IBM i NetServer & QNTC
File sharing over network is not new to any one of us. Windows uses Server Message Block ( SMB ) protocol to read, create and update files on remote systems. IBM i provides SMB support using NetServer & QNTC. NetServer enables file sharing on the IBM i. Using NetServer Windows' clients can map shared directories on IBM i server as a mapped network drive. At the same time IBM i client can access files on Windows using QNTC.
IBM i and Windows operating systems support different versions of SMB. Table 1 list SMB versions on IBM i and Windows operating systems. For a successful connection between client and server, both parties should support common SMB versions. The connection uses the highest common protocol level that both sides support.
|IBM i 7.4||X||X||X|
|IBM i 7.3||X||X|
|IBM i 7.2||X||1X|
|IBM i 7.1 and below||X|
|Windows Server 2019, Windows Server 2016||X|
Windows 10 , Windows 8.1, Windows Server 2012 R2
|Windows 8 , Windows Server 2012||X|
Windows Vista SP1 & later, Windows Server 20008, Windows Server 2008 R2
Windows 2000 , Windows XP , Windows Server 2003
Windows Server 2003 R2
Table 1 : SMB versions on IBM i and Windows operating systems.
1X : NetServer SMB2 supported via PTF MF63692,MF64295,MF64401. QNTC SMB2 supported via PTF SI64984
SMB Default Versions
|IBM i Release||SMB Default Versions|
|IBM i 7.1 & below||SMB1|
|IBM i 7.2||SMB1|
|IBM i 7.3||SMB2|
|IBM i 7.4||SMB3|
|Table 2 : IBM i SMB default versions|
SBM Security & Performance
SMB1 vulnerabilities were exploited by ransomware like WannaCry and Petya to perform remote code execution on Windows machines. For improved security and performance , organizations should consider adopting SMB3 and disable SMB1. IBM i is not affected by this vulnerability, but to protect Windows file servers you must disable SMB1. US-CERT recommends blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.
SMB version 3.0 provides reduced latency when accessing data over wide area networks (WAN) and in high latency network. Unlike SMB2 or SMB1, it supports encrypted connection between client and server to protect sessions from eavesdropping attacks. PTF SI70746 is required to setup encrypted connection using SMB3.
Windows SMB version 2.0 disable guest account access to a remote server even if the remote server requests guest credentials. Guest logins are vulnerable to man-in-the-middle attacks as it does not support standard security features such as signing and encryption. Disable NetServer guest support or else windows client cannot map drives to IBM i NetServer shares using guest access when the NetServer is using SMB 2.0
IBM i with improper or no object level security and with NetServer guest support would allow any user to connect to root share and gain access to not just objects in directories but also in libraries. So do not share root file system.
On i5/OS V5R4 and beyond IBM i release, SMB signing should be enabled on IBM i NetServer to avoid tampering of packets and man in the middle attacks against IBM i. But with SMB1, enabling signing significantly decreases performance, especially when going across a WAN. Also NetServer guest support does not support SMB signing.
Changing SMB Versions
IBM i NetServer SMB protocol version can be changed by calling QZLSMAINT program to set the SMB flags. It is highly recommended to end NetServer before changing SMB flags. Changing SMB versions during active sessions can cause client errors to occur during those sessions. Change of flag becomes effectively immediately but in order to ensure that all sessions are using the desired SMB version a restart of NetServer is required. Client PC should remap drive or reboot their PCs to begin using the new SMB settings.
IBM i Release Upgrade & SMB version
IBM i 7.4 supports SMB3 but there is no current flag combination to force IBM i NetServer to only negotiate SMB3. During IBM i release upgrade , SMB configuration done at IBM i 7.2 and above are not changed unless the file /qibm/userdata/os400/NetServer/QAZLSCFG is updated to a new format. Should you require SMB3 to be used , you can force clients by requiring encrypted connections in the NetServer configuration. If this is not possible then at least set SMB flags to allow SMB2 and above.
Related: - Read more about the IBMi
April 28, 2021 |
April 14, 2021 | AS400/IBMi
Join our mailing list to receive the latest news and updates from our team.