IBM Support

IBM i NetServer SMB protocol version control guide

How To


Summary

This document explains how IBM i administrators can view and control the SMB protocol versions used by IBM i NetServer. While current IBM i releases default to SMBv3 during negotiation, administrators may still need to restrict SMBv1 or SMBv2 to meet security or compliance requirements.

Objective

Help IBM i administrators view and manage their IBM i NetServer SMB protocol version

Environment

IBM i v720 and newer.

This document has been updated to highlight currently supported releases (IBM i v74, v75, v76).

 

Steps

Currently supported IBM i releases default to SMBv3 during client/server negotiation, so no configuration change is needed unless the IBM i administrator wishes to block clients attempting to negotiate the SMBv1 or SMBv2 protocols. Modern Windows security policies will generally prevent the client from using the SMBv1 protocol.

Important: SMB3 and SMB2 Relationship on IBM i
On IBM i, SMB3 is implemented as a superset of SMB2. As a result:

  • SMB2 must remain enabled
  • There is no flag to disable SMB2 while allowing SMB3
  • Requiring encryption (*REQUIRED) is the only supported way to effectively force SMB3-only clients

To disable SMBv1 and SMBv2 (unencrypted) protocols on v740 and newer releases, IBM i administrators can set NetServer option Encrypt connections to *REQUIRED through the GO NETS CL tool under option "9. Change Attributes" (Change NetServer Attributes).

New Navigator for i also allows setting that option:
[Image: Encrypt connections option in New Navigator for i]

 

The remainder of this document is primarily intended for pre-v740 releases. 

Display the current NetServer SMB protocol version with command:

===> CALL QZLSMAINT PARM('40' '0')

This program call creates a QPCSMPRT spooled file. In the spooled file, view OLD FLAGS and NEW FLAGS. The "OLD FLAGS" values are what NetServer is presently using and the "NEW FLAGS" value is what NetServer uses the next time it is started.  For example,

[Image: example QPCSMPRT spooled file output]
 

There are 6 possible values related to SMB usage:

0000000000000000 - Protocol version is negotiated and defaults for the OS version will be used (see "Default versions" below)
0000000000000080 - Disables SMBv2
0000000000000100 - Disables SMBv1
0000000000000400 - Enables SMBv2 for 7.2 (7.3 and later do this by default)
0000000000000500 - Combination of x100 and x400. Allow SMBv2 and higher only
0000000000001000 - Disables SMBv3 (specific to IBM i 7.4 and 7.5)
0000000000001080 - Disables SMBv2 and SMBv3 (specific to IBM i 7.4 and 7.5)

Note:  7.2 provides support for SMBv1 and SMBv2. 7.3 provides support for SMBv1 and SMBv2.  7.4 provides support for SMBv1, SMBv2, and SMBv3.  7.1 and earlier versions support SMBv1 only (so these flags have no impact or meaning for those releases).
 
Default versions for each release:
 
7.2 = SMBv1 
7.3 = SMBv2
7.4 and above = SMBv3
 
Change SMB version settings by using CALL QZLSMAINT:

It is recommended to make the configuration change while NetServer is not active.
Whenever NetServer SMB protocol level changes are made, it might be necessary to remap drives or reboot client PCs for the client to use the new settings.
 
Consider the following example command:  CALL QZLSMAINT PARM('40' '1' '0x400')
The second parameter can take any of the following values:
'1' sets on the bits that are defined by the value that follows
'2' sets off the bits that are defined by the value that follows
'3' reinitializes the flags to all zeros. Do not use unless directed by IBM i Support.
 

Commands are cumulative. For example, these two executions:

===> CALL QZLSMAINT PARM('40' '1' '0x400')
===> CALL QZLSMAINT PARM('40' '1' '0x100')

…leave you with:

NEW FLAGS        0000000000000500

===> CALL QZLSMAINT PARM('40' '2' '0x500')

…the '2' sets the bits off for the value 500 (0101 0000 0000) and leaves you back at the default settings (all 0's).

 
===> CALL QZLSMAINT PARM('40' '3')
…re-initializes the flags to all zeros regardless of the existing value. Do not use unless directed by IBM i Support.
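
The flag table and the set/clear/reset arithmetic above, modelled in Python as an added example (not IBM code): `apply` mirrors options '1', '2' and '3', and `audit` reads OLD FLAGS and NEW FLAGS lines to report whether SMBv1 is still permitted by the flags. The function names are hypothetical and the sample spooled-file text is constructed.

```python
import re

# Flag bits exactly as listed in this document.
FLAG_BITS = {
    0x0080: "Disables SMBv2",
    0x0100: "Disables SMBv1",
    0x0400: "Enables SMBv2 for 7.2",
    0x1000: "Disables SMBv3 (7.4 and 7.5)",
}
KNOWN_MASK = sum(FLAG_BITS)

def apply(flags, option, value=0):
    """Model CALL QZLSMAINT PARM('40' option value) acting on NEW FLAGS."""
    if option == "1":          # set the bits in value
        return flags | value
    if option == "2":          # clear the bits in value
        return flags & ~value
    if option == "3":          # reinitialize to all zeros
        return 0
    raise ValueError(f"unsupported option {option!r}")

def describe(flags):
    """Names of the documented bits set in flags, plus any undocumented remainder."""
    names = [text for bit, text in FLAG_BITS.items() if flags & bit]
    extra = flags & ~KNOWN_MASK
    return names + ([f"Undocumented bits 0x{extra:X}"] if extra else [])

def parse_flags(spool_text):
    """Extract {'OLD': int, 'NEW': int} from 'OLD FLAGS <16 hex digits>' lines."""
    pairs = re.findall(r"^\s*(OLD|NEW) FLAGS\s+([0-9A-Fa-f]{16})\s*$", spool_text, re.M)
    return {kind: int(value, 16) for kind, value in pairs}

def audit(spool_text):
    """Findings an administrator would act on before restarting NetServer."""
    f = parse_flags(spool_text)
    findings = []
    if not f["OLD"] & 0x0100:
        findings.append("running: SMBv1 not disabled by flags")
    if not f["NEW"] & 0x0100:
        findings.append("after restart: SMBv1 not disabled by flags")
    if f["OLD"] != f["NEW"]:
        findings.append("NetServer restart needed for NEW FLAGS to take effect")
    return findings

# Constructed sample; the layout of a real QPCSMPRT spooled file may differ.
SAMPLE = "OLD FLAGS        0000000000000000\nNEW FLAGS        0000000000000500\n"
```
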
 
NOTE:  7.2 provides support for SMBv1 and SMBv2 (with PTFs). 7.3 provides support for SMBv1 and SMBv2.  7.4 provides support for SMBv1, SMBv2, and SMBv3.
 
Note:  Minimum Authority requirements for QZLSMAINT are:  *IOSYSCFG  *ALLOBJ  *SERVICE

Additional Information

If Windows 10 clients receive the following error mapping to IBM i 7.2 or later:
[Image: error message shown on the Windows 10 client]
 
...set the NetServer SMB protocol version control flags to x500 so that SMBv1 protocol is disabled.  Note that IBM i NetServer will still accept an SMBv1 "Negotiate Protocol Request" frame, but the "Negotiate Protocol Response" (and the rest of the connection) will be SMB2.
 

Document Location

Worldwide


Document Information

Modified date:
26 January 2026

UID

ibm10958915