Table of ContentsView in Frames

Enabling or disabling required SMB signing for incoming SMB traffic

You can enforce the requirement for clients to sign SMB messages by enabling required SMB signing. If enabled, Data ONTAP accepts SMB messages only if they have valid signatures. If you want to permit SMB signing, but not require it, you can disable required SMB signing.

About this task

By default, required SMB signing is disabled. You can enable or disable required SMB signing at any time.
Note: SMB signing is not disabled by default under the following circumstance:
  1. Required SMB signing is enabled and the cluster is reverted to a version of Data ONTAP that does not support SMB signing.
  2. The cluster is subsequently upgraded to a version of Data ONTAP that supports SMB signing.

    Under these circumstances, the SMB signing configuration originally configured on a supported version of Data ONTAP is retained through reversion and subsequent upgrade.

Steps

  1. Perform one of the following actions:
    If you want required SMB signing to be... Enter the command...
    Enabled vserver cifs security modify -vserver vserver_name -is-signing-required true
    Disabled vserver cifs security modify -vserver vserver_name -is-signing-required false
  2. Verify that required SMB signing is enabled or disabled by determining if the value in the Is Signing Required field in the output from the following command is set to the desired value: vserver cifs security show -vserver vserver_name -fields is-signing-required

Example

The following example enables required SMB signing for Storage Virtual Machine (SVM, formerly known as Vserver) vs1:

cluster1::> vserver cifs security modify -vserver vs1 -is-signing-required true

cluster1::> vserver cifs security show -vserver vs1 -fields is-signing-required
vserver  is-signing-required
-------- -------------------
vs1      true