Secure SaMBa Authentication Under Solaris 10
Abstract
IBM created a proprietary file sharing protocol under DOS referred to as SMB. This was adopted by Microsoft, and it later became referred to as CIFS. Open Source developers took a portion of the file sharing suite an implemented it under a product called SaMBa. Solaris 10 ships with an installation of SaMBa to allow for rudimentary SMB and CIFS cfile sharing. Simple SaMBa Enabling under Solaris 10 was noted in a previous article. Signing SaMBa Packets Under Solaris 10 was noted in a later article. This article discusses using a more secure NTLMv2 Authentication Protocol, rather than the old LAN Manager hash.
Problem
Authentication is the first step in deciding whether access will be given to a network resource for a user. The original LAN Manager software uses an easy to crack hash for authentication, which can be easily determined over a network using a "sniffer", while NTLMv2 is more difficult to crack. This level of authentication should be disabled, to reduce the hacking vectors against the SaMBa server.
Solution:
The process of disabling LM (LAN Manager) Authentication to always force NTLMv2 (Windows NT LAN Manager Version 2) Authentication in SaMBa is as described below.
SaMBa can be easily secured from the Service Management facility.
Abstract
IBM created a proprietary file sharing protocol under DOS referred to as SMB. This was adopted by Microsoft, and it later became referred to as CIFS. Open Source developers took a portion of the file sharing suite an implemented it under a product called SaMBa. Solaris 10 ships with an installation of SaMBa to allow for rudimentary SMB and CIFS cfile sharing. Simple SaMBa Enabling under Solaris 10 was noted in a previous article. Signing SaMBa Packets Under Solaris 10 was noted in a later article. This article discusses using a more secure NTLMv2 Authentication Protocol, rather than the old LAN Manager hash.
Problem
Authentication is the first step in deciding whether access will be given to a network resource for a user. The original LAN Manager software uses an easy to crack hash for authentication, which can be easily determined over a network using a "sniffer", while NTLMv2 is more difficult to crack. This level of authentication should be disabled, to reduce the hacking vectors against the SaMBa server.
Solution:
The process of disabling LM (LAN Manager) Authentication to always force NTLMv2 (Windows NT LAN Manager Version 2) Authentication in SaMBa is as described below.
sun1234/root# cp -p /etc/sfw/smb.conf /etc/sfw/smb.conf.20170814Correct in the "Global" section and review the smb.conf file
sun1234/root# ls -alid /etc/sfw/smb*
956139 -r--r--r-- 1 root root 10453 Sep 2 2014 /etc/sfw/smb.conf
959534 -r--r--r-- 1 root root 10453 Sep 2 2014 /etc/sfw/smb.conf.20170815
956138 -rw-r--r-- 1 root root 10086 Apr 28 2011 /etc/sfw/smb.conf.ad
956137 -rw-r--r-- 1 root root 10089 Feb 19 2013 /etc/sfw/smb.conf.ges
sun1234/root# more /etc/sfw/smb.conf
...
[global]
...
# Disable LANMAN Authentication In SambaEnable the changes:
# Add the following line in the smb.conf's global section:
lanman auth = No
sun1234/root# svcs sambaConclusions:
STATE STIME FMRI
online 14:31:56 svc:/network/samba:default
sun1593/root# svcadm disable svc:/network/samba:default
sun1593/root# svcs samba
STATE STIME FMRI
disabled 17:54:55 svc:/network/samba:default
sun1593/root# svcs enable svc:/network/samba:default
sun1593/root# svcs samba
STATE STIME FMRI
online 17:54:59 svc:/network/samba:default
SaMBa can be easily secured from the Service Management facility.