Operating System - HP-UX

Windows SFU vs. Samba CIFS

Luis Toro
Regular Advisor


Hi,
We have Samba running on several HP-UX servers. During a recent migration, several Samba users were migrated to an external network, and they could not use Samba anymore because of some firewall rules (note that I am not well versed in firewalls and rules, etc.). In any event, my firewall guy is telling me that the reason they can't use Samba is due to the connections it's making over ports 139 (which I was aware of) and 445 (which I was not aware of). So he's recommending using NFS, using Windows SFU. We got it to work, but authentication seems to be an issue (i.e., no one-for-one Windows account to UNIX account mapping). In searching the forum, Samba seems to be preferred, but I was hoping for some info on the ports it uses (and if they indeed should be restricted), and if SFU provides the type of granular mapping/access that Samba provides. It seems to me I can either risk some kind of attack by not restricting the port(s) at the firewall level, or have open access at the NFS level.

Thanks
8 REPLIES
Sundar_7
Honored Contributor

Re: Windows SFU vs. Samba CIFS

Hi Luis,

Are you using server-level security mode for the SAMBA server ?

If the CIFS server is configured to use server-level security, it keeps a connection open to the password server for as long your client is connected to share. This connection uses port number 445.

Try configuring the Samba server to use domain-level security. I can tell you that it doesn't keep the connection on port 445 open for as long as the client is connected to the share. But I don't know if domain-level security uses port 445 at all. Domain-level security is supposed to authenticate the users via a secure RPC channel just like any other Windows PDC.

Not going to hurt for sure. But to use domain-level security, you must join the domain using the smbpasswd command (or the net command, depending on the Samba version you're using).

- Sundar
Learn what to do, how to do and, more importantly, when to do?
Luis Toro
Regular Advisor

Re: Windows SFU vs. Samba CIFS

Thanks for the reply Sundar.

I do not have access to the remote server to verify if it's using domain- or server-level security. However, I do know that our local servers running Samba are using domain-level security. Would that port connection (445) show up in a netstat -a ?
Sundar_7
Honored Contributor

Re: Windows SFU vs. Samba CIFS

Luis,

I was not talking about the remote server. Domain/server level security is set in the SAMBA/CIFS server.

# grep security /etc/opt/samba/smb.conf

Refer to the output of the above command.

As I said above in my last post, I am not sure if there will still be a connection using port 445 when CIFS is operating in domain-level security mode.

But, yes, there will be a socket with the following domain address:

: :445

- Sundar.
Steven E. Protter
Exalted Contributor

Re: Windows SFU vs. Samba CIFS

Windows file server needs open ports as well. The port numbers are merely different.

Samba is a more robust product and it's quite possible to use the ipfilter firewall to only allow remote connections to the Samba/CIFS server from authorized hosts.

I've run into issues where log files fill up with spurious Samba login attempts and it's important to address this issue.

The firewall guy is right, you have to open up the ports to get access. Opening up the port is not a significant security hazard, especially if you limit the external IP addresses allowed to connect. Most firewalls permit this.

A VPN would also solve this problem.

I have to manage one box exposed to the Internet on Windows and it costs me sleep. I'd much rather manage an HP-UX or Linux box in such a role. Security is more straightforward and reliable.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Luis Toro
Regular Advisor

Re: Windows SFU vs. Samba CIFS

Sundar,

The remote server is the Samba server with the problem; there are several Samba servers, and the local ones that I administer have domain security. The problematic one I have no access to. In any event, I accessed a Samba share on a UNIX server I administer, and I did see the UNIX server open up a connection on port 445 to a domain controller (it was only open briefly). It seems the connection was made to a Windows domain controller in another data center. Is there a way to control, or direct, the Samba/CIFS server to a specific DC? In speaking with the NT group, they're saying that the reason for the connection to the remote DC was because that was the first DC to respond to the authentication call.
Sundar_7
Honored Contributor
Solution

Re: Windows SFU vs. Samba CIFS

Luis,

Yes, it is possible to redirect the authentication to a specific DC.

# grep -i "password server" /etc/opt/samba/smb.conf

Probably you have "*" defined as the password server list. If the CIFS server is operating in domain-level security mode and the password server list is "*", then it makes some kind of RPC broadcast request (just like any other M$ server). Your NT folks were right in that your CIFS server will make the connection to the first DC that responds to your broadcast.

You can hardcode the password server list in the smb.conf file.

# vi /etc/opt/samba/smb.conf
password server = server1 server2 server3
#

# stopsmb
# startsmb

Now when the users connect to the CIFS server, the CIFS server will authenticate the users against server1 first.

Hope this helps

- Sundar
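As an added example (not from this thread and not Samba's own tooling), a small POSIX shell audit that reads the two smb.conf settings Sundar points at in his replies, `security` and `password server`, and flags the server-level mode and the `*` password server list. The file paths, DC names and sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example (not Samba's tooling): audit the two smb.conf settings discussed
# in this thread. The paths and DC names below are constructed assumptions.

# smb_setting FILE KEY: print KEY's value from [global], ignoring comment lines,
# surrounding blanks and the key's letter case. The last assignment wins.
smb_setting() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); section = "" }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { section = tolower($0); gsub(/[][ \t]/, "", section); next }
        section == "global" && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) val = v
        }
        END { print val }' "$1"
}

# audit_smb_conf FILE: one verdict per line; exit status 1 if anything needs fixing.
audit_smb_conf() {
    sec=$(smb_setting "$1" security); pw=$(smb_setting "$1" "password server"); rc=0
    case "$(printf '%s' "$sec" | tr 'A-Z' 'a-z')" in
        domain|ads) echo "OK:   security = $sec" ;;
        server) echo "WARN: security = server holds a port 445 session to the password server per client"; rc=1 ;;
        *)      echo "INFO: security = ${sec:-unset}; no password server involved" ;;
    esac
    case "$pw" in
        ""|"*") echo "WARN: password server = '${pw:-unset}'; first DC to answer wins, pin known DCs instead"; rc=1 ;;
        *)      echo "OK:   password server = $pw" ;;
    esac
    return $rc
}

# Constructed sample configs: the weak setup from the thread and the fixed one.
TMP=${TMPDIR:-/tmp}/smbaudit.$$; mkdir -p "$TMP"
WEAK_CONF=$TMP/weak.conf; FIXED_CONF=$TMP/fixed.conf
cat > "$WEAK_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   Security = server
   password server = *
; the [homes] value below must not be picked up as the global setting
[homes]
   security = user
EOF
cat > "$FIXED_CONF" <<'EOF'
[global]
   security = domain
   password server = dc1.example.internal dc2.example.internal
EOF
audit_smb_conf "$WEAK_CONF"; audit_smb_conf "$FIXED_CONF"
```

Point it at /etc/opt/samba/smb.conf on an HP-UX CIFS server to get the same verdicts for the live configuration.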
Luis Toro
Regular Advisor

Re: Windows SFU vs. Samba CIFS

Thanks Sundar and Steve.

You've been a great help (my Samba guy is on vacation... but I'm not sure he could have answered my questions).
Jeff_Traigle
Honored Contributor

Re: Windows SFU vs. Samba CIFS

I would think VPN would be a good idea anyway unless these external networks are still within a firewalled WAN (which, unless you're running firewalls within firewalls, it doesn't sound like is the case from your description). Unless I've managed to miss finding relevant documentation to the contrary, there's no built-in data encryption available for NFS or SMB.
--
Jeff Traigle