protocol cifs smb signing enable
Enables SMB signing. By default, RiOS SMB signing is disabled.
Syntax
[no] protocol cifs smb signing enable
Parameters
None
Usage
When sharing files, Windows provides the ability to sign CIFS messages to prevent man-in-the-middle attacks. Each CIFS message has a unique signature which prevents the message from being tampered with. This security feature is called SMB signing. For detailed information about configuring SMB signing, including the necessary steps for Windows, see the SteelHead User Guide.
Prerequisites
• With RiOS SMB signing enabled, SteelHeads sign the traffic between the client and the client-side SteelHead and between the server and the server-side SteelHead. The traffic is not signed between the SteelHeads, but the SteelHeads implement their own integrity mechanisms. For maximum security, We recommend that you use IPsec encryption to secure the traffic between the SteelHeads.
• RiOS SMB signing requires joining a Windows domain. Setting the correct time zone is vital for joining a domain. The most common reason for failing to join a domain is a significant difference in the system time on the Windows domain controller and the SteelHead.
Basic Steps
1. Identify the full domain name, which must be the same as DNS. You need to specify this name if you join the server-side SteelHead to the domain.
2. Identify the short (NetBIOS) domain name (press Ctrl+Alt+Del on any member server). You need to specify the short name when the SteelHead joins the domain if it does not match the left-most portion of the fully-qualified domain name.
3. Make sure that the primary or auxiliary interface for the server-side SteelHead is routed to the DNS and the domain controller.
4. Verify the DNS settings:
– You must be able to ping the server-side SteelHead, by name, from a CIFS server joined to the same domain that the server-side SteelHead will join. If you cannot, create an entry in the DNS server for the server-side SteelHead.
– You must be able to ping the domain controller, by name, whose domain the server-side SteelHead will join. To verify your domain run the
show domain and
show dns settings.
5. If you configured SMB signing in delegation mode, set up the domain controller and SPN. For detailed information, see the SteelHead User Guide.
6. If you configured SMB signing in delegation mode, grant the user access to delegate CIFS service in Windows. You must perform the following procedure for every server on which you want to enable RiOS SMB signing. For detailed information, see the SteelHead User Guide.
7. If you configured SMB signing in delegation mode, add delegate users on the SteelHead.
8. Enable SMB signing on the server-side SteelHeads.
For detailed procedures, see the SteelHead User Guide.
Example
amnesiac (config) # protocol cifs smb signing enable
Product
SteelHead, SteelHead-v, SteelHead-c
Related Commands