HP CIFS Client A.01.09 Administrator's Guide, August 2003
CIFS Security and Authentication
Introduction
One of the important characteristics of the CIFS file-sharing protocol is its
security model. Before a user on a CIFS client can access a mountpoint of
a CIFS server, the user must be authenticated by the server (the user must
log in to the server). Four login methods are available; they are explained in
the following pages. Restrictions at the file or directory level on the server's
filesystem are also enforced by the server, but only after the user has been
authenticated.
In contrast, NFS relies solely upon file and directory level permissions on
the server's filesystem, in conjunction with the user's UNIX uid, which the
server takes on trust from the client rather than verifying.
Authentication Protocols
The CIFS Client supports two authentication protocols. These protocols
are configured on a global or server-specific basis in the CIFS Client
configuration file (/etc/opt/cifsclient/cifsclient.cfg) by the system
administrator:
• Windows NT LanManager (NTLM)
NTLM is a challenge-response protocol. The server sends a random
challenge to the client; the client returns a response computed from
that challenge and a key derived from the user's password, and the
server recomputes the same value from its stored copy of the password
hash and compares the two. Neither the password nor its hash is
transmitted over the network. A captured challenge and response can,
however, be tested against password guesses offline, so NTLM is only
as strong as the password behind it.
• Kerberos
Kerberos is a distributed authentication service that lets a client
acting on behalf of a user prove its identity to an application
server without sending data across the network that would allow an
attacker to subsequently impersonate the user. Kerberos is an
industry-standard authentication protocol and provides significant
improvements over NTLM, among them mutual authentication (the server
proves its identity to the client as well) and a ticket that, once
obtained, can be reused for other Kerberos-aware services.
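The following Python is an added example, not code from the HP CIFS Client or from this guide. It models the NTLM exchange described under the NTLM bullet above in its NTLMv2 form: the server holds only NT hashes, issues a fresh 8-byte challenge for each login, and recomputes the expected HMAC-MD5 response from its stored hash; the client answers with the response and a blob laid out as in MS-NLMP. It also shows the caveat that matters in practice: nothing password-like crosses the wire, yet one captured exchange is enough to test password guesses offline. The MD4 routine is written out because hashlib does not always provide it; the domain name, account, password and word list are constructed for the demonstration and are not taken from the guide.

```python
"""NTLMv2 challenge/response model (added example, not HP CIFS Client code).

Standard library only. MD4 is written out because hashlib may lack it on
OpenSSL 3 builds; the domain, accounts, passwords and word list used
here are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import struct
import time

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE password."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                              # round 1
            t = (a + F(b, c, d) + X[i]) & MASK
            a, b, c, d = d, rotl(t, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                              # round 2
            t = (a + G(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK
            a, b, c, d = d, rotl(t, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                              # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            t = (a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK
            a, b, c, d = d, rotl(t, (3, 9, 11, 15)[i % 4]), b, c
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: what the server stores instead of the password."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain in UTF-16LE)."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob)."""
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def client_blob(client_challenge: bytes, target_info: bytes = b"") -> bytes:
    """MS-NLMP 'temp' layout: RespType, HiRespType, 6 zero bytes, FILETIME,
    8-byte client challenge, 4 zero bytes, AV_PAIR list, 4 zero bytes."""
    filetime = (int(time.time()) + 11644473600) * 10_000_000   # 1601-based, 100 ns units
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


class CifsServer:
    """Server side: keeps NT hashes only and accepts each challenge once."""

    def __init__(self, domain: str, accounts: dict):
        self.domain = domain
        self.hashes = {u: nt_hash(p) for u, p in accounts.items()}
        self.pending = set()

    def challenge(self) -> bytes:
        c = os.urandom(8)                                # fresh nonce per login
        self.pending.add(c)
        return c

    def verify(self, user: str, c: bytes, blob: bytes, proof: bytes) -> bool:
        if c not in self.pending:
            return False                                 # unknown or already-used challenge
        self.pending.discard(c)
        nt = self.hashes.get(user)
        if nt is None:
            return False
        expected = ntlmv2_response(ntlmv2_key(nt, user, self.domain), c, blob)
        return hmac.compare_digest(expected, proof)      # constant-time comparison


def client_login(server: CifsServer, user: str, domain: str, password: str) -> tuple:
    """Client side: request a challenge and answer it; returns what crosses the wire."""
    c = server.challenge()
    blob = client_blob(os.urandom(8))
    proof = ntlmv2_response(ntlmv2_key(nt_hash(password), user, domain), c, blob)
    return user, c, blob, proof


def offline_guess(wire, domain, wordlist):
    """What a sniffer can do with one captured exchange: test guesses offline."""
    user, c, blob, proof = wire
    for guess in wordlist:
        if ntlmv2_response(ntlmv2_key(nt_hash(guess), user, domain), c, blob) == proof:
            return guess
    return None


if __name__ == "__main__":
    srv = CifsServer("HPDOM", {"alice": "Wint3r-Pass!"})      # constructed account
    wire = client_login(srv, "alice", "HPDOM", "Wint3r-Pass!")
    print("login accepted:", srv.verify(*wire))
    print("replay accepted:", srv.verify(*wire))
    print("offline guess:", offline_guess(wire, "HPDOM", ["password", "Wint3r-Pass!"]))
```

The server never sees or stores the password, and a recorded exchange cannot be replayed because each challenge is accepted once; but `offline_guess` needs no further contact with the server, which is why password quality and, where the server supports it, Kerberos are the real defences.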