Introduction

One of the important characteristics of the CIFS file-sharing protocol is its security model. Before a user on a CIFS client can access the mountpoint of a CIFS server, the user must be authenticated by the server (the user must login to the server). Four login methods are available, they are explained in the following pages. Restrictions at the file or directory level on the server’s filesystem are also enforced by the server.

In contrast, NFS relies solely upon file and directory level permissions on the server’s filesystem, in conjunction with the user’s UNIX uid.

Authentication Protocols

The CIFS Client supports two authentication protocols. These protocols are configured on a global or server specific basis in the CIFS Client configuration file (/etc/opt/cifsclient/cifscient.cfg) by the system administrator:

Windows NT LanManager (NTLM) NTLM is a challenge-response strategy protocol. The server sends a challenge key to the client which the client returns to the server encrypted with the user’s password. The server decrypts the key and authenticates the user. No semblance of the user’s password is transmitted over the network.
Kerberos Kerberos is a distributed authentication service that allows a client running on behalf of a user to prove its identity to an application server without sending data across the network that might allow an attacker to subsequently impersonate the user. Kerberos is a secure, industry standard authentication protocol. It provides significant improvements over the NTLM protocol.

Introduction

Technical documentation

» Table of Contents

» Glossary

» Index

Authentication Protocols