NSMB.CONF(5) File Formats Manual NSMB.CONF(5)
NAME
nsmb.conf – configuration file for SMB requests
DESCRIPTION
The nsmb.conf file contains information about the computers and shares or
mount points for the SMB network protocol.
The configuration hierarchy is made up of several sections, each section
containing a few or several lines of parameters and their assigned
values. Each of these sections must begin with a section name enclosed
within square brackets, similar to:
    [section_name]
The end of each section is marked by either the start of a new section,
or by the abrupt ending of the file, commonly referred to as the EOF.
Each section may contain zero or more parameters such as:
    [section_name]
    key=value
where key represents a parameter name, and value would be the parameter's
assigned value.
The SMB library uses the following information for section names:
A) [default]
B) [SERVER]
C) [SERVER:SHARE]
Possible keywords may include:
Keyword                 Section  Default  Comment
                        A B C    Values
addr                    - + -             DNS name or IP address of server
nbtimeout               + + -    1s       Timeout for resolving a NetBIOS name
minauth                 + + -    NTLMv2   Minimum authentication level allowed
port445                 + + -    both     How to use SMB TCP/UDP ports
streams                 + + +    yes      Use NTFS Streams if server supported
soft                    + + +    no       Force all mounts to be soft
notify_off              + + +    no       Turn off using notifications
kloglevel               + - -    0        Turn on smb kernel logging
protocol_vers_map       + + -    7        Bitmap of SMB Versions that are enabled
signing_required        + + -    no       Turn on smb client signing
signing_alg_map         + + -    3        Bitmap of SMB 3.1.1 signing algorithms that are enabled
signing_req_vers        + + -    6        Bitmap of SMB Versions that have signing required
validate_neg_off        + + -    no       Turn off using validate negotiate
max_resp_timeout        + + -    30s      Max time to wait for any response from server
submounts_off           + + +    no       Turn off using submounts
dir_cache_async_cnt     + + -    10       Max async queries to fill dir cache
dir_cache_max           + + -    60s      Max time to cache for a dir
dir_cache_min           + + -    30s      Min time to cache for a dir
max_dirs_cached         + + -    Varies   Varies from 200-300 depending on RAM amount
max_cached_per_dir      + + -    Varies   Varies from 2000-10000 depending on RAM amount
netBIOS_before_DNS      + + +    no       Try NetBIOS resolution before DNS resolution
mc_on                   + + -    yes      Turn on SMB multichannel (allow more than one channel per session)
mc_max_channels         + + -    9        Max channels between client and server
mc_srvr_rss_channels    + + -    4        Max RSS channels per server interface
mc_clnt_rss_channels    + + -    4        Max RSS channels per client interface
mc_prefer_wired         + + -    no       Prefer wired NICs over wireless in multichannel mode
encrypt_cipher_map      + + -    15       Bitmap of SMB 3.1.1 encryption algorithms that are enabled
force_sess_encrypt      + + -    no       Force session encryption
force_share_encrypt     + + -    no       Force share encryption
connect_to_sharedisk    + - -    yes      Allow connection to a server in disk share mode
comp_algorithms_map     + + -    0        Bitmap of compression algorithms that are enabled
comp_chaining_disable   + + -    no       Disable chained compression
comp_io_threshold       + + -    4096     Min IO size to use compression (4096 - 1048576)
comp_chunk_len          + + -    256KB    Chained write chunk size for processing
comp_max_fail_cnt       + + -    5        Max times write compression can fail before disabling for that file
comp_exclude_list       + + -             Comma separated list of file extensions to not compress
comp_include_list       + + -             Comma separated list of file extensions to override default exclusion list
The minimum authentication level can be one of:
kerberos  Kerberos - NTLMv2, NTLM, LM, and plain-text password
          authentication are not attempted.
ntlmv2    NTLMv2 - Kerberos authentication is attempted if a Kerberos
          token can be obtained, otherwise NTLMv2 authentication is
          attempted; if the server doesn't support encrypted
          passwords, the authentication fails.
ntlm      NTLM - Kerberos authentication is attempted if a Kerberos
          token can be obtained, otherwise NTLMv2 authentication is
          attempted and, if that fails, NTLMv1 authentication is
          attempted, with zeroes in the LM hash; if the server
          doesn't support encrypted passwords, the authentication
          fails.
lm        LM - Kerberos authentication is attempted if a Kerberos
          token can be obtained, otherwise NTLMv2 authentication is
          attempted and, if that fails, NTLMv1 authentication is
          attempted, including the LM hash; if the server doesn't
          support encrypted passwords, the authentication fails.
none      none - The same as lm except that, if the server doesn't
          support encrypted passwords, plain-text passwords are used.
          Required for servers that don't support extended security.
(Note: "NetBIOS" as used below means "NetBIOS over TCP/IP.")
"How to use SMB TCP/UDP ports" can be one of:
both          Attempt to connect via port 445. If that is
              unsuccessful, try to connect via NetBIOS.
netbios_only  Do not attempt to connect via port 445.
no_netbios    Attempt to connect via port 445. If that is
              unsuccessful, do not try to connect via NetBIOS.
"Bitmap of SMB Versions that are enabled" can be one of:
7 == 0111
SMB 1/2/3 should be enabled
6 == 0110
SMB 2/3 should be enabled
4 == 0100
SMB 3 should be enabled
"Bitmap of SMB Versions that have signing required" can be one of:
7 Signing required for SMB 1/2/3.
6 Signing required for SMB 2/3.
4 Signing required for SMB 3.
"Bitmap of SMB 3.1.1 signing algorithms that are enabled" can be one of:
3 == 0011
AES-128-GMAC/AES-128-CMAC should be enabled
1 == 0001
AES-128-CMAC should be enabled
"Bitmap of SMB 3.1.1 encryption algorithms that are enabled" can be one
of:
15 == 1111
AES-256-GCM/AES-256-CCM/AES-128-GCM/AES-128-CCM should be enabled
7 == 0111
AES-256-CCM/AES-128-GCM/AES-128-CCM should be enabled
3 == 0011
AES-128-GCM/AES-128-CCM should be enabled
1 == 0001
AES-128-CCM should be enabled
"Bitmap of SMB 3.1.1 compression algorithms that are enabled" can be any
combination of (set to 0 to disable compression):
8 == 1000
PatternV1 should be enabled (only valid if chained compressions
are supported)
4 == 0100
LZ77+Huffman should be enabled.
2 == 0010
LZ77 should be enabled
1 == 0001
LZNT1 should be enabled
FILES
/etc/nsmb.conf
        The global configuration file.
~/Library/Preferences/nsmb.conf
        The user's configuration file; conflicts will be
        overwritten by the global file.
EXAMPLES
What follows is a sample configuration file which may or may not match
your environment:
    # Configuration file for example.com
    [default]
    minauth=ntlmv2
    streams=yes
    soft=yes
    notify_off=yes
    comp_exclude_list=foo,bar
    [WIN11]
    addr=windows11.apple.com
All lines which begin with the ‘#’ character are comments and will not be
parsed. The “default” section specifies that only Kerberos and NTLMv2
authentication should be attempted; NTLM authentication should not be
attempted if NTLMv2 authentication fails, and plain-text authentication
should not be attempted if the server doesn't support encrypted
passwords.
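An added example, not part of the original manual page or of Apple's code: a Python check that reads nsmb.conf text and reports settings that weaken a connection (SMB 1 enabled in protocol_vers_map, minauth below ntlmv2, client signing not turned on, validate negotiate turned off). It assumes that [SERVER] sections inherit unset keys from [default] and that the bit values follow the examples on this page; the LEGACYNAS section and its address are constructed sample data.

```python
import configparser

# Defaults copied from the keyword table on this page.
MAN_DEFAULTS = {"minauth": "ntlmv2", "protocol_vers_map": "7",
                "signing_required": "no", "validate_neg_off": "no"}
# minauth levels, weakest first, following the list on this page.
AUTH_ORDER = ["none", "lm", "ntlm", "ntlmv2", "kerberos"]
# Bit values inferred from the page: 7 = SMB 1/2/3, 6 = SMB 2/3, 4 = SMB 3.
SMB_VERSION_BITS = {1: "SMB 1", 2: "SMB 2", 4: "SMB 3"}

# Constructed sample input; LEGACYNAS and nas.example.com are made up.
SAMPLE = """\
# hardened defaults, one legacy exception
[default]
minauth=ntlmv2
signing_required=yes
protocol_vers_map=6
[LEGACYNAS]
addr=nas.example.com
minauth=lm
protocol_vers_map=7
validate_neg_off=yes
"""

def enabled_versions(bitmap):
    """Decode a protocol_vers_map value into the SMB versions it enables."""
    return [name for bit, name in SMB_VERSION_BITS.items() if bitmap & bit]

def audit(text):
    """Return {section: [findings]}; assumes sections inherit from [default]."""
    cp = configparser.ConfigParser(default_section="default", interpolation=None)
    cp.read_string(text)
    report = {}
    for name in [cp.default_section] + cp.sections():
        eff = {**MAN_DEFAULTS, **cp[name]}  # file values override man-page defaults
        found = []
        if "SMB 1" in enabled_versions(int(eff["protocol_vers_map"])):
            found.append("SMB 1 is enabled")
        auth = eff["minauth"].lower()
        if auth not in AUTH_ORDER:
            found.append(f"unknown minauth value {auth!r}")
        elif AUTH_ORDER.index(auth) < AUTH_ORDER.index("ntlmv2"):
            found.append(f"minauth={auth} allows fallback below NTLMv2")
        if eff["signing_required"].lower() != "yes":
            found.append("client signing is not turned on")
        if eff["validate_neg_off"].lower() == "yes":
            found.append("validate negotiate is turned off")
        report[name] = found
    return report
```

Pass the contents of /etc/nsmb.conf or ~/Library/Preferences/nsmb.conf to audit() to check a real file; audit(SAMPLE) reports nothing for [default] and three findings for [LEGACYNAS].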
SEE ALSO
smbutil(1), mount_smbfs(8)
AUTHORS
This manual page was originally written by Sergey Osokin
⟨osa@FreeBSD.org⟩ and Tom Rhodes ⟨trhodes@FreeBSD.org⟩.
macOS 15.2 June 30, 2003 macOS 15.2