Server Message Block (SMB) client file system

The SMB client file system is based on the SMB protocol version 2.1 and version 3.0.2. You can use the SMB client file system to access files on an SMB server.

The SMB server is a server that runs Windows Server 2012, Windows Server 2016, or Windows Server 2019 operating system. In each of these server operating system types, a directory can be exported as a share. This share can then be mounted on an AIX® logical partition by using the SMB client file system. By using the SMB client file system, you can access the shares on SMB servers as local file systems on the AIX logical partition. You can use the SMB client file system to create, delete, read, and write files and directories on the SMB server and also to modify the access duration to these files and directories. However, you cannot change the owner or access permission of these files and directories.
Note: SMB client file system is not supported in WPAR partitions.
The following SMB protocol 3.0.2 functions are available in the SMB client file system:
SMB 3.0.2 secure dialect negotiation

You can mount a share from the SMB server into the AIX virtual file system (VFS) by using SMB protocol version 3.0.2.

An SMB server that supports the 3.0.2 dialect provides secure dialect negotiation to protect against tampering with the negotiated dialect and capabilities. When the SMB 3.0.2 dialect is negotiated, the SMB client must send a mandatory signed request to validate the negotiation information.

SMB 3.0.2 signing
The SMB protocol 3.0.2 uses a more recent algorithm for signing, AES-128-CMAC (Advanced Encryption Standard cipher-based message authentication code), to ensure the integrity of messages that are exchanged between the SMB client and the SMB server by signing the outgoing messages and by validating the incoming messages.
SMB 3.0.2 encryption

SMB encryption provides end-to-end encryption of SMB data and protects the data from eavesdropping on untrusted networks. SMB encryption can be configured on a per-share basis or for the entire file server, and it can be enabled for the various scenarios in which data traverses untrusted networks.

SMB 3.0.2 file name and directory name case-insensitivity
The SMB 3.0.2 client supports only case-insensitive file or directory names, in line with the Windows-based SMB server.
SMB 3.0.2 support for Unicode (or Universal Coded Character Set) Transformation Format 8-bit (UTF-8)
SMB 3.0.2 supports the UTF-8 code set and converts to and from the UTF-16 code set that the SMB server requires. Because the AIX operating system supports the UTF-8 code set, textual data that is transmitted from or to AIX logical partitions is in UTF-8 format. The AIX SMB 3.0.2 client converts the UTF-8 code set to the UTF-16 code set before it sends textual data to the SMB server and converts the UTF-16 code set to the UTF-8 code set after it receives textual data from the SMB server.
SMB 3.0.2 support for the Live Update operation
SMB 3.0.2 supports the Live Update operation with limited functions. In an SMB 3.0.2 client, the Live Update operation is allowed only when no SMB shares are mounted; otherwise, the Live Update operation fails. Therefore, you must unmount all SMB shares before you start the Live Update operation and mount the SMB shares again after the Live Update operation is completed. During the Live Update operation, the SMB shares must not be mounted.
SMB 3.0.2 support for modifying service principal name
A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. By default, SPN is constructed automatically by the SMB client file system as cifs/<smbServerHostName>. You can modify the value of the default SPN when you mount the SMB client file system.

Installing the SMB client file system

The SMB client file system in the AIX operating system requires Kerberos-based GSSAPI to start the user-authenticated session by using the SMB protocol version 2.1 or version 3.0.2. In the AIX operating system, the GSSAPI is provided by the user-space library in the IBM® Network Authentication Service (NAS) fileset, version 1.16.1.0 or later. SMB version 3.0.2 uses the AIX OpenSSL library to generate keys for signing and encryption.

Therefore, you must install OpenSSL version 1.0.2.2002 of the openssl.base fileset for the following AIX operating system versions:
  • IBM AIX 7.3 with Technology Level 0
  • IBM AIX 7.2
  • IBM AIX 7.1

For IBM AIX 7.3 with Technology Level 1, and later, you must install OpenSSL version 3.0.5 of the openssl.base fileset. These filesets are included in the IBM AIX Expansion Pack and AIX Web Download Pack Programs.

To install the SMB client file system on an AIX logical partition, complete the following steps:

  1. Go to the AIX Web Download Pack Programs web page and sign in by using your IBMid and password.
  2. Select the SMB CLIENT for AIX 3.0.2 option and click Continue.
  3. Select SMB Client filesets for AIX version 7.1, SMB Client filesets for AIX versions 7.2 through AIX version 7.3 TL0, or SMB Client filesets for AIX version 7.3 TL01 onwards, as required, and click Download.
    Note: Your IBM credentials must be entitled to download the SMB client file system package. Otherwise, you cannot download the package.
  4. Install the smbc.rte package by using the installp command.

    When the smbc.rte package is installed, the device nsmbc0 is created. This device allows the mount command to establish a connection between the SMB server and the SMB client file system by using the SMB client protocol version 2.1 or version 3.0.2.

Mounting the SMB client file system as a local mount point

You can mount the SMB client file system by using the following command:
mount -v smbc -n windows_server/Kerberos_username/password_for_Kerberos_user \
-o wrkgrp=workgroup,[[port=139|445],[signing=required|enabled],[pver=2.1|3.0.2|auto], \
[encryption=desired|required|disabled],[secure_negotiate=desired|required|disabled], \
[spn=cifs/<smbServerHostName>] share_point_to_mount_created_on_windows local_mount_point

For example:

mount -v smbc -n llm140.xyz.com/cec102usr1/Passw0rd \
-o "wrkgrp=SMB_302.test,port=445,signing=required,encryption=required, \
secure_negotiate=desired,pver=auto,spn=cifs/llm140.xyz.com" /some_share /mnt

You can specify the following parameters with the -o flag of the mount command. The parameters must be separated only by a comma. Do not insert a space before or after a comma.

fmode
Sets the access permissions of files and directories as an octal mode. The default value is 755.
uid
Assigns a user ID to files during the mount operation. The default value is root.
gid
Assigns a group ID to files during the mount operation. The default value is system.
wrkgrp
Specifies the workgroup to which the SMB server belongs. This parameter is mandatory to mount the SMB client file system.
port
Specifies the port number. Valid values are 445 and 139. The default value is 445. Port 139 is supported only when the specified server address is in the IPv4 format.
pver
Specifies the SMB protocol version that is used to communicate with the SMB server. The valid values are 2.1, 3.0.2, and auto. When you specify the auto value, SMB protocol version 2.1 or version 3.0.2 is used based on the specified SMB server.
signing
Specifies whether the SMB client file system requires a digital signature for communication. Valid values are enabled and required. When the signing parameter is set to enabled, the SMB client file system does not digitally sign the data packets unless the SMB server requires digital signatures for communication. When the signing parameter is set to required, the SMB client file system always digitally signs the data packets. If you do not specify the signing parameter in the mount command, a default value is used from the kernel tunable parameter values that are set by using the smbctune command.
secure_negotiate
Specifies whether the SMB client file system requires a secure dialect negotiation capability. The valid values are desired, required, and disabled. If you do not specify this parameter in the mount command, a default value is used from the kernel tunable parameter values that are set by using the smbctune command.
encryption
Specifies whether the SMB client file system requires encryption. The valid values are desired, required, and disabled. If you do not specify this parameter in the mount command, a default value is used from the kernel tunable parameter values that are set by using the smbctune command.
spn
Specifies the service principal name (SPN) that must be used in the SMB client mount points. The format of the spn parameter is cifs/<smbServerHostName>, where smbServerHostName is the fully qualified domain name (FQDN) of the SMB server or the name that the Kerberos resolves as the SMB server. By default, SPN is constructed automatically by the SMB client file system as cifs/<smbServerHostName>.

Kerberos authentication for SMB client file system

To mount an SMB client file system, you must authenticate to the SMB server by providing a Kerberos username and a Kerberos password. This username and password are used to perform all necessary file operations on the SMB server. If you do not provide a password, you are prompted for a password through the standard AIX password prompt.
Note: The password that is used to mount the SMB client file system can be up to 255 characters in length. The password can contain special characters.

When you run a file system command, such as a read command, on a file in the SMB client mount point, a request is sent to the SMB server to read the file. The authenticated session ID is also sent as part of this read request. The SMB server uses this session ID to determine whether the user is authenticated to the server and to perform a read operation on the file. Thus, the SMB server authorizes access to the file and controls whether an operation can be performed on the file.

The fmode option of the mount command allows the root user on the SMB client file system to control access to files on the SMB server before the SMB server is queried. If you do not specify a value for the fmode option, the fmode option uses the default value of 755. The following table explains how the fmode option works with various operations:

Table 1. Cases in which users are either allowed or denied access based on the specified access permissions of the files or directories on the SMB server

Case   | User authenticated to SMB server | Client user requesting write access | Mount owner, group, and access mode | File or directory owner, group, and access mode on the SMB server | Access permission
-------|----------------------------------|-------------------------------------|-------------------------------------|-------------------------------------------------------------------|------------------
Case 1 | user1                            | user2                               | user1, staff, rwxr-xr-x             | user1, staff, rwxrwxr-x                                           | no
Case 2 | user1                            | root                                | user1, staff, rwxr-xr-x             | user2, staff, rwxr-xr-x                                           | no
Case 3 | user1                            | user1                               | user1, staff, rwxr-xr-x             | user2, staff, rwxrwxr-x                                           | yes
Case 4 | user1                            | user1                               | user1, staff, rwxr-xr-x             | root, system, rwx------                                           | no
Case 5 | user1                            | user1                               | user1, staff, rwxr-xr-x             | root, system, rwxrwxrwx                                           | yes

In Case 1, access to the file or directory is denied to user2 because the mount owner, group, and mode at the mount point on the SMB client did not provide write access to user2.

In Case 2, access to the file or directory is denied to the root user because, even though the root user has all access on the SMB client, the SMB server-authenticated user, user1, does not have access to the file on the SMB server.

In Case 3, user1 has access to the file or directory as user1 was the mount owner during the mount operation, and user1, a member of the group staff on the SMB server, had access to the file on the server.

In Case 4, access to the file or directory is denied to user1. Even though user1 was the owner during the mount operation, the file is owned by the root user on the SMB server, and group members and other users do not have any access permissions.

In Case 5, user1 has access to the file or directory because the access mode on the SMB server grants all permissions to group members and other users.
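The two-stage check that Table 1 illustrates, as an added worked model (this is not code from the AIX documentation or from the smbc.rte fileset): the client first applies the mount's uid, gid and fmode to the local user that requests the write, with root on the client passing that stage, and the SMB server then applies the file's own owner, group and mode to the Kerberos-authenticated session user, which is the only identity it ever sees. The group memberships are constructed for the model; the page states only that user1 is a member of staff on the server.

```python
"""Model of the two-stage write-access decision described for the fmode option.

Added example, not code from the AIX documentation or the smbc.rte fileset.
Stage 1 is the client's check of the requesting local user against the mount
uid/gid/fmode; stage 2 is the server's check of the authenticated session user
against the file's owner/group/mode on the SMB server.
"""
from typing import NamedTuple


class Perm(NamedTuple):
    owner: str
    group: str
    mode: str  # rwx string such as "rwxr-xr-x"


def octal_to_rwx(octal):
    """Convert an fmode value such as 755 to the rwxr-xr-x form used in Table 1."""
    bits = []
    for digit in str(octal):
        n = int(digit, 8)
        bits.append(("r" if n & 4 else "-") + ("w" if n & 2 else "-") + ("x" if n & 1 else "-"))
    return "".join(bits)


def has_write(user, perm, groups, root_bypass):
    """Unix-style class selection (owner, then group, then other) for write access."""
    if root_bypass and user == "root":
        return True
    if user == perm.owner:
        cls = 0
    elif perm.group in groups.get(user, set()):
        cls = 1
    else:
        cls = 2
    return perm.mode[cls * 3 + 1] == "w"


def write_allowed(auth_user, requester, mount, server_file, client_groups, server_groups):
    # Stage 1: the client checks the local requesting user against mount uid/gid/fmode.
    # root on the client has all access locally, so it passes this stage (Case 2).
    if not has_write(requester, mount, client_groups, root_bypass=True):
        return False
    # Stage 2: the server sees only the authenticated session user, never the local uid.
    return has_write(auth_user, server_file, server_groups, root_bypass=False)


# Constructed memberships (assumption): user1 and user2 in staff on the client;
# user1 in staff on the server, as the text for Case 3 states.
CLIENT_GROUPS = {"user1": {"staff"}, "user2": {"staff"}}
SERVER_GROUPS = {"user1": {"staff"}, "user2": {"staff"}}

# Mount as in every row of Table 1: uid=user1, gid=staff, default fmode 755.
MOUNT = Perm("user1", "staff", octal_to_rwx(755))

# (case, authenticated user, requesting client user, file on the server)
TABLE_1 = [
    (1, "user1", "user2", Perm("user1", "staff", "rwxrwxr-x")),
    (2, "user1", "root", Perm("user2", "staff", "rwxr-xr-x")),
    (3, "user1", "user1", Perm("user2", "staff", "rwxrwxr-x")),
    (4, "user1", "user1", Perm("root", "system", "rwx------")),
    (5, "user1", "user1", Perm("root", "system", "rwxrwxrwx")),
]


def evaluate_table():
    """Return {case number: write allowed?} for the five rows of Table 1."""
    return {case: write_allowed(a, r, MOUNT, f, CLIENT_GROUPS, SERVER_GROUPS)
            for case, a, r, f in TABLE_1}


if __name__ == "__main__":
    for case, allowed in evaluate_table().items():
        print(f"Case {case}: {'yes' if allowed else 'no'}")
```

The model makes the practical point of the section explicit: the fmode, uid and gid options can only narrow access on the client, because every request reaches the server under the single authenticated identity given at mount time, so a permissive fmode never grants more than that identity holds on the server.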

Note: On the mounted file system, the following characters cannot be used in the name of the file: backslash key (\), forward slash key (/), colon (:), asterisk (*), question mark (?), less than key (<), greater than key (>), and vertical bar key (|).

Stored passwords

The SMB client file system can store server name, username, and password credentials in the /etc/smbcred file to allow automatic retrieval of passwords when you mount the SMB client file system. You can view, add, change, and remove the credentials from the /etc/smbcred file by using the lssmbcred, mksmbcred, chsmbcred, and rmsmbcred commands that are located in the /usr/sbin/ directory. Passwords that are added to the /etc/smbcred file are encrypted. When you mount the SMB client file system without specifying a password, the /etc/smbcred file is searched for matching credentials. If a match is found, the stored password from the /etc/smbcred file is used. Otherwise, you are prompted for a password through the standard AIX password prompt.

Consider the following limitations about the stored passwords:
  • To retrieve stored passwords, the server naming convention must be consistent. For example, if the credentials are added by using an IP address rather than a hostname or a fully qualified domain name (FQDN), passwords can be retrieved only when you mount the SMB client file system by using IP address.
  • Remove the credential entry from the /etc/filesystems file before you uninstall the smbc.rte fileset.

/etc/filesystems file support

The SMB client file system supports the /etc/filesystems file to allow automated mount operation of file systems during system startup operation. The /etc/filesystems file also provides access to stored server name, username, password, and configuration data when you mount a file system.

To manage the SMB client file system in the /etc/filesystems file, you can use the lssmbcmnt, mksmbcmnt, chsmbcmnt, and rmsmbcmnt commands. You can also add the SMB client file system entries manually. When you add SMB client file system entries manually to the /etc/filesystems file, you must store the SMB client file system credentials in the /etc/smbcred file.

Example:

$ cat /etc/filesystems
.....................
.....................
.....................

/mnt1:
dev = /fvt_share
vfs = smbc
mount = true
options = "wrkgrp=SMB_21.FVT"
nodename = <servername>/<username>

/mnt:
dev = /fvt_share
vfs = smbc
mount = true
options = "wrkgrp=SMB_21.FVT,signing=required"
nodename = <servername>/<username>
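A small audit of smbc stanzas, as an added example that is not code from the AIX documentation or the smbc.rte fileset. It serves both the mount-option rules listed above (valid keys and values, mandatory wrkgrp, no spaces around commas, port 139 only with an IPv4 server address, spn in the cifs/<smbServerHostName> form) and the /etc/filesystems example: it parses the stanza format shown, checks each smbc stanza's options string against those rules, and reports where signing, encryption or secure negotiation is weaker than required or left to the smbctune defaults. The stanza parser, the sample text and the severity labels are constructed for the example; it reads a text you pass in rather than the live /etc/filesystems.

```python
"""Audit smbc stanzas in /etc/filesystems-style text against the documented mount options.

Added example, not part of the AIX documentation or the smbc.rte fileset. The parser
is a constructed reading of the stanza format shown in the documentation excerpt.
"""
import re

# Value sets documented for the -o options; the other keys take free-form values.
VALID_VALUES = {
    "port": {"445", "139"},
    "pver": {"2.1", "3.0.2", "auto"},
    "signing": {"enabled", "required"},
    "secure_negotiate": {"desired", "required", "disabled"},
    "encryption": {"desired", "required", "disabled"},
}
FREE_FORM = {"fmode", "uid", "gid", "wrkgrp", "spn"}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_filesystems(text):
    """Return {stanza_name: {attribute: value}} from /etc/filesystems-style text.

    A stanza starts with a line ending in ':'; attribute lines are 'key = value'.
    Lines starting with '*' are treated as comments; anything else (such as the
    '....' filler in the excerpt) is ignored.
    """
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith(":"):
            current = line[:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip().strip('"')
    return stanzas


def parse_options(options):
    """Split a -o string into a dict, recording syntax and value problems as findings."""
    opts, findings = {}, []
    for item in options.split(","):
        if item != item.strip():  # the page requires no space before or after a comma
            findings.append(("ERROR", f"whitespace around comma near {item!r}"))
            item = item.strip()
        key, sep, value = item.partition("=")
        if not sep or not value:
            findings.append(("ERROR", f"malformed option {item!r}"))
            continue
        if key in VALID_VALUES and value not in VALID_VALUES[key]:
            findings.append(("ERROR", f"{key}={value} is not a valid value"))
        elif key not in VALID_VALUES and key not in FREE_FORM:
            findings.append(("ERROR", f"unknown option {key!r}"))
        opts[key] = value
    return opts, findings


def audit_stanza(name, stanza):
    """Return (level, message) findings for one smbc stanza; [] for other vfs types."""
    if stanza.get("vfs") != "smbc":
        return []
    opts, findings = parse_options(stanza.get("options", ""))
    server = stanza.get("nodename", "").split("/", 1)[0]
    if "wrkgrp" not in opts:
        findings.append(("ERROR", "wrkgrp is mandatory for an smbc mount"))
    if opts.get("port") == "139" and not IPV4.match(server):
        findings.append(("ERROR", "port=139 is supported only with an IPv4 server address"))
    if "spn" in opts and not opts["spn"].startswith("cifs/"):
        findings.append(("ERROR", "spn must have the form cifs/<smbServerHostName>"))
    # Protections weaker than 'required', or left to the smbctune kernel tunables.
    for key in ("signing", "encryption", "secure_negotiate"):
        value = opts.get(key)
        if value is None:
            findings.append(("INFO", f"{key} not set; default comes from smbctune tunables"))
        elif value != "required":
            findings.append(("WARN", f"{key}={value}: not enforced by the client"))
    return [(lvl, f"{name}: {msg}") for lvl, msg in findings]


def audit_text(text):
    """Audit every stanza in the text and return all findings in stanza order."""
    findings = []
    for name, stanza in parse_filesystems(text).items():
        findings.extend(audit_stanza(name, stanza))
    return findings


# Constructed sample: the two stanzas from the excerpt plus a deliberately flawed one.
SAMPLE = """\
* constructed sample modelled on the documentation excerpt
/mnt1:
dev = /fvt_share
vfs = smbc
mount = true
options = "wrkgrp=SMB_21.FVT"
nodename = <servername>/<username>

/mnt:
dev = /fvt_share
vfs = smbc
mount = true
options = "wrkgrp=SMB_21.FVT,signing=required"
nodename = <servername>/<username>

/mnt2:
dev = /other_share
vfs = smbc
mount = true
options = "wrkgrp=SMB_21.FVT, port=139,signing=enabled,encryption=disabled,secure_negotiate=required"
nodename = smb.example.invalid/user1
"""

if __name__ == "__main__":
    for level, msg in audit_text(SAMPLE):
        print(f"{level:5} {msg}")
```

Run against the real file with audit_text(open("/etc/filesystems").read()) on the AIX partition; an INFO finding is not a fault by itself, but it means the effective setting is whatever smbctune reports, so check those tunables rather than assuming signing or encryption is on.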

SMIT interface support

You can use the SMIT interface to perform the following tasks:
  • List the SMB client mount points.
  • Display the SMB client tunable parameters.
  • Configure the SMB client credentials.
  • Add or mount an SMB client file system.
  • Remove or unmount an SMB client file system.
  • Change an SMB client file system.
In the SMIT interface, go to Communications Applications and Services > SMB Client for AIX to access the SMB client file system options. You can also use the following SMIT fast path:
smit smbc