Secure SaMBa Authentication Under Solaris 10

Secure SaMBa Authentication Under Solaris 10
Abstract
IBM created a proprietary file sharing protocol under DOS referred to as SMB. This was adopted by Microsoft, and it later became referred to as CIFS. Open Source developers took a portion of the file sharing suite an implemented it under a product called SaMBa. Solaris 10 ships with an installation of SaMBa to allow for rudimentary SMB and CIFS cfile sharing. Simple SaMBa Enabling under Solaris 10 was noted in a previous article. Signing SaMBa Packets Under Solaris 10 was noted in a later article. This article discusses using a more secure NTLMv2 Authentication Protocol, rather than the old LAN Manager hash.

Problem
Authentication is the first step in deciding whether access will be given to a network resource for a user. The original LAN Manager software uses an easy to crack hash for authentication, which can be easily determined over a network using a "sniffer", while NTLMv2 is more difficult to crack. This level of authentication should be disabled, to reduce the hacking vectors against the SaMBa server.

Solution:
The process of disabling LM (LAN Manager) Authentication to always force NTLMv2 (Windows NT LAN Manager Version 2) Authentication in SaMBa is as described below.

sun1234/root# cp -p /etc/sfw/smb.conf /etc/sfw/smb.conf.20170814
sun1234/root# ls -alid /etc/sfw/smb*
 956139 -r--r--r-- 1 root root 10453 Sep  2 2014 /etc/sfw/smb.conf
 959534 -r--r--r-- 1 root root 10453 Sep  2 2014 /etc/sfw/smb.conf.20170815
 956138 -rw-r--r-- 1 root root 10086 Apr 28 2011 /etc/sfw/smb.conf.ad
 956137 -rw-r--r-- 1 root root 10089 Feb 19 2013 /etc/sfw/smb.conf.ges

Correct in the "Global" section and review the smb.conf file

sun1234/root# more /etc/sfw/smb.conf

...
[global]
...

# Disable LANMAN Authentication In Samba
# Add the following line in the smb.conf's global section:
   lanman auth = No

Enable the changes:

sun1234/root# svcs samba
STATE          STIME    FMRI
online         14:31:56 svc:/network/samba:default
sun1593/root# svcadm disable svc:/network/samba:default
sun1593/root# svcs samba
STATE          STIME    FMRI
disabled       17:54:55 svc:/network/samba:default
sun1593/root# svcs enable svc:/network/samba:default
sun1593/root# svcs samba
STATE          STIME    FMRI
online         17:54:59 svc:/network/samba:default

Conclusions:
SaMBa can be easily secured from the Service Management facility.

Signing SaMBa Under Solaris 10

Signing SaMBa under Solaris 10
Abstract:
IBM created a proprietary file sharing protocol under DOS referred to as SMB. This was adopted by Microsoft, and it later became referred to as CIFS. Open Source developers took a portion of the file sharing suite an implemented it under a product called SaMBa. Solaris 10 ships with an installation of SaMBa to allow for rudimentary SMB and CIFS cfile sharing. Simple SaMBa Enabling under Solaris 10 was noted in a previous article. This article discussing signing.

Problem:
SMB protocol is subject to "man in the middle" attacks. Newer versions of Microsoft Windows offer different levels of packet signing and ultimately packet encryption. In order to maintain compatibility, Packets can have Signing enabled.

Solution:
The process for enabling signing is below.

sun1234/root# cp -p /etc/sfw/smb.conf /etc/sfw/smb.conf.20170814
sun1234/root# ls -alid /etc/sfw/smb*
 956139 -r--r--r-- 1 root root 10453 Sep  2 2014 /etc/sfw/smb.conf
 959534 -r--r--r-- 1 root root 10453 Sep  2 2014 /etc/sfw/smb.conf.20170814
 956138 -rw-r--r-- 1 root root 10086 Apr 28 2011 /etc/sfw/smb.conf.ad
 956137 -rw-r--r-- 1 root root 10089 Feb 19 2013 /etc/sfw/smb.conf.ges

Correct and review the smb.conf file

sun1234/root# more /etc/sfw/smb.conf

...
[global]
...

# Configure SMB signing for Samba
#
# Configure Samba to enable or require SMB signing as appropriate.
# To enable SMB signing, put the following in the Samba config file,
# typically smb.conf, in the global section:
;  server signing = auto
# To require SMB signing, put the following in the Samba config file,
# typically smb.conf, in the global section:
   server signing = mandatory

Enable the changes:

sun1234/root# svcs samba
STATE          STIME    FMRI
online         Apr_27   svc:/network/samba:default
sun1593/root# svcadm disable svc:/network/samba:default
sun1593/root# svcs samba
STATE          STIME    FMRI
online*        14:31:20 svc:/network/samba:default
sun1593/root# svcs samba
STATE          STIME    FMRI
disabled       14:31:25 svc:/network/samba:default
sun1593/root# svcs enable svc:/network/samba:default
sun1593/root# svcs samba
STATE          STIME    FMRI
online         14:31:56 svc:/network/samba:default

Conclusions:
SaMBa can be easily secured from the Service Management facility.

Enabling SaMBa Under Solaris 10

Enabling SaMBa Under Solaris 10

Abstract:
IBM created a proprietary file sharing protocol under DOS referred to as SMB. This was adopted by Microsoft, and it later became referred to as CIFS. Open Source developers took a portion of the file sharing suite an implemented it under a product called SaMBa. Solaris 10 ships with an installation of SaMBa to allow for rudimentary SMB and CIFS cfile sharing.


Installation:
SaMBa is already installed with Solaris 10 Update 4 until Update 9. Creating a configuration file with a service start is all that is required. The Samba book from O'Reilly is an excellent resource in trying to understand all of the obtuse options available

Configuration:
Check to see if you are working with a fairly recent release of Solaris 10, with the SaMBa support.

sunv890/user$ svcs -a | grep samba
disabled       Jan_28   svc:/network/samba:default

If you try to enable SaMBa without the configuration file, the service will not function, but will reside in maintenance mode until repaired and restarted:

sunv890/root$ svcadm enable samba

sunv890/user$ svcs -a | grep samba
maintenance    10:23:47 svc:/network/samba:default

The Service Management Facility (SMF) will identify the failed service and log the problem.

SaMBa/user$ tail /var/adm/messages
Feb 11 14:08:46 sunv890 svc.startd[7]: [ID 652011 daemon.warning] svc:/network/samba:default: Method "/usr/sfw/sbin/smbd -D" failed with exit status 255. Feb 11 14:08:46 SaMBa svc.startd[7]: [ID 748625 daemon.error] network/samba:default failed: transitioned to maintenance (see 'svcs -xv' for details) 

Debugging is fairly simple - just look for the configuration file. In this example, there is none.

sunv890/user$ ls -al /etc/sfw/smb.conf
/etc/sfw/smb.conf: No such file or directory

Create a sample configuration file to share the temporary directory as writable, ensure SaMBa will be derived as a host name, install the configuration file. (Note, you can always substitute an IP Address for SaMBa.)

sunv890/user$ cat /etc/sfw/smb.conf
# Global parameters
[global]
workgroup =
netbios name = SaMBa
security = SHARE
local master = No
guest account = nobody
delete veto files = Yes
encrypt passwords = Yes
winbind uid = 10000-65000

# Configure Samba to enable or require SMB signing as appropriate.
# To enable SMB signing, put in Samba config global section
;  server signing = auto
# To require SMB signing, put in Samba config global section
   server signing = mandatory

# Disable LANMAN Authentication in Samba config global section
   lanman auth = No

[Temp]
comment = Temporary Share
path = /tmp
writeable = Yes
guest ok = Yes
preserve case = No

sunv890/root$ svcadm disable samba              

sunv890/root$ svcadm enable samba

sunnv890/user$ svcs samba
STATE          STIME    FMRI
online         14:17:01 svc:/network/samba:default

To test your installation, from a Windows platform, try to browse the temporary directory, or read a sample file which you know is in the directory.

Start -> Run -> \\sunv890\Temp
Start -> Run -> wordpad \\sunv890\Temp\smb.conf

Conclusion:
The SaMBa configuration under Solaris 10 is simple and managed well by the Service Management Facility infrastructure of Solaris 10.

Editor's Note: This blog article was published in 2011 and adjusted in 2017-08-14 to add Signing and Authentication enhancements to the default SaMBa configuration.