APAR status
Closed as documentation error.
Error description
The Windows registry setting RequireSecuritySignature=1 results in a hard failure when trying to access resources exported by DFS/SMB on z/OS. The z/OS SMB server implementation does not support signing. The registry value RequireSecuritySignature under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters must be set to x00000000.
Local fix
Set RequireSecuritySignature to x00000000 and reboot the workstation
Problem summary
USERS AFFECTED: All users of the z/OS Distributed File Service SMB Server.

PROBLEM DESCRIPTION: A Windows client is unable to connect or access exported share resources if the environment is requiring SMB digital signing.

RECOMMENDATION: UPDATE DOCUMENTATION

An update to the Distributed File Service SMB Administration guide (SC23-6886-00) is being added.
Problem conclusion
The following section is being added in the SMB restrictions section in Chapter 10. Accessing data.

z/OS SMB implementation restriction for SMB Digital Signing

The z/OS Distributed File Service SMB server does not support server-side SMB digital signing. The determination whether to use and enforce digital signing is performed during the initial negotiation and session setup SMB transactions between the supported clients, the z/OS DFS/SMB server and the Microsoft Domain controllers if passthrough authentication is configured. An attempt to use digital signing results in unsuccessful session connection attempts or access failures to the exported shares. These errors are presented to the client as ACCESS denied or unexpected network errors. Refer to Microsoft documentation for detailed information and how to set the value for this option. These options can be set using the group policy editor secpol.msc or the regedit Microsoft utility.

How to determine current settings:

The following describes the Group Policy settings and their corresponding registry values that you can use to determine the settings for client-side and server-side digital signing.

Group Policy setting for client-side signing using secpol.msc
  Microsoft network client: Digitally sign communications (if server agrees)
  Microsoft network client: Digitally sign communications (always)

Corresponding registry value for client-side signing using regedit
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Enablesecuritysignature
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Requiresecuritysignature

Group Policy setting for server-side signing using secpol.msc
  Microsoft network server: Digitally sign communications (if server agrees)
  Microsoft network server: Digitally sign communications (always)

Corresponding registry value for server-side signing using regedit
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Enablesecuritysignature
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Requiresecuritysignature

Recommended configuration for the z/OS SMB implementation:

On the Windows clients, ensure that the fields are set as follows:
  Microsoft network client: Digitally sign communications (always): Disabled
  Microsoft network client: Digitally sign communications (if server agrees): Either Enabled/Disabled

On the Windows 2008 server, ensure that the fields are set as follows:
  Microsoft network server: Digitally sign communications (always): Disabled
  Microsoft network server: Digitally sign communications (if client agrees): Disabled
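
One way to determine the current settings from a PowerShell prompt instead of regedit. This is an added example, not part of the APAR or of IBM's documentation; it reads the four registry values listed above and compares them with the recommended configuration, treating Disabled as 0 and Enabled as 1. The $checks table, the AppliesTo labels and the result wording are assumptions made for the example.

```powershell
# Added example (not IBM's code): audit the SMB signing registry values
# named in this APAR against its recommended configuration.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Recommended = $null means the APAR accepts either Enabled or Disabled.
$checks = @(
    @{ AppliesTo = 'Windows client';      Service = 'LanmanWorkstation'; Name = 'RequireSecuritySignature'; Recommended = 0 }
    @{ AppliesTo = 'Windows client';      Service = 'LanmanWorkstation'; Name = 'EnableSecuritySignature';  Recommended = $null }
    @{ AppliesTo = 'Windows 2008 server'; Service = 'LanmanServer';      Name = 'RequireSecuritySignature'; Recommended = 0 }
    @{ AppliesTo = 'Windows 2008 server'; Service = 'LanmanServer';      Name = 'EnableSecuritySignature';  Recommended = 0 }
)

$report = foreach ($c in $checks) {
    $path = Join-Path $base "$($c.Service)\Parameters"
    $name = $c.Name

    # A missing value yields $null instead of an error.
    $item    = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $current = if ($item) { [int]$item.$name } else { $null }

    $result = if ($null -eq $current) {
        'Value not present: check the effective policy in secpol.msc'
    } elseif ($null -eq $c.Recommended) {
        'OK (either Enabled or Disabled)'
    } elseif ($current -eq $c.Recommended) {
        'OK'
    } else {
        "Mismatch: recommended value is $($c.Recommended)"
    }

    [pscustomobject]@{
        AppliesTo = $c.AppliesTo
        Value     = "$($c.Service)\Parameters\$name"
        Current   = $current
        Result    = $result
    }
}

$report | Format-Table -AutoSize -Wrap
```

Only the rows whose AppliesTo column matches the host the script runs on are relevant to that host.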
Temporary fix
Comments
APAR Information
APAR number
OA46044
Reported component name
DFS FILE SERVIC
Reported component ID
569694200
Reported release
410
Status
CLOSED DOC
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2014-09-15
Closed date
2014-11-26
Last modified date
2016-12-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
SC23688600
Fix information
Applicable component levels
Document Information
Modified date:
08 December 2016