# Manage SMB using the CLI Using the CLI, you can manage the SMB-W: * [Show the SMB cluster](#show-the-smb-cluster) * [Show the SMB domain configuration](#show-smb-domain-cfg) * [Add an SMB cluster](#create-smb-cluster) * [Update the SMB cluster](#update-smb-cluster) * [Check the status of SMB cluster readiness](#check-status-smb-host-readiness) * [Join an SMB cluster in Active Directory](#join-smb-cluster-in-a-d) * [Delete an SMB cluster](#delete-an-smb-cluster) * [Add or remove SMB cluster containers](#add-or-remove-smb-cluster-hosts) * [Configure trusted domains](#configure-trusted-domains) * [List SMB shares](#list-smb-shares) * [Add an SMB share](#add-an-smb-share) * [Update SMB shares](#update-smb-shares) * [Control SMB share user-lists](#control-smb-share-user-lists) * [Remove SMB shares](#remove-smb-shares) * [Control SMB access based on hosts' IP/name](#control-smb-access-based-on-hosts) {% hint style="info" %} The CLI refers to the feature as SMB, but it applies to SMB-W only. Support for the legacy SMB implementation has been removed. {% endhint %} ## Show the SMB cluster **Command:** `weka smb cluster` Use this command to view information about the SMB cluster managed by the WEKA system. ## Show the SMB domain configuration **Command:** `weka smb domain` Use this command to view information about the SMB domain configuration. ## Add an SMB cluster **Command:** `weka smb cluster add` Use the following command line to create a new SMB cluster to be managed by the WEKA system: `weka smb cluster add

[--domain-netbios-name domain-netbios-name] [--idmap-backend idmap-backend] [--default-domain-mapping-from-id default-domain-mapping-from-id] [--default-domain-mapping-to-id default-domain-mapping-to-id] [--joined-domain-mapping-from-id joined-domain-mapping-from-id] [--joined-domain-mapping-to-id joined-domain-mapping-to-id] [--encryption encryption] [--smb-conf-extra smb-conf-extra] [--container-ids container-ids]... [--smb-ips-pool smb-ips-pool]... [--smb-ips-range smb-ips-range]...[--symlink symlink]` **Parameters**

Name	Value	Default
`netbios-name`*	NetBIOS name for the SMB cluster must be 1-15 characters long, using only alphanumeric characters (A-Z, 0-9) and hyphens (-). Names are case-insensitive, cannot start with a hyphen, and must be unique within the network. Spaces and special characters are not allowed. This will be the name of the Active Directory computer object and the hostname part of the FQDN.
`domain`*	The Active Directory domain to which the SMB cluster will be joined.
`config-fs-name`*	The predefined filesystem for storing persistent cluster-wide protocol configurations. Ensure the filesystem exists; if not, create it. For details, see #dedicated-filesystem-requirement-for-persistent-protocol-configurations
`domain-netbios-name`	Domain NetBIOS name.	The first part of the `domain` parameter
`idmap-backend`	The ID mapping method to use. Possible values: `rfc2307` or `rid`	`rfc2307`
`default-domain-mapping-from-id`	The first ID of the range for the default AD ID mapping (for trusted domains that have no defined range).	4290000001
`default-domain-mapping-to-id`	The last ID of the range for the default AD ID mapping (for trusted domains that have no defined range).	4291000000
`joined-domain-mapping-from-id`	The first ID of the range for the main AD ID mapping.	0
`joined-domain-mapping-to-id`	The last ID of the range for the main AD ID mapping.	4290000000
`encryption`	The global encryption policy to use: `enabled` - enables encryption negotiation but doesn't turn it on automatically for supported sessions and share connections. `desired` - enables encryption negotiation and turns on data encryption on supported sessions and share connections. `required` - enforces data encryption on sessions and share connections. Clients that do not support encryption will be denied access to the server.	`enabled`
`smb-conf-extra`	Additional SMB configuration parameters. Specify one or more key=value pairs to extend the SMB service configuration. When defining multiple entries, separate each pair using the literal `\n`. Example: `--smb-conf-extra "key1=value1\nkey2=value2\nkey3=value3"`
`container-ids`	The container IDs of the containers with a frontend process to serve the SMB service. Minimum of 3 containers.
`smb-ips-pool`	A pool of virtual IPs, used as floating IPs for the SMB cluster to provide HA to clients. These IPs must be unique; do not assign these IPs to any host on the network. Format: comma-separated IP addresses.
`smb-ips-range`	A range of virtual IPs, used as floating IPs for the SMB cluster to provide HA to clients. These IPs must be unique; do not assign these IPs to any host on the network. Format: `A.B.C.D-E` Example: `10.10.0.1-100`
`symlink`	Determines if symbolic links are allowed in the SMB cluster. `on`: Enables symbolic links. Use with caution, as it can introduce security risks by exposing data across shares. `off`: Disables symbolic links, enhancing security by preventing link-based vulnerabilities. Important: If a symbolic link in one share points to a file system in another share, users in the first share can access the data in the second share. Ensure you understand the security implications before enabling this option. Only applicable for SMB-W clusters.	`Off`

### Guidelines for configuring an SMB cluster * **Enable High Availability (HA):** * Ensure all floating IPs reside on the same subnet to enable IP takeover for HA. * **Floating IP requirements:** * Floating IPs must not be used by any other applications, servers, or WEKA components, including: * WEKA system management nodes * WEKA system IO nodes * WEKA system NFS floating IPs * In all-cloud installations, where listing SMB floating IPs is restricted by cloud provider network limitations, access the SMB service via the primary addresses of the cluster nodes. * **Configure SMB floating IPs:** * Use the `--smb-ips` parameter to specify the virtual IPs exposed by the SMB cluster. * Clients must connect through one of these virtual IPs to ensure automatic reconnection if an SMB container fails. * **Customizing SMB library options:** * If global options for the SMB library need adjustment, contact the [Customer Success Team](https://docs.weka.io/support/getting-support-for-your-weka-system). **Example command:**\ In this example, an SMB cluster named `wekaSMB` is created using containers 0-4, within the domain `mydomain`. The cluster is configured with virtual IPs ranging from 1.1.1.1 to 1.1.1.5. {% code overflow="wrap" %} ```bash weka smb cluster create wekaSMB mydomain --container-ids 0,1,2,3,4 --smb-ips-pool 1.1.1.1,1.1.1.2 --smb-ips-range 1.1.1.3-5 ``` {% endcode %} ## Update the SMB cluster **Command:** `weka smb cluster update` Use the following command line to update an existing SMB cluster: `weka smb cluster update [--encryption encryption] [--smb-ips-pool smb-ips-pool]... [--smb-ips-range smb-ips-range]...[--symlink symlink]` **Parameters**

Name	Value
`encryption`	The global encryption policy to use: `enabled`: enables encryption negotiation but doesn't turn it on automatically for supported sessions and share connections. `desired`: enables encryption negotiation and turns on data encryption on supported sessions and share connections. `required`: enforces data encryption on sessions and share connections. Clients that do not support encryption are denied access to the server.
`smb-ips-pool`	A pool of virtual IPs, used as floating IPs for the SMB cluster to provide HA to clients. These IPs must be unique; do not assign these IPs to any host on the network. Format: comma-separated IP addresses.
`smb-ips-range`	A range of public IPs is used as floating IPs to provide high availability for the SMB cluster to serve the SMB clients. These IPs must be unique; do not assign these IPs to any host on the network. Format: `A.B.C.D-E` Example: `10.10.0.1-100`
`symlink`	Determines if symbolic links are allowed in the SMB cluster. `on`: Enables symbolic links. Use with caution, as it can introduce security risks by exposing data across shares. `off`: Disables symbolic links, enhancing security by preventing link-based vulnerabilities. Important: If a symbolic link in one share points to a file system in another share, users in the first share can access the data in the second share. Ensure you understand the security implications before enabling this option. Only applicable for SMB-W clusters.

## Check the status of SMB cluster readiness **Command:** `weka smb cluster status` The SMB cluster is comprised of three to eight SMB containers. Use this command to check the status of the SMB containers that are part of the SMB cluster. Once all the SMB containers are prepared and ready, it is possible to join an SMB cluster to an Active Directory domain. ## Join an SMB cluster in Active Directory **Command:** `weka smb domain join` Use the following command line to join the SMB cluster to an Active Directory domain: `weka smb domain join [--server server] [--create-computer create-computer]` {% hint style="info" %} Ensure the AD servers are resolvable to all WEKA servers. This resolution enables the WEKA servers to join the AD domain. {% endhint %} **Parameters** | Name | Value | | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | `username`\* | Name of an AD user with permission to add a server to the domain. | | `password`\* | The password of the AD user. This password is not retained or cached. | | `server` |

Specifies the remote domain controller for SMB-W domain join commands.
WEKA automatically identifies an AD Domain Controller server (from /etc/resolv.conf) based on the AD domain name.
You do not need to set the server name. In some cases, specify the AD server if required.
See #resolve-the-a-d-domain-controllers.

| | `create-computer` |

Creates an SMB cluster computer account in AD under a specified OU.
The default is the "Computers" container in AD.

| To join an existing SMB cluster to another Active Directory domain, leave the current Active Directory using the following command line: `weka smb domain leave ` On completion of this operation, it is possible to join the SMB cluster to another Active Directory domain. ## Remove an SMB cluster **Command:** `weka smb cluster remove` Use this command to remove an SMB cluster managed by the WEKA system. Removing an existing SMB cluster managed by the WEKA system does not delete the backend WEKA filesystems but removes the SMB share exposures of these filesystems. ## Add or remove SMB cluster containers **Command:** `weka smb cluster container add` **Command:** `weka smb cluster container remove` Use these commands to add or remove containers from the SMB cluster. `weka smb cluster container add [--container-id container-id]...` `weka smb cluster container remove [--container-id container-id]...` {% hint style="info" %} This operation might take some time to complete. During that time, SMB IOs are stalled. {% endhint %} **Parameters**

Name	Value
`container-ids`*	Container IDs of containers with a frontend process to serve the SMB service. Specify a comma-separated list with a minimum of 3 containers.

## Configure trusted domains ### List trusted domains **Command:** `weka smb cluster trusted-domains` Use this command to list all the configured trusted domains and their ID ranges. ### Add trusted domains **Command:** `weka smb cluster trusted-domains add` Use the following command line to add an SMB trusted domain: `weka smb cluster trusted-domains add

` **Parameters**

Name	Value
`domain-name`*	The name of the domain to add.
`from-id`*	The first ID of the range for the domain ID mapping. The range cannot overlap with other domains.
`to-id`*	The last ID of the range for the domain ID mapping. The range cannot overlap with other domains

### Remove trusted domains **Command:** `weka smb cluster trusted-domains remove` Use the following command line to remove an SMB-trusted domain: `weka smb cluster trusted-domains remove ` **Parameters**

Name	Value
`domain-id`*	The internal ID of the domain to remove

{% hint style="info" %} **SMB-W cluster restart and verification** The commands `weka smb cluster trusted-domains add` and `weka smb cluster trusted-domains remove` (and the related APIs) trigger a background restart of the SMB-W cluster. This restart is necessary for the changes to take effect. To confirm that the cluster has resumed normal operation following the restart, run the command: `weka smb cluster status` This command provides the current status of the SMB-W cluster and ensures that it is operational. {% endhint %} ## List SMB shares **Command:** `weka smb share` Use this command to list all existing SMB shares. ## Add an SMB share **Command:** `weka smb share add` Use the following command line to add a new share to be exposed by SMB.\ Ensure the SMB cluster is joined to the Active Directory. For details, see [#join-smb-cluster-in-a-d](#join-smb-cluster-in-a-d "mention"). {% code overflow="wrap" %} ``` weka smb share add

[--description description] [--internal-path internal-path] [--file-create-mask file-create-mask] [--directory-create-mask directory-create-mask] [--acl acl] [--map-acls map-acls] [--case-sensitivity case-sensitivity] [--obs-direct obs-direct] [--encryption encryption] [--read-only read-only] [--user-list-type user-list-type] [--allow-guest-access allow-guest-access] [--enable-ADS enable-ADS] [--hidden hidden] [--vfs-zerocopy-read vfs-zerocopy-read] [--users users]... ``` {% endcode %} {% hint style="info" %} The mount mode for the SMB share is `readcache` and cannot be modified. {% endhint %} **Parameters**

Name	Value	Default
`share-name`*	A unique name of the share to add to the filesystem. The share name must adhere to the following rules: Alphanumeric characters: A-Z, a-z, 0-9. Maximum length: 80 characters. Allowed special characters: hyphens (`-`) and underscores (`_`). Prohibited special characters: space ( ), backslash (`\`), slash (/), colon (`:`), semicolon (`;`). Prohibited control characters: 0x00 through 0x1F. No reserved names: Avoid using reserved names such as CON, PRN, AUX, NUL, COM1, LPT1. They may cause conflicts. SMB-W: Do not create the same share name with different case insensitivity.
`fs-name`*	Valid name of the filesystem to share. A filesystem with Required Authentication set to ON cannot be used for SMB share.
`description`	The description of the share received in remote views.
`internal-path`	The internal valid path within the filesystem (relative to its root) which will be exposed.	.
`file-create-mask`	POSIX permissions for the file created through the SMB share. Numeric (octal) notation.	0744
`directory-create-mask`	POSIX permissions for directories created through the SMB share. Numeric (octal) notation. SMB-W: the specified string must be greater or equal to 0600.	0755
`acl`	Enable Windows ACLs on the share (translated to POSIX). Supports up to 16 ACLs per file, depending on the available space in the Extended Attribute (xattr). For details, see #filesystem-extended-attributes-considerations Possible values: `on`, `off` For a MAC client, if `acl` is `off`, set `enable-ADS` to `off`.	`off`
`map-acls`	Specifies the type of access control to use for the share. Options include POSIX, Windows, or Hybrid. Hybrid ACL allows seamless interoperability between POSIX and Windows systems by exchanging permissions based on timestamps. Regardless of the system it originated from, the most recent permission takes precedence.	`POSIX`
`case-sensitivity`	Enables or disables case sensitivity for the specified SMB share. When enabled, the share distinguishes between files with the same name but different capitalization.	`on`
`obs-direct`	A special mount option to bypass the time-based policies. For details, see Broken link Possible values: `on`, `off`	`off`
`encryption`	The share encryption policy. `cluster_default:` The share encryption policy follows the global SMB cluster setting. `desired`: If negotiation is enabled globally, it turns on data encryption for this share for clients that support encryption. `required`: Enforces encryption for the shares. Clients that do not support encryption are denied when accessing the share.	`cluster_default`
`read-only`	Sets the share as read-only. Users cannot create or modify files in this share. Possible values: `on`, `off`	`off`
`user-list-type`	The type of initial permissions list for `users`. Possible values: `read_only`: List of users who have been denied write access to the share, regardless of the `read-only` setting. `read_write`: List of users given write access to the share, regardless of the `read-only` setting. `valid` : List of users that are allowed to log in to this share (empty list = all users are allowed) `invalid`: List of users that are not allowed to log in to this share
`allow-guest-access`	Allows connecting to the SMB service without a password. Permissions are as the `nobody` user account permissions. Possible values: `on`, `off`	`off`
`enable-ADS`	Enables using Alternate Data Streams (ADS) on a specified SMB share. Possible values: `yes`, `no` macOS clients: If ACLs are disabled (`acl=off`), set `enable-ADS` to `off`. Windows clients: When enabled, ADS data is stored in the file’s extended attributes (XAttr), which consumes XAttr space.	`on`
`hidden`	Sets the share as non-browsable. It will be accessible for mounting and IOs but not discoverable by SMB clients. Possible values: `on`, `off`	`off`
`vfs-zerocopy-read`	If supported, enable zero-copy reads. This allows data to transfer directly from disk to application memory without intermediate copying, reducing CPU usage and latency and enhancing throughput and efficiency for large file access. Possible values: `on`, `off`.	`on`
`users`	A list of users to use with the `user-list-type` list. Format: Domain short name followed by group name, for example `WEKAAD\internalShareUsers` Possible values: Up to 8 users/groups for all lists combined per share.	Empty list

### Guidelines for adding an SMB share * **Adding SMB shares:** * Example commands: ```bash weka smb share add rootShare default weka smb share add internalShare default --internal-path some/dir --description "Exposed share" ``` The first command creates a root SMB share for the `default` filesystem. The second command creates an internal SMB share for the `default` filesystem with a specified subdirectory and description. * **Custom SMB library options:** For configuring SMB shares with specific library options, contact the Customer Success Team. * **Setting share permissions:** After adding an SMB share, configure POSIX permissions to grant SMB users access.\ **Examples:** * Grant full access: ```bash mount -t wekafs smbw-fs /mnt/smbw chmod 777 /mnt/smbw umount /mnt/smbw ``` * Assign group ownership: ```bash mount -t wekafs smbw-fs /mnt/smbw chown :smb-group /mnt/smbw umount /mnt/smbw ``` For more details, see [#filesystem-permissions-and-access-rights-configuration](https://docs.weka.io/additional-protocols/smb-support/..#filesystem-permissions-and-access-rights-configuration "mention"). ## Update SMB shares **Command:** `weka smb share update` Use the following command line to update an existing share: `weka smb share update [--encryption encryption] [--read-only read-only] [--allow-guest-access allow-guest-access] [--hidden hidden]` **Parameters**

Name	Value
`share-id`*	A valid share ID to update.
`encryption`	The share encryption policy. `cluster_default:` The share encryption policy follows the global SMB cluster setting. `desired`: If negotiation is enabled globally, it turns on data encryption for this share for clients that support encryption. `required`: Enforces encryption for the shares. Clients that do not support encryption are denied when accessing the share. If the global option is `disabled`, access is restricted to these shares for all clients.
`read-only`	Sets the share as read-only. Users cannot create or modify files in this share. Possible values: `on`, `off`
`allow-guest-access`	Allows connecting to the SMB service without a password. Permissions are as the `nobody` user account permissions. Possible values: `on`, `off`
`hidden`	Sets the share as non-browsable. It will be accessible for mounting and IOs but not discoverable by SMB clients. Possible values: `on`, `off`

## **Control SMB share user-lists** **Command:** `weka smb share list show` Use this command to view the various user-list settings. **Command:** `weka smb share list add` Use the following command line to add users to a share user-list: `weka smb share list add

<--users users>...` **Parameters**

Name	Value
`share-id`*	The ID of the share to update.
`user-list-type`*	The type of permissions list for `users`: `read_only`: list of users that do not get write access to the SMB share, regardless of the `read-only` setting. `read_write`: list of users get write access to the SMB share, regardless of the `read-only` setting. `valid`: list of users allowed to log in to this SMB share service (an empty list means all users are allowed). `invalid`: list of users that are not allowed to log in to this share SMB service.
`users`*	A comma-separated list of users to add to the `user-list-type` list. Can use the `@` notation to allow groups of users. For example, `root, Jack, @domain\admins.` You can set up to 8 users/groups for all lists combined per share.

*** **Command:** `weka smb share list remove` Use the following command line to remove users from a share user-list: `weka smb share list remove

<--users users>...` **Parameters**

Name	Value
`share-id`*	The ID of the share to be updated.
`user-list-type`*	The type of permissions list for `users`: `read_only`: list of users that do not get write access to the SMB share, regardless of the `read-only` setting. `read_write`: list of users get write access to the SMB share, regardless of the `read-only` setting. `valid`: list of users allowed to log in to this SMB share service (an empty list means all users are allowed). `invalid`: list of users not allowed to log in to this SMB share service.
`users`*	A comma-separated list of users to remove from the `user-list-type` list. Can use the `@` notation to allow groups of users, e.g. `root, Jack, @domain\admins.` You can set up to 8 users/groups for all lists combined per share.

*** **Command:** `weka smb share list reset` Use the following command line to remove all users from a share user-list: `weka smb share list reset

` **Parameters**

Name Value

share-id* The ID of the share to be updated

user-list-type* The type of permissions list to reset:

read_only: list of users that do not get write access to the SMB share, regardless of the read-only setting.

read_write: list of users get write access to the SMB share, regardless of the read-only setting.

valid: list of users allowed to log in to this SMB share service (an empty list means all users are allowed).

invalid: list of users not allowed to log in to this SMB share service.

Name	Value
`share-id`*	The ID of the share to be updated
`user-list-type`*	The type of permissions list to reset: `read_only`: list of users that do not get write access to the SMB share, regardless of the `read-only` setting. `read_write`: list of users get write access to the SMB share, regardless of the `read-only` setting. `valid`: list of users allowed to log in to this SMB share service (an empty list means all users are allowed). `invalid`: list of users not allowed to log in to this SMB share service.

## Remove SMB shares **Command:** `weka smb share remove` Use the following command line to remove a share exposed to SMB: `weka smb share remove ` **Parameters**

Name	Value
`share-id`*	The ID of the share to remove.

{% hint style="success" %} **Example:** The following is an example of removing an SMB share defined as ID 1: `weka smb share remove 1` {% endhint %} ## Control SMB access based on hosts' IP/name You can control which hosts are permitted to access the SMB share. The maximum number of share host access definitions across all shares is 1024. {% hint style="info" %} SMB-W supports access based on the host IP addresses (but not host names). {% endhint %} **Command:** `weka smb share host-access list` Use this command to view the various host access settings. **Command:** `weka smb share host-access add` Use the following command line to add a host to the allow/deny list: `weka smb share host-access add <--ips ips> <--hosts hosts>` **Parameters**

Name	Value
`share-id`*	The ID of the share to update. Mandatory for the share-level command.
`mode`*	The access mode of the host. Possible values: `allow`, `deny`
`ips`	A comma-separated list of host IP addresses to allow or deny. Must provide at least one of the IP addresses. Format example for multiple IPs: `192.` `192.168.` `192.168.1` `192.168.1.1/24` `192.168.1.2, 192.168.1.2`
`hosts`	Host names to allow/deny. You must provide at least one of the hostnames Separate host names with spaces. In SMB-W, use the `ips` parameter instead of `hosts`.

**Command:** `weka smb share host-access remove` Use the following command line to remove hosts from the allow or deny list. `weka smb share host-access remove ` **Parameters**

Name Value

share-id* The ID of the share to update.
Mandatory for the share-level command.

hosts*

A list of hostnames you want to remove from access.

Separate host names with spaces.
Use the IP addresses displayed under the HOST column when running the corresponding list command.

**Command:** `weka smb share host-access reset` Use the following command line to remove all hosts from the allow or deny list: `weka smb share host-access reset ` **Parameters**

Name Value

share-id* The ID of the share to update.
Mandatory for the share-level command.

mode*

The specified access mode will remove all associated hosts from the list.

Possible values: allow, deny.

[^1]: **Control characters** are non-printable characters used to manage the flow of text and commands, such as starting a new line, triggering alerts, or formatting text. They do not represent visible symbols and are typically not allowed in filenames or share names.