffic.

smb_signing GET POST PATCH

Specifies whether signing is required for incoming CIFS traffic. SMB signing helps to ensure that network traffic between the CIFS server and the client is not compromised.

try_ldap_channel_binding GET POST PATCH

Specifies whether or not channel binding is attempted in the case of TLS/LDAPS.

use_ldaps GET POST PATCH

Specifies whether or not to use use LDAPS for secure Active Directory LDAP connections by using the TLS/SSL protocols.

use_start_tls GET POST PATCH

Specifies whether or not to use SSL/TLS for allowing secure LDAP communication with Active Directory LDAP servers.