
It has been observed that OSX versions above 10.11.5 changed the default SMB client configuration in a way that may negatively affect performance. The client-side change affects multiple NAS vendors/solutions. This article describes a solution to improve performance when using BrickstorOS.

In summary, a security feature known as Signing is now enabled on OSX by default, and is a useful feature if the client accesses SMB shares via the Internet. This feature is meant to protect communications between client and server by eliminating the chance of a man-in-the-middle attack. In other words, it eliminates the space where an opportunity exists for someone to "pretend" that they are the server or that they are the client (spoofing). This default setting was likely introduced as a response to the BADLOCK SMB vulnerability.

While signing is a valuable feature on Internet-connected SMB systems, normal users of BrickstorOS will very rarely have systems directly on the Internet; generally everything is encapsulated inside secured networks, behind firewalls and other barriers from the Internet. In these instances networks are typically private, with private addressing, and are far less susceptible to such issues, so signing becomes less meaningful. Because signing introduces a significant performance penalty, users may opt to disable SMB signing. On BrickstorOS today SMB signing is disabled by default, but we have observed instances where it is not, which may be due to upgrades from previous versions where it was not disabled, explicit enablement at some point in time, etc. Follow the directions below if you wish to disable client-side and server-side SMB signing.

Step-by-step guide

Client-Side:

To disable signing, changes on both client and SAN are required. First, the following file should be created on OSX: `/etc/nsmb.conf` with these contents:

[default]
signing_required=no

The change on the client must be made as root, and a reboot must follow for the system to pick up this configuration change.

Server-Side:

The change on the SAN is done via the command line, either over ssh or directly at the console. Once made, this change is persistent and will not revert on reboot.

To check if signing is already disabled run this command:

# sharectl get -p signing_enabled -p signing_required smb


If signing_enabled and signing_required are not both set to false, change them to false with the following command:

# sharectl set -p signing_enabled=false -p signing_required=false smb


After a change is made, it is necessary to restart the SMB server, which will result in active sessions being dropped. This is required for clients to re-connect without signing enabled.

To restart the SMB server run the following command:

# svcadm restart smb/server
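
To confirm the state on both sides before and after the change, the two settings can be checked with small helpers like the ones below. This is an added example, not part of the original article or of BrickstorOS; the function names are hypothetical, the sample inputs are constructed, and it assumes `sharectl get` prints one `name=value` line per property.

```shell
#!/bin/sh
# Added example: audit helpers for the two settings this article changes.
# Function names are hypothetical; sample inputs below are constructed.

# Print the value of signing_required from the [default] section of an
# nsmb.conf-format file (path in $1, or stdin), or "unset" if absent.
nsmb_signing_required() {
    awk '
        /^[ \t]*[#;]/ { next }                  # comment line
        /^[ \t]*\[/ {                           # section header
            s = $0; gsub(/\[|\]|[ \t]/, "", s); section = tolower(s); next
        }
        section == "default" {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == "signing_required") val = tolower(v)
        }
        END { print (val == "" ? "unset" : val) }
    ' "${1:--}"
}

# Read name=value lines on stdin (assumed to be the format printed by
# "sharectl get") and print "disabled" only when both are false.
smb_server_signing_state() {
    awk -F= '
        $1 == "signing_enabled"  { en = $2 }
        $1 == "signing_required" { req = $2 }
        END {
            if (en == "" || req == "") print "unknown"
            else if (en == "false" && req == "false") print "disabled"
            else print "not-disabled"
        }
    '
}

# Constructed samples: a client file as created above, and a server that
# still has signing enabled (for example after an upgrade).
sample_nsmb='[default]
signing_required=no'
sample_sharectl='signing_enabled=true
signing_required=false'

printf 'client signing_required: %s\n' \
    "$(printf '%s\n' "$sample_nsmb" | nsmb_signing_required)"
printf 'server signing: %s\n' \
    "$(printf '%s\n' "$sample_sharectl" | smb_server_signing_state)"
```

On a real client run `nsmb_signing_required /etc/nsmb.conf`; on the SAN pipe the `sharectl get` command shown above into `smb_server_signing_state`.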

For additional information about this article and signing in particular, please contact RackTop Systems Support.