IBM Support

SMB2 Support for IBM i 7.2

Technote (FAQ)


Question

How does all this work?

Answer

PTFs to enable SMB2 support for IBM i 7.2 are now available.
There are three required NetServer PTFs and one required QNTC PTF.

The NetServer PTFs are: MF63692, MF63693, and MF63694.

The QNTC PTF is: SI64984.

Two of the PTFs are *DELAYED and apply at IPL time only, so plan an IPL to activate the SMB2 support.

Once the PTFs are applied, not all functionality is immediately available. Read about how this works and how to enable full functionality below.

The following table shows which protocol is used for each combination of client PC configuration and IBM i server state.

If client PC has enabled: SMB1 only
   At IBM i 7.1: SMB1 is used. SMB2 is not available.
   At IBM i 7.2 before SMB2 support has been added via PTF: SMB1 is used. SMB2 is not available.
   At IBM i 7.2 after SMB2 support has been added via PTF, at default settings: SMB1 is used because the client/server protocol negotiation only includes SMB1 dialects from the client.
   At IBM i 7.2 after SMB2 support has been added via PTF, after enabling SMB2 negotiation via SMB1: SMB1 is used because the client/server protocol negotiation only includes SMB1 dialects from the client.
   At IBM i 7.2 after SMB2 support has been added via PTF, after disabling SMB2 negotiation: SMB1 is used because the client/server protocol negotiation only includes SMB1 dialects from the client.

If client PC has enabled: SMB2 only (SMB1 is not installed)
   At IBM i 7.1: SMB2 is not available on IBM i 7.1. The client will fail to connect.
   At IBM i 7.2 before SMB2 support has been added via PTF: SMB2 is not available on IBM i 7.2 prior to application of the enabling PTFs. The client will fail to connect.
   At IBM i 7.2 after SMB2 support has been added via PTF, at default settings: SMB2 is available to Windows 8 and newer machines that have had the SMB1 feature uninstalled as it ships. These clients will only use SMB2 requests. Windows 7 clients will fail to connect because the SMB version is always negotiated with the server via SMB1 negotiation mechanisms.
   At IBM i 7.2 after SMB2 support has been added via PTF, after enabling SMB2 negotiation via SMB1: SMB2 is used. Same as behavior with default settings.
   At IBM i 7.2 after SMB2 support has been added via PTF, after disabling SMB2 negotiation: SMB2 is available to Windows 8 and newer machines that have had the SMB1 feature uninstalled as it ships. These clients will only use SMB2 requests. Windows 7 clients will fail to connect because the SMB version is always negotiated with the server via SMB1 negotiation mechanisms.

If client PC has enabled: SMB2 and SMB1 installed with both enabled
   At IBM i 7.1: SMB1 is used. SMB2 is not available.
   At IBM i 7.2 before SMB2 support has been added via PTF: SMB1 is used. SMB2 is not available.
   At IBM i 7.2 after SMB2 support has been added via PTF, at default settings: SMB1 is used. Windows clients will negotiate an SMB1 connection via SMB1 negotiation mechanisms.
   At IBM i 7.2 after SMB2 support has been added via PTF, after enabling SMB2 negotiation via SMB1: SMB2 is used. Windows clients will negotiate an SMB2 connection via SMB1 negotiation mechanisms.
   At IBM i 7.2 after SMB2 support has been added via PTF, after disabling SMB2 negotiation: Same as behavior with default settings. SMB1 is used. Windows clients will negotiate an SMB1 connection via SMB1 negotiation mechanisms.

IBM i 7.3 works the same as on 7.2 (after SMB2 support has been added to 7.2 via PTF and SMB2 negotiation via SMB1 has been enabled). No PTFs are required to enable SMB2 at 7.3 because support was available at the base level on 7.3.

Note: SMB has mechanisms built in to negotiate the version. If SMB1 is supported by the client, the process starts there. There is a switch in the 7.2 PTF to determine whether the server offers SMB2 during that stage (IBM refers to this process as enabling SMB2 negotiation via SMB1). Once SMB2 negotiation via SMB1 is enabled, the process can then move on to an SMB2 protocol negotiate.

So, when we say that 'SMB2 negotiation is enabled via SMB1', that means simply that if SMB1 is installed and enabled on the client, the client will negotiate using the SMB1 negotiate mechanism. That negotiation then determines whether SMB1 or SMB2 is used for the connection.

Windows 7 always negotiates with the server using the SMB1 negotiation mechanism.

The clients (Windows 8 and above) that allow removing SMB1 as a feature don't use the SMB1 path. They start directly with the SMB2 negotiate.
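The two negotiation paths described above, and the outcomes listed in the table earlier in this Technote, can be checked against what a client actually sends. The Python script below is an added example, not IBM code and not part of the original Technote: it decodes either an SMB1 NEGOTIATE request (whose dialect list may advertise SMB2 with the "SMB 2.002" and "SMB 2.???" dialect strings) or a direct SMB2 NEGOTIATE request, following the MS-CIFS and MS-SMB2 wire layouts, and then predicts the NetServer result for a given PTF and switch state exactly as the table states it. The sample packets are constructed inline rather than captured from a network, and the function names (parse_negotiate, netserver_outcome, and the build_* helpers) are this example's own.

```python
"""Decode an SMB negotiate request and predict the IBM i NetServer outcome.

Added example (not IBM's code). It models the two negotiation paths from the
Technote: a client with SMB1 installed opens with an SMB1 NEGOTIATE whose
dialect list may also advertise SMB2; a Windows 8+ client with the SMB1
feature removed opens directly with an SMB2 NEGOTIATE.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72      # SMB1 command code for NEGOTIATE (MS-CIFS)
SMB2_NEGOTIATE = 0x0000        # SMB2 command code for NEGOTIATE (MS-SMB2)
# SMB2 dialect revision codes (MS-SMB2) mapped to readable names
SMB2_DIALECT_NAMES = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0"}


def parse_negotiate(pkt: bytes) -> dict:
    """Return {"path": "SMB1"|"SMB2", "dialects": [...], "offers_smb2": bool}."""
    if pkt[:4] == SMB1_MAGIC:
        # 32-byte SMB1 header; the command byte sits right after the magic
        if pkt[4] != SMB1_COM_NEGOTIATE:
            raise ValueError("not an SMB1 NEGOTIATE")
        word_count = pkt[32]                       # 0 for a NEGOTIATE request
        params_end = 33 + 2 * word_count
        byte_count = struct.unpack_from("<H", pkt, params_end)[0]
        data = pkt[params_end + 2:params_end + 2 + byte_count]
        dialects, pos = [], 0
        while pos < len(data):
            if data[pos] != 0x02:                  # each entry: 0x02 + NUL-terminated string
                raise ValueError("malformed dialect entry")
            end = data.index(b"\x00", pos + 1)
            dialects.append(data[pos + 1:end].decode("ascii"))
            pos = end + 1
        # "SMB 2.002" / "SMB 2.???" in an SMB1 negotiate is how a client asks for SMB2
        offers_smb2 = any(d.startswith("SMB 2.") for d in dialects)
        return {"path": "SMB1", "dialects": dialects, "offers_smb2": offers_smb2}
    if pkt[:4] == SMB2_MAGIC:
        # 64-byte SMB2 header; Command is the 16-bit field at offset 12
        command = struct.unpack_from("<H", pkt, 12)[0]
        if command != SMB2_NEGOTIATE:
            raise ValueError("not an SMB2 NEGOTIATE")
        body = pkt[64:]
        structure_size, dialect_count = struct.unpack_from("<HH", body, 0)
        if structure_size != 36:
            raise ValueError("bad NEGOTIATE structure size")
        codes = struct.unpack_from("<%dH" % dialect_count, body, 36)
        dialects = [SMB2_DIALECT_NAMES.get(c, "0x%04x" % c) for c in codes]
        return {"path": "SMB2", "dialects": dialects, "offers_smb2": True}
    raise ValueError("not an SMB packet")


def netserver_outcome(neg: dict, smb2_ptfs_applied: bool,
                      smb2_via_smb1_enabled: bool) -> str:
    """Predict what IBM i 7.2 NetServer ends up using, per the Technote's table."""
    if neg["path"] == "SMB2":
        # Client skipped SMB1 entirely: works only once the SMB2 PTFs are on
        return "SMB2" if smb2_ptfs_applied else "connection fails"
    if not neg["offers_smb2"]:
        return "SMB1"          # SMB1-only dialect list: nothing to negotiate up to
    # SMB1 negotiate that also advertises SMB2: the server offers SMB2 only
    # when the QZLSMAINT switch ("SMB2 negotiation via SMB1") is enabled
    if smb2_ptfs_applied and smb2_via_smb1_enabled:
        return "SMB2"
    return "SMB1"


# --- constructed sample packets (not captures) ---------------------------------
def build_smb1_negotiate(dialects) -> bytes:
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + bytes(27)   # other fields zero
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return header + bytes([0]) + struct.pack("<H", len(data)) + data


def build_smb2_negotiate(codes) -> bytes:
    header = (SMB2_MAGIC + struct.pack("<H", 64) + bytes(6)
              + struct.pack("<H", SMB2_NEGOTIATE) + bytes(50))
    # NEGOTIATE request body: StructureSize, DialectCount, SecurityMode,
    # Reserved, Capabilities, ClientGuid, ClientStartTime, then the dialects
    body = struct.pack("<HHHHI16sQ", 36, len(codes), 1, 0, 0, bytes(16), 0)
    return header + body + struct.pack("<%dH" % len(codes), *codes)


SMB1_ONLY_NEGOTIATE = build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])
WIN7_NEGOTIATE = build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
WIN8_NO_SMB1_NEGOTIATE = build_smb2_negotiate([0x0202, 0x0210, 0x0300])

if __name__ == "__main__":
    samples = [("SMB1-only client", SMB1_ONLY_NEGOTIATE),
               ("Windows 7 style client", WIN7_NEGOTIATE),
               ("Windows 8+ client without SMB1", WIN8_NO_SMB1_NEGOTIATE)]
    for label, pkt in samples:
        neg = parse_negotiate(pkt)
        print("%s: %s negotiate, dialects %s" % (label, neg["path"], neg["dialects"]))
        for applied, enabled in [(False, False), (True, False), (True, True)]:
            print("   PTFs applied=%-5s SMB2 via SMB1 enabled=%-5s -> %s"
                  % (applied, enabled, netserver_outcome(neg, applied, enabled)))
```

Feed parse_negotiate the SMB payload of a negotiate request taken from a packet capture (the bytes after the 4-byte NetBIOS session header). A client whose SMB1 negotiate lists no "SMB 2." dialect stays on SMB1 whatever the QZLSMAINT switch is set to, which is the check worth running on the client population before planning the IPL.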

Although it is possible to disable SMB1 in Windows 7 with some sort of registry hack, doing so doesn't do anything to change the network flows. It just fills in the SMB1 dialects with bogus information to try to force SMB2 use. IBM does not support the process of disabling SMB1 in Windows 7. If assistance is desired doing that, then the user will need to contact Microsoft. Additionally, while disabling SMB1 in Windows 7 might work to force SMB2 use, IBM provides no support to make this environment work.

To enable SMB2 negotiation via SMB1 (for Windows clients with SMB1 installed), run the following command on the IBM i:

   CALL QZLSMAINT PARM('40' '1' '0x400')

If SMB2 negotiation needs to be disabled to restore server behavior to the default, run the following command:

   CALL QZLSMAINT PARM('40' '2' '0x400')

The information about the CALL to QZLSMAINT is also discussed in the cover letter for MF63694 (included in this document below).



The remainder of this Technote contains information about the required PTFs and also the cover letters for those PTFs.



The NetServer PTFs are: MF63692, MF63693, and MF63694.

The three PTFs are co-requisites of each other. MF63692 is a DELAYED PTF so an IPL is required to apply this group of three PTFs.

IBM i NetServer does not automatically support all functionality for SMB2 when the PTFs are applied.

Print sharing behaves differently for the SMB2 protocol and changes must be made in your environment to enable print sharing to work.

SMB2 negotiation via SMB1 is not automatically enabled; see the Note earlier in this Technote for additional information about SMB2 negotiation via SMB1.


The PTF cover letters contain more details about the support.


Cover letter information for MF63692
-----------------------------------------------------------------------
|  ACTIVATION INSTRUCTIONS :                                          |
| -------------------------                                           |
|                                                                     |
|    None.                                                            |
|                                                                     |
| SPECIAL INSTRUCTIONS :                                              |
| ----------------------                                              |
|                                                                     |
|    ENDTCPSVR *NETSVR before applying or removing this PTF.          |
|    STRTCPSVR *NETSVR after applying or removing this PTF.           |
|                                                                     |
| DEFAULT INSTRUCTIONS :                                              |
| ----------------------                                              |
|    THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.                    |
-----------------------------------------------------------------------

Cover letter information for MF63693
-----------------------------------------------------------------------
| ACTIVATION INSTRUCTIONS :                                           |
| -------------------------                                           |
|                                                                     |
|    None.                                                            |
|                                                                     |
| SPECIAL INSTRUCTIONS :                                              |
| ----------------------                                              |
|                                                                     |
|    None.                                                            |
|                                                                     |
| DEFAULT INSTRUCTIONS :                                              |
| ----------------------                                              |
|    THIS IS A DELAYED PTF TO BE APPLIED AT IPL TIME.                 |
|                                                                     |
-----------------------------------------------------------------------

Cover letter information for MF63694
------------------------------------------------------------------------------
| DESCRIPTION OF PROBLEM FIXED FOR APAR 'MA46335' :                          |
| -------------------------------------------------                          |
|    One of the recommended remediations for recent vulnerabilities          |
|    in Microsoft Windows products is to disable the SMB1 protocol.          |
|    When SMB1 client support is disabled on IBM i NetServer clients,        |
|    mapped drive connections to the server fail.                            |
|                                                                            |
| CORRECTION FOR APAR 'MA46335' :                                            |
| -------------------------------                                            |
|    IBM i NetServer does not support the SMB Version 2 (SMB2)               |
|    protocol.  The client and server will be unable to negotiate a          |
|    common SMB protocol level, and the connection will fail if the          |
|    client disables SMB1.                                                   |
|                                                                            |
|    This PTF adds SMB2 protocol support to IBM i NetServer.  Clients        |
|    that use the SMB1 negotiate mechanism to choose the protocol            |
|    version that is used will continue to negotiate SMB1 until the          |
|    user takes steps in this cover letter to enable SMB2                    |
|    negotiation.  This is done to avoid unexpected behavior changes         |
|    for users until the impacts of switching to SMB2 can be                 |
|    considered.  Windows 8 and newer Windows clients with the "SMB          |
|    1.0/CIFS File Sharing Support" feature turned off will                  |
|    automatically connect to NetServer shared directory paths with          |
|    the SMB2 protocol.                                                      |
|                                                                            |
| CIRCUMVENTION FOR APAR 'MA46335' :                                         |
| ----------------------------------                                         |
|    None.                                                                   |
|                                                                            |
| ACTIVATION INSTRUCTIONS :                                                  |
| -------------------------                                                  |
|    None.                                                                   |
|                                                                            |
| SPECIAL INSTRUCTIONS :                                                     |
| ----------------------                                                     |
|    ENDTCPSVR *NETSVR before applying or removing this PTF.                 |
|    STRTCPSVR *NETSVR after applying or removing this PTF.                  |
|                                                                            |
|                                                                            |
|    *** Important compatibility note ***                                    |
|    The SMB2 protocol requires use of enhanced security negotiation when    |
|    making a connection to the server.  If clients have been configured     |
|    with the minimum NTLMSSP client session security policy set to include  |
|    'Require NTLMv2 Session Security', those clients will fail to connect   |
|    to NetServer with SMB2.  NetServer does not support NTLMv2 Session      |
|    Security, and the Windows SMB2 client will enforce the policy by        |
|    preventing the connection.                                              |
|                                                                            |
|                                                                            |
|    To enable SMB2 negotiation via SMB1 (for Windows clients with SMB1      |
|    installed), run the following command on the IBM i:                     |
|    CALL QZLSMAINT PARM('40' '1' '0x400')                                   |
|                                                                            |
|    If SMB2 negotiation needs to be disabled to restore server behavior to  |
|    the default, run the following command:                                 |
|    CALL QZLSMAINT PARM('40' '2' '0x400')                                   |
|                                                                            |
|                                                                            |
|    *** SMB2 Shared Printer Differences ***                                 |
|    SMB Version 2 (SMB2) has been added and will become the default SMB     |
|    version used by clients that support it after SMB2 negotiation is       |
|    enabled with the steps described above. The new protocol handles        |
|    printing differently, and printer functions will no longer work as they |
|    did when using SMB1. Documents can still be printed to shared printer   |
|    queues from Windows clients, but additional steps are required to       |
|    configure the printer.                                                  |
|                                                                            |
|    1. Open the Windows command prompt and use the NET USE command to map   |
|    the IBM i NetServer printer share to an unused local LPT printer port.  |
|    Example: NET USE LPTx \\server\printer_share (where x is a valid LPT    |
|    port number)                                                            |
|                                                                            |
|    2. Add the printer share as a local printer on the LPT port used in     |
|    step 1 with the correct printer driver for the shared printer.          |
|                                                                            |
|    Printers added in this way will allow spooling output to the network    |
|    printer share, but advanced queue management for the mapped printer is  |
|    not supported at this time.                                             |
|                                                                            |
| DEFAULT INSTRUCTIONS :                                                     |
| ----------------------                                                     |
|    THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.                           |
------------------------------------------------------------------------------



The QNTC file system PTF is: SI64984

SI64984 is a DELAYED PTF. An IPL is required to apply it.

When this PTF is applied, QNTC will immediately be able to use the SMB2 protocol if that is what the server prefers. Details of how to disable SMB1 for QNTC are documented in the PTF cover letter or in the Knowledge Center for IBM i 7.3.


Cover letter info for SI64984
-----------------------------------------------------------------------
| DESCRIPTION OF PROBLEM FIXED FOR APAR SE67400 :                     |
| -----------------------------------------------                     |
|    One of the recommended remediations for recent vulnerabilities   |
|    in Microsoft Windows products is to disable the SMB1 protocol.   |
|    When SMB1 support is disabled on the servers, QNTC will fail to  |
|    connect to the servers.                                          |
|                                                                     |
| CORRECTION FOR APAR SE67400 :                                       |
| -----------------------------                                       |
|    IBM i QNTC does not support the SMB Version 2 (SMB2) protocol.   |
|    The client and server will be unable to negotiate a common SMB   |
|    protocol level, and the connection will fail if the server       |
|    disables SMB1.                                                   |
|                                                                     |
|    This PTF adds SMB2 protocol support to IBM i QNTC. QNTC will     |
|    choose the SMB protocol version to negotiate with the server by  |
|    environment variable QIBM_ZLC_SMB_VERS.                          |
|    When the environment variable does not exist or is set to "0",   |
|    the QNTC file system will negotiate a suitable protocol version  |
|    with the server.                                                 |
|    When the environment variable is set to "1", the QNTC file       |
|    system will only use the SMB1/CIFS protocol.                     |
|    When the environment variable is set to "2", the QNTC file       |
|    system will only use SMB2.                                       |
-----------------------------------------------------------------------

Cross reference information
Segment            Product   Version
Operating System   IBM i     7.3
Operating System   IBM i     7.2
Operating System   IBM i     7.1

Document information

More support for: IBM i
Integrated File System

Software version: 7.2, 7.2.0

Operating system(s): IBM i

Reference #: N1022198

Modified date: 28 July 2017
