NAME
nsmb.conf — configuration file for SMB requests
DESCRIPTION
The nsmb.conf file contains information about the computers and shares or mount points for the SMB network protocol.
The configuration hierarchy is made up of several sections, each section containing a few or several lines of parameters and their assigned values. Each of these sections must begin with a section name enclosed within square brackets, similar to:
The end of each section is marked by either the start of a new section, or by the abrupt ending of the file, commonly referred to as the EOF. Each section may contain zero or more parameters such as:
where key represents a parameter name, and value would be the parameter's assigned value.
The SMB library uses the following information for section names:
A) [default]
B) [SERVER]
C) [SERVER:SHARE]
Possible keywords may include:
Keyword | Section (A B C) | Default Values | Comment
addr | - + - | | DNS name or IP address of server
nbtimeout | + + - | 1s | Timeout for resolving a NetBIOS name |
minauth | + + - | NTLMv2 | Minimum authentication level allowed |
port445 | + + - | both | How to use SMB TCP/UDP ports |
streams | + + + | yes | Use NTFS Streams if server supported |
soft | + + + | no | Force all mounts to be soft |
notify_off | + + + | no | Turn off using notifications |
kloglevel | + - - | 0 | Turn on smb kernel logging |
protocol_vers_map | + - - | 7 | Bitmap of SMB Versions that are enabled |
signing_required | + - - | no | Turn on smb client signing |
signing_req_vers | + - - | 6 | Bitmap of SMB Versions that have signing required |
validate_neg_off | + - - | no | Turn off using validate negotiate |
max_resp_timeout | + + - | 30s | Max time to wait for any response from server |
submounts_off | + + + | no | Turn off using submounts |
dir_cache_async_cnt | + + - | 10 | Max async queries to fill dir cache |
dir_cache_max | + + - | 60s | Max time to cache for a dir |
dir_cache_min | + + - | 30s | Min time to cache for a dir |
max_dirs_cached | + + - | Varies | Varies from 200-300 depending on RAM amount |
max_cached_per_dir | + + - | Varies | Varies from 2000-10000 depending on RAM amount |
netBIOS_before_DNS | + + + | no | Try NetBIOS resolution before DNS resolution |
mc_on | + - - | yes | Turn on SMB multichannel (allow more than one channel per session) |
mc_prefer_wired | + - - | no | Prefer wired NICs over wireless in multichannel mode |
encrypt_cipher_map | + - - | 15 | Bitmap of SMB 3.1.1 encryption algorithms that are enabled |
force_sess_encrypt | + - - | no | Force session encryption for all mounts |
force_share_encrypt | + - - | no | Force share encryption for all mounts |
The minimum authentication level can be one of:
kerberos
- Kerberos - NTLMv2, NTLM, LM, and plain-text password authentication are not attempted.
ntlmv2
- NTLMv2 - Kerberos authentication is attempted if a Kerberos token can be obtained, otherwise NTLMv2 authentication is attempted; if the server doesn't support encrypted passwords, the authentication fails.
ntlm
- NTLM - Kerberos authentication is attempted if a Kerberos token can be obtained, otherwise NTLMv2 authentication is attempted and, if that fails, NTLMv1 authentication is attempted, with zeroes in the LM hash; if the server doesn't support encrypted passwords, the authentication fails.
lm
- LM - Kerberos authentication is attempted if a Kerberos token can be obtained, otherwise NTLMv2 authentication is attempted and, if that fails, NTLMv1 authentication is attempted, including the LM hash; if the server doesn't support encrypted passwords, the authentication fails.
none
- none - The same as lm except that, if the server doesn't support encrypted passwords, plain-text passwords are used. Required for servers that don't support extended security.
(Note: "NetBIOS" as used below means "NetBIOS over TCP/IP.")
"How to use SMB TCP/UDP ports" can be one of:
both
- Attempt to connect via port 445. If that is unsuccessful, try to connect via NetBIOS.
netbios_only
- Do not attempt to connect via port 445.
no_netbios
- Attempt to connect via port 445. If that is unsuccessful, do not try to connect via NetBIOS.
"Bitmap of SMB Versions that are enabled" can be one of:
7 == 0111
- SMB 1/2/3 should be enabled
6 == 0110
- SMB 2/3 should be enabled
4 == 0100
- SMB 3 should be enabled
"Bitmap of SMB Versions that have signing required" can be one of:
7
- Signing required for SMB 1/2/3.
6
- Signing required for SMB 2/3.
4
- Signing required for SMB 3.
"Bitmap of SMB 3.1.1 encryption algorithms that are enabled" can be one of:
15 == 1111
- AES-256-GCM/AES-256-CCM/AES-128-GCM/AES-128-CCM should be enabled
7 == 0111
- AES-256-CCM/AES-128-GCM/AES-128-CCM should be enabled
3 == 0011
- AES-128-GCM/AES-128-CCM should be enabled
1 == 0001
- AES-128-CCM should be enabled
FILES
/etc/nsmb.conf
- The global configuration file.
~/Library/Preferences/nsmb.conf
- The user's configuration file; conflicts will be overwritten by the global file.
EXAMPLES
What follows is a sample configuration file which may, or may not match your environment:
    # Configuration file for example.com
    [default]
    minauth=ntlmv2
    streams=yes
    soft=yes
    notify_off=yes
    [WINXP]
    addr=windowsXP.apple.com

All lines which begin with the ‘#’ character are comments and will not be parsed. The “default” section specifies that only Kerberos and NTLMv2 authentication should be attempted; NTLM authentication should not be attempted if NTLMv2 authentication fails, and plain-text authentication should not be attempted if the server doesn't support encrypted passwords.
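The following audit script is an added example, not part of the original manual page or of the SMB client. It reads nsmb.conf text and reports security-relevant settings, using the defaults and bitmap values documented above. The names audit, versions and SAMPLE, the LEGACYNAS section and the reading that signing_req_vers only matters when signing_required=yes are assumptions of this example.

```python
import configparser

# Bit meanings inferred from the value lists on this page (7 == SMB 1/2/3).
SMB_BITS = {1: "SMB 1", 2: "SMB 2", 4: "SMB 3"}
WEAK_MINAUTH = {"none", "lm", "ntlm"}  # levels that allow fallback below NTLMv2
# Table defaults for security keywords the table marks as [default]-only.
GLOBAL_ONLY = {"protocol_vers_map": "7", "signing_required": "no",
               "signing_req_vers": "6", "validate_neg_off": "no"}
# Constructed sample for this example, not taken from the man page.
SAMPLE = """\
[default]
minauth=ntlmv2
signing_required=yes
signing_req_vers=6
[LEGACYNAS]
addr=nas.example.com
minauth=none
signing_required=no
"""

def versions(bitmap):
    """Decode a version bitmap such as '6' into ['SMB 2', 'SMB 3']."""
    return [name for bit, name in SMB_BITS.items() if int(bitmap) & bit]

def audit(text):
    """Return (section, keyword, finding) tuples for nsmb.conf text."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    glob = dict(GLOBAL_ONLY)  # start from the documented defaults
    if cp.has_section("default"):
        glob.update({k: v for k, v in cp["default"].items() if k in glob})
    out, enabled = [], versions(glob["protocol_vers_map"])
    if "SMB 1" in enabled:
        out.append(("default", "protocol_vers_map", "SMB 1 is enabled"))
    signed = versions(glob["signing_req_vers"])
    unsigned = [v for v in enabled if v not in signed]
    if glob["signing_required"].lower() != "yes":
        out.append(("default", "signing_required", "signing is not required"))
    elif unsigned:  # assumption: the bitmap applies once signing is required
        out.append(("default", "signing_req_vers",
                    "no signing required for " + ", ".join(unsigned)))
    if glob["validate_neg_off"].lower() == "yes":
        out.append(("default", "validate_neg_off", "validate negotiate is off"))
    for name in cp.sections():
        if cp[name].get("minauth", "").lower() in WEAK_MINAUTH:
            out.append((name, "minauth", "permits fallback below NTLMv2"))
        if name != "default":
            out += [(name, k, "table lists this keyword for [default] only")
                    for k in cp[name] if k in GLOBAL_ONLY]
    return out
```

Run against the sample configuration shown in EXAMPLES, audit() reports the protocol_vers_map and signing_required defaults, since that file sets neither keyword.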
SEE ALSO
AUTHORS
This manual page was originally written by Sergey Osokin ⟨osa@FreeBSD.org⟩ and Tom Rhodes ⟨trhodes@FreeBSD.org⟩.