Showing posts with label SMB. Show all posts

Monday, August 14, 2017

Secure SaMBa Authentication Under Solaris 10

Abstract
IBM created a proprietary file sharing protocol under DOS referred to as SMB. This was adopted by Microsoft, and it later became referred to as CIFS. Open Source developers took a portion of the file sharing suite and implemented it under a product called SaMBa. Solaris 10 ships with an installation of SaMBa to allow for rudimentary SMB and CIFS file sharing. Simple SaMBa Enabling under Solaris 10 was noted in a previous article. Signing SaMBa Packets Under Solaris 10 was noted in a later article. This article discusses using the more secure NTLMv2 Authentication Protocol, rather than the old LAN Manager hash.
Problem
Authentication is the first step in deciding whether a user will be given access to a network resource. The original LAN Manager software uses an easy to crack hash for authentication, which can be easily determined over a network using a "sniffer", while NTLMv2 is more difficult to crack. LAN Manager authentication should be disabled to reduce the attack vectors against the SaMBa server.
Solution:
The process of disabling LM (LAN Manager) Authentication to always force NTLMv2 (Windows NT LAN Manager Version 2) Authentication in SaMBa is as described below.
sun1234/root# cp -p /etc/sfw/smb.conf /etc/sfw/smb.conf.20170814
sun1234/root# ls -alid /etc/sfw/smb*
 956139 -r--r--r-- 1 root root 10453 Sep  2 2014 /etc/sfw/smb.conf
 959534 -r--r--r-- 1 root root 10453 Sep  2 2014 /etc/sfw/smb.conf.20170815
 956138 -rw-r--r-- 1 root root 10086 Apr 28 2011 /etc/sfw/smb.conf.ad
 956137 -rw-r--r-- 1 root root 10089 Feb 19 2013 /etc/sfw/smb.conf.ges
Correct the [global] section and review the smb.conf file:
sun1234/root# more /etc/sfw/smb.conf
...
[global]
...
# Disable LANMAN Authentication In Samba
# Add the following line in the smb.conf's global section:
   lanman auth = No
Enable the changes:
sun1234/root# svcs samba
STATE          STIME    FMRI
online         14:31:56 svc:/network/samba:default
sun1593/root# svcadm disable svc:/network/samba:default
sun1593/root# svcs samba
STATE          STIME    FMRI
disabled       17:54:55 svc:/network/samba:default
sun1593/root# svcadm enable svc:/network/samba:default
sun1593/root# svcs samba
STATE          STIME    FMRI
online         17:54:59 svc:/network/samba:default
Conclusions:
SaMBa can be easily secured from the Service Management facility.

Signing SaMBa Under Solaris 10

Abstract:
IBM created a proprietary file sharing protocol under DOS referred to as SMB. This was adopted by Microsoft, and it later became referred to as CIFS. Open Source developers took a portion of the file sharing suite and implemented it under a product called SaMBa. Solaris 10 ships with an installation of SaMBa to allow for rudimentary SMB and CIFS file sharing. Simple SaMBa Enabling under Solaris 10 was noted in a previous article. This article discusses signing.


Problem:
The SMB protocol is subject to "man in the middle" attacks. Newer versions of Microsoft Windows offer different levels of packet signing and ultimately packet encryption. In order to maintain compatibility, packets can have signing enabled.

Solution:
The process for enabling signing is below.
sun1234/root# cp -p /etc/sfw/smb.conf /etc/sfw/smb.conf.20170814
sun1234/root# ls -alid /etc/sfw/smb*
 956139 -r--r--r-- 1 root root 10453 Sep  2 2014 /etc/sfw/smb.conf
 959534 -r--r--r-- 1 root root 10453 Sep  2 2014 /etc/sfw/smb.conf.20170814
 956138 -rw-r--r-- 1 root root 10086 Apr 28 2011 /etc/sfw/smb.conf.ad
 956137 -rw-r--r-- 1 root root 10089 Feb 19 2013 /etc/sfw/smb.conf.ges


Correct and review the smb.conf file:
sun1234/root# more /etc/sfw/smb.conf
...
[global]
...
# Configure SMB signing for Samba
#
# Configure Samba to enable or require SMB signing as appropriate.
# To enable SMB signing, put the following in the Samba config file,
# typically smb.conf, in the global section:
;  server signing = auto
# To require SMB signing, put the following in the Samba config file,
# typically smb.conf, in the global section:
   server signing = mandatory
Enable the changes:
sun1234/root# svcs samba
STATE          STIME    FMRI
online         Apr_27   svc:/network/samba:default
sun1593/root# svcadm disable svc:/network/samba:default
sun1593/root# svcs samba
STATE          STIME    FMRI
online*        14:31:20 svc:/network/samba:default
sun1593/root# svcs samba
STATE          STIME    FMRI
disabled       14:31:25 svc:/network/samba:default
sun1593/root# svcadm enable svc:/network/samba:default
sun1593/root# svcs samba
STATE          STIME    FMRI
online         14:31:56 svc:/network/samba:default
Conclusions:
SaMBa can be easily secured from the Service Management facility.
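
The two smb.conf changes above (lanman auth in the authentication article, server signing in this one) can be checked before the service is restarted. The script below is an added example, not part of the original posts; the function names and the sample file are constructed for illustration, and only the value "mandatory" used in the article is treated as requiring signing.

```shell
#!/bin/sh
# Added example (not from the original posts): audit smb.conf [global].
# On Solaris 10 set AWK=nawk; the legacy /usr/bin/awk lacks -v and gsub().
AWK=${AWK:-awk}

# global_value FILE "param": print the last value set in [global], lowercased.
global_value() {
    "$AWK" -v want="$2" '
        BEGIN { want = tolower(want); gsub(/[ \t]/, "", want) }
        /^[ \t]*[#;]/ { next }   # "#" and ";" both start a comment line
        /^[ \t]*\[/   { s = tolower($0); gsub(/[ \t]/, "", s)
                        in_global = (s == "[global]"); next }
        in_global && (eq = index($0, "=")) {
            k = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", k)
            v = tolower(substr($0, eq + 1)); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == want) val = v
        }
        END { print val }
    ' "$1"
}

# audit_smb_conf FILE: return 0 only if both settings are hardened.
audit_smb_conf() {
    rc=0
    lm=`global_value "$1" "lanman auth"`
    sig=`global_value "$1" "server signing"`
    case "$lm" in
        no|false|off|0) echo "OK    lanman auth = $lm" ;;
        "") echo "WARN  lanman auth unset; compiled-in default applies"; rc=1 ;;
        *)  echo "FAIL  lanman auth = $lm (LM responses accepted)"; rc=1 ;;
    esac
    case "$sig" in
        mandatory) echo "OK    server signing = $sig" ;;
        "") echo "WARN  server signing unset; compiled-in default applies"; rc=1 ;;
        *)  echo "FAIL  server signing = $sig (signing not required)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: signing is commented out in [global] and set only in a share.
sample=${TMPDIR:-/tmp}/smb.conf.sample.$$
cat > "$sample" <<'EOF'
[global]
   lanman auth = No
;  server signing = auto
[homes]
   server signing = mandatory
EOF
audit_smb_conf "$sample" || echo "smb.conf needs attention"; rm -f "$sample"
```

Against the real file, the call is audit_smb_conf /etc/sfw/smb.conf; a non-zero return means at least one of the two settings is missing or weak.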

Monday, July 27, 2009

More Work With ZFS


The Last Time...

The last time ZFS was covered, a description of its overall features was given. How to use all of those features was left uncovered. This post will try to cover some of the other features.

ZFS Sharing Overview

ZFS centralizes all directory sharing into a single command structure and removes the need to manage arcane configuration files to deal with issues such as configuration, status, and persistence.

ZFS Sharing Protocols

The new ZFS suite offers protocol sharing of iSCSI, NFS, as well as SMB (CIFS). There is a catch to this: the ZFS host must support a kernel implementation of the protocols - SMB (CIFS) is only supported under more recent releases of OpenSolaris and iSCSI is only supported under the Solaris families.

ZFS Sharing Stopping and Starting

ZFS uses a property to determine whether a filesystem mount is going to be shared or not.

To stop NFS sharing of a ZFS filesystem:

servera/root$ zfs set sharenfs=off u201

To start NFS sharing of a ZFS filesystem:

servera/root$ zfs set sharenfs=on u201

Sharing Status

On the same server, one can use the "share" command to see what is being shared over all protocols, persistent or not. A listing of the domestic sharing protocols that can be checked is in a configuration file on the sharing host.

servera/admin$ cat /etc/dfs/fstypes
nfs NFS Utilities
autofs AUTOFS Utilities
cachefs CACHEFS Utilities

servera/admin$ share
-   /u000   anon=60001,rw=servera   ""
-   /u201   rw   ""

On a foreign server, one can check to see what is being shared (via the NFS protocol), persistent or not. A listing of the foreign protocols that can be checked is in a configuration file on the remote host.

serverb/admin$ cat /etc/dfs/fstypes
nfs NFS Utilities
autofs AUTOFS Utilities
cachefs CACHEFS Utilities

serverb/admin$ dfshares servera
RESOURCE          SERVER    ACCESS  TRANSPORT
servera:/cdunix   servera   -       -
servera:/u201     servera   -       -

For the "share" and "dfshares" commands, if no protocol is specified, then "nfs" is the default protocol. A ZFS filesystem shared over NFS can be seen using the "share" and "dfshares" commands.

Sharing and Persistence

In most historic POSIX systems, there is a file referred to as "sharetab" (or some derivative of it) to review the sharing of filesystems. This is effective against any underlying filesystem (i.e. UFS, VxFS, ZFS, etc.) In the example below, cdunix is not on a ZFS filesystem.

servera/admin$ cat /etc/dfs/sharetab
/u000 - nfs rw
/u201 - nfs rw

If one is running a pure ZFS environment, persistence is held as a property. You can see the status of the ZFS file share through a ZFS command.

servera/admin$ zfs get sharenfs u201
NAME PROPERTY VALUE SOURCE
u201 sharenfs on local


Checking all shared protocols through ZFS is also possible, by filtering the output of the "all" properties option.

servera/admin$ zfs get all | grep share
u201 sharenfs on default
u201 shareiscsi off default
u201 sharesmb off default
Checking the share status for all protocols from a foreign server is not as elegant. Individual protocols must be used, such as the "dfshares" command.