IBM Support

SMB2 Support for IBM i 7.2

Question & Answer


Question

How do the SMB versions work on IBM i 7.2?

Answer

SMB2 support was added to IBM i 7.2 with PTFs.  SMB2 support was added for both NetServer (the server that handles drive mapping to the IBM i) and QNTC (the SMB client on the IBM i that provides access from the IBM i to other SMB servers like Windows).  The IBM i does not provide SMB2 support for 7.1 and older OS versions of the IBM i.


SMB2 support for 7.2 NetServer
Note:  This technote only pertains to IBM i 7.2.

The 7.2 PTFs that originally added the SMB2 support for NetServer were MF63692, MF64295, and MF64401.  We recommend applying the latest NetServer PTFs because there were many NetServer problems fixed by the latest supersede PTFs.
The control of which version(s) of SMB NetServer supports can be controlled by calling the NetServer QZLSMAINT utility to set the SMB flags.  Changing the SMB versions requires restarting NetServer in order to assure you are using the desired SMB version.  
A good starting point is to see what the flags are presently set to. 
To view the SMB flags, run the following command:
CALL QZLSMAINT PARM('40' '0')
Running this command before restarting NetServer produces a spool file showing old flags (what the NetServer is presently using) and new flags (what the NetServer uses after it is restarted).

If the QZLSMAINT utility has not been called before to change the SMB version, the resulting spool file should show the following:
    OLD FLAGS            
    0000000000000000    
    NEW FLAGS            
    0000000000000000    
When all the flags are set to zeros, NetServer is using the default SMB version for your operating system version. At 7.2 this means that SMB version 1 (SMB1) is being used exclusively with no support for SMB2.

To allow both SMB1 and SMB2, run the following command:
CALL QZLSMAINT PARM('40' '1' '0X400')
Running this command will produce a spool file with the following flags:
    OLD FLAGS            
    0000000000000000    
    NEW FLAGS            
    0000000000000400 
After restarting NetServer and running command CALL QZLSMAINT PARM('40' '0'), the flags in the spool file will show:
    OLD FLAGS            
    0000000000000400    
    NEW FLAGS            
    0000000000000400 
NetServer would now support both SMB1 and SMB2.
If SMB1 and SMB2 are allowed and the decision is make to only allow SMB2, run the following command:
CALL QZLSMAINT PARM('40' '1' '0X100')
Running this command will produce a spool file with the following flags:
   OLD FLAGS       
   0000000000000400
   NEW FLAGS       
   0000000000000500
After restarting NetServer and running command CALL QZLSMAINT PARM('40' '0'), the spool file will show the following flags:
   OLD FLAGS       
   0000000000000500
   NEW FLAGS       
   0000000000000500
NetServer would now only support SMB2.
A alternative method to only allow SMB2 would be to run the following two commands:
Note: The first of the two QZLSMAINT commands set NetServer back to the default which would allow only SMB1 support.
CALL QZLSMAINT PARM('40' '3')
CALL QZLSMAINT PARM('40' '1' '0X500')
Calling CALL QZLSMAINT PARM('40' '0') after running these two commands and restarting NetServer will show the following flags:
   OLD FLAGS       
   0000000000000500
   NEW FLAGS       
   0000000000000500
To go back to the 7.2 default which provided only SMB1 support, run the following command as shown in the alternative above:
CALL QZLSMAINT PARM('40' '3')
After restarting NetServer, the flags in the spool file will show the default flags which allow only SMB1 support:
   OLD FLAGS       
   0000000000000000
   NEW FLAGS       
   0000000000000000
As a alternative, if NetServer is set to allow both SMB1 and SMB2, you can run the following command:
CALL QZLSMAINT PARM('40' '2' '0X400')
Notice the value '2' instead of '1' (which was used previously when enabling SMB2) is used to remove the SMB2 support.
 
As shown above, using the QZLSMAINT utility can display, add, or subtract values from the flags or set the flags back to all zeros.  Whenever this utility is called, it produces a spool file showing the current state of the SMB flags. 
Here is an example scenario of how the QZLSMAINT utility might be used:
Run the command CALL QZLSMAINT PARM('40' '0') and review the spool file it produces.  It shows that the flags are all zeros and you now want to add SMB2 support (so that NetServer supports both SMB1 and SMB2).  Running CALL QZLSMAINT PARM('40' '1' '0X400') will add 400 to the NEW FLAGS.  The QPCSMPRT spool file shows:
   OLD FLAGS            
   0000000000000000    
   NEW FLAGS            
   0000000000000400    
These flags indicate that NetServer is presently only allowing SMB1 support but after a restart, it will also allow SMB2.  If you were to dump the flags after restarting NetServer then the old and new flags would both show a value of 400.
To extend this example further, if your flags are set at 400 and you now want to disable the use of SMB1 for NetServer, you can run CALL QZLSMAINT PARM('40' '1' '0X100') which adds 100 to the flags.  This would produce a spool file showing flags:
   OLD FLAGS            
   0000000000000400    
   NEW FLAGS            
   0000000000000500
After restarting NetServer only SMB2 will be allowed and the flags will show 500 for both the old and new flags.   
 
Setting the flags to any value other then what is shown above may produce unpredictable results.

SMB2 support for QNTC

The original PTF to add QNTC SMB2 support is SI64984.  Again we recommend applying the latest superseding PTF as it will include fixes for problems not included in the original PTF. This PTF requires an IPL to activate.  After the PTF or a supersede has been applied and the IBM i IPLed, SMB2 will be used by default on QNTC connections.  To change or control which version of SMB is used by QNTC, this can be done by adding a system environment variable.
To allow QNTC to use SMB2 by default and to fall back to using SMB1 if SMB2 is not available on the device QNTC is connecting to, either do not create the environment variable or create the environment variable and set it to zero: 
ADDENVVAR ENVVAR(QIBM_ZLC_SMB_VERS) VALUE(0) LEVEL(*SYS)
To force QNTC to use only SMB1: 
ADDENVVAR ENVVAR(QIBM_ZLC_SMB_VERS) VALUE(1) LEVEL(*SYS)
To force QNTC to use only SMB2: 
ADDENVVAR ENVVAR(QIBM_ZLC_SMB_VERS) VALUE(2) LEVEL(*SYS)
You may add this variable before or after IPLing the system to activate the PTF.  If it is added after the PTF is activated, QNTC will continue to use SMB2 in any jobs that started before the environment variable was set.
If you need to have a particular job use a different version of SMB than the default, you can set the environment variable in that job PRIOR to making the connection through QNTC.  Because the SMB version is negotiated upon the initial connection, setting the environment variable after that connection was made from a job would not likely have any effect.                                                                                                      

[{"Product":{"code":"SWG60","label":"IBM i"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":"Integrated File System","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.2.0;7.2","Edition":"","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}},{"Product":{"code":"SSTS2D","label":"IBM i 7.3"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"SSC5L9","label":"IBM i 7.2"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"SSC52E","label":"IBM i 7.1"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
05 January 2021

UID

nas8N1022198