Configuring SMB properties

Depending on the configuration of your SMB server, you might need to change the SMB settings in IBM® StoredIQ® Data Server to make the settings match.

About this task

Finding the most appropriate settings for making a CIFS volume work for your SMB server can be cumbersome. To help you with this task, a test tool is shipped with IBM StoredIQ that you can use to quickly test CIFS/SMB Share availability with different jcifs (SMB) properties without the need to stop and restart the deepfiler service. The tool and the predefined test properties files are in the /usr/local/siqsmb/tools/cifsTest/ directory on the data server. The tool performs the following tests against a given CIFS server for each set of jcifs properties that is available in the same directory as the tool:
  • Connect to the //CIFS_server/CIFS_share/initial_directory volume with the given credentials.
  • Test permission to list the files in the specified CIFS_share/initial_directory directory.
  • Test permission to create files under the specified CIFS_share share.
  • Test permission to read and write attributes of the files under the specified CIFS_share share.

Several predefined sets are shipped with the product. To test an additional set of jcifs properties, create a new properties file with the settings that you want to test in the directory where the tool is. The file must have the .properties extension.

To run the tool on the data server, you must be logged in to the data server as root. If you want to run the tool on another computer, copy the entire /usr/local/siqsmb/tools/cifsTest/ directory to that computer. If you want to run the tool on Windows, edit the cifsTest.bat command file and add the path to the java executable to the java -cp %_SIQCIFSTEST_CLASSPATH% flxsmb.tools.cifsTest %* command before you run the tool.

Complete these steps:
  1. Change to the directory where the tool is stored:
    cd /usr/local/siqsmb/tools/cifsTest/
  2. Run the tool:
    ./cifsTest.sh
  3. When prompted, provide the server hostname of the CIFS share, the login credential, the CIFS share name, and the initial directory like this:
    Please provide cifs server address: 198.51.100.12 
Please provide cifs server login credential - user name: dn\test01
                                   - password:
Please provide share name: share01
Please provide initial directory: dir01

The test results show which jcifs property settings work for the CIFS share. Test results are written to the cifsTest-logging.log file in the current directory.

You can change several tool settings by editing the log4j.properties file in the directory where the tool is stored:
  • Change the logging level.
  • Direct the output to the console, a log file, or both.
  • Specify the name of the log file.
  • Set the maximum log file size. A new file is written whenever the specified file size is exceeded.
  • Set the maximum number of log files to keep. When the defined number of log files is reached, the oldest file is discarded before a new one is created.

Procedure

To change the SMB settings on the data server to which you want to add the volume:

  1. Using an SSH tool, log in to the data server as root.
  2. Create a jcifs.properties file in the /usr/local/siqsmb folder by copying the original properties file. Use this command: 
    cp /usr/local/siqsmb/lib/jcifs.properties
 /usr/local/siqsmb/jcifs.properties

    The properties file contains a set of SMB properties that you can use to adjust your SMB configuration. For information about additional properties for further configuration, contact IBM Support.

    jcifs.smb.client.ipcSigningEnforced
    Determines whether client signing for interprocess communication (IPC) connections is enforced. The default value is true.

    This means that, although the data server is configured with signing not being required and not being supported, IPC connections to the SMB server still require signing by default. If the SMB server does not support signing for IPC connections, the data server cannot connect to that server during volume creation unless you set this property to false.

    Changed setting example: jcifs.smb.client.ipcSigningEnforced=false

    jcifs.smb.client.listCount
    Determines the maximum number of directories and files to be returned with each request of the TRANS2_FIND_FIRST/NEXT2 operation. The default value is 200.

    Depending on the characteristics of the files and directories on the SMB server, you might want to adjust this value for performance reasons. For example, on higher latency networks a lower value can result in better performance.

    Changed setting example: jcifs.smb.client.listCount=300

    jcifs.smb.client.signingPreferred
    Enables SMB signing if available. The default value is false.

    If the SMB server requires SMB signing, you must set this property to true to have the data server as a JCIFS client negotiate SMB signing with that SMB server. If the SMB server does not require SMB signing but supports it, you can set this property to true for signing to occur. Otherwise, SMB signing is disabled.

    Changed setting example: jcifs.smb.client.signingPreferred=true

    jcifs.smb.client.signingEnforced
    Determines whether client signing in general is enforced. The default value is false.
    If the SMB server does not require and does not support signing, setting this property to true causes the connection to the SMB server to fail. Set this property to true only if one of these security policies is set on the SMB server:
    • Microsoft network server: Digitally sign communication (always)
    • Microsoft network server: Digitally sign communication (if client agrees)

    Changed setting example: jcifs.smb.client.signingEnforced=true

    jcifs.smb.client.enableSMB2 (deprecated)
    Enables SMB2 support. The default value is true.

    Changed setting example: jcifs.smb.client.enableSMB2=false

    This setting is deprecated as of IBM StoredIQ 7.6.0.19.

    jcifs.smb.client.disableSMB1 (deprecated)
    Disables SMB1 support. The default value is false.

    Changed setting example: jcifs.smb.client.disableSMB1=true

    This setting is deprecated as of IBM StoredIQ 7.6.0.19.

    jcifs.smb.client.minVersion
    Determines the minimum protocol version that is to be used. The default value is SMB1 if this property is not set. Possible values are SMB1, SMB202, SMB210, SMB300, SMB302, and SMB311.

    Changed setting example: jcifs.smb.client.minVersion=SMB202

    jcifs.smb.client.minVersion interrelates with jcifs.smb.client.maxVersion as follows.
    jcifs.smb.client.minVersion jcifs.smb.client.maxVersion Behavior
    Explicitly set Not explicitly set; defaults to SMB210 IBM StoredIQ tries to connect to the SMB server by using the specified minimum SMB protocol version. If no connection can be established with this version, IBM StoredIQ retries to connect by using a higher SMB protocol version until the default maximum SMB protocol version is reached.

    Example: The minimum version is set to SMB202. The maximum version is not explicitly set and thus defaults to SMB210. IBM StoredIQ first tries to connect to the SMB server with SMB202. If this attempt fails, IBM StoredIQ uses SMB210 to connect to the SMB server.
    Not explicitly set; defaults to SMB1 Explicitly set IBM StoredIQ tries to connect to the SMB server by using the specified maximum SMB protocol version. If no connection can be established with this version, IBM StoredIQ retries to connect by using a lower SMB protocol version until the default minimum SMB protocol version is reached.

    Example: The minimum version is not explicitly set and thus defaults to SMB1. The maximum version is set to SMB202. IBM StoredIQ first tries to connect to the SMB server with SMB202. If this attempt fails, IBM StoredIQ uses SMB1 to connect to the SMB server.
    Not explicitly set; defaults to SMB1 Not explicitly set; defaults to SMB210 IBM StoredIQ tries to connect to the SMB server by using the specified maximum SMB protocol version. If no connection can be established with this version, IBM StoredIQ retries to connect by using a lower SMB protocol version until the default minimum SMB protocol version is reached.

    Example: The minimum version is not explicitly set and thus defaults to SMB1. The maximum version is not explicitly set and thus defaults to SMB210. IBM StoredIQ first tries to connect to the SMB server with SMB210. If this attempt fails, IBM StoredIQ tries to connect to the SMB server with SMB202. If this also fails, IBM StoredIQ uses SMB1.
    Explicitly set Explicitly set IBM StoredIQ tries to connect to the SMB server by using the specified maximum SMB protocol version. If no connection can be established with this version, IBM StoredIQ retries to connect by using a lower SMB protocol version until the specified minimum SMB protocol version is reached.
    jcifs.smb.client.maxVersion
    Determines the maximum protocol version that is to be used. The default value is SMB210 if this property is not set. Possible values are SMB1, SMB202, SMB210, SMB300, SMB302, and SMB311.

    Changed setting example: jcifs.smb.client.maxVersion=SMB210

    jcifs.smb.client.maxVersion interrelates with jcifs.smb.client.minVersion. See the interrelation table.

    jcifs.smb.client.dfs.disabled
    Disables Distributed File System (DFS) referrals. The default value is false.

    DFS allows for grouping shares on multiple servers logically and for linking shares transparently into a single hierarchical namespace. With DFS enabled, you can create CIFS primary volumes that point to a DFS namespace, which allows IBM StoredIQ to harvest data on group shares on multiple servers. For more information about configuring a CIFS volume for DFS, see the topic on creating CIFS primary volumes on the application stack or the data server.

    If you set this property to true, you cannot create CIFS volumes that use a DFS namespace as the share name.

    In non-domain environments, however, you might want to set this property to true to disable domain-based DFS referrals. Domain-based DFS referrals normally run when the data server as a JCIFS client first tries to resolve a path. In non-domain environments, these referrals time out causing a long startup delay.

    Changed setting example: jcifs.smb.client.dfs.disabled=true

    jcifs.smb.client.connTimeout
    Determines the connection timeout, that is the time period in milliseconds that the client waits to connect to a server. The default value is 35000.

    Changed setting example: jcifs.smb.client.connTimeout=70000

    jcifs.smb.client.soTimeout
    Determines the socket timeout, that is the time period in milliseconds after which sockets are closed if there is no activity. The default value is 35000.

    Changed setting example: jcifs.smb.client.soTimeout =70000

    jcifs.smb.client.responseTimeout
    Determines the timeout for SBM responses, that is the time period in milliseconds that the client waits for the server to respond to a request. The default value is 30000.

    Changed setting example: jcifs.smb.client.responseTimeout=60000

    jcifs.smb.client.sessionTimeout
    Determines the timeout for SMB sessions, that is the time period in milliseconds after which the session is closed if there is not activity. The default value is 35000.

    Changed setting example: jcifs.smb.client.sessionTimeout=70000

    jcifs.smb.client.ssnLimit
    Determines the maximum number of sessions on a single connection. When this limit is reached, new connections are opened to accommodate more sessions. If you set the value to 1, a new connection is created for each session. The default value is 250.

    Changed setting example: jcifs.smb.client.ssnLimit=200

    jcifs.smb.client.SendNTLMTargetName
    Determines whether the Service Principle Name (SPN) is sent to the SMB server. If SPN validation is required by the SMB server as part of the authentication process, this property should be set to true. Otherwise, no SMB session can be established because access is denied. The default value is true.

    Changed setting example: jcifs.smb.client.SendNTLMTargetName=false

  3. Edit the /usr/local/siqsmb/jcifs.properties file.
  4. Locate the property that you want to change, uncomment it, and set the appropriate value.
  5. Restart services using this command: service deepfiler restart
  6. Exit the data server.

Adding an SMB1 server as primary volume

In IBM StoredIQ, SMB1 and SMB2 are enabled by default, with the first choice being SMB2 connections. If the CIFS server that you add as a primary volume does not support SMB2, SMB1 is used. However, if the server supporting SMB1 only does also not provide client signing, you must disable IPC client signing on the data server on which the respective CIFS volume is defined by setting the jcifs.smb.client.ipcSigningEnforced property to false:
jcifs.smb.client.ipcSigningEnforced=false