Topic: Solution-Two options: How can I make NAS device stay Online?

pigdog

Re: Solution: How can I make NAS device stay Online?
« Reply #15 on: July 14, 2009, 05:52:13 pm »
DNS Password - Reload Router Test.

Systems involved: 1 Core/Hybrid, 1 MD & 1 DNS-323 NAS equipped with 2 HDD's (1-TB & 1-500GB).

Test Case 1:  No username/password on DNS-323 or on Device Tree Windows Share-Volume views.

Device template -File Server #1837
This device controlled via - Core
IP Address and MAC Address assigned.
Registered: No
Serial Number - ip address.
Description - NAS

Device template - Windows Share #1768
This device controlled via - NAS
Registered: No
PK_Users - Use LMCE's directory structure
Share Name - Volume_#
Filesystem - cifs
Free Disk Space in MBytes - XXXXX
Serial Number - MAC address\Volume_#
Auto-assign to parents room - checked.
Readonly - checked
Online - checked



On Core/Hybrid & MD

main menu Media> Video "LinuxMCE Video File : Title" displayed.  Selected movie plays.



On Core/MD <CTRL/ALT> <F1>  Login
ping -qnc 1 -W 1 192.168.80.xxx &> /dev/null
echo "$?"

Returned "0" - can ping NAS.

(Side note: <CTRL><F7> back to main menu on MD screen refresh slow - Core fine)



On Core via menu Advanced> Quick Reload

On Core/MD - Orbiter screen refreshes. MD runs detection scripts.
NAS can be ping'd.
Check Online status for share volumes - checked.  Media plays.



Test Case 2:  Username/Password programmed on DNS-323.

DNS-323 volume shares set to read/write.  DNS-323 sets oplocks & maparchive = yes automatically when programming users.
Windows shares #1768
- Username/Password - programmed.
- Password Required - checked.
- Online - not checked.

On Core/MD
- Returned "0" - can ping NAS.

Media> Video - NO listings.

Went into Windows shares
- Use Automatically - checked> save.



On Core via menu Advanced> Quick Reload
- Media> Video - NO listings.



Rebooted systems.  When Core running Kinit powered up DNS-323. 
- Received CIFS VFS: Error connecting to socket.  Aborting operation
- CIFS VFS: cifs_mount failed w/return code = -111
- Returned "0" - can ping NAS.
- Media> Video - NO listings.



On Core did smbclient -U username%password --list=//192.168.80.XXX --grepable
- Domain=[LINUXMCE] OS=[UNIX] Server=[Samba 3.0.24]
- Server requested LANMAN password (share-level security) but 'client lanman auth' is diabled
- tree connect failed: SUCCESS - 0



Then I tried this.

From the website:
http://www.mail-archive.com/ubuntu-bugs@lists.ubuntu.com/msg884832.html

"I didn't remember that share-level security was restricted to lanman
password authentication, but now that I see that, this failure to
connect makes sense. It is not accidental that the client refuses to
negotiate security in such a situation; I still believe this is the
correct default for libsmbclient to use in hardy*, because enabling weak
authentication in the client doesn't just make it possible to use older
servers, it also makes it possible for a man-in-the-middle attacker to
trick your client into using weak authentication when trying to talk to
a newer server, compromising other passwords in the process.

As a workaround, users who need to access security=share servers can add
'client lanman auth = yes' to the [global] section of
/etc/samba/smb.conf on their hardy client systems, to enable negotiation
of this weak authentication protocol."

*In our instance - Intrepid.

So I added the "client lanman auth = yes" to smb.conf, issued a service samba restart and everything now works.



On Core did smbclient -U username%password --list=//192.168.80.XXX --grepable
- Domain=[LINUXMCE] OS=[UNIX] Server=[Samba 3.0.24]
- Disk|Volume_2|
- Disk[web_page]Enter Our Web Page Setting
- Printer|lp|USB Printer
- Disk|Volume_1|
- IPC|IPC$|IPC Service (DNS-323)
- Domain=[LINUXMCE} OS=[UNIX] Server=[Samba 3.0.24]
- Server|NAS-1|DNS-323
- Workgroup|LINUXMCE|



On Core via menu Advanced> Quick Reload

On Core/MD - Orbiter screen refreshes. MD runs detection scripts.
NAS can be ping'd.
Check Online status for share volumes - checked.  Media plays.



Use Automatically - in Windows Share makes no impact if checked or unchecked.  By default it is unchecked.


There are presently two options on the DNS-323 firmware version 1.07.
      - Don't use username/password - no authentication required.
      - Use username/password with smb.conf parameter.
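Two checks that follow from the write-up above, as an added example (not LinuxMCE's or Samba's own code): one recognises the share-level-security failure in smbclient's listing and extracts the Disk shares when the listing succeeds; the other parses smb.conf the way Samba compares parameter names and reports whether [global] carries the 'client lanman auth = yes' workaround, the setting that re-enables the downgradable LANMAN hash. The sample listing and smb.conf are constructed from the outputs quoted in this post.

```python
"""Checks for the failure and workaround discussed in this thread (added example,
not LinuxMCE or Samba code).  Sample inputs are constructed from the thread."""
import re

LANMAN_MSG = "Server requested LANMAN password (share-level security)"
# Constructed from the smbclient listings quoted in the thread.
SMBCLIENT_FAIL = """Domain=[LINUXMCE] OS=[UNIX] Server=[Samba 3.0.24]
Server requested LANMAN password (share-level security) but 'client lanman auth' is disabled
tree connect failed: SUCCESS - 0"""
SMBCLIENT_OK = """Domain=[LINUXMCE] OS=[UNIX] Server=[Samba 3.0.24]
Disk|Volume_2|
Printer|lp|USB Printer
Disk|Volume_1|"""
# Constructed smb.conf carrying the workaround from the thread.
SMB_CONF_WEAK = """[global]
   workgroup = LINUXMCE
   Client LanMan Auth = yes
[public]
   path = /home/public"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are normalised the way Samba
    compares them (case-insensitive, whitespace ignored)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def lanman_auth_setting(text):
    """'yes'/'no' when [global] sets 'client lanman auth', else 'unset' (the
    built-in default differs between Samba versions, so verify it by hand)."""
    value = parse_smb_conf(text).get("global", {}).get("clientlanmanauth")
    if value is None:
        return "unset"
    return "yes" if value.lower() in ("yes", "true", "1") else "no"

def classify_smbclient(output):
    """('lanman_required', []) on the share-level-security failure, else ('ok', shares)."""
    if LANMAN_MSG in output:
        return "lanman_required", []
    shares = [ln.split("|")[1] for ln in output.splitlines() if ln.startswith("Disk|")]
    return "ok", shares
```

Running lanman_auth_setting over each Core's /etc/samba/smb.conf is a quick way to find the machines where the weak protocol has been left switched on after the NAS problem is solved.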

jimmejames

Re: Solution-Two options: How can I make NAS device stay Online?
« Reply #16 on: July 14, 2009, 07:43:52 pm »
Sorry- been planning my wedding... Fiancé still believes it is more important than lmce

pigdog

Re: Solution-Two options: How can I make NAS device stay Online?
« Reply #17 on: July 14, 2009, 08:11:08 pm »
Yeah,  my wife has no sense of humour when it comes to "are you at that damn thing AGAIN!".

I just smile, nod dutifully and say 'Yes dear.'

colinjones

Re: Solution-Two options: How can I make NAS device stay Online?
« Reply #18 on: July 15, 2009, 12:38:36 am »
Well done! Now all you need to do is work out a patch for the project that fixes this for such NAS's and doesn't break it for SMB shares that don't use that security option, and submit it!

pigdog

Re: Solution-Two options: How can I make NAS device stay Online?
« Reply #19 on: July 15, 2009, 04:25:01 am »
Hi colinjones,

I wish I had the skill set to do that (work out a patch) but I don't.

tschak909

Re: Solution-Two options: How can I make NAS device stay Online?
« Reply #20 on: July 15, 2009, 07:30:15 am »
colinjones, this is WHY we actually are supposed to make device templates for specific NASes that don't behave properly.

-Thom

colinjones

Re: Solution-Two options: How can I make NAS device stay Online?
« Reply #21 on: July 15, 2009, 08:33:44 am »
> colinjones, this is WHY we actually are supposed to make device templates for specific NASes that don't behave properly.
>
> -Thom

Thom - you can hardly expect me to create a new template for a NAS I don't own, for an issue I can neither reproduce nor that I understand the specifics of?!

tschak909

Re: Solution-Two options: How can I make NAS device stay Online?
« Reply #22 on: July 15, 2009, 10:03:08 am »
nope, not expecting _you_ to..

but this is literally how you solve these problems. It also allows for custom PnP configuration to take place (i.e. sending web page requests to automatically configure the device, etc.)

Look at the Buffalo and Maxtor NAS templates to get an idea.

-Thom

colinjones

Re: Solution-Two options: How can I make NAS device stay Online?
« Reply #23 on: July 15, 2009, 03:32:59 pm »
Thom - hmm never thought of the sending/GETting web pages approach, that's interesting (more generally), was thinking more along the lines of pushing a share/server-specific config file change to the samba conf

... hmm not sure, that approach would be cooler, but perhaps changing the samba conf for specific shares would be lower impact... (to other devices also accessing the same share)


pigdog... can you detail more specifically what changes exactly you made to make it work?

pigdog

Re: Solution-Two options: How can I make NAS device stay Online?
« Reply #24 on: July 15, 2009, 04:45:32 pm »
Hi colinjones,

The first thing I had to do was upgrade my DNS-323 to the latest firmware version, 1.07.

With no username/password on the DNS-323 the default templates of Device template -File Server #1837 and Device template - Windows Share #1768 work fine - no changes.

- device can be ping'd.

Device template -File Server #1837
This device controlled via - Core
IP Address and MAC Address assigned.
Registered: No
Serial Number - ip address.
Description - NAS

Device template - Windows Share #1768
This device controlled via - NAS
Registered: No
PK_Users - Use LinuxMCE's directory structure
Share Name - Volume_#
Filesystem - cifs
Free Disk Space in MBytes - XXXXX
Serial Number - MAC address\Volume_#
Auto-assign to parents room - checked.
Readonly - checked
Online - checked

With a username/password on the DNS-323 and the default templates of Device template -File Server #1837 and Device template - Windows Share #1768 (with username/password programmed plus password required - checked), the /etc/samba/smb.conf file needs 'client lanman auth = yes' added to the [global] section (needs service samba restart).

Device template -File Server #1837
This device controlled via - Core
IP Address and MAC Address assigned.
Registered: No
Serial Number - ip address.
Description - NAS

Device template - Windows Share #1768
This device controlled via - NAS
Registered: No
PK_Users - Use LinuxMCE's directory structure
Share Name - Volume_#
Filesystem - cifs
Free Disk Space in MBytes - XXXXX
Serial Number - MAC address\Volume_#
Auto-assign to parents room - checked.
Username/Password - programmed.
Password Required - checked.
Readonly - checked
Online - checked

Without adding the change to smb.conf the device can be ping'd but never gets checked as online.

So, in a nutshell DNS-323 version 1.07 - no username/password - no changes.  With username/password, password required-checked - need change to smb.conf (needs service samba restart).

Cheers.
« Last Edit: July 15, 2009, 08:37:13 pm by pigdog »

colinjones

Re: Solution-Two options: How can I make NAS device stay Online?
« Reply #25 on: July 15, 2009, 11:12:24 pm »
I don't suppose anyone else reading this, with 0810 and using Windows shares on a Windows machine and/or another NAS, and/or using this NAS and the earlier firmware, could test adding this line to the config, rebooting and determining whether it affects their access to the shares? If there is no impact, then it may just be better to add this line of config more generally to 0810..

pigdog

Re: Solution-Two options: How can I make NAS device stay Online?
« Reply #26 on: July 15, 2009, 11:41:19 pm »
Hi colinjones,

From reading the original bug report, to me, (but who am I anyway?), it sounds like they are more concerned with network security stuff.

Quote stuff...

In the end, the explanation for being unable to connect to servers using share-level security is very straightforward.

If I configure a samba server here for security=share and connect with smbclient, I see the following:

$ smbclient //borges/pub
Password:
Domain=[DNSG] OS=[Unix] Server=[Samba 3.0.30]
Server not using user level security and no password supplied.
Server requested LANMAN password (share-level security) but 'client use lanman
auth' is disabled
tree connect failed: SUCCESS - 0
$

The use of lanman authentication has been disabled on both client and server in Ubuntu 8.04 because it's substantially weaker than NTLM passwords, and therefore more vulnerable to decryption attacks of the network traffic.  To be precise, the man page for smb.conf says:

          This parameter determines whether or not smbclient(8) and other samba client tools will attempt to authenticate itself to servers using the weaker LANMAN password hash.
          If disabled, only servers which support NT password hashes (e.g. Windows NT/2000, Samba, etc... but not Windows 95/98) will be able to be connected from the Samba client.

          The LANMAN encrypted response is easily broken, due to its case-insensitive nature, and the choice of algorithm.  Clients without Windows 95/98 servers are advised to disable this option.

          Disabling this option will also disable the client plaintext auth option

I didn't remember that share-level security was restricted to lanman password authentication, but now that I see that, this failure to connect makes sense.  It is not accidental that the client refuses to
negotiate security in such a situation; I still believe this is the correct default for libsmbclient to use in hardy, because enabling weak authentication in the client doesn't just make it possible to use older
servers, it also makes it possible for a man-in-the-middle attacker to trick your client into using weak authentication when trying to talk to a newer server, compromising other passwords in the process.

As a workaround, users who need to access security=share servers can add 'client lanman auth = yes' to the [global] section of /etc/samba/smb.conf on their hardy client systems, to enable negotiation of this weak authentication protocol.

For nautilus/gvfs, there definitely should be a better feedback mechanism about this problem, so that users get some indication of why the connection has failed.

... unQuote stuff.

My NAS is inside my little network and not exposed to the outside world.  I would hate to assume (ass u me) but probably most everyone else's is too?

Those wanting to expose themselves outside have to know when to keep their overcoats buttoned.

Either that, or you get stuck with adding another check box to the template that says "Authenticate Using LANMAN password".

How many options do you want to start sticking in templates?  Beats me!  From my experience I know it's a slippery slope.

How many options do you end up with to make something more flexible, or how many device specific templates do you create?

You guys know the answers and consequences better than I do.
« Last Edit: July 15, 2009, 11:52:35 pm by pigdog »

colinjones

Re: Solution-Two options: How can I make NAS device stay Online?
« Reply #27 on: July 16, 2009, 03:47:37 am »
pigdog - I would say that as LMCE is the smb client, enabling this option doesn't make the network any more or less secure, whether or not the NAS is exposed. It is the NAS itself that is the security issue, so whether LMCE allows this weaker security or not isn't going to reduce security; security is already reduced by the existence of the NAS which only allows this lesser security method.... it's bowing to the lowest common denominator, but I think LMCE should enable this for maximum pnp-ability!

pigdog

Re: Solution-Two options: How can I make NAS device stay Online?
« Reply #28 on: July 16, 2009, 04:00:45 pm »
Hi colinjones,

Just adding the 'client lanman auth = yes' string to smb.conf would avoid having to make any changes to templates.

Again, thanks for your help in sorting out the DNS NAS problem.

Zaerc

Re: Solution-Two options: How can I make NAS device stay Online?
« Reply #29 on: July 16, 2009, 06:25:50 pm »
I don't think it would be wise to sacrifice security merely because some NAS vendor refuses to enter the 21st century.
"Change is inevitable. Progress is optional."
-- Anonymous