Monday, August 14, 2017

Secure SaMBa Authentication Under Solaris 10

Abstract
IBM created a proprietary file sharing protocol under DOS referred to as SMB. This was adopted by Microsoft, and it later became referred to as CIFS. Open Source developers took a portion of the file sharing suite and implemented it under a product called SaMBa. Solaris 10 ships with an installation of SaMBa to allow for rudimentary SMB and CIFS file sharing. Simple SaMBa Enabling under Solaris 10 was noted in a previous article. Signing SaMBa Packets Under Solaris 10 was noted in a separate article. This article discusses using the more secure NTLMv2 Authentication Protocol rather than the old LAN Manager hash.
Problem
Authentication is the first step in deciding whether a user is given access to a network resource. The original LAN Manager scheme uses the LM hash, which is built from an upper-cased password split into two 7-character halves, so a challenge/response captured off the wire with a "sniffer" is cheap to crack offline. NTLMv2 responses are keyed with an HMAC and bound to both the server and client challenges, which makes them far more difficult to crack. LM authentication should be disabled to reduce the attack surface of the SaMBa server.
Solution:
The process for disabling LM (LAN Manager) authentication in SaMBa is described below. Note that "lanman auth = no" only stops the server from accepting LM responses; NTLMv1 responses are still accepted unless "ntlm auth = no" is also set in the global section, and only with both settings is NTLMv2 (Windows NT LAN Manager Version 2) the sole accepted response. Running testparm (shipped under /usr/sfw/bin on Solaris 10) after the edit will catch a malformed smb.conf before the service is restarted.
sun1234/root# cp -p /etc/sfw/smb.conf /etc/sfw/smb.conf.20170814
sun1234/root# ls -alid /etc/sfw/smb*
 956139 -r--r--r-- 1 root root 10453 Sep  2 2014 /etc/sfw/smb.conf
 959534 -r--r--r-- 1 root root 10453 Sep  2 2014 /etc/sfw/smb.conf.20170814
 956138 -rw-r--r-- 1 root root 10086 Apr 28 2011 /etc/sfw/smb.conf.ad
 956137 -rw-r--r-- 1 root root 10089 Feb 19 2013 /etc/sfw/smb.conf.ges
Add the setting to the [global] section and review the smb.conf file
sun1234/root# more /etc/sfw/smb.conf
...
[global]
...
# Disable LANMAN Authentication In Samba
# Add the following line in the smb.conf's global section:
   lanman auth = No
Enable the changes:
sun1234/root# svcs samba
STATE          STIME    FMRI
online         14:31:56 svc:/network/samba:default
sun1234/root# svcadm disable svc:/network/samba:default
sun1234/root# svcs samba
STATE          STIME    FMRI
disabled       17:54:55 svc:/network/samba:default
sun1234/root# svcadm enable svc:/network/samba:default
sun1234/root# svcs samba
STATE          STIME    FMRI
online         17:54:59 svc:/network/samba:default
Conclusions:
Once smb.conf has been updated, the change takes effect by restarting SaMBa through the Service Management Facility; confirm the result from a Windows client by checking that an LM-only logon is now refused.

Signing SaMBa Under Solaris 10

Abstract:
IBM created a proprietary file sharing protocol under DOS referred to as SMB. This was adopted by Microsoft, and it later became referred to as CIFS. Open Source developers took a portion of the file sharing suite and implemented it under a product called SaMBa. Solaris 10 ships with an installation of SaMBa to allow for rudimentary SMB and CIFS file sharing. Simple SaMBa Enabling under Solaris 10 was noted in a previous article. This article discusses signing.


Problem:
Without signing, SMB sessions can be tampered with or relayed by a "man in the middle" on the path between client and server. Newer versions of Microsoft Windows offer different levels of packet signing and, with SMB 3, packet encryption; the SaMBa shipped with Solaris 10 speaks SMB1, so signing is the strongest protection available there. Signing can be negotiated (used only when the client asks for it) to maintain compatibility, or made mandatory so that unsigned sessions are refused.

Solution:
The process for requiring signing is below. Mandatory signing refuses clients that cannot sign and adds a per-packet MAC cost, so test against the client population before rolling it out.
sun1234/root# cp -p /etc/sfw/smb.conf /etc/sfw/smb.conf.20170814
sun1234/root# ls -alid /etc/sfw/smb*
 956139 -r--r--r-- 1 root root 10453 Sep  2 2014 /etc/sfw/smb.conf
 959534 -r--r--r-- 1 root root 10453 Sep  2 2014 /etc/sfw/smb.conf.20170814
 956138 -rw-r--r-- 1 root root 10086 Apr 28 2011 /etc/sfw/smb.conf.ad
 956137 -rw-r--r-- 1 root root 10089 Feb 19 2013 /etc/sfw/smb.conf.ges


Add the setting to the [global] section and review the smb.conf file
sun1234/root# more /etc/sfw/smb.conf
...
[global]
...
# Configure SMB signing for Samba
#
# Configure Samba to enable or require SMB signing as appropriate.
# To enable SMB signing, put the following in the Samba config file,
# typically smb.conf, in the global section:
;  server signing = auto
# To require SMB signing, put the following in the Samba config file,
# typically smb.conf, in the global section:
   server signing = mandatory
Enable the changes:
sun1234/root# svcs samba
STATE          STIME    FMRI
online         Apr_27   svc:/network/samba:default
sun1234/root# svcadm disable svc:/network/samba:default
sun1234/root# svcs samba
STATE          STIME    FMRI
online*        14:31:20 svc:/network/samba:default
sun1234/root# svcs samba
STATE          STIME    FMRI
disabled       14:31:25 svc:/network/samba:default
sun1234/root# svcadm enable svc:/network/samba:default
sun1234/root# svcs samba
STATE          STIME    FMRI
online         14:31:56 svc:/network/samba:default
Conclusions:
Once smb.conf has been updated, the change takes effect by restarting SaMBa through the Service Management Facility; an unsigned client session should now be rejected rather than silently downgraded.
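As an added example serving both this signing article and the preceding NTLMv2 authentication article (not code from the original posts), the POSIX shell script below audits an smb.conf the way a reviewer would before restarting the service: it parses the [global] section with Samba's own matching rules (keys are case-insensitive and ignore embedded whitespace, '#' and ';' lines are comments, the last occurrence of a key wins) and reports whether "lanman auth" and "server signing" carry the hardened values shown above. It goes one step beyond the articles by also checking "ntlm auth", since without that setting NTLMv1 remains accepted. The two configuration files it runs against are constructed for the demo; the parameter names and accepted values are Samba's, and "ntlmv2-only" is the Samba 4.5+ spelling of the same restriction.

```shell
#!/bin/sh
# smb_audit.sh: audit the [global] section of an smb.conf for the settings
# discussed in these articles (lanman auth, server signing) plus ntlm auth,
# which must also be off before NTLMv2 is the only accepted response.
# Added example; it only reads the file and does not call Samba's own tools.

# Print "key=value" for every parameter in [global]. Keys are normalized the
# way Samba matches them: case-insensitive, with embedded whitespace ignored,
# so "Lanman Auth" and "lanmanauth" are the same key. '#' and ';' lines are
# comments, so a commented-out ';  server signing = auto' line is skipped.
smb_global_params() {
    awk '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ {
            sec = tolower($0); gsub(/\[|\]|[[:space:]]/, "", sec); next
        }
        sec == "global" && index($0, "=") > 0 {
            p = index($0, "=")
            key = tolower(substr($0, 1, p - 1)); gsub(/[[:space:]]/, "", key)
            val = tolower(substr($0, p + 1))
            sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            print key "=" val
        }' "$1"
}

# Value of one normalized key in [global]; the last occurrence wins, as in
# Samba. Prints nothing when the parameter is not set at all.
smb_get() {
    smb_global_params "$1" | awk -v k="$2" '
        index($0, k "=") == 1 { v = substr($0, length(k) + 2); found = 1 }
        END { if (found) print v }'
}

# Report each setting and return 0 only when all three are hardened.
# An unset parameter is reported as weak on purpose: its default differs
# between Samba versions, so a hardening config should state it explicitly.
smb_audit() {
    rc=0
    v=$(smb_get "$1" lanmanauth)
    case "$v" in
        no|false|0) echo "ok    lanman auth = $v" ;;
        "")         echo "WEAK  lanman auth not set (version-dependent default)"; rc=1 ;;
        *)          echo "WEAK  lanman auth = $v (LM responses accepted)"; rc=1 ;;
    esac
    v=$(smb_get "$1" ntlmauth)
    case "$v" in
        no|false|0|ntlmv2-only) echo "ok    ntlm auth = $v" ;;
        "")         echo "WEAK  ntlm auth not set (NTLMv1 may still be accepted)"; rc=1 ;;
        *)          echo "WEAK  ntlm auth = $v (NTLMv1 accepted)"; rc=1 ;;
    esac
    v=$(smb_get "$1" serversigning)
    case "$v" in
        mandatory|required) echo "ok    server signing = $v" ;;
        "")         echo "WEAK  server signing not set (not mandatory by default)"; rc=1 ;;
        *)          echo "WEAK  server signing = $v (unsigned sessions allowed)"; rc=1 ;;
    esac
    return $rc
}

# Demo on two constructed configs (not the article's real /etc/sfw/smb.conf):
# the first mirrors the articles' two edits but omits 'ntlm auth', so it fails;
# the 'lanman auth = yes' under [homes] is ignored because it is not in [global].
tmp=$(mktemp -d) || exit 1
printf '%s\n' '[global]' '   workgroup = WORKGROUP' '; server signing = auto' \
    '   Lanman Auth = No' '   server signing = mandatory' '[homes]' \
    '   lanman auth = yes' > "$tmp/partial.conf"
printf '%s\n' '[global]' '   lanman auth = no' '   ntlm auth = no' \
    '   server signing = mandatory' > "$tmp/hardened.conf"
for f in partial hardened; do
    echo "== $f.conf"
    smb_audit "$tmp/$f.conf" && echo "result: hardened" || echo "result: NOT hardened"
done
rm -rf "$tmp"
```

Run it against the live file with "smb_audit /etc/sfw/smb.conf" from the same shell after sourcing the script; a non-zero exit status is the signal to fix the config before the svcadm restart, and because the parser follows Samba's key normalization it is not fooled by "LanmanAuth=no" or by a later duplicate line that re-enables the weak setting.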

Thursday, April 6, 2017

Running Oracle Linux as a Logical Domain on SPARC


Abstract:

With the purchase of the Cray SuperServer division and its StarFire platform, Sun Microsystems introduced Physical Domains to their server line. With the introduction of the UltraSPARC T1, Sun Microsystems introduced Logical Domains and offered support for the first release of "third party" Ubuntu Linux on SPARC. Fujitsu introduced its own Linux on its SPARC platforms. Since the purchase of Sun Microsystems by Oracle, Oracle Linux has been introduced on SPARC as well.

[Courtesy: Oracle Virtualization Blog]

Presenter:

Jeff Savit
Product Management Senior Manager
Oracle Corporation

Linux in an LDom

Jeff recently published a blog post about a simple installation of Oracle Linux in an LDom, with 4 cores (32 vCPU threads) and 32 Gigabytes of RAM, where the virtual disk was a file in a ZFS dataset. The highlights below are the steps for loading Oracle Linux into an Oracle SPARC Logical Domain.


Preparing an LDom

Solaris 11 acts as the Control Domain in an Oracle VM Server for SPARC environment. From the Primary (Control) Domain, a Logical Domain was configured with CPU, memory, a disk, a DVD image, and a virtual NIC.
primary # ldm add-domain ols
primary # ldm set-core 4 ols
primary # ldm set-mem 32g ols
primary # zfs create rpool/export/home/ldoms/ols
primary # mkfile -n 32g /ldoms/ols/disk0.img
primary # ldm add-vdsdev /ldoms/ols/disk0.img olsroot@primary-vds0
primary # ldm add-vdisk boot olsroot@primary-vds0 ols
primary # ldm add-vdsdev \
    /export/home/OL-SPARC/OL-201703262026-R6-U7-sparc-dvd.iso \
    oliso@primary-vds0
primary # ldm add-vdisk iso oliso@primary-vds0 ols
primary # ldm add-vnet pvid=123 eth0 primary-vsw0 ols
primary # ldm set-variable auto-boot\?=false ols
The Domain "ols" is assigned 4 cores (32 vCPU threads) and 32 GB of RAM. Jeff created a ZFS filesystem in the root pool to simplify snapshots and cloning of future images. A sparse file to act as the root disk of the Linux instance is created, exported through the virtual disk service, and added to the "ols" domain as a virtual disk. An Oracle Linux installation ISO was likewise exported and added to the guest as a second virtual disk (exporting the ISO read-only with "options=ro" on ldm add-vdsdev would let the same image back several simultaneous installations). A virtual network card was added to the guest on VLAN 123 and attached to the primary virtual switch. With "auto-boot?" disabled, an ok prompt in a virtual OpenBoot instance will appear once the Logical Domain is bound and started.


Starting the LDom

Solaris 11 also acts as a Service Domain in an Oracle VM Server for SPARC environment. The consoles for Guest Logical Domains are served by a Service Domain, normally the Primary Domain. A virtual console is not available until the domain is bound.
primary# ldm bind ols
primary# ldm start ols

primary# ldm list
NAME      STATE  FLAGS  CONS VCPU MEMORY UTIL NORM UPTIME
primary   active -n-cv- UART 16   32G    0.5% 0.5% 69d 10h 45m
ols       active -n---- 5000 8    32G    0.5% 0.5% 1d 1h 5m
Normally, the virtual console ports start their numbering from 5000 and increment.

Acquiring Virtual Console

The first virtual console for guests starts at 5000, the second assigned console would be 5001, and so on. A telnet to the localhost console port assigned to the Guest Domain gives access to the SPARC OpenBoot prompt. That console is not authenticated beyond having a shell on the control domain, so vntsd should stay bound to the loopback address (its vntsd/listen_addr SMF property) and never be exposed on a routable interface.
primary# telnet localhost 5000                                     
...                                                                
SPARC T5-2, No Keyboard                                            
Copyright (c) 1998, 2016, Oracle and/or its affiliates. All rights reserved.
OpenBoot 4.38.6, 32.0000 GB memory available, Serial #xxxxxxxx.    
Ethernet address 0:14:4f:f8:96:25, Host ID: xxxxxxxx.              
{0} ok
                                                            

Media bound to the domain can now be booted from the ok prompt.

Boot Oracle Linux from ISO

The available device aliases can be listed, and the installation media booted, from the ok prompt.

{0} ok devalias                                                                 
boot                     /virtual-devices@100/channel-devices@200/disk@0        
iso                      /virtual-devices@100/channel-devices@200/disk@1        
eth0                     /virtual-devices@100/channel-devices@200/network@0     
net                      /virtual-devices@100/channel-devices@200/network@      
disk                     /virtual-devices@100/channel-devices@200/disk@1        
virtual-console          /virtual-devices/console@1                             
name                     aliases                                                
{0} ok boot iso                                                                 
Boot device: /virtual-devices@100/channel-devices@200/disk@1  File and args:    
                                                                                
                             GRUB Welcome to GRUB!                              
                          GNU GRUB  version 2.02~beta3                          
 +----------------------------------------------------------------------------+ 
 |*Install linux using text mode (use DHCP)                                   | 
 | Install linux using VNC (graphical) mode (use DHCP)                        | 
 | Rescue mode (use DHCP)                                                     | 
 |                                                                            | 
 |                                                                            | 
 |                                                                            | 
 +----------------------------------------------------------------------------+ 
      Use the ^ and v keys to select which entry is highlighted.                
      Press enter to boot the selected OS, `e' to edit the commands             
      before booting or `c' for a command-line.                                 
      The highlighted entry will be executed automatically in 0s.               

In Conclusion:

Oracle Linux is now a viable platform under SPARC. The SPARC Software in Silicon features, such as the DAX query accelerators, decompression engines and crypto engines, are made fully available by the Solaris 11 based Oracle VM Server for SPARC control domain. The Linux Guest Domains can be live migrated just like any Solaris 10 or Solaris 11 Guest Domains.




Thursday, February 2, 2017

Oracle Linux on SPARC Arrives!

[SPARC M7 Die with Floor Plan]

Abstract:

Sun Microsystems had long hosted multiple processors in its workstation and server platforms, dating back to the Motorola 68000, Intel x86 and SPARC, and later re-introducing Intel. Sun mostly ran SunOS, rebranded as Solaris with the investment from AT&T SVR4, and occasionally ran other OS derivatives under various appliances. Today, Oracle is making Oracle Linux an officially supported platform under SPARC.

[Courtesy: Oracle Exadata SL6 SPARC Linux Presentation]

Presenter:

Juan Loaiza
Senior Vice President
Oracle Corporation

[Courtesy: Oracle Exadata SL6 SPARC Linux Presentation]

Major Points

Linux is supported on a new SPARC Exadata platform. Two presentations were covered.

[Courtesy: Oracle Database Exadata SL6 SPARC Linux Presentation]

SPARC M7

The world's fastest general-purpose processor, with Software in Silicon breakthroughs.

[Courtesy: Oracle Database Exadata SL6 SPARC Linux Presentation]

DAX

32 Database Accelerators added on the M7 Silicon are available under Linux.

[Courtesy: Oracle Database Exadata SL6 SPARC Linux Presentation]

Decompression

32 Decompression Engines added on the M7 Silicon are available under Linux.

[Courtesy: Oracle Database Exadata SL6 SPARC Linux Presentation]

Security in Silicon

Per the slide, buffer overflow attacks are eliminated under Linux. The feature behind the claim is the M7's Silicon Secured Memory, which tags memory allocations and traps any reference whose pointer tag does not match the memory's tag, at hardware speed rather than through an instrumented runtime.

[Courtesy: Oracle Database Exadata SL6 SPARC Linux Presentation]

Intel Replaced with Faster SPARC

With the Exadata SPARC Linux platform, the slower Intel nodes are replaced with a higher speed SPARC node. The cost is the same.

Conclusions:

Oracle now offers not only the fastest databases and SPARC as the fastest general-purpose CPU, but also a popular Linux operating system to supplement the Solaris operating system.



Oracle Solaris & SPARC Platform Update for Feb 2017

Abstract:

Oracle had acquired Sun Microsystems almost a decade ago. Continued investment had occurred in the Systems and Platform products. SPARC had moved to become the fastest processor on the market 2 years back, Solaris is now moving to agile Continuous Delivery Model to increase cadence, and the SPARC cadence will continue to maintain best-in-class performance.

Presenter:

John  Fowler
Executive Vice President of Systems
Oracle Corporation

High Level Points:

Four Take Away points were provided by Mr. Fowler.

SPARC Performance Prior to Oracle

Before Oracle's acquisition of Sun, SPARC platform performance was lagging in the industry, but Oracle investment had brought it to the pinnacle of the market in a short number of years.

SPARC Performance Today

Oracle is leading the market in systems performance, both in general-purpose computing and in embedded accelerators that speed up business-critical and security workloads. Oracle intends to keep this performance lead.


Solaris Agile Continuous Improvement

Solaris had traditionally been under a waterfall style of major release cycle. Solaris is being migrated to an agile continuous delivery cycle, where features and benefits will be introduced continuously, without the risk of large monolithic releases.

Oracle SPARC & Solaris Platform Roadmap

With the adoption of the new agile continuous delivery model for Solaris, the roadmap changes little in substance, except that support now extends to later dates, decades from today.
This overview was excellent preparation for customers ahead of the on-site visits.

Solaris 12 Features

Not explicitly mentioned in the presentation, but Solaris 12 features will be folded into Solaris 11 updates. During an on-site meeting with an engineer, it was indicated that Ksplice should be coming to Solaris 11. This was a big feature expected in Solaris 12: kernel patching would no longer require a reboot under Solaris.

Conclusions:

Oracle continues the decades-long progression of Sun Microsystems in serving educational facilities, engineering facilities, individual enterprises, and ultimately the Internet. The processor cadence has increased, and the cadence for Solaris features is now poised to accelerate.