I am doing some checking on OneFS 8.2 SMB3 encryption. Currently at the global and per-access-zone level I can:
At the Access Zone level I can set defaults for new shares:
On any share I can set:
What I am finding is that with 'Reject Unencrypted Access' set globally, the setting on an Access Zone overrides this (which is expected). If I have this set to 'Yes' on the Access Zone, attempts to connect to a share from a Windows Server 2008 R2 client (which is not capable of SMB3 encryption) are rejected, regardless of whether the share has 'Smb3 Encryption Enabled' set to Yes or No.
If I have 'Reject Unencrypted Access' set to No on the Access Zone, the Windows Server 2008 R2 client can connect to the share, regardless of whether the share has 'Smb3 Encryption Enabled' set to Yes or No.
As it happens I can also see from tcpdump that when I use a client that does support SMB3 encryption, the data packets are SMB3 encrypted regardless of whether the share has 'Smb3 Encryption Enabled' set to Yes or No. I guess that in the negotiation both end points agree that they are capable of SMB3 encryption.
This is not very intuitive. It means that if I want to guarantee that access to a share is encrypted, it must be in an Access Zone with 'Reject Unencrypted Access' set to Yes. It also means that on any Access Zone with 'Reject Unencrypted Access' set to No, it makes little difference whether the share has 'Smb3 Encryption Enabled' set to Yes or No; the data will be encrypted if the client is capable, and unencrypted access is permitted if the client does not support SMB3 encryption.
This blog post by trimbm does not say different:
Basically it says that the older OS can only access unencrypted shares if the cluster (or Access Zone) permits it. What it doesn't say is that if the cluster permits unencrypted connections, it permits unencrypted access to shares that have 'Smb3 Encryption Enabled'. What seems seriously missing is a share-level 'Reject Unencrypted Access'.
Here is the link to Isilon OneFS 8.2.2 CLI Administration Guide & if you look on page 215 it explains a little more how the restrictions work at the different levels. https://dell.to/37ZutGi
Please let us know if you have any other questions.
I agree that the document is factually correct, I just think that it is perhaps missing a couple of warnings. It describes the available settings accurately but it doesn't say anything about the effects.
In the section 'Enforce SMBv3 encryption' it could be clearer that unless --reject-unencrypted-access is set to Yes on the Access Zone, then access to a share may or may not use encryption, regardless of the settings of --support-smb3-encryption.
It could also make clearer that setting --reject-unencrypted-access globally to Yes is not effective in an Access Zone unless the setting for the Access Zone is also changed from the default 'No' to 'Yes', as the Access Zone setting (whether explicit or defaulted) overrides the global setting.
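To make the precedence described in this thread (zone value overrides global, share flag does not reject legacy clients) auditable offline, here is an added Python model of the observed behaviour; it is not OneFS code, and the zone and share names are constructed for the example:

```python
"""Offline model of the OneFS SMB3 encryption precedence reported in this thread.
Added illustration, not OneFS code: it encodes the observed behaviour (the
access-zone value, explicit or defaulted 'No', overrides the global value; the
share flag does not reject legacy clients) so a config dump can be audited."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Share:
    name: str
    zone: str
    smb3_encryption_enabled: bool  # the per-share 'Smb3 Encryption Enabled' flag


def effective_reject_unencrypted(global_reject: bool, zone_reject: Optional[bool]) -> bool:
    """Zone setting wins; None means the zone still has the default of 'No'.
    The global value is accepted only to show that it is ignored at this level."""
    return zone_reject is True


def connection_outcome(zone_reject: bool, client_supports_smb3_encryption: bool) -> str:
    """What a client gets on any share in the zone, per the poster's tcpdump results."""
    if client_supports_smb3_encryption:
        return "encrypted"  # negotiated end to end, regardless of the share flag
    return "rejected" if zone_reject else "unencrypted"


def audit(global_reject: bool, zones: Dict[str, Optional[bool]], shares: List[Share]) -> List[str]:
    """Flag the two surprises: a global 'Yes' that no zone enforces, and shares
    whose encryption flag gives a false sense of enforcement."""
    findings = []
    for zone, zone_reject in zones.items():
        if global_reject and not effective_reject_unencrypted(global_reject, zone_reject):
            findings.append(f"zone {zone}: global reject-unencrypted=Yes is overridden by zone value No")
    for s in shares:
        if s.smb3_encryption_enabled and not effective_reject_unencrypted(global_reject, zones[s.zone]):
            findings.append(f"share {s.name} (zone {s.zone}): encryption flag set, but "
                            "unencrypted access is still permitted for legacy clients")
    return findings


# Constructed sample configuration (hypothetical zone and share names).
ZONES: Dict[str, Optional[bool]] = {"System": None, "Finance": True, "Legacy": False}
SHARES = [Share("payroll", "Finance", True), Share("archive", "Legacy", True), Share("scratch", "System", False)]

if __name__ == "__main__":
    for finding in audit(True, ZONES, SHARES):
        print(finding)
```

Running it against the sample data reports the System and Legacy zones as overriding the global setting and the archive share as not actually enforcing encryption.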
NL400 can only go to OneFS 8.1.2 and it has SMB3 encryption support.
2.4 SMB encryption
2.4.1 Feature introduction
OneFS 8.1.1 and above provide SMB encryption to secure access to data over untrusted networks by providing over the wire encryption between the client and PowerScale cluster. It is an on-wire data encryption which prevents an attacker from tampering with any data packet in transit without needing an extra
SMB encryption can be used by any clients which support SMB3 encryption from Windows Server 2012, 2012R2, 2016, Windows Client 8, and Windows 10 and does not require any extra infrastructure management. PowerScale can also be configured to allow accepting or rejecting the old clients that lack the SMB encryption support access.