Server Message Block (SMB) client file system

The SMB client file system is based on the SMB protocol version 2.1 and version 3.0.2. You can use the SMB client file system to access files on an SMB server.

The SMB server is a server that runs Windows Server 2012 or Windows Server 2016 operating system. In each of these server operating system types, a directory can be exported as a share. This share can then be mounted on an AIX® logical partition by using the SMB client file system. By using the SMB client file system, you can access the shares on SMB servers as local file systems on the AIX logical partition. You can use the SMB client file system to create, delete, read, and write files and directories on the SMB server and also to modify the access duration to these files and directories. However, you cannot change the owner or access permission of these files and directories.

The following SMB protocol 3.0.2 functions are available in the SMB client file system:

SMB 3.0.2 secure dialect negotiation

You can mount a share from the SMB server into the AIX virtual file system (VFS) by using SMB protocol version 3.0.2.

The SMB 3.0.2 dialect server provides secure dialect negotiation to protect against security risks. When the SMB 3.0.2 dialect is negotiated, the SMB client must send a mandatory signed request to validate the negotiation information.

SMB 3.0.2 signing

The SMB protocol 3.0.2 uses a more recent cryptographic algorithm for signing: Advanced Encryption Standard (AES) cipher-based message authentication code (CMAC), AES-128-CMAC. It ensures the integrity of messages exchanged between the SMB client and the SMB server by signing the outgoing messages and by validating the incoming messages.

SMB 3.0.2 encryption

SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping on untrusted networks. SMB Encryption can be configured on a per-share basis or for the entire file server, and it can be enabled for a variety of scenarios where data traverses untrusted networks.

Installing the SMB client file system

The SMB client file system in the AIX operating system requires Kerberos-based GSSAPI to start the user-authenticated session by using the SMB protocol version 2.1 or version 3.0.2. In the AIX operating system, the GSSAPI is provided by a user-space library in the IBM® Network Authentication Service (NAS) fileset, version 1.16.1.0 or later. SMB version 3.0.2 uses the AIX OpenSSL library to generate the keys for signing and encryption, so you must install version 1.0.2.2002 or later of the openssl.base fileset. These filesets are included in the AIX Expansion Pack.

To install the SMB client file system on an AIX logical partition, complete the following steps:

  1. Go to the AIX Web Download Pack Programs web page and sign in by using your IBM ID and password.
  2. Select the SMB CLIENT Version 3.0.2 option and click Download.

    Your IBM credentials must be entitled to download the SMB client file system package. Otherwise, you cannot download the package.

  3. Install the smbc.rte package by using the installp command.

    When the smbc.rte package is installed, the device nsmbc0 is created. This device allows the mount command to establish a connection between the SMB server and the SMB client file system by using the SMB client protocol version 2.1 or version 3.0.2.

Mounting the SMB client file system as a local mount point

You can mount the SMB client file system by using the following command:
mount -v smbc -n windows_server/Kerberos_username/password_for_Kerberos_user \
   -o wrkgrp=workgroup[,port=139|445][,signing=required|enabled][,pver=2.1|3.0.2|auto] \
   [,encryption=desired|required|disabled][,secure_negotiate=desired|required|disabled] \
   share_point_to_mount_created_on_windows local_mount_point
For example:
mount -v smbc -n llm140.xyz.com/cec102usr1/Passw0rd \
   -o "wrkgrp=SMB_302.test,port=445,signing=required,encryption=required,secure_negotiate=desired,pver=auto" \
   /some_share /mnt
You can specify the following parameters with the -o flag of the mount command. The parameters must be separated only by a comma. Do not insert a space before or after a comma.
fmode
Sets a file or directory to octal mode for access permissions. The default value is 755.
uid
Assigns a user ID to files during the mount operation. The default value is root.
gid
Assigns a group ID to files during the mount operation. The default value is system.
wrkgrp
Specifies the workgroup to which the SMB server belongs. This parameter is mandatory to mount the SMB client file system.
port
Specifies the port number. Valid values are 445 and 139. The default value is 445. Port 139 is supported only when the specified server address is in the IPv4 format.
pver
Specifies the SMB protocol version that is used to communicate with the SMB server. The valid values are 2.1, 3.0.2, and auto. When you specify auto, SMB protocol version 2.1 or version 3.0.2 is used, depending on the specified SMB server.
signing
Specifies whether the SMB client file system requires digital signatures for communication. Valid values are enabled and required. When the signing parameter is set to enabled, the SMB client file system does not digitally sign the data packets unless the SMB server requires digital signatures for communication. When the signing parameter is set to required, the SMB client file system always digitally signs the data packets. If you do not specify the signing parameter on the mount command, the default value is taken from the kernel tunable parameters that are set by using the smbctune command.
secure_negotiate
Specifies whether the SMB client file system requires secure dialect negotiation with the SMB server. The valid values are desired, required, and disabled. If you do not specify this parameter on the mount command, the default value is taken from the kernel tunable parameters that are set by using the smbctune command.
encryption
Specifies whether the SMB client file system requires encryption. The valid values are desired, required, and disabled. If you do not specify this parameter in the mount command, a default value is used from the kernel tunable parameter values that are set by using the smbctune command.
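The option rules above (wrkgrp is mandatory, each parameter has a fixed set of valid values, parameters are separated by commas with no surrounding spaces, and anything omitted falls back to the smbctune kernel defaults) can be checked before the mount command is ever run. The following POSIX shell script is an added example and is not part of the AIX documentation or the smbc.rte fileset: smbc_opts assembles and validates an -o string, and smbc_mount_cmd prints a mount command line with the strictest settings. The function names, and the server, user, workgroup and share names in the usage line, are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the AIX documentation or the smbc.rte fileset:
# builds the -o option string for an smbc mount from individual values,
# validating each one against the sets listed for the mount command and
# refusing whitespace, which the option parser does not tolerate around commas.
# Function names and the names in the usage line are assumptions.

SMBC_PORTS="445 139"
SMBC_PVERS="2.1 3.0.2 auto"
SMBC_SIGNING="enabled required"
SMBC_TRISTATE="desired required disabled"   # encryption and secure_negotiate

# in_set VALUE "WORDS": succeed if VALUE is one of the space-separated WORDS.
in_set() {
    for w in $2; do
        if [ "$1" = "$w" ]; then return 0; fi
    done
    return 1
}

# add_opt NAME VALUE "WORDS": append NAME=VALUE to $opts after validation.
# An empty VALUE is skipped so that the smbctune kernel default applies.
add_opt() {
    if [ -z "$2" ]; then return 0; fi
    if ! in_set "$2" "$3"; then
        echo "smbc_opts: invalid value '$2' for $1 (expected one of: $3)" >&2
        return 1
    fi
    opts="$opts,$1=$2"
}

# smbc_opts WRKGRP [PORT] [PVER] [SIGNING] [ENCRYPTION] [SECURE_NEGOTIATE]
# Prints the comma-separated option string; returns 1 on the first bad value.
smbc_opts() {
    case "$1" in
        "" | *[[:space:],]*)
            echo "smbc_opts: wrkgrp is mandatory and may not contain spaces or commas" >&2
            return 1 ;;
    esac
    opts="wrkgrp=$1"
    add_opt port             "$2" "$SMBC_PORTS"    || return 1
    add_opt pver             "$3" "$SMBC_PVERS"    || return 1
    add_opt signing          "$4" "$SMBC_SIGNING"  || return 1
    add_opt encryption       "$5" "$SMBC_TRISTATE" || return 1
    add_opt secure_negotiate "$6" "$SMBC_TRISTATE" || return 1
    printf '%s\n' "$opts"
}

# smbc_mount_cmd SERVER USER WRKGRP SHARE MOUNTPOINT
# Prints a mount command with the strictest settings: SMB 3.0.2 only, with
# signing, encryption and secure negotiation all required. No password is
# placed in the -n argument, so mount takes it from /etc/smbcred or prompts
# for it instead of exposing it in process listings and shell history.
smbc_mount_cmd() {
    opts=$(smbc_opts "$3" 445 3.0.2 required required required) || return 1
    printf 'mount -v smbc -n %s/%s -o "%s" %s %s\n' "$1" "$2" "$opts" "$4" "$5"
}

# Usage with hypothetical server, user, workgroup and share names:
smbc_mount_cmd llm140.xyz.com cec102usr1 SMB_302.test /some_share /mnt
```

The script only prints the command so that an administrator can review it; leaving the password out of the -n argument is deliberate, because mount then reads it from /etc/smbcred or prompts for it, as described later on this page.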

Kerberos authentication for SMB client file system

To mount an SMB client file system, you must authenticate to the SMB server by providing a Kerberos username and a Kerberos password. This username and password are used to perform all necessary file operations on the SMB server. If you do not provide a password, you are prompted for a password through the standard AIX password prompt.
Note: The password that is used to mount the SMB client file system can be up to 255 characters in length. The password can contain special characters.

When you run a file system command, such as a read command, on a file in the SMB client mount point, a request is sent to the SMB server to read the file. The authenticated session ID is also sent as part of this read request. The SMB server uses this session ID to determine whether the user is authenticated to the server and to perform a read operation on the file. Thus, the SMB server authorizes access to the file and controls whether an operation can be performed on the file.

The fmode option of the mount command allows the root user on the SMB client file system to control access to files on the SMB server before the SMB server is queried. If you do not specify a value for the fmode option, the fmode option uses the default value of 755. The following table explains how the fmode option works with various operations:

Table 1. Cases in which users are either allowed or denied access based on the specified access permissions of the files or directories on the SMB server

| Case number | User authenticated to SMB server | User on the client system requesting write access | Mount owner, group, and access mode | File or directory owner, group, and access mode on the SMB server | Access permission |
|-------------|-------|-------|-------------------------|-------------------------|-----|
| Case 1      | user1 | user2 | user1, staff, rwxr-xr-x | user1, staff, rwxrwxr-x | no  |
| Case 2      | user1 | root  | user1, staff, rwxr-xr-x | user2, staff, rwxr-xr-x | no  |
| Case 3      | user1 | user1 | user1, staff, rwxr-xr-x | user2, staff, rwxrwxr-x | yes |
| Case 4      | user1 | user1 | user1, staff, rwxr-xr-x | root, system, rwx------ | no  |
| Case 5      | user1 | user1 | user1, staff, rwxr-xr-x | root, system, rwxrwxrwx | yes |

In Case 1, access to the file or directory is denied to user2 because the mount owner, group, and mode at the mount point on the SMB client did not provide write access to user2.

In Case 2, access to the file or directory is denied to the root user because, even though the root user has all access on the SMB client, the SMB server-authenticated user, user1, does not have access to the file on the SMB server.

In Case 3, user1 has access to the file or directory because user1 was the mount owner during the mount operation, and user1, a member of the group staff on the SMB server, had access to the file on the server.

In Case 4, access to the file or directory is denied to user1 because, even though user1 was the owner during the mount operation, the file is owned by the root user on the SMB server, and the group members and other users do not have any access permissions.

In Case 5, user1 has access to the file or directory because the specified access mode specifies all access permission to all group members and other users.
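The five cases can be replayed by modelling the two checks in the order the text describes: first the AIX client compares the requesting local user with the mount's owner, group and fmode (root on the client has all access and passes this stage), then the SMB server compares the Kerberos-authenticated user that performed the mount with the file's owner, group and mode on the server. The POSIX shell script below is an added example written for this page, not code from the AIX kernel or the smbc.rte fileset; the function names, the owner:group:mode triple notation and the group memberships (user1 and user2 in staff, root in system) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the AIX kernel or the smbc.rte fileset: models
# the two-stage write-access decision behind the fmode table so that the five
# documented cases can be replayed. Function names, the owner:group:mode triple
# notation and the group memberships used below are assumptions.

# split_triple "owner:group:mode": sets T_OWNER, T_GROUP and T_MODE.
split_triple() {
    T_OWNER=${1%%:*}
    rest=${1#*:}
    T_GROUP=${rest%%:*}
    T_MODE=${rest#*:}
}

# mode_grants MODE WHO: succeed if a symbolic mode such as rwxr-xr-x grants
# write permission to WHO (owner, group or other); the w bit is character
# 2, 5 or 8 of the mode string respectively.
mode_grants() {
    case "$2" in
        owner) case "$1" in ?w*)       return 0 ;; esac ;;
        group) case "$1" in ????w*)    return 0 ;; esac ;;
        other) case "$1" in ???????w*) return 0 ;; esac ;;
    esac
    return 1
}

# unix_write_ok USER "GROUPS" owner:group:mode: the classic owner/group/other
# write check. USER is classified once, then the matching bit is consulted.
unix_write_ok() {
    split_triple "$3"
    who=other
    if [ "$1" = "$T_OWNER" ]; then
        who=owner
    else
        for g in $2; do
            if [ "$g" = "$T_GROUP" ]; then who=group; fi
        done
    fi
    mode_grants "$T_MODE" "$who"
}

# smbc_write_allowed CLIENT_USER "CLIENT_GROUPS" MOUNT_TRIPLE \
#                    AUTH_USER "AUTH_SERVER_GROUPS" FILE_TRIPLE
# Stage 1: the AIX client checks the local requesting user against the mount's
#          uid, gid and fmode; root has all access on the client and skips it.
# Stage 2: the SMB server checks the Kerberos-authenticated user that performed
#          the mount, whoever the local user was, against the file on the server.
# Prints yes or no and returns 0 or 1 accordingly.
smbc_write_allowed() {
    if [ "$1" != root ]; then
        unix_write_ok "$1" "$2" "$3" || { echo no; return 1; }
    fi
    if unix_write_ok "$4" "$5" "$6"; then
        echo yes
        return 0
    fi
    echo no
    return 1
}

# Replay the documented cases (constructed inputs): the mount is always
# user1, staff, rwxr-xr-x and the authenticated user is always user1, a
# member of staff on the server.
replay_table() {
    m=user1:staff:rwxr-xr-x
    printf 'Case 1: %s\n' "$(smbc_write_allowed user2 staff "$m" user1 staff user1:staff:rwxrwxr-x)"
    printf 'Case 2: %s\n' "$(smbc_write_allowed root system "$m" user1 staff user2:staff:rwxr-xr-x)"
    printf 'Case 3: %s\n' "$(smbc_write_allowed user1 staff "$m" user1 staff user2:staff:rwxrwxr-x)"
    printf 'Case 4: %s\n' "$(smbc_write_allowed user1 staff "$m" user1 staff root:system:rwx------)"
    printf 'Case 5: %s\n' "$(smbc_write_allowed user1 staff "$m" user1 staff root:system:rwxrwxrwx)"
}
replay_table
```

The point the model makes explicit is that the client-side fmode check is only a first gate: every request reaching the server is evaluated against the single Kerberos identity used at mount time, so local root gains nothing beyond what that identity holds on the server (Case 2), and a permissive mode on the server can grant a local user access that the file's ownership alone would not suggest (Case 5).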

Note: On the mounted file system, the following characters cannot be used in a file name: backslash (\), forward slash (/), colon (:), asterisk (*), question mark (?), less than (<), greater than (>), and vertical bar (|).

Stored passwords

The SMB client file system can store server name, username, and password credentials in the /etc/smbcred file to allow automatic retrieval of passwords when you mount the SMB client file system. You can view, add, change, and remove the credentials from the /etc/smbcred file by using the lssmbcred, mksmbcred, chsmbcred, and rmsmbcred commands that are located in the /usr/sbin/ directory. Passwords that are added to the /etc/smbcred file are encrypted. When you mount the SMB client file system without specifying a password, the /etc/smbcred file is searched for matching credentials. If a match is found, the stored password from the /etc/smbcred file is used. Otherwise, you are prompted for a password through the standard AIX password prompt.

Consider the following limitations about the stored passwords:
  • To retrieve stored passwords, the server naming convention must be consistent. For example, if the credentials are added by using an IP address rather than a hostname or a fully qualified domain name (FQDN), passwords can be retrieved only when you mount the SMB client file system by using IP address.
  • You must remove the credential entry from the /etc/filesystems file before you uninstall the smbc.rte fileset.

/etc/filesystems file support

The SMB client file system supports the /etc/filesystems file to allow automated mount operation of file systems during system startup operation. The /etc/filesystems file also provides access to stored server name, username, password, and configuration data when you mount a file system. When you add SMB client file system stanzas manually to the /etc/filesystems file, you must store the SMB client file system credentials in the /etc/smbcred file.

Example:
$ cat /etc/filesystems
.....................
.....................
.....................

/mnt1:
        dev      = /fvt_share
        vfs      = smbc
        mount    = true
        options  = "wrkgrp=SMB_21.FVT"
        nodename = <servername>/<username>

/mnt:
        dev      = /fvt_share
        vfs      = smbc
        mount    = true
        options  = "wrkgrp=SMB_21.FVT,signing=required"
        nodename = <servername>/<username>