How to Troubleshoot SMB Signing Issues Seen on Windows SMB3 Clients Upon Updating Supported SMB Dialect on the Server.
(Doc ID 2205106.1)
Last updated on SEPTEMBER 30, 2022
Applies to:
Oracle ZFS Backup Appliance ZS5-4 - Version All Versions and later
Oracle ZFS Storage Appliance Racked System ZS7-2 Mid-Range - Version All Versions and later
Oracle ZFS Storage Appliance Racked System ZS7-2 High-End - Version All Versions and later
Oracle ZFS Storage ZS7-2 High End TAA Compliant - Version All Versions and later
Oracle ZFS Storage Appliance Racked System ZS7-2 for PCA/CatC - Version All Versions and later
7000 Appliance OS (Fishworks)
This document provides a procedure to resolve problems with SMB signing on Windows SMB3 clients.
This usually manifests as an inability to access already mapped shares. The errors seen are "Invalid Signature" or "an extended error has occurred".
There is a known client-side SMB signing issue seen on Windows 8 and Windows 2012, as documented by Microsoft here: https://support.microsoft.com/en-us/kb/2756452.
"When a Windows 8 RTM or Windows Server 2012 RTM-based client computer attempts to reconnect to a server which has been upgraded from SMB 2.1 to SMB 3.0 while the client held a mapped share, you might see a failure to reconnect.
You may get different error messages depending on how you are accessing the file server."
This issue was fixed in Windows 2012R2 and later clients. However, it appears that it can still manifest on Windows 2012R2 clients by following the steps below.
Note: The issue can be reproduced against Windows and Solaris servers using a Windows 2012R2 client.
1. On the Windows 2012R2 client, map a share hosted by the SMB3 server.
2. On the SMB server, update the supported SMB dialect from SMB3 to SMB2.
Note: Windows Server does not allow updating a specific dialect, so to simulate the use case you would need to reassign the IP of one of the interfaces on the SMB3 server to an SMB2.1 server and disable the interface on the SMB3 server.
3. On the Windows 2012R2 client, close the connection to the SMB3 server using the TCPView tool.
4. On the Windows 2012R2 client, try to map the same share using the same command used in step (1). The share map will fail, and in the trace you will see the SMB server return an ACCESS_DENIED error for VALIDATE_NEGOTIATE_INFO.
It looks like, after a connection is terminated abruptly using TCPView, the SMB client redirector still uses the stale SMB3 user session information for new connections. It might be that the client is using the incorrect signing key or signing algorithm to map a share over the SMB2.1 connection in step (4).
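The wrong-key half of that hypothesis can be shown in a few lines. This is an added example, not part of the Oracle document or any vendor code: it signs a request the SMB 2.1 way (HMAC-SHA256, first 16 bytes) once with the new session key and once with a signing key derived the SMB 3.0 way from an old session, then verifies both as an SMB 2.1 server would. The session keys, header field values and request body are constructed, and SMB 3.0's AES-CMAC signing is not implemented here.

```python
import hashlib
import hmac
import struct

SIG_OFF, SIG_LEN = 48, 16  # Signature field inside the 64-byte SMB2 header

def smb3_signing_key(session_key: bytes) -> bytes:
    """SMB 3.0 SigningKey: SP800-108 counter-mode KDF, HMAC-SHA256 PRF, L=128."""
    label, context = b"SMB2AESCMAC\x00", b"SmbSign\x00"
    data = struct.pack(">I", 1) + label + b"\x00" + context + struct.pack(">I", 128)
    return hmac.new(session_key, data, hashlib.sha256).digest()[:16]

def sign_smb21(key: bytes, packet: bytes) -> bytes:
    """SMB 2.1 signature: first 16 bytes of HMAC-SHA256 over the packet
    with the Signature field zeroed."""
    zeroed = packet[:SIG_OFF] + b"\x00" * SIG_LEN + packet[SIG_OFF + SIG_LEN:]
    sig = hmac.new(key, zeroed, hashlib.sha256).digest()[:SIG_LEN]
    return packet[:SIG_OFF] + sig + packet[SIG_OFF + SIG_LEN:]

def server_verify_smb21(session_key: bytes, packet: bytes) -> str:
    """An SMB 2.1 server recomputes the signature with the plain session key."""
    expected = sign_smb21(session_key, packet)[SIG_OFF:SIG_OFF + SIG_LEN]
    received = packet[SIG_OFF:SIG_OFF + SIG_LEN]
    if hmac.compare_digest(expected, received):
        return "STATUS_SUCCESS"
    return "ACCESS_DENIED"  # the status the page reports in the trace

def build_request() -> bytes:
    """Constructed SMB2 IOCTL request (sample values, not a captured packet)."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        b"\xfeSMB", 64, 0, 0,   # ProtocolId, StructureSize, CreditCharge, Status
        0x000B, 1, 0x00000008,  # Command=IOCTL, Credits, Flags=SIGNED
        0, 2, 0, 1, 0x1234,     # NextCommand, MessageId, Reserved, TreeId, SessionId
        b"\x00" * SIG_LEN,      # Signature, filled in by the signer
    )
    return header + b"constructed VALIDATE_NEGOTIATE_INFO body"

OLD_SMB3_SESSION_KEY = bytes(range(16))       # constructed: session before the dialect change
NEW_SMB21_SESSION_KEY = bytes(range(16, 32))  # constructed: session on the new connection
STALE_KEY = smb3_signing_key(OLD_SMB3_SESSION_KEY)  # what a stale client would still hold

def demo() -> dict:
    req = build_request()
    return {
        "fresh_key": server_verify_smb21(NEW_SMB21_SESSION_KEY, sign_smb21(NEW_SMB21_SESSION_KEY, req)),
        "stale_key": server_verify_smb21(NEW_SMB21_SESSION_KEY, sign_smb21(STALE_KEY, req)),
    }
```
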