HP CIFS Client A.02.02.03 Administrator's Guide
3 CIFS Security and Authentication
This chapter describes CIFS security and the authentication methods the HP CIFS Client supports: Windows
NT LanManager (NTLM), NTLMv2 and Kerberos. It contains the following sections:
• “Introduction” (page 22).
• “User Login Procedures” (page 23).
• “Introduction To Kerberos” (page 24).
• “Using Kerberos with the HP CIFS Client” (page 24).
• “CIFS Client Kerberos Authentication Policies” (page 26).
• “Packet Signing” (page 27).
Introduction
One of the important characteristics of the CIFS file-sharing protocol is its security model. Before
a user on a CIFS client can access the mountpoint of a CIFS server, the user must be authenticated
by the server (the user must log in to the server). Four login methods are available; they are explained
in the following pages. Restrictions at the file or directory level on the server's filesystem are also
enforced by the server.
Authentication Methods
The HP CIFS Client supports two authentication protocols. These protocols are configured on a
global or server specific basis in the CIFS Client configuration file by the system administrator:
• Windows NT LanManager (NTLM) and NTLMv2: NTLM is a challenge-response protocol. The
server sends a challenge key to the client which the client returns to the server encrypted with
the user's password. The server performs the same encryption and verifies that the client's
request matches. No semblance of the user's password is transmitted over the network. The
HP CIFS Client supports NTLM and NTLM version 2 (NTLMv2). NTLMv2 uses the same
challenge-response protocol, but it additionally provides more sophisticated encryption
algorithms than NTLM, and hence better password protection.
• Kerberos: Kerberos is a distributed authentication service that allows a client running on behalf
of a user to prove its identity to an application server without sending data across the network
that might allow an attacker to subsequently impersonate the user. Kerberos is a secure,
industry standard authentication protocol that provides significant improvements over the NTLM
protocol.
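The following is an added illustration of the challenge-response exchange described above; it is not code from the HP CIFS Client or from this guide. It uses HMAC-SHA256 over a password-derived secret as a stand-in for NTLM's actual hash and cipher constructions (an assumption made for clarity), so what it shows is the shape of the protocol: the server issues a fresh challenge, the client returns a keyed function of it, the server recomputes with its stored secret and compares, and the password itself is never sent. It also shows why the challenge must be fresh for every login: a response captured from one exchange does not verify against the next challenge.

```python
import hashlib
import hmac
import secrets

# Constructed example of the challenge-response pattern the guide describes
# for NTLM. HMAC-SHA256 over a password-derived secret stands in for NTLM's
# real DES/MD4 construction (assumption); the exchange structure is the point.


def password_secret(password: str) -> bytes:
    """Derive the per-user secret from the password (stand-in for the NT hash).

    The server stores this value; the client derives it locally at login time.
    """
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def new_challenge() -> bytes:
    """Server side: an unpredictable 8-byte challenge for each login attempt."""
    return secrets.token_bytes(8)


def client_response(password: str, challenge: bytes) -> bytes:
    """Client side: keyed response over the challenge.

    Only this value crosses the network; the password does not.
    """
    return hmac.new(password_secret(password), challenge, hashlib.sha256).digest()


def server_verify(stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the response with the stored secret and compare.

    compare_digest avoids leaking where the two values first differ.
    """
    expected = hmac.new(stored_secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def simulate_login(password_on_server: str, password_typed: str) -> bool:
    """One full exchange: server challenge -> client response -> server verify."""
    challenge = new_challenge()
    response = client_response(password_typed, challenge)
    return server_verify(password_secret(password_on_server), challenge, response)


def replay_is_rejected(password: str) -> bool:
    """Show that a response captured in one exchange fails against a fresh challenge.

    This is the property that makes the fresh, random challenge essential.
    """
    first_challenge = new_challenge()
    captured_response = client_response(password, first_challenge)
    second_challenge = new_challenge()
    return not server_verify(password_secret(password), second_challenge, captured_response)


if __name__ == "__main__":
    print("correct password accepted:", simulate_login("s3cret", "s3cret"))
    print("wrong password rejected:  ", not simulate_login("s3cret", "guess"))
    print("replayed response rejected:", replay_is_rejected("s3cret"))
```

The design choice worth noting is that the server never needs the cleartext password at verification time, only the stored secret, and that each verification is bound to a challenge the server chose. This is the property NTLMv2 preserves while replacing the weaker keyed functions of NTLM, which is the "better password protection" the guide refers to.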
Configuration Settings For Authentication
The configuration parameters authenticationMethod and ntlmEncryptionVersion are
specified globally, in the server section of the HP CIFS Client configuration file. They can also be
set in the user-defined or server-specific section of the configuration file, see the Server-Specific
configuration section below. These parameters are used to select which mechanisms are used by
the CIFS Client to authenticate users to CIFS servers.
Legal entries for the authenticationMethod parameter are ntlm or kerberos. The default
value of this parameter is ntlm. If you wish to use Kerberos, the configuration setting is:
authenticationMethod = kerberos;
In this case, the CIFS Client requests the use of Kerberos when negotiating an initial connection
with the CIFS Server. If the server's response is affirmative, only Kerberos is used for authenticating
users to this server; otherwise NTLM is used. If the NTLM protocol is used, the CIFS Client determines
which NTLM version to use based on the ntlmEncryptionVersion configuration.
22 CIFS Security and Authentication