HP CIFS Server Administrator Guide Version A.03.01.03 (5900-2006, October 2011)
Table Of Contents
- HP CIFS Server Administrator Guide Version A.03.01.03
- Contents
- About this document
- 1 Introduction to the HP CIFS Server
- 2 Installing and configuring HP CIFS Server
- HP CIFS Server requirements and limitations
- Step 1: Installing HP CIFS Server software
- Step 2: Running the configuration script
- Step 3: Modify the configuration
- Step 4: Starting HP CIFS Server
- Other Samba configuration issues
- 3 Managing HP-UX file access permissions from Windows NT/XP/2000/Vista/Windows 7
- Introduction
- UNIX file permissions and POSIX ACLs
- Using the Windows NT Explorer GUI to create ACLs
- Using the Windows Vista Explorer GUI to create ACLs
- POSIX ACLs and Windows 2000, Windows XP, Windows Vista, and Windows 7 clients
- HP CIFS Server Directory ACLs and Windows 2000, Windows XP, Windows Vista, and Windows 7 clients
- In conclusion
- 4 Windows style domains
- Introduction
- Configure HP CIFS Server as a PDC
- Configure HP CIFS Server as a BDC
- Domain member server
- Create the Machine Trust Accounts
- Configure domain users
- Join a Windows client to a Samba domain
- Roaming profiles
- Configuring user logon scripts
- Home drive mapping support
- Trust relationships
- 5 Windows 2003 and Windows 2008 domains
- 6 LDAP integration support
- Overview
- Network environments
- Summary of installing and configuring
- Installing and configuring your Directory Server
- Installing LDAP-UX Client Services on an HP CIFS Server
- Configuring the LDAP-UX Client Services
- Enabling Secure Sockets Layer (SSL)
- Extending the Samba subschema into your Directory Server
- Migrating your data to the Directory Server
- Configuring the HP CIFS Server
- Creating Samba users in directory
- Management tools
- 7 Winbind support
- 8 Kerberos support
- 9 HP CIFS deployment models
- Introduction
- Samba Domain Model
- Windows Domain Model
- Unified Domain Model
- 10 Securing HP CIFS Server
- 11 Configuring HA HP CIFS
- 12 HP-UX configuration for HP CIFS
- 13 Tool reference
- Glossary
- Index
make an SMB connection to your host over a PPP interface called 'ppp0', he or she gets a TCP
connection refused reply.
Using a firewall
You can use a firewall to deny access to services that you do not want exposed outside your
network. This is a very good protection method, but keep the methods described above in place
as well: they still protect the server if the firewall is disabled or misconfigured.
When you set up a firewall, you need to know which TCP and UDP ports to allow. The HP CIFS
Server uses the following ports:
UDP/137 - NetBIOS name service, used by nmbd
UDP/138 - NetBIOS datagram service, used by nmbd
TCP/139 - NetBIOS session service (SMB over NetBIOS), used by smbd
TCP/445 - SMB directly over TCP, used by smbd
Port 445 is easy to overlook: many older firewall rule sets cover only the NetBIOS ports, because
SMB directly over TCP/445 was added to the protocol only with Windows 2000. A client that can
reach port 445 does not need port 139 at all, so a rule set that blocks 139 but leaves 445 open
provides no protection.
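The following IPFilter rule set is an added example for this section; it is not part of the HP CIFS Server guide. It assumes the server's LAN interface is lan0 and that the trusted network is 192.168.115.0/24 (the subnet used in this chapter's IPC$ example); adjust both to your site. Rules are evaluated in order and "quick" stops at the first match, so the trailing block rules only catch packets that did not match a pass rule.

```conf
# IPFilter rules: allow the four HP CIFS Server ports from the local
# subnet only and drop (and log) everything else aimed at them.
# Assumed interface: lan0. Assumed trusted network: 192.168.115.0/24.
pass in quick on lan0 proto udp from 192.168.115.0/24 to any port = 137 keep state
pass in quick on lan0 proto udp from 192.168.115.0/24 to any port = 138 keep state
pass in quick on lan0 proto tcp from 192.168.115.0/24 to any port = 139 flags S keep state
pass in quick on lan0 proto tcp from 192.168.115.0/24 to any port = 445 flags S keep state

# Unmatched traffic to the CIFS ports, including port 445, is blocked and logged.
block in log quick on lan0 proto udp from any to any port = 137
block in log quick on lan0 proto udp from any to any port = 138
block in log quick on lan0 proto tcp from any to any port = 139
block in log quick on lan0 proto tcp from any to any port = 445
```

Load the rules with `ipf -Fa -f <rules file>` and confirm with `ipfstat -io` that all four ports, not just 137 through 139, appear in the loaded rule list. Verify from a host outside the subnet that a connection to TCP/445 is refused or times out, not only one to TCP/139.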
Using an IPC$ Share-Based Denial
You can also apply a more specific deny to the IPC$ share. This lets you offer access to other
shares while denying access to the IPC$ share from potentially untrustworthy hosts.
For example, you can configure the IPC$ share as follows:
[ipc$]
hosts allow = 192.168.115.0/24 127.0.0.1
hosts deny = 0.0.0.0/0
This configuration tells the HP CIFS Server not to accept IPC$ connections from anywhere but
the two places listed: the local host and the local subnet. Because the IPC$ share is the only share
that is always accessible anonymously, this provides some protection against attackers who do
not know a valid user name and password for your host.
If you use this method, clients outside the listed addresses receive an access denied reply when
they try to connect to the IPC$ share. Because IPC$ carries share enumeration and other RPC
traffic, those clients cannot browse the share list and might also be unable to access some other
resources.
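Before changing a live server it is worth checking which client addresses the hosts allow and hosts deny lines will actually admit. The script below is an added example, not code from the HP CIFS Server guide or from Samba; it parses a constructed smb.conf containing the [ipc$] stanza above and applies the precedence documented in smb.conf(5): an address matching hosts allow is admitted, otherwise an address matching hosts deny is refused, otherwise access is allowed, and a share without its own setting inherits the [global] one. Only addresses, a.b.c.d/prefix, a.b.c.d/netmask, trailing-dot prefixes and ALL are matched; host names are not resolved, and Samba's documented localhost special case is not modelled.

```python
"""Evaluate Samba 'hosts allow' / 'hosts deny' decisions for an smb.conf.

Added example, not part of the HP CIFS Server guide or of Samba itself.
It re-implements the documented precedence of the two parameters as
described in smb.conf(5); it does not resolve host names and does not
model Samba's special handling of 127.0.0.1.
"""
import ipaddress

# Constructed sample smb.conf; the [ipc$] stanza is the one from the guide.
SAMPLE_SMB_CONF = """
[global]
   workgroup = HPUXDOM
   encrypt passwords = yes

[ipc$]
   hosts allow = 192.168.115.0/24 127.0.0.1
   hosts deny = 0.0.0.0/0

[data]
   path = /export/data
   hosts deny = 203.0.113.0/24
"""


def parse_smb_conf(text):
    """Return {section: {param: value}} with names lower-cased.
    Lines starting with '#' or ';' are comments and are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def host_list(value):
    """Split a hosts allow/deny value on commas, spaces or tabs."""
    return value.replace(",", " ").split()


def entry_matches(entry, addr):
    """Match one list entry against an ip_address: ALL, a plain address,
    a.b.c.d/prefix, a.b.c.d/netmask, or a trailing-dot prefix like 192.168."""
    if entry.upper() == "ALL":
        return True
    if entry.endswith("."):
        return str(addr).startswith(entry)
    try:
        if "/" in entry:
            return addr in ipaddress.ip_network(entry, strict=False)
        return addr == ipaddress.ip_address(entry)
    except ValueError:          # host names are not resolved in this example
        return False


def list_matches(entries, addr):
    return any(entry_matches(e, addr) for e in entries)


def allow_access(allow, deny, client_ip):
    """Documented precedence: a match in the allow list wins, then a match
    in the deny list refuses, otherwise access is granted. With only an
    allow list, anything not listed is refused."""
    addr = ipaddress.ip_address(client_ip)
    if not allow and not deny:
        return True
    if not deny:
        return list_matches(allow, addr)
    if not allow:
        return not list_matches(deny, addr)
    if list_matches(allow, addr):
        return True
    if list_matches(deny, addr):
        return False
    return True


def share_allows(conf, share, client_ip):
    """Decide for one share; a parameter the share does not set falls back
    to the [global] value, as Samba does for share-level parameters."""
    def param(name):
        share_value = conf.get(share, {}).get(name)
        if share_value is None:
            share_value = conf.get("global", {}).get(name, "")
        return host_list(share_value)
    return allow_access(param("hosts allow"), param("hosts deny"), client_ip)


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for share, ip in [("ipc$", "192.168.115.42"), ("ipc$", "127.0.0.1"),
                      ("ipc$", "203.0.113.5"), ("data", "10.0.0.9")]:
        verdict = "allowed" if share_allows(conf, share, ip) else "denied"
        print(f"{ip:>16} -> [{share}]: {verdict}")
```

Running the script shows 192.168.115.42 and 127.0.0.1 admitted to [ipc$], 203.0.113.5 refused there, and 10.0.0.9 admitted to [data] because that share only has a deny list. Note that with an allow list alone every unlisted host is already refused, so the explicit `hosts deny = 0.0.0.0/0` in the guide's stanza documents intent rather than changing the decision; smb.conf(5) also states that 127.0.0.1 is always admitted unless specifically denied, which is why the guide lists it in hosts allow.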
Protecting sensitive information
This section describes the security methods you can use to protect sensitive information.
Encrypting authentication
You must set the encrypt passwords parameter to yes in the smb.conf file so that passwords are
never sent in clear text across the network during authentication; the client instead proves
knowledge of the password through a challenge/response exchange. Note that this protects only
the authentication exchange, not the SMB session data that follows it.
The HP CIFS Server accepts LM, NTLM and NTLMv2 challenge/response authentication, depending
on the client settings. NTLMv2 is the most secure of the three; LM and NTLMv1 responses can be
cracked offline by anyone who captures the exchange. To make a Windows client use NTLMv2
only, configure the following client registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"lmcompatibilitylevel"=dword:00000003
The value 0x00000003 means to send NTLMv2 responses only.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"NtlmMinClientSec"=dword:00080000
The value 0x00080000 means to permit only NTLMv2 session security. If either the
NtlmMinClientSec or NtlmMinServerSec option is set to 0x00080000, the connection fails if
NTLMv2 session security is not negotiated.
You can also use the Lightweight Directory Access Protocol (LDAP) for authentication. To prevent
plain text password transfer to LDAP directories, you can configure Secure Sockets Layer (SSL)
134 Securing HP CIFS Server