Thanks for that information. I understand that XP and 2003 uses smb1. If I enable smb signing, that should prevent smb1 connection to the SVM, correct?

or cifs modify / cifs options modify and disable smb1

Hi,

 

in CDOT,  I run

 

cifs modify -vserver <svm name>

 

it does not show an option to disable smb1

Good catch... You can disable 2 and 3 but only from advanced or higher privilege.. no smb 1 in there though.  The link to TR-4100 from the above reference is http://www.netapp.com/us/media/tr-4100.pdf

 

Judging by the fact that NetApp created a solution to make sure SMB1 will still work, I guess NetApp left it to the Windows environment to decide if they will eliminate SMB1 or not. Security engineers may not like this. lol

SMB signing can prevent smb1, but looks like a patch fixes that.  http://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=803058

---

@scottgelb wrote:

TR 4100 covers this really well.. a really nice reference.  See page 6.

---

Page 7 is more interesting as it details conditions when LIF migration is really non-disruptive. It seems that SMB 2 or 3 alone does not gurantee it; there are situations when session may be lost.

 

I wonder if Windows is using durable handles by default (and in which versions). I could not find any explanation, but then I am not really Windows guy.

This is what it says in page 7

In order for the LIF migrate to be nondisruptive, the SMB 2.x and 3.0 connections must establish and maintain a durable handle to the open file handle. When a LIF is migrated between nodes, those SMB 2.x and 3.0 clients with durable handle connections have their handles put into a temporary “disconnected” state. In order for the file handles to remain open, the client applications need to reconnect to the “disconnected” file handles

 

 

All this tells me is that I cannot guarantee to my managers that there will be no outage in CIFS. You are right, I am not sure how to identify that "durable handle".