Monday, August 14, 2017

Signing SaMBa Under Solaris 10

Signing SaMBa under Solaris 10
Abstract:
IBM created a proprietary file sharing protocol under DOS referred to as SMB. This was adopted by Microsoft, and it later became referred to as CIFS. Open Source developers took a portion of the file sharing suite an implemented it under a product called SaMBa. Solaris 10 ships with an installation of SaMBa to allow for rudimentary SMB and CIFS cfile sharing. Simple SaMBa Enabling under Solaris 10 was noted in a previous article. This article discussing signing.


Problem:
SMB protocol is subject to "man in the middle" attacks. Newer versions of Microsoft Windows offer different levels of packet signing and ultimately packet encryption. In order to maintain compatibility, Packets can have Signing enabled.

Solution:
The process for enabling signing is below.
sun1234/root# cp -p /etc/sfw/smb.conf /etc/sfw/smb.conf.20170814
sun1234/root# ls -alid /etc/sfw/smb*
 956139 -r--r--r-- 1 root root 10453 Sep  2 2014 /etc/sfw/smb.conf
 959534 -r--r--r-- 1 root root 10453 Sep  2 2014 /etc/sfw/smb.conf.20170814
 956138 -rw-r--r-- 1 root root 10086 Apr 28 2011 /etc/sfw/smb.conf.ad
 956137 -rw-r--r-- 1 root root 10089 Feb 19 2013 /etc/sfw/smb.conf.ges


Correct and review the smb.conf file
sun1234/root# more /etc/sfw/smb.conf
...
[global]
...
# Configure SMB signing for Samba
#
# Configure Samba to enable or require SMB signing as appropriate.
# To enable SMB signing, put the following in the Samba config file,
# typically smb.conf, in the global section:
;  server signing = auto
# To require SMB signing, put the following in the Samba config file,
# typically smb.conf, in the global section:
   server signing = mandatory
Enable the changes:
sun1234/root# svcs samba
STATE          STIME    FMRI
online         Apr_27   svc:/network/samba:default
sun1593/root# svcadm disable svc:/network/samba:default
sun1593/root# svcs samba
STATE          STIME    FMRI
online*        14:31:20 svc:/network/samba:default
sun1593/root# svcs samba
STATE          STIME    FMRI
disabled       14:31:25 svc:/network/samba:default
sun1593/root# svcs enable svc:/network/samba:default
sun1593/root# svcs samba
STATE          STIME    FMRI
online         14:31:56 svc:/network/samba:default
Conclusions:
SaMBa can be easily secured from the Service Management facility.
Posted by at
Labels: , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)