HP CIFS Server Administrator's Guide Version A.03.01.01 (5900-1282, May 2011)

on your systems and enable HP CIFS Server with SSL. For detailed information on how to enable
SSL communication over LDAP, see “LDAP Integration Support” (page 78).
The HP CIFS Server accepts the highly secure Kerberos tickets for Windows 2000 Active Directory
configurations.
Protecting Sensitive Configuration Files
The default permissions for HP CIFS Server configuration files have been carefully selected to ensure
security while providing appropriate accessibility. However, you also need to protect these
configuration files from unauthorized access. Be especially careful if you decide to locate them in
alternative directories.
Table 6-1 describes a list of commonly used configuration files and their default locations. There
are also many smb.conf configuration parameters which permit alternate locations for these files,
and many parameters that result in additional configuration files or scripts controlling run-time
actions that are not mentioned here.
Table 16 Configuration Files

Description                                                        File
Master configuration file                                          /etc/opt/samba/smb.conf
Log files                                                          /var/opt/samba/log.*
Database files containing important internal run-time information  /var/opt/samba/locks/*.tdb
Data files containing system name and addresses                    /var/opt/samba/locks/*.dat
Master daemon process ID files used for starting, stopping,        /var/opt/samba/locks/*.pid
and clustering scripts
Database files containing important internal run-time information  /var/opt/samba/private/*.tdb
Data file containing user name and password information            /var/opt/samba/private/smbpasswd
Data file containing user name and password information            /var/opt/samba/private/passdb.tdb
You need to be aware that the smbpasswd -w command stores the LDAP administrator's user
and password in the /var/opt/samba/private/secrets.tdb file in plain text.
Using %m Name Replacement Macro With Caution
The NetBIOS name of remote clients is substituted into the "%m" macro wherever it occurs in the
smb.conf configuration file. The use of contrived NetBIOS names may result in Samba using a
file path outside of the intended Samba directories. This can be used to cause Samba to append
data to important system files, which in turn can be used to compromise security on the server.
An immediate fix is to edit your smb.conf configuration file and remove all occurrences of the
macro "%m". Depending on the requirements of each site, other smb.conf macros may be suitable
replacements.
The log file option is the most vulnerable to this redefinition problem. The sample configuration
file contains the path /var/opt/samba/log.%m. Using this default path does not create a
vulnerability unless there happens to exist a subdirectory in /var/opt/samba which starts with
the prefix "log.".
If you choose to maintain the use of the "%m" macro in the log file option, you should use the
default value, /var/opt/samba/log.%m.
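The audit described above (find every smb.conf option that still expands "%m", and accept it only in the log file option at the default path) can be scripted. The following is an added example, not part of the HP CIFS Server documentation or the Samba project; the smb.conf excerpt it scans is constructed, and option names are compared after whitespace and case normalization as Samba does.

```python
import re

# Constructed sample smb.conf excerpt (not from the guide). The [global]
# log file uses the recommended default path; the other two uses of %m
# are the kind an administrator is told to remove or replace.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   log file = /var/opt/samba/log.%m
   include = /etc/opt/samba/smb.conf.%m

[homes]
   path = /home/%U
   comment = Home for %m
"""

# The only %m usage the guide considers acceptable.
DEFAULT_LOG_FILE = "/var/opt/samba/log.%m"


def parse_smb_conf(text):
    """Return (section, option, value) triples from smb.conf text.

    Blank lines and '#' / ';' comments are skipped; option names are
    lower-cased with whitespace collapsed so 'Log File' == 'log file'.
    """
    section = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if "=" in line:
            option, value = line.split("=", 1)
            option = " ".join(option.split()).lower()
            entries.append((section, option, value.strip()))
    return entries


def find_m_macro_uses(text):
    """Report every option whose value contains %m.

    Each finding is (section, option, value, acceptable); acceptable is
    True only for 'log file' set exactly to the default path.
    """
    findings = []
    for section, option, value in parse_smb_conf(text):
        if "%m" in value:
            acceptable = option == "log file" and value == DEFAULT_LOG_FILE
            findings.append((section, option, value, acceptable))
    return findings


if __name__ == "__main__":
    for section, option, value, ok in find_m_macro_uses(SAMPLE_SMB_CONF):
        status = "default log path, acceptable" if ok else "remove or replace %m"
        print(f"[{section}] {option} = {value}  -> {status}")
```

To audit a live server, replace SAMPLE_SMB_CONF with the contents of /etc/opt/samba/smb.conf; any finding not marked acceptable is a candidate for removal or replacement with another macro.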
Security Protection Methods 135