× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. December 2016

Re: 7.2 to 7.3 and IFS root

We've upgraded numerous systems to 7.3.
Many of them had root shared.
We've stopped all sharing of the root. Not because of 7.3 issues but
because there has been targeted ransomware to find a share that some
client has to root and then encrypt all files on your IBM i. We now only
share various subdirectories.

What the issue is at 7.3 is that IBM changed from SMB1 to SMB2. SMB1 is a
security joke. The problem with SBM2 is that if you open a share on a
Windows client to IBM i 7.3 your results may be sporadic. The issue there
is that Windows polls status at a much higher frequency than the specs and
this drives SMB2 support on IBM i bonkers. While it may be caused by
Microsoft apparently other OS's, (Windows included), does not have this
issue and serve up SMB2 rather nicely. I've opened up a ticket with IBM
and get the finger pointing. I found it quite easy to move all file
sharing to other platforms and abandon IBM i as a file sharer when they
adopt this attitude. Microsoft is the 800 pound gorilla when it comes to
this environment.
IBM's reacharound is to change some stuff so that your IBM i falls back to
serving up SMB1 instead. However they strongly discourage you from doing
so due to the inherent security risks.

http://www-01.ibm.com/support/docview.wss?uid=nas8N1021348
http://www-01.ibm.com/support/docview.wss?uid=nas8N1017682
http://www-01.ibm.com/support/docview.wss?uid=nas8N1019248

There is a hack to the Windows registry you can try. We did not have much
luck with it and the prospect of having to hack the registry throughout
our domain was not too appealing.

Also from the PMR:

As you know, SMB2 is new at OS 730 and it is the default that is
negotiated with IBM i NetServer clients. This is the only big NetServer
change since your previous OS where this was all working perfectly for
so long. However, the older version of SMB is still available to use.
The following command can be used to disable SMB2 support for IBM i
NetServer:

CALL QZLSMAINT PARM('40' '1' '0x80')

This will disable SMB2 for both Printer and File shares. To perform the
disablement, take the following steps:

a. Stop NetServer: ENDTCPSVR SERVER(*NETSVR)
b. Disable NetServer SMB2: CALL QZLSMAINT PARM('40' '1' '0x80')
c. Start NetServer: STRTCPSVR SERVER(*NETSVR)
d. NetServer client's (user PC) that were mapped using SMB2 protocol
will need to reboot their PC because of Windows security precautions.

If for some reason disabling SMB2 does not help alleviate the problem,
then SMB2 can be re-enabled using the same steps as above, but replacing
the command in step b with the following command:

CALL QZLSMAINT PARM('40' ' 2 ' '0x80')


Rob Berendt

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.