Update 2020-06-28: This is no longer required on macOS 10.15 Catalina.

Update 2017-02-09: Added details on how to disable signing on a mac that is serving SMB shares.



Update 2017-01-27: Added details on how to verify signing is on/off.



Update 2016-11-29: Added the instructions to reverse the change, for those that have issues with SMB servers requiring signing.



Update 2016-10-05: After a comment suggesting that it wasn’t working on macOS Sierra, I tested it on a fresh Sierra installation and got similar performance improvements. It works.

The Issue

After recently upgrading to OS X 10.11.5, I noticed some SMB file transfers were taking a lot longer than usual. Instead of the normal 100MB/sec transfer speeds I typically see between my Macbook Pro and my Synology NAS on a gigabit (wired) network, I was seeing something closer to 30MB/sec.

Turns out I’m not the only one with this issue. Searching Google for “10.11.5 slow smb” returns pages full of results of people reporting the same issue. Most of them say “switch to AFP and the problem goes away.” That’s nice but I specifically use SMB because I have a share that’s accessed by Linux, Mac, and Windows - and so SMB is the right solution to keep file naming consistent.

The issue seems to come down to Apple’s SMB forcing default enabling of “client signing” which ruins performance.

One smart person (or conspiracy theorist) guesses that this was a change made by Apple based on the Badlock SMB issue in order to mitigate Man-In-The-Middle attacks. Regardless of the reason, it’s a really shitty thing to do to break transfer speeds on a well used protocol without at least acknowledging the problem or suggesting workarounds.

Checking Status of Signing on an SMB Connection

With your share mounted - execute the following command from a Terminal:

smbutil statshares -a

You should get a list of fields for each share you have currently connected. Here are some values to pay attention to:

SMB_VERSION - which SMB protocol version is active.

SIGNING_SUPPORTED - this means the server side supports signing, it does NOT mean signing is on.

SIGNING_ON - if “true” then signing is actually on for this connection.

The Fix (Client)

Buried in one thread on the Apple Discussion Forum is a suggestion to use the /etc/nsmb.conf file to disable client signing on the client end.

[default] signing_required=no

After unmounting & remounting the SMB share, I verified this returns transfer speeds to normal.

You can do this in one single command as follows:

printf "[default]

signing_required=no

" | sudo tee /etc/nsmb.conf >/dev/null

Then unmount and remount any SMB shares.

The Fix (Server)

If your mac is hosting SMB shares, you’ll need to disable it on that end too.

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server SigningRequired -bool FALSE sudo /usr/libexec/smb-sync-preferences

Implications

Client signing does provide additional security, but who’s kidding who - nobody should be running SMB over the internet or on any untrusted network in the first place.

When Won’t This Work?

If your server is set to require SMB signing from clients, then this change will break SMB connectivity, and you will have to either reverse the change or change your SMB server settings. This article covers how to change settings on an macOS server but there are many other types of systems out there capable of serving SMB that all have different configurations.

Reversing The Change (Client)

If the fix is causing other issues or lack of SMB connectivity, and you need to reverse it - simply delete the /etc/nsmb.conf file with this command:

sudo rm /etc/nsmb.conf

By default the file does not exist on a fresh install of OS X/macOS.

Reversing The Change (Server)

To turn signing back on for an SMB server run: