NetApp

ONTAP SMB Encryption and LDAPS Hardening Runbook

Scope

This runbook combines two common hardening changes: requiring SMB encryption for CIFS traffic and enabling secure LDAP behavior for name-service integration. NetApp documents the CIFS security settings, including -is-smb-encryption-required, under the vserver cifs security modify command, and LDAP client creation with its LDAPS options under the vserver services name-service ldap client create command.

Prechecks

vserver cifs security show -vserver svm_cifs01
vserver cifs show -vserver svm_cifs01
vserver services name-service ldap client show -vserver svm_cifs01
security certificate show
vserver services name-service ns-switch show -vserver svm_cifs01

Confirm:

Area                 Requirement
SMB clients          Support SMB encryption if it will be required
Application access   Owners approve any legacy client impact
Certificates         Correct CA chain installed for LDAPS or StartTLS
LDAP servers         Reachable and configured for secure bind
Rollback             Previous CIFS and LDAP settings captured

CLI Process: SMB Encryption

Show current setting:

vserver cifs security show -vserver svm_cifs01 -fields is-smb-encryption-required

Require encryption:

vserver cifs security modify \
  -vserver svm_cifs01 \
  -is-smb-encryption-required true

Validate:

vserver cifs security show -vserver svm_cifs01
cifs session show -vserver svm_cifs01

CLI Process: LDAPS

Create or update an LDAP client configuration with secure settings according to your directory standard:

vserver services name-service ldap client create \
  -vserver svm_cifs01 \
  -client-config corp_ldaps \
  -ldap-servers ldap01.example.com,ldap02.example.com \
  -ad-domain example.com \
  -ldaps-enabled true

Apply it:

vserver services name-service ldap create \
  -vserver svm_cifs01 \
  -client-config corp_ldaps

Validate name lookup and authentication behavior with application owners.

REST API Process

Discover CIFS security state:

curl -k -u admin:'<password>' \
  "https://cluster.example.com/api/protocols/cifs/services?svm.name=svm_cifs01&fields=svm,name,enabled,security"

Patch SMB security where supported by your ONTAP release:

curl -k -u admin:'<password>' \
  -X PATCH \
  "https://cluster.example.com/api/protocols/cifs/services/<cifs_service_uuid>" \
  -H "Content-Type: application/json" \
  -d '{ "security": { "smb_encryption": true } }'

Discover LDAP configuration:

curl -k -u admin:'<password>' \
  "https://cluster.example.com/api/name-services/ldap?svm.name=svm_cifs01&fields=*"

If your release does not expose the exact hardening field through native REST, use CLI for the change and REST for evidence. Security automation should be release-tested before production use.

Best Practices

Backout

vserver cifs security modify -vserver svm_cifs01 -is-smb-encryption-required false

For LDAPS, restore the previous LDAP client configuration captured during prechecks.
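The REST section above says to use REST for evidence, and the prechecks and backout steps both depend on capturing the previous CIFS and LDAP settings before the change. The script below is an added example, not NetApp code or part of ONTAP: it evaluates the two GET responses from the REST section for the two hardening settings, keeps a minimal pre-change snapshot, and derives the exact backout bodies from that snapshot. The REST field names (security.smb_encryption on /api/protocols/cifs/services; ldaps_enabled and use_start_tls on /api/name-services/ldap) are assumptions taken from the ONTAP REST reference and, as the runbook says, must be confirmed against your release. The fetch helper verifies the cluster certificate against a supplied CA bundle instead of using curl -k; the demo itself runs on constructed records so it works offline.

```python
"""Evidence and backout helpers for the REST checks in this runbook.

Added example, not NetApp code or part of ONTAP. Field names
(security.smb_encryption on /api/protocols/cifs/services; ldaps_enabled and
use_start_tls on /api/name-services/ldap) are assumed from the ONTAP REST
reference and must be confirmed against your release.
"""
import json
import ssl
import urllib.request
from base64 import b64encode

# Cluster hostname taken from the runbook's curl examples (placeholder).
CLUSTER = "https://cluster.example.com"


def fetch(path, user, password, cafile):
    """GET a REST path with certificate verification against a known CA.

    Replaces 'curl -k' for evidence collection; cafile is the PEM bundle
    that signed the cluster certificate. Not called by the offline demo below.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(CLUSTER + path)
    token = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def evaluate_cifs(record):
    """Findings for one CIFS service record: SMB encryption must be required."""
    findings = []
    if record.get("security", {}).get("smb_encryption") is not True:
        findings.append("SMB encryption not required (security.smb_encryption is not true)")
    return findings


def evaluate_ldap(record):
    """Findings for one LDAP record: binds must be protected by LDAPS or StartTLS."""
    findings = []
    if record.get("ldaps_enabled") is not True and record.get("use_start_tls") is not True:
        findings.append("LDAP transport unprotected (neither ldaps_enabled nor use_start_tls is true)")
    return findings


def audit(cifs_payload, ldap_payload):
    """Map each SVM name to its findings across both collections; [] means compliant."""
    report = {}
    for rec in cifs_payload.get("records", []):
        name = rec.get("svm", {}).get("name", "?")
        report.setdefault(name, []).extend(evaluate_cifs(rec))
    for rec in ldap_payload.get("records", []):
        name = rec.get("svm", {}).get("name", "?")
        report.setdefault(name, []).extend(evaluate_ldap(rec))
    return report


def capture_snapshot(cifs_record, ldap_record):
    """Keep only the settings this runbook changes (the precheck table's rollback row)."""
    return {
        "svm": cifs_record.get("svm", {}).get("name"),
        "smb_encryption": cifs_record.get("security", {}).get("smb_encryption"),
        "ldaps_enabled": ldap_record.get("ldaps_enabled"),
        "use_start_tls": ldap_record.get("use_start_tls"),
    }


def rollback_bodies(snapshot):
    """PATCH bodies that put both settings back exactly as captured (the backout step)."""
    return {
        "cifs": {"security": {"smb_encryption": snapshot["smb_encryption"]}},
        "ldap": {"ldaps_enabled": snapshot["ldaps_enabled"],
                 "use_start_tls": snapshot["use_start_tls"]},
    }


# Constructed sample responses shaped like the two GETs in the runbook (not real output).
SAMPLE_CIFS = {"records": [{
    "svm": {"name": "svm_cifs01"}, "name": "CIFS01", "enabled": True,
    "security": {"smb_encryption": False, "smb_signing": False}}]}
SAMPLE_LDAP = {"records": [{
    "svm": {"name": "svm_cifs01"},
    "servers": ["ldap01.example.com", "ldap02.example.com"],
    "ad_domain": "example.com", "ldaps_enabled": False, "use_start_tls": False}]}


if __name__ == "__main__":
    snapshot = capture_snapshot(SAMPLE_CIFS["records"][0], SAMPLE_LDAP["records"][0])
    print("pre-change snapshot:", json.dumps(snapshot))
    for svm, findings in audit(SAMPLE_CIFS, SAMPLE_LDAP).items():
        print(f"{svm}: {'FAIL' if findings else 'PASS'}")
        for finding in findings:
            print("  -", finding)
    print("backout bodies:", json.dumps(rollback_bodies(snapshot)))
```

Run the snapshot and audit before the CLI change, re-run the audit afterwards as the evidence record, and keep the snapshot alongside the change ticket so the backout bodies are derived from what was actually captured rather than retyped.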
