Samba Builtin/Entware: Public Shares / Windows 10

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page Previous  1, 2, 3, 4  Next
Author Message
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 9596
Location: Netherlands

PostPosted: Wed Dec 01, 2021 8:05    Post subject: Reply with quote
https://svn.dd-wrt.com/changeset/47087

I think this was the only way to allow to access the shares without a login.

I can make a drop down box in the GUI but what should be in it?

I do not use samba have my dedicated QNAP Pro 453 with 4 * 8 TB Smile

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Sponsor
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 168
Location: Portugal

PostPosted: Wed Dec 01, 2021 12:39    Post subject: Reply with quote
Okay guys, I took time time to read the other thread and think about this, here are my two cents into the subject. Correct me at any point if I'm wrong!

kernel-panic69 wrote:
That setting was changed due to previous issues, if I am not mistaken. Everyone else has not had these issues because they likely have been following the bouncing ball of discussion in the forum about these issues...


Yeah I stumbled across this issue while thinking the issue was another thing. Our current facts:

It seems like Microsoft decided to "kill" guest access to shares:

- https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default

Quote:
In Windows 10, version 1709, (...) no longer allows the following actions:

Guest account access to a remote server


According to them this was done because:

1) "Guest logons do not support standard security features such as signing and encryption." > possibly breaking the SMB3 "standard"
2) "guest logons makes the client vulnerable to man-in-the-middle attacks that can expose sensitive data on the network"
3) "A malicious computer that impersonates a legitimate file server could allow users to connect as guests without their knowledge" > serious security issues.

- https://www.nodeum.io/howto/guest-access-in-smb2-disabled-by-default-in-windows-10
- https://www.claudiokuenzler.com/blog/879/windows-10-server-2016-access-samba-share-guest-account-analysis-workaround-event-31017

In Samba4 the default of "map to guest" is set to "never": https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
(This explain why it worked just fine from a Entware USB install)

macOS doesn't care about it (just tested).

So having a "bad user" default breaks the compatibility of DD-WRT's SMB with the Windows, therefore making the feature useless for most users - M$ error messages are cryptic as usual, it takes a while to figure out about that "Enable insecure guest logons" option.

SMB was broken for so long that nobody will even try to look for settings under Windows. People will just assume DD-WRT's SMB is broken "as usual" and move on to Entware (like I did Very Happy)

egc wrote:
https://svn.dd-wrt.com/changeset/47087

I think this was the only way to allow to access the shares without a login.

I can make a drop down box in the GUI but what should be in it?

I do not use samba have my dedicated QNAP Pro 453 with 4 * 8 TB Smile


I see two options here:

a) Bluntly change the parameter to "never" and remove public shares from dd-wrt cause they aren't supported by Windows. Probably will enrage everyone using macOS/Linux. Sad

b) Make it available but smart and useful for everyone:
1. Set "map to guest" to "never" as default;
2. Hide/disable all public sharing options by default from the UI:

3. Add a checkbox/radio in the Samba section that says "Enable public shares feature";
4. Whenever someone checks the checkbox do this:
4.1. Display the following message: "Enabling this feature breaks Windows 10 version 1709+ compatibility unless the 'Enable insecure guest logons' policy is enabled."
4.2. Change "map to guest" to "bad user"

This proposed solution would make it work for everyone: for Windows users that just want something to work out of the box AND for users who want public shares. The message will tell users exactly what happens if they enable the feature and how to deal with it under Windows / ignore it under macOS/Linux. Smile

Can someone else also give feedback into this solution?

Thank you and keep up the great work!

_________________
3x Netgear R7000 (v3.0-r48741); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).


Last edited by TCB13 on Wed Dec 01, 2021 17:24; edited 1 time in total
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12439
Location: Texas, USA

PostPosted: Wed Dec 01, 2021 16:23    Post subject: Reply with quote
I am absolutely thrilled that you double-quoted me for more emphasis (SIC). I think most people were using the insecure guest logons as a workaround on the windows side without knowing it or something. Getting Windows, MacOS, and Linux to seamlessly play together has always been a game of whack-a-mole. Anxiously awaiting the next thing that M$ breaks all to sh*t.
_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware‽
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is‽
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 168
Location: Portugal

PostPosted: Wed Dec 01, 2021 17:30    Post subject: Reply with quote
kernel-panic69 wrote:
I am absolutely thrilled that you double-quoted me for more emphasis (SIC). I think most people were using the insecure guest logons as a workaround on the windows side without knowing it or something. Getting Windows, MacOS, and Linux to seamlessly play together has always been a game of whack-a-mole. Anxiously awaiting the next thing that M$ breaks all to sh*t.


Ahaha double quote, my bad Laughing

M$ is always changing the rules of the game. I do understand why they've disabled public shares, specially in SMB3 where encryption is an assumed feature but its still a pain.

I guess for now by (b) suggestion would be the way to have the multi-platform support. Meanwhile I've decided to add the following to my startup:

Quote:
# Built in Samba - Fix SMB Windows
sed -i "/^map to guest/c\map to guest = never" /tmp/smb.conf
killall ksmbd.mountd
ksmbd.mountd -c /tmp/smb.conf -u /tmp/smb.db


This way I can still use the GUI to configure users and shares and have it working out of the box under Windows and macOS.

This method has the obvious caveat of having to reboot after changing Samba settings, but its better than the other options.

Thank you.

_________________
3x Netgear R7000 (v3.0-r48741); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 9596
Location: Netherlands

PostPosted: Wed Dec 01, 2021 18:40    Post subject: Reply with quote
I cannot do any sophisticated things at the moment as I am tied up and that would really need me to dig in and test etc.

I made a dropdown box which lets you choose "bad user" or "never" do not look at the text/translation
Everyone = bad user
Restricted= never

Everyone:
smbd.conf
Quote:
guest account = nobody
map to guest = bad user
smb passwd file = /var/samba/smbpasswd
private dir = /var/samba


Restricted:
Quote:
guest account = nobody
map to guest = never
smb passwd file = /var/samba/smbpasswd
private dir = /var/samba


I think you have got an R7000 attached the build, do not use it unless you know how to recover I cannot be held responsible for any mischief Smile.

It is experimental but runs on my EA6900 (which uses the same build) and my R6400v1 which uses an 128K build

Suggestions for better text/translation are more than welcome Smile



Naamloos.png
 Description:
 Filesize:  6.02 KB
 Viewed:  1102 Time(s)

Naamloos.png



47692-exp-K3_R7000.zip
 Description:

Download
 Filename:  47692-exp-K3_R7000.zip
 Filesize:  18.86 MB
 Downloaded:  56 Time(s)


_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 168
Location: Portugal

PostPosted: Wed Dec 01, 2021 19:35    Post subject: Reply with quote
egc wrote:
I cannot do any sophisticated things at the moment as I am tied up and that would really need me to dig in and test etc.

I made a dropdown box which lets you choose "bad user" or "never" do not look at the text/translation

Suggestions for better text/translation are more than welcome Smile


I just tested your fix and it works just fine! Smile



About the translations maybe it can be really "Map to guest" with "Bad User" and "Never". As long as the "Never" is the default option people will not mess it with. Advanced users will know what this does (probably).

Thank you.

_________________
3x Netgear R7000 (v3.0-r48741); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 9596
Location: Netherlands

PostPosted: Wed Dec 01, 2021 19:52    Post subject: Reply with quote
Good suggestion glad it is working.

Do a CTRL+F5 in the browser that will clear the "undefined"

Maybe I have time to morrow to speak to the Big Boss, and see if I can persuade him to add this Smile

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 168
Location: Portugal

PostPosted: Wed Dec 01, 2021 19:55    Post subject: Reply with quote
egc wrote:
Good suggestion glad it is working.

Do a CTRL+F5 in the browser that will clear the "undefined"

Maybe I have time to morrow to speak to the Big Boss, and see if I can persuade him to add this Smile


Glad to be helpful. Btw, according to https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html Samba supports the following options for "Map to guest":

- Never
- Bad User
- Bad Password
- Bad Uid

Maybe you can add all of them just in case anyone complains about this.

Thank you.

_________________
3x Netgear R7000 (v3.0-r48741); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12439
Location: Texas, USA

PostPosted: Wed Dec 01, 2021 20:43    Post subject: Reply with quote
Now we change the rules and see how many people wonder why their current configs are broken... *chuckles* At least this is all out in the open, so if they didn't know, it's their fault for not reading this thread! (SIC)
_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware‽
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is‽
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 168
Location: Portugal

PostPosted: Wed Dec 01, 2021 20:45    Post subject: Reply with quote
Well, I just changed the title of the thread to make it more helpful. If anyone rants I'll double quote them until they get it ahah Laughing
_________________
3x Netgear R7000 (v3.0-r48741); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 9596
Location: Netherlands

PostPosted: Thu Dec 02, 2021 10:00    Post subject: Reply with quote
Patch send upstream, I will let the head honcho decide about the text etc.

I have to return to my regular work (working on OpenVPN Smile )

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 3881

PostPosted: Thu Dec 02, 2021 10:12    Post subject: Reply with quote
Nice. Smile
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 168
Location: Portugal

PostPosted: Thu Dec 02, 2021 11:01    Post subject: Reply with quote
Great thank you!
_________________
3x Netgear R7000 (v3.0-r48741); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12439
Location: Texas, USA

PostPosted: Thu Dec 02, 2021 16:57    Post subject: Reply with quote
TCB13 wrote:
Well, I just changed the title of the thread to make it more helpful. If anyone rants I'll double quote them until they get it ahah Laughing



_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware‽
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is‽
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12439
Location: Texas, USA

PostPosted: Thu Dec 02, 2021 16:59    Post subject: Reply with quote
egc wrote:
Patch send upstream, I will let the head honcho decide about the text etc.

I have to return to my regular work (working on OpenVPN Smile )

blkt wrote:
Nice. Smile

x2. Still working on Android tethering being added when I feel like being cross-eyed.

_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware‽
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is‽
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
Goto page Previous  1, 2, 3, 4  Next Display posts from previous:    Page 2 of 4
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum