This Technote describes how to switch the IBM i NetServer from the default of using SMB2 to using SMB and vice versa, and also describes how to determine which version of SMB the NetServer is using. The information in this TechNote is for use on OS 730 only. It should not be used for OS 720.
IBM i NetServer was enhanced at OS 730 to include Server Message Block Version 2 (SMB2) and SMB2 is the default that is negotiated with IBM i NetServer clients at 730. However, SMB2 can be disabled, in which case NetServer will revert to using the older SMB version. The information in this TechNote is for use on OS 730 only. It should not be used for OS 720.
Resolving The Problem
*** NOTE *** In the following CALLs to QZLSMAINT, a space must be included between each parameter in the PARM section.
Do not use PARM('40''1''0x80')
Do use PARM('40' '1' '0x80')
Do not use PARM('40''3')
Do use PARM('40' '3')
The following steps will disable SMB2 for both Printer and File shares.
a. Stop NetServer: ENDTCPSVR SERVER(*NETSVR)
b. Disable NetServer SMB2: CALL QZLSMAINT PARM('40' '1' '0x80')
c. Start NetServer: STRTCPSVR SERVER(*NETSVR)
d. NetServer clients (user PCs) that were mapped using SMB2 protocol will need to reboot their PC because of Windows security precautions.
e. If strange results are seen in either OLD FLAGS or NEW FLAGS after taking the steps above, then reset the flags by running the following: CALL QZLSMAINT PARM('40' '3')
SMB2 can be re-enabled using the same steps as above, but replacing the command in step b with the following command:
CALL QZLSMAINT PARM('40' '2' '0x80')
In either case above, a QPCSMPRT spooled file is created, and can be found using the WRKSPLF SELECT(*CURRENT) command. Use Option 5 to Display the spooled file. Look at the sections titled OLD FLAGS and NEW FLAGS. OLD FLAGS will contain the value that was in effect before running the CALL to QZLSMAINT. NEW FLAGS will contain the value that is in effect after running the CALL to QZLSMAINT.
If SMB2 is turned off (disabled), then you will see an 8, as shown in the NEW FLAGS value here:
If anything other than an 8 is displayed in this position, then SMB2 is (or, in the case of OLD FLAGS, was previously) in use.
To determine whether NetServer is using SMB2 (the shipped default) or whether it is using SMB, execute:
CALL PGM(QZLSMAINT) PARM('40''0')
Display the resulting "QPCSMPRT" spooled file. If SMB2 is turned off (disabled), you will see an 8 in both the OLD FLAGS and NEW FLAGS, as shown here:
If anything other than an 8 is displayed in this position, then SMB2 is in use.
Be aware that even if SMB2 is enabled, some clients might default to using SMB (the Samba smbclient, for example) and will not use SMB2 unless the client is specifically set to do so. IBM can not provide instructions on how to set or check what version of SMB a client computer is using. For information on how to do so, contact whoever supports the Operating System running on that client computer.
To reset all of the flags back to zeros and have (the default), again stop the NetServer then call the command:
CALL QZLSMAINT PARM ('40' '3')
When you view the QPCSMPRT spooled files the new flags should all be zeros.
To set the NetServer to only allow SMB2 and reject SMB1 and CIFS negotiations, end the NetServer then call the commands:
CALL QZLSMAINT PARM('40' '3')
CALL QZLSMAINT PARM('40' '1' '0X100')
This will produce two spooled files, in the first one the old flags will be whatever they were previously set to and the new flags will be zero. The second will have old flags of zeros and new flags 0000000000000100.
Also, a TRCCNN, collected on the IBM i, will show whether a client is using SMB2 or SMB. To collect a TRCCNN, please follow instructions provided in IBM Technote N1012803 How To Collect SMB LIC and TRCCNN Traces For a Single IP Address.
For assistance in reviewing TRCCNN output, contact IBM i Support.
NOTE: The NetServer service flags that are used to configure SMB behavior at OS 720 and above, do not (and were never intended to) get reset at OS upgrade time.
The flags themselves are stored in the NetServer configuration file (/qibm/userdata/os400/NetServer/QAZLSCFG). That file is not changed at upgrade time unless there is an update to a new format.
The flags are designed to be forward compatible so that flag values set at a prior release either alter the server behavior in the same way, or they are ignored at the new release level.
There are currently at least 10 bits defined and in use in the flags and each hexadecimal bit represents a server behavior change of some sort. Some of these are used for SMB version configuration and some are used for other purposes. Zeroing out the flags on upgrade could have unintended consequences if they were being used to change the behavior of a function that is not related to the supported SMB levels. Resetting the flags back to a zero value will always restore the NetServer behavior back to the shipped defaults, but that might not, in many cases, be the desired behavior.