HP CIFS Client A.02.02 Administrator's Guide
CIFS Security and Authentication
Introduction
One of the important characteristics of the CIFS file-sharing protocol is its
security model. Before a user on a CIFS client can access the mountpoint of a
CIFS server, the user must be authenticated by the server (the user must
log in to the server). Four login methods are available; they are explained in
the following pages. Restrictions at the file or directory level on the server’s
filesystem are also enforced by the server.
Authentication Methods
The HP CIFS Client supports two authentication protocols. These
protocols are configured on a global or server-specific basis in the CIFS
Client configuration file by the system administrator:
• Windows NT LanManager (NTLM) and NTLMv2
NTLM is a challenge-response protocol. The server sends a challenge
key to the client, which the client returns to the server encrypted
with the user’s password. The server performs the same encryption
and verifies that its result matches what the client returned. No
semblance of the user’s password is transmitted over the network.
The HP CIFS Client supports NTLM and NTLM version 2 (NTLMv2).
NTLMv2 uses the same challenge-response protocol, but it uses more
sophisticated encryption algorithms than NTLM and hence provides
better password protection.
• Kerberos
Kerberos is a distributed authentication service that allows a client
running on behalf of a user to prove its identity to an application
server without sending data across the network that might allow an
attacker to subsequently impersonate the user. Kerberos is a secure,
industry standard authentication protocol that provides significant
improvements over the NTLM protocol.
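The NTLMv2 challenge-response exchange described in the NTLM item above, shown from both the client and the server side. This is an added example, not code from HP or the HP CIFS Client. It assumes a constructed account, takes the NT hash for the password "Password" from the published MS-NLMP test vectors, and simplifies the client blob to a bare nonce; the function names are hypothetical.

```python
import hmac
import os

# Constructed sample account. NT_HASH is the NT hash (MD4 of the UTF-16LE
# password) for the password "Password", as published in the MS-NLMP test
# vectors; it is taken as given because MD4 is often disabled in hashlib.
USER, DOMAIN = "User", "Domain"
NT_HASH = bytes.fromhex("a4f49c406510bdcab6824ee7c30fd852")

def ntowf_v2(nt_hash, user, domain):
    """NTLMv2 key: HMAC-MD5, keyed with the NT hash, over UPPER(user)+domain."""
    ident = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, ident, "md5").digest()

def client_response(nt_hash, user, domain, server_challenge, blob):
    """Client: key the server challenge and its own blob with the NTLMv2 key."""
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, "md5").digest()
    return proof + blob  # 16-byte proof, then the blob the server needs

def server_verify(stored_nt_hash, user, domain, server_challenge, response):
    """Server: redo the computation from its stored hash and compare."""
    proof, blob = response[:16], response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, "md5").digest()
    return hmac.compare_digest(proof, expected)

def demo():
    challenge = os.urandom(8)  # server's 8-byte challenge
    blob = os.urandom(8)       # simplified: only a client nonce (assumption)
    good = client_response(NT_HASH, USER, DOMAIN, challenge, blob)
    bad = client_response(bytes(16), USER, DOMAIN, challenge, blob)  # wrong password
    return {
        "correct_password": server_verify(NT_HASH, USER, DOMAIN, challenge, good),
        "wrong_password": server_verify(NT_HASH, USER, DOMAIN, challenge, bad),
        # A captured response fails against a fresh challenge.
        "replayed": server_verify(NT_HASH, USER, DOMAIN, os.urandom(8), good),
    }

if __name__ == "__main__":
    print(demo())
```

Only the 16-byte proof and the blob cross the network; the password and the NT hash stay on each side. The real NTLMv2 blob also carries a timestamp and target information, which this example omits.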
Configuration Settings For Authentication
The configuration parameters authenticationMethod and
ntlmEncryptionVersion are specified globally, in the server section of
the HP CIFS Client configuration file. They can also be set in the
user-defined or server-specific section of the configuration file, see the