[Advanced] SMB Settings



JCIFS is an Open Source client library that implements the CIFS/SMB networking protocol in Java. CIFS and Samba are file sharing protocols, which are used by the Microsoft Windows platform.

The fields' descriptions are taken from the jcifs documentation.

Note

To add a trusted certificate to the Genius Server, refer to the [Advanced] Certificate section.

SMB Protocol Implementation

  • SMB protocol implementation: the SMB protocol implementation to be used. Possible values are jcifs (default), smbj, jni and auto.

Note

JNI will work only on Windows, starting with Windows 2012. It is recommended to use jni if possible for SMB2, SMB3 and Kerberos support. For Windows Server 2016 it is highly advised to use jni, since jcifs supports only SMB1 which is deactivated by default on Windows Server 2016. For Linux installations or Windows Server 2008 or older, JNI is not selectable.

Hint

Choosing the auto setting will result in JCIFS for Windows Server 2008 and JNI for newer Windows Server versions.

Override JCIFS Samba default properties

  • Override configuration enabled: if checked, the JCIFS/SMB module is enabled.

Available JCIFS Properties

  • Netbios wins: IP address of the WINS server. It is required only when you access hosts on different subnets and it is recommended when a WINS server is provided.

  • Netbios broadcast address: address of the local network broadcast. In certain network configurations users must set this address, since the default 255.255.255.255 may cause a "Network is unreachable" IOException. For example, if the local host IP address is 192.168.1.15, the broadcast address should be 192.168.1.255.

  • Netbios scope: a character string appended to a NetBIOS name of a host that identifies the host as belonging to a specific group. This is extremely rare but NetBIOS provides a "scope ID" to be used to conceal groups of machines in the same network. Ask your network administrator if the scope ID is used. If it is, users must set it using this property, otherwise name queries fail.

  • Samba client local address: IP address of the local interface. If it is different from the default one, the client should bind to it. For example if the client must be used over a dial-up connection, specify the IP address of the PPP interface using this property.

  • Netbios local address: IP address of the local interface. If it is different from the default one, the client should bind to it for name queries.

  • Netbios LM Hosts: path to an LM hosts file containing a map of IP addresses to hostnames. The format of this file is identical to that of the Windows LM hosts file. For further details, refer to Setting Name Resolution Properties.

  • Disable Plain Text Passwords: if checked, plain text passwords are not used. They are disabled by default. To allow JCIFS to use plain text passwords, this property must be unchecked.

  • Encoding: the locale character encoding of the target server. If it does not correspond to MS-DOS Latin-1, users must change it to the proper encoding (e.g. Cp866 for Russian). Otherwise, share names, passwords, and in some cases file and directory names that contain non-ASCII characters may not be handled properly. See this list of Supported Encodings. By default this property is Cp860 which is MS-DOS Latin1.

  • Samba use Extended Security: it is checked by default, but it must be unchecked for Samba 3.0.x because old Samba versions do not support raw NTLMSSP and JCIFS does not support SPNEGO.

Less Commonly Used JCIFS Properties

  • Resolve Order: a comma-separated list of name resolution method identifiers that specifies which methods to use, and in what order, to resolve hostnames. The default order of the possible identifiers is: LMHOSTS, WINS, BCAST, and DNS. For further details, refer to Setting Name Resolution Properties.

  • Log level: an integer that specifies the verbosity of log messages. The higher the value, the more verbose the logging:

    • 0: no log messages are printed, not even critical exceptions.

    • 1: the default level. Only critical messages are logged.

    • 2: heightened log messages suitable for logging while loading.

    • 3: log messages about almost everything.

    • N: debugging log messages only.


  • Attribute Expiration Period: file attributes are cached for the defined number of milliseconds. The default is 5000. Caching greatly improves performance because it eliminates redundant calls to the server. However, two separate SmbFile instances that point to the same resource may occasionally produce inconsistent results (e.g. s1.canRead() may return true even though s2.delete() has been called immediately before). For a maximum degree of reliability, set the Attribute expiration to 0.

  • Samba client response Timeout: the period of time in milliseconds during which the client waits for a response from the server. The default value is 30000. Under poor network conditions, users can increase this value as well as jcifs.smb.client.soTimeout.

  • Samba client socket Timeout: a period of time, in milliseconds, after which sockets are closed if there is no activity, to prevent the client from holding server resources unnecessarily. By default, it is 35000ms.

  • Netbios cache Policy: a property used to control for how many seconds names are cached. The default is 30 seconds, 0 is no caching, and -1 is forever. When a NetBIOS name is resolved with the NbtAddress class, it is cached to reduce redundant name queries.

  • Netbios hostname: the hostname of Netbios. This property forces port 139 instead of the default port 445. Normally, a CIFS client connected to port 139 must present its own NetBIOS name to the server. JCIFS dynamically generates a name (e.g. JCIFS35_177_E6) for this purpose. However, users may want to set a specific name (e.g. PROD_FEED3) for this property, for example for server accounting purposes.

  • Samba client list Size: the size of the data buffer, in bytes. The default size is 65535 bytes. On higher network latencies, a value that is below the MTU (e.g. 1200) performs better. This property tunes the TRANS2_FIND_FIRST/NEXT2 operation, one of the commands that can be tuned individually. That operation is triggered by the list() method of SmbFile (but not for smb://, smb://workgroup/, or smb://server/ URLs).

  • Samba client list Count: a property which tunes the TRANS2_FIND_FIRST/NEXT2 operation. It controls the maximum number of directory and file entries that should be returned at every request. By default it is 200. On higher network latencies, a lower value (e.g. 15) has a better performance.

  • Samba client local port: a particular local port used for socket communications. If a firewall requires the source port as a specific value, this property can be set (e.g. lport=5139). This has no effect on the remote port which is invariably 139.

  • Netbios socket Timeout: a period of time, in milliseconds, after which datagram sockets for name service queries are closed if there is no activity, to prevent the client from holding server resources unnecessarily. The default is 5000.

  • Netbios local port: a particular local port used for socket communications. If a firewall requires the source port as a specific value, this property can be set (e.g. lport=5137). This has no effect on the remote port which is invariably 137.

  • Netbios retry Count: number of times a name query is attempted if no answer is received. In case of adverse network conditions, users may wish to increase this value. However, a failed name query then takes the retry count multiplied by the retry timeout, in milliseconds. The default value is 2. Under such conditions, jcifs.netbios.retryTimeout should be increased as well.

  • Netbios retry Timeout: the time, in milliseconds, that the client waits for a response to a name query. By default, it is 3000ms.

  • JCIFS http domain Controller: DNS hostname or IP address of a server used to authenticate HTTP clients with the NtlmSsp class (used by NtlmHttpFilter and NetworkExplorer). If the jcifs.smb.client.domain 0x1C NetBIOS group name is not specified, it is queried by the IP address for development purposes. For that reason, users do not have to specify a real domain controller. DCE/RPC NETLOGON is not supported. For further information, refer to jCIFS NTLM HTTP Authentication Support.

  • JCIFS http basic Realm: the realm for basic authentication. By default, it is set to 'JCIFS'.

  • JCIFS http enable Basic: if checked, the basic authentication over HTTPS is enabled.

  • JCIFS http insecure Basic: if checked, basic authentication over plain HTTP is enabled. This configuration passes user credentials in plain text over the network. It must not be used in environments where security is required.

  • Samba LM Compatibility: this client can perform NTLMv2 with and without NTLMSSP as well as NTLMv1. The default lmCompatibility level is 3, and it indicates that NTLMv2 should be favored (although prior to JCIFS 1.3.0, NTLMv1 was the default). Levels of security are:

    • 0,1: it sends LM and NTLM responses.

    • 2: it only sends the NTLM response. It is more secure than Levels 0 and 1 as it eliminates the cryptographically weak LM response.

    • 3,4,5: it sends LMv2 and NTLMv2 data. NTLMv2 session security is also negotiated if the server supports it. It corresponds to the default behavior in 1.3.0 or later versions.

These values mirror the ones used for the Windows registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. For a technical description of these authentication mechanisms, see The NTLM Authentication Protocol. For older versions of Samba (3.0.x) the value must be set to 0, since they do not support raw NTLMSSP and JCIFS does not support SPNEGO.

  • Samba client SSN Limit: the maximum number of sessions that can be open over the same transport. If the limit is reached, new redundant transports are opened to accommodate more sessions. If this value is set to 1, a new transport is created for each session. The default value is 250. A value that is too high may result in "ERRSVR/90: Too many Uids active on this session".

  • Samba client signing Preferred: if checked, the JCIFS client negotiates SMB signing with a server that requires it. If the server does not require SMB signing but supports it, set this property to true. Signing is required by default with Windows 2003. At the moment, NTLM HTTP authentication cannot use signing, since generating the signing key requires the password hashes, which are known only to the client (Internet Explorer). Fully supporting signing with NTLM HTTP authentication would require implementing the NETLOGON RPC, and DCE/RPC NETLOGON is not supported.

  • JCIFS http loadBalance: if checked (by default it is checked), the filter rotates through the list of domain controllers when a user authenticates. If a jcifs.smb.client.domain property is specified (and the domain controller is not specified), the NtlmHttpFilter queries for domain controllers by name. The jcifs.netbios.lookupRespLimit property can also be used to limit the number of domain controllers.

  • Netbios lookup Response Limit: limits the range of servers returned by a name query. The 0x1C NetBIOS name query returns a list of domain controllers. The servers at the top of this list are the favored ones. The default value is 5, which means that the top 5 domain controllers are used.

  • Samba client logon Share: the share name against which users of SmbSession.logon() are authenticated. The default value is IPC$. To create a simple group-based access control for the NtlmHttpFilter or other applications that use SmbSession.logon(), users must change the default value.

  • Samba client DFS disabled: if checked, domain-based DFS referrals are disabled. The default value is false. This property is important in non-domain environments, where the domain-based DFS referrals that normally run when JCIFS first tries to resolve a path have to time out, which causes a long startup delay (e.g. when JCIFS runs only on the local machine without a network, or on a laptop).

  • Samba client DFS TTL: the time, in seconds, for which DFS topology information is cached. The default value is 300 seconds (although the trusted domains list is cached for 10 times jcifs.smb.client.dfs.ttl).

  • Samba client DFS strict View: how JCIFS behaves if it fails to enumerate DFS roots but succeeds in enumerating shares. By default, this value is set to false to indicate that JCIFS should return the share list even if the DFS root enumeration fails. If this value is set to true and DFS information cannot be successfully retrieved (e.g. an SmbAuthException due to insufficient access), an exception is thrown.
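The authentication-related settings above (Disable Plain Text Passwords, Samba LM Compatibility, JCIFS http insecure Basic and Samba client signing Preferred) can be checked together. The following is an added example, not part of the Genius Server or JCIFS code: it audits a jcifs-style properties text for the weak values described on this page. The mapping of the four fields to JCIFS property names and the sample values are assumptions made for the example.

```python
# Added example: audit jcifs-style properties for the weak authentication
# settings described on this page. All sample values are constructed.
LM = "jcifs.smb.lmCompatibility"
PLAIN = "jcifs.smb.client.disablePlainTextPasswords"
BASIC = "jcifs.http.insecureBasic"
SIGN = "jcifs.smb.client.signingPreferred"

SAMPLE = """\
# constructed sample, not taken from a real installation
jcifs.smb.lmCompatibility = 0
jcifs.smb.client.disablePlainTextPasswords=false
jcifs.http.insecureBasic=true
jcifs.smb.client.signingPreferred=true
"""
HARDENED = "jcifs.smb.lmCompatibility=3\njcifs.smb.client.signingPreferred=true\n"

def parse_properties(text):
    """Parse key=value lines; lines starting with '#' or '!' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def is_true(props, key, default):
    return props.get(key, default).lower() == "true"

def audit(props):
    """Return (property, finding) tuples; an empty list means no weak setting."""
    findings = []
    level = props.get(LM, "3")  # page: the default level is 3
    if not level.isdigit() or int(level) > 5:
        findings.append((LM, "not a level from 0 to 5: %r" % level))
    elif int(level) < 2:
        findings.append((LM, "sends the weak LM response (only needed for Samba 3.0.x)"))
    elif int(level) == 2:
        findings.append((LM, "NTLM response only; levels 3-5 send LMv2 and NTLMv2"))
    if not is_true(props, PLAIN, "true"):  # page: plain text is off by default
        findings.append((PLAIN, "plain text passwords may be sent to the server"))
    if is_true(props, BASIC, "false"):  # assumption: absent means unchecked
        findings.append((BASIC, "Basic credentials cross plain HTTP in clear text"))
    if not is_true(props, SIGN, "false"):  # assumption: absent means unchecked
        findings.append((SIGN, "signing is not negotiated unless the server requires it"))
    return findings
```

Calling audit(parse_properties(SAMPLE)) reports the first three properties, while the HARDENED text produces no findings.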

Hint

Do not forget to click on Save to save the changes. When everything in the config tool is configured, the Genius Server needs to be restarted. To test the configuration press <Test> and choose Connection test, enter the required values and press Connection Test.