Samba breaches vs. features: UX vs. MPE

HP released a new security patch last week to block a back door in the HP-UX Samba software, one of many that surface for HP's Unix environment. The vulnerability in versions A.02.03.04 and vA.02.04 running on HP-UX B.11.11, B.11.23, or B.11.31 could let a remote user gain unauthorized access to an Integrity or PA-RISC Unix server.

HP has a software update available for download to block the breach. Meanwhile, the HP 3000 user who's employing Samba for file and printer sharing isn't affected by this vulnerability. The most recent Samba/iX is 3.0.22, one of the final projects released by the HP labs. Samba has been installed with any MPE/iX release newer than 6.0, and patches for Samba/iX to lift it up to the 3.0.2 version are available for free download from the HP IT Response Center Web site. There's even a SWAT Samba administration tool that runs with Samba/iX. If you're unfamiliar with how SWAT makes Samba an even better tool, has a SWAT primer online.

Samba has helped the HP 3000 join the standard networks of many heterogeneous shops in the decade-plus it's been available. But the MPE/iX version is behind the current HP-UX release. This is a tradeoff for companies using Samba -- run it on the Unix servers and apply security patches, or use the HP 3000s and enjoy the security-by-design, but with fewer features and no bug fixes.

The 3000 version is not very many months out of date. In October of last year, the 3.0.37 version emerged for the community to add security patches. But the patches are aimed at more Unix-like environments, such as Apple's OS X, HP's HP-UX and Linux.

The latest public release of Samba for the non-3000 world is version 3.4. The feature set at which the 3000 version is frozen includes these features, new in 2006 and ported in 2007:

  • Encrypted password mechanisms
  • A new password database back-end (since Samba's password databases are different from the MPE HPUID.PUB.SYS user database)
  • The account management tools smbpasswd and pdbedit
  • An enhanced "net" command which now works "just like those on Windows and DOS systems." (If you don't know what DOS stands for, grab the oldest IT worker you know and ask.)

But an official port for Samba on the 3000 is not linked at the page. HP did the work on the last release, but it hasn't been re-integrated with the releases of the worldwide organization. Now that the group has moved onward to 3.4, the interest must be generated by HP 3000 porting advocates.

Choosing to use Samba under HP-UX eliminates the question of whether the release is bug-fixed. The security breaches for Unix-based servers are an every-week occurrence. Sendmail versions 8.9.3 and 8.11.1 have been hit with a Denial of Service vulnerability, which HP has patched with an update.

In 2007 HP wrote a white paper on bringing Samba from the 3.0.22 MPE/iX version to full compliance with the latest release. The paper says that it gives the techniques to

1. Refresh a new version of Samba on MPE/iX,
2. Apply future patches released by the Samba organization and
3. Quickly fix defects in Samba/iX