HP CIFS Server 3.0g Administrator's Guide version A.02.03.01
The value 0x00080000 means to permit only NTLMv2 session security. If either
the NtlmMinClientSec or NtlmMinServerSec option is set to 0x00080000, the connection
fails if NTLMv2 session security is not negotiated.
You can also use the Lightweight Directory Access Protocol (LDAP) for authentication. To prevent
plain text password transfer with LDAP directories, you can configure Secure Socket Layer (SSL)
on your systems and enable HP CIFS Server with SSL. For detailed information on how to enable
SSL communication over LDAP, see Chapter 6 “LDAP Integration Support”.
The HP CIFS Server accepts the highly secure Kerberos tickets for Windows 2000 Active Directory
configurations.
Protecting Sensitive Configuration Files
The default permissions for HP CIFS Server configuration files have been carefully selected to
ensure security while providing appropriate accessibility. However, you also need to protect
these configuration files from unauthorized access. Be especially careful if you decide to locate
them in alternative directories.
Table 6-1 describes a list of commonly used configuration files and their default locations. There
are also many smb.conf configuration parameters that permit alternate locations for these
files, and many parameters that result in additional configuration files or scripts controlling
run-time actions, which are not listed here.
Table 10-1 Configuration Files

Configuration File                 Description
/etc/opt/samba/smb.conf            Master configuration file
/var/opt/samba/log.*               Log files
/var/opt/samba/locks/*.tdb         Database files containing important internal run-time information
/var/opt/samba/locks/*.dat         Data files containing system name and addresses
/var/opt/samba/locks/*.pid         Master daemon process ID files used for starting, stopping, and clustering scripts
/var/opt/samba/private/*.tdb       Database files containing important internal run-time information
/var/opt/samba/private/smbpasswd   Data file containing user name and password information
/var/opt/samba/private/passdb.tdb  Data file containing user name and password information
You need to be aware that the smbpasswd -w command stores the LDAP administrator's user name
and password in the /var/opt/samba/private/secrets.tdb file in plain text.
Using %m Name Replacement Macro With Caution
The NetBIOS name of remote clients is substituted into the "%m" macro wherever it occurs in the
smb.conf configuration file. The use of contrived NetBIOS names may result in Samba using a
file path outside of the intended Samba directories. This can be used to cause Samba to append
data to important system files, which in turn can be used to compromise security on the server.
An immediate fix is to edit your smb.conf configuration file and remove all occurrences of the
macro "%m". Depending on the requirements of each site, other smb.conf macros may be suitable
replacements.
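The following audit script is an added example, not part of the HP guide or the CIFS Server product. It checks the two points above: it lists the non-comment smb.conf lines that still use the "%m" macro, and it reports which of the password and secrets files from Table 10-1 grant any group or other permission. The file paths are the defaults from the table; it parses ls -l output rather than GNU stat so that it also runs under the HP-UX /bin/sh.

```shell
#!/bin/sh
# Added audit helper (example code, not from the HP guide).
# (1) find_m_macro: list smb.conf lines that still use the %m macro.
# (2) audit_private_dir: flag Table 10-1 credential files with group/other bits.

# Print each non-comment line of $1 that contains "%m".
# Returns 0 when the file is clean, 1 when at least one occurrence was found.
find_m_macro() {
    hits=$(grep -n '%m' "$1" | grep -v '^[0-9][0-9]*:[[:space:]]*[#;]' || :)
    [ -z "$hits" ] && return 0
    printf '%s still uses %%m:\n%s\n' "$1" "$hits"
    return 1
}

# Return 0 if $1 is a regular file whose group/other permission bits are all
# clear (e.g. -rw-------), 1 otherwise. Columns 5-10 of ls -l are those bits.
is_owner_only() {
    [ -f "$1" ] || return 1
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Audit the credential files from Table 10-1 (plus secrets.tdb, which holds the
# LDAP administrator password) under $1, default /var/opt/samba/private.
# Returns the number of files that are too permissive.
audit_private_dir() {
    dir=${1:-/var/opt/samba/private}
    bad=0
    for f in "$dir/smbpasswd" "$dir/passdb.tdb" "$dir/secrets.tdb"; do
        [ -e "$f" ] || continue        # not every site uses both passdb backends
        if is_owner_only "$f"; then
            printf 'ok   %s\n' "$f"
        else
            printf 'WEAK %s (%s)\n' "$f" "$(ls -ld "$f" | cut -c1-10)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Stand-alone usage: ./audit.sh --run audits the live configuration.
if [ "${1:-}" = "--run" ]; then
    find_m_macro /etc/opt/samba/smb.conf
    audit_private_dir
fi
```

A non-zero exit from either function is the signal to act: remove the "%m" occurrences, or tighten the reported file to owner-only access.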
Security Protection Methods 151