VNX: How to enable/disable SMB Signing (User Correctable)


   Article Number:     496200                                   Article Version: 3     Article Type:    How To 




VNX1 Series,VNX2 Series





There are 3 places to set SMB signing on a VNX CIFS Server:   

  •         Data mover parameter cifs.smbsigning     
  •         CIFS Server's GPOs     
  •         Data mover registry     
    The parameter which controls SMB Signing on the data mover is cifs.smbsigning.   
      $ server_param server_2 -facility cifs -info smbsigning       
        server_2 :       
        name                    = smbsigning       
        facility_name           = cifs       
        default_value           = 1       
        current_value           = 1       
        configured_value        =       
        user_action             = restart Service       
        change_effective        = restart Service       
        range                   = (0,1)       
        description             = Controls SMB signing on the data mover
      The documentation explains the behavior of the parameter as below:   
      0 = Disable SMB signing. The Data Mover overrides any SMB signing GPO that is set for the domain. SMB signing must also be disabled on Windows Server 2003 clients.         
          1 = Enable SMB signing. The SMB signing relies on the GPO, if defined. When the GPO is not defined, it relies on the CIFS server Registry that is present on the Data Mover. GPOs override the CIFS server Registry settings.
      The default setting for cifs.smbsigning is 1.     
      As per the definition, if cifs.smbsigning=1 then the SMB Signing settings are taken from the GPO settings of the CIFS Server. Use the below command to review the CIFS Server's effective GPO settings:   
      server_security server_2 -i -p gpo server=<cifs_server_name>   
      The names of the GPO settings associated with SMB Signing are the below:   
      Digitally sign client communications (always)     
      Digitally sign client communications (if server agrees)     
      Digitally sign server communications (always)     
      Digitally sign server communications (if client agrees)   
      For example:   
      $ server_security server_2 -i -p gpo server=testcifs | grep "Digitally sign"       
        Digitally sign client communications (always): Not defined       
        Digitally sign client communications (if server agrees): Not defined       
        Digitally sign server communications (always): Not defined       
        Digitally sign server communications (if client agrees): Not defined
      If cifs.smbsigning=1 and SMB Signing settings are "Not defined" in GPO, the registry entries are checked. Engage support to check and change the registry entries.   






For more information on SMB Signing settings on the VNX, see documentation "Configuring and Managing CIFS on VNX":   
    For more information on SMB Signing, see the below Microsoft article: