Home > Storage > PowerScale (Isilon) > Industry Solutions and Verticals > Media and Entertainment > PowerScale OneFS: macOS Client Performance and User Experience Optimization > SMB signing
Packet signing increases the security of SMB connections by helping prevent man-in-the-middle attacks. Essentially, a digital signature attached to each packet helps the client system confirm that data has not been tampered with while in transit.
Packet signing is enabled by default in OneFS and is also the default behavior for SMB2 and SMB3 connections on macOS versions 10.11.5 through 10.13.3. Later versions of Apple’s documentation leave doubt as to when SMB signing is enabled. This archived KB article HT205926 states:
Packet signing for SMB 2 or SMB 3 connections turns on automatically when needed if the server offers it.
The extra overhead of packet signing can cause significant performance degradation on the latency-sensitive, high-performance workloads common to PowerScale OneFS. The security risks posed by man-in-the-middle attacks need to be assessed for each environment. When possible, it is recommended that these workflows take place on private, secure networks, and that packet signing is disabled on the macOS client.
Testing for this paper showed that SMB signing was automatically enabled on the macOS client when connecting to a native Apple file server. SMB signing did not get enabled automatically when connecting to PowerScale OneFS (which also offers SMB signing).
Given the inconsistent nature of the SMB signing behavior in macOS, it is recommended to manually disable the feature using the /etc/nsmb.conf file.
Apple outlines disabling SMB signing in the support article Turn off packet signing for SMB 2 and SMB 3 connections.
To disable SMB signing on macOS, add the following entry to /etc/nsmb.conf:
signing_required=no
After updating /etc/nsmb.conf, unmount and remount SMB shares from the macOS system for the changes to take effect.