D-Link Forums
The Graveyard - Products No Longer Supported => D-Link Storage => DNS-323 => Topic started by: Rodent on February 22, 2010, 04:18:32 PM
-
I thought I would start up a voting topic just to see how many people want this feature back.
I am at a point of buying another NAS box that is not a DNS because of this issue.
Rodney
-
I'd vote for it to come back. :)
-
I'll vote yes ::)
-
me 2
-
Is this due to upgrading to 1.08 where you try to connect to the NAS and it asks for a password? I only noticed this after the upgrade.... Now, what in the world is the GUEST password. I had to reconfig the shares so it does not ask for the password.
-
1.07 and 1.08 changed the SAMBA permissions so that if any shares were password protected, you could not have a share that was anonymous and didn't require any password.
This was not the case in earlier versions, you could mix password protected shares and unprotected shares.
-
+1 for me
-
It better come back by tomorrow.
The DNS-323 is packed and will be returned to Best Buy tomorrow.
Does anyone at D-Link get this issue at all?
In any case, can't seem to handle massive transfers w/o dropping out - so I doubt that resolving the shares issue will keep me on board.
-
me to.
-
Am I missing something here? I too would vote if I had the problem, but I have 1.08 with anonymous shares and password protected shares working together.
???
Forgot to say using XP and Ubuntu on all clients.
-
I'd sure like to see the configuration where anonymous and passworded shares work together. Even D-Link admitted that was removed from the current version.
I think you're not actually doing that...
-
Am I missing something here? I too would vote if I had the problem, but I have 1.08 with anonymous shares and password protected shares working together.
Well you can define anonymous and passworded shares in the DNS..
But try to access an anonymous share from XP where the XP Account name is NOT in the DNS-323 user list.
You will be prompted for credentials...
-
That applies to Vista or Win7 too. :(
-
I vote yes
-
Is there a D-link person that can comment on the problem?
-
Well you can define anonymous and passworded shares in the DNS..
But try to access an anonymous share from XP where the XP Account name is NOT in the DNS-323 user list.
You will be prompted for credentials...
Yes that is the only thing I haven't tried.
I have tried to access an anonymous share from Ubuntu where the account name is not in the user list and it works without prompting for credentials.
-
They commented to me some time ago, apparently the last word. Some mumbo-jumbo about changing SAMBA and problems with the old access methods.
-
They commented to me some time ago, apparently the last word. Some mumbo-jumbo about changing SAMBA and problems with the old access methods.
Well all I can say is that there are plenty and I mean plenty of other devices out there that all use a UNIX kernel that can do the job, why are D-link having so much trouble providing the what I would say is the core security of this type of device?
I have small kids that use this device to watch movies, I also have documents and other contents that I do not want my kids to have access to, but my kids a too young to know what or how to enter a user name and password.
This is no light matter for me and when the function that I require when I brought this device are removed with a firmware upgrade and D-link are not responding to the numerous request on there own forum than maybe its time I move to another device that will do the job.
I have herd of firmware updates the give you enhancements but not to many that destroy a product for you!
Rodney
-
Well, most Windows systems will remember a name/password for a network resource, so it's still possible for your kids to use it. Just create a share for their folder with a unique name/password.
-
Well, most Windows systems will remember a name/password for a network resource, so it's still possible for your kids to use it. Just create a share for their folder with a unique name/password.
Computers are not the problem, media devices like WDTV Live and Mobile media player that you have to use on screen keyboards for are the problem because they don't remember user names and passwords and getting children to use them is just not going to happen as for myself I would rather not have to enter that information in every time I want to watch a movie, and yes I could use a simple user name and password lets say name: a and password: b but than whats the point of having a user name and password.
-
well for WDTVLive... there is an option for it to remember passwords and autologin...
but this still does not excuse D-Link....
-
They commented to me some time ago, apparently the last word. Some mumbo-jumbo about changing SAMBA and problems with the old access methods.
As Samba is used on both Linux and Windows, I wiould guess there must be a different implementation if the shares work correctly on Ubuntu but not on Windows.
-
Ok let me try and explain the nature of this change to the best of my ability and the reason why we can not change it back to the previous usage case.
Samba plays the top layer of the middleware for Linux account/access rights management. Samba does not change the actual permissions of the file/folder itself but instead maintains its own ruleset by referring to Linux permissions but not actually modifying them.
Microsoft has changed the way that CIFS/SMB authenticate and in order to work correctly we had to make modifications to our devices samba settings as well. As far as we 'know' no other vendor is offering an 'open' mode and a 'security' mode of samba working simultaneously. Generally a folder can be assigned with two access rights, R.W or RO. If a user can R/W a folder it would be strange if they also have a RO access to the folder but Samba CAN achieve this by creating a new sharename to the same path. You have seen this in our firmware by creating network permissions and a new share being created with something like Volume_1_1.
We would try 'maintaining' Linux permissions but this complicates things a bit more for both us and the user. On top of that for example if you wanted to setup permissioning for 3 users, A, B and C who belong to group "Allaccount", and whom have R/W access to Volume_1. If you wanted to say that only user C has RO access to Volume_1 that would be no problem using Linux permissions however if you have 2 accounts B, and C you wanted as RO there would be a problem because only one owner is allowed per folder. Example,
dr-xrwxrwx 6 a allaccou 4096 Nov 20 14:05 Volume_1
Believe me when I say that we are working on a viable solution to the best of our abilities but at the same time we MUST maintain proper interoperability with Windows since that is the majority market of our user base.
-
On top of that for example if you wanted to setup permissioning for 3 users, A, B and C who belong to group "Allaccount", and whom have R/W access to Volume_1. If you wanted to say that only user C has RO access to Volume_1 that would be no problem using Linux permissions however if you have 2 accounts B, and C you wanted as RO there would be a problem because only one owner is allowed per folder.
Man... you lost me in there...
This is what I understood from your example:
Users A, B, C are part of group "All Accounts"
grp "All Accounts" has R/W access to Volume_1
Now if we want to have just user C with RO (Read Only) access to Volume_1 --> its doable
but if user B and C with RO access to Volume_1 --> Not possible ??
Why?
And in what pratical reason would someone give R/W access to all the folders to everyone to then restrict some users to the same folder?
-
Yes please, I would like this back too :)
A friend of mine who also has a DNS-323 said he also agrees, so that's another two for your list ;)
-
As far as we 'know' no other vendor is offering an 'open' mode and a 'security' mode of samba working simultaneously.
Well, that's not really correct. My Synology DS209 allows that configuration, and it works as expected, and how the DNS-323/321 used to work.
-
You have my vote!
I would like to be able to upgrade from firmware 1.7, please.
-
Well, that's not really correct. My Synology DS209 allows that configuration, and it works as expected, and how the DNS-323/321 used to work.
Incoming Copy and Paste from Wikipedia
Starting with Windows Vista, and also with Windows Server 2008, both LM and NTLM are deprecated by default. NTLM is still supported for inbound authentication, but for outbound authentication a newer version of NTLM, called NTLMv2, is sent by default instead. Prior versions of Windows (back as far as Windows NT 4.0 Service Pack 4) could be configured to behave this way, but it was not the default. Technically speaking, the computer will accept LM for inbound authentication but by default neither Windows Vista nor Windows Server 2008 store the LM hash. Therefore, there is no way for them to authenticate an inbound LM response - typical error message is System error 86 has occurred. The specified network password is not correct. You can control the authentication behavior, starting with Windows NT 4.0 Service Pack 4, using the LMCompatibilityLevel registry setting, shown in Group Policy as Network Security:LAN Manager Authentication Level. The default value for LMCompatibilityLevel in Windows Vista, Windows 7 and Windows Server 2008 is 3, or Send NTLMv2 Response Only.
Windows Vista and Windows 7 require NTLMv2 for authentication on NAS devices. The way that our old design and probably the current design on your DS209 is that it does not properly support NTLMv2 unless the samba mode is changed. Unless we can find a straight forward change that doesn't require us asking users to change their NTLM value in their registry, we need to keep the samba mode where it is at. This issue has been highlighted and reviewed multiple times with engineering. I hope I am wrong and this can be cured by some simple flag in a config file and still do proper authentication but as of right now this is change is strictly to play nice with Win Vista and Win7.
-
I'm sorry, but why can't you solve it with at least the option? Clearly, it's not that difficult to configure Vista or Windows 7 and disable NTLMv2.
http://www.windowsreference.com/windows-7/unable-to-access-network-share-on-macos-x-from-windows-7/ (http://www.windowsreference.com/windows-7/unable-to-access-network-share-on-macos-x-from-windows-7/)
And by the way, Network Security: LAN Manager Authentication Level in my Windows 7 is still at the default for Windows 7, which is "Not Defined", so the statement that there's "no way" clearly seems incorrect, because it's working with the Synology DS209. That setting should be forcing NTLMv2 if your previous post is correct...
-
I'm sorry, but why can't you solve it with at least the option? Clearly, it's not that difficult to configure Vista or Windows 7 and disable NTLMv2.
http://www.windowsreference.com/windows-7/unable-to-access-network-share-on-macos-x-from-windows-7/ (http://www.windowsreference.com/windows-7/unable-to-access-network-share-on-macos-x-from-windows-7/)
And by the way, Network Security: LAN Manager Authentication Level in my Windows 7 is still at the default for Windows 7, which is "Not Defined", so the statement that there's "no way" clearly seems incorrect, because it's working with the Synology DS209. That setting should be forcing NTLMv2 if your previous post is correct...
Yeah....telling consumers to change their NTLM level plain isn't going to happen. As manufacturers you have to figure out how to do it without the consumer tinkering around. While you as a technical person may be perfectly fine with doing these changes, it is not acceptable to many others. Also, unless you're quoting me from some random place, where did I say "no way"? As stated, the topic has been highlighted and discussed and when we have a solution that is acceptable to us, changes will be made.
-
Yeah....telling consumers to change their NTLM level plain isn't going to happen. As manufacturers you have to figure out how to do it without the consumer tinkering around. While you as a technical person may be perfectly fine with doing these changes, it is not acceptable to many others. Also, unless you're quoting me from some random place, where did I say "no way"? As stated, the topic has been highlighted and discussed and when we have a solution that is acceptable to us, changes will be made.
Well, the "no way" was in response to this comment.Technically speaking, the computer will accept LM for inbound authentication but by default neither Windows Vista nor Windows Server 2008 store the LM hash. Therefore, there is no way for them to authenticate an inbound LM response - typical error message is System error 86 has occurred.
Clearly, this unit is running Linux, and it's managing to deal with Windows 7 in it's native form without any issues. I can't say what hacks have been made to SAMBA or other parts of the kernel by the manufacturer, but it is working. :)
Is there any way to have this be an option for folks that don't mind configuring this setting?
-
Well, the "no way" was in response to this comment.Clearly, this unit is running Linux, and it's managing to deal with Windows 7 in it's native form without any issues. I can't say what hacks have been made to SAMBA or other parts of the kernel by the manufacturer, but it is working. :)
Is there any way to have this be an option for folks that don't mind configuring this setting?
That is a Wikipedia quote and I think you took "no way" out of context considering it was only speaking to inbound LM responses.
I am not saying that it is impossible for there to be an option in the future but that is a decision we have to make internally. I am not apposed to anonymous shares but as OS's changes the manufacturers have to keep up with microsofts diabolical plans to make things harder. I will work with the engineers to see what other solutions we can come up with which can make both parties happy.
-
OK, I probably misunderstood what you were trying to convey there, I can accept that. :)
I think we're after the same thing, happiness. :D
I also do understand that this is not an "enterprise level" NAS, and we are perhaps expecting too much, but I guess the annoying part was that it used to work and then was removed. I think at the time I was using XP and Vista, and I had configured Vista to disable NTLMv2 responses for an even older NAS, I didn't realize that I was fixing something on this box as well. :)
-
I think at the time I was using XP and Vista, and I had configured Vista to disable NTLMv2 responses for an even older NAS, I didn't realize that I was fixing something on this box as well. :)
Yeah that is my main point. Techy users can get around it easily and may already have done it and not realised it. It's the moms and pops getting into the technical scene because they saw an ad and thought it appealed to them that we have to make sure we keep them away from those types of edits if possible.
Believe it or not I am not the bad guy here, I am trying to help!
-
I think at the time I was using XP and Vista, and I had configured Vista to disable NTLMv2 responses for an even older NAS, I didn't realize that I was fixing something on this box as well. :)
Well Actualy I've been runnign Windows 7 64bit Ultimate since I got the DNS-323 (RC1, now on Retail)
and my PC and Windows XP Pro SP3 on an other one.
And I know that on firmware v1.06 I was able to access "All users" shared folder without needing to enter any credentials. And it would even show up in "Network" (win7) and "My Network Places" (WinXP)
Now (v1.08) if the Windows user that is logged in is not in the DNS-323 user list... it will NOT show up in Network... but I can still access it by entering the IP address (\\192.168.1.200)
And I also checked my default entry for "Network Security: LAN Manager Authentication Level "
And it his at its default value of "Not Defined"...
And this is from a Clean install of Windows 7 Ultimate 64bit from a retail CD
-
I seemed to recall that as well, but I can't swear for certain. I thought this was working with Windows 7, maybe I was dreaming. I know I haven't done anything to the NTLMv2 configuration on either of the Windows 7 boxes.
-
yes please bring it back.
-
Ditto, please bring it back.
-
another yes vote
-
It would be good to make this configurable through web UI, as far as I understand it's not anything more than a simple Samba configuration change in smb.conf:
change
"security = USER"
to
"secuirty = SHARE"
-
Count me in!!! Even though I know how to make it works but keep explaining and fixing for my friend's are wasting my time. I also returned a few DNS-323 C1 because the fan won't stop and can't wait until the new firmware is released.
-
Add me to the vote count. I have some shares that are private that do require username/password, but I have other shares off my DNS-323 that are public and used to not require credentials to map the drive on Windows (7, Vista and XP). This changed with the 1.08 firmware. Please give this option back in 1.09.
Tom
-
Add me to the vote count. I have some shares that are private that do require username/password, but I have other shares off my DNS-323 that are public and used to not require credentials to map the drive on Windows (7, Vista and XP). This changed with the 1.08 firmware. Please give this option back in 1.09.
Tom
It wont be in 1.09, thats for sure. It could be a possibility in 1.10 but again these firmwares are not planned to mess with any samba stuff at this time.
-
It wont be in 1.09, thats for sure. It could be a possibility in 1.10 but again these firmwares are not planned to mess with any samba stuff at this time.
A previous poster offered the opinion that this is as simple as changing this option in the SAMBA configuration.
It would be good to make this configurable through web UI, as far as I understand it's not anything more than a simple Samba configuration change in smb.conf:
change
"security = USER"
to
"secuirty = SHARE"
If that's really the case, is it such a big deal to put this on the GUI so it could be selected for those that want the capability and are willing to accept the security issues that have been alluded to?
-
A previous poster offered the opinion that this is as simple as changing this option in the SAMBA configuration.
If that's really the case, is it such a big deal to put this on the GUI so it could be selected for those that want the capability and are willing to accept the security issues that have been alluded to?
I second that.......... ;D
As I mentioned in another post I think, a simple check box would do the trick and let the user decide, document it well and put all the warning you want around it but I think the consumer is yelling for it.
I know I am... ;D
R.
-
Obviously, if it's not that simple, that might explain it...
-
Obviously, if it's not that simple, that might explain it...
Of cause if it’s not that simple, but than if it’s not that simple a little explanation from D-Link could go a long way to curving there consumers anxiety.
-
Probably there are other tricks, but after I made that simple samba configuration change as I previously mentioned the network shares on my 1.08 box now works just like 1.07, I haven't changed it back ever since.
Of course there are drawbacks, that's why it's been changed in 1.08 at the first place, but for people who don't mind the drawbacks the old way of sharing actually works very well.
-
Can you remind me what the drawbacks are? Cheers.
-
Probably there are other tricks, but after I made that simple samba configuration change as I previously mentioned the network shares on my 1.08 box now works just like 1.07, I haven't changed it back ever since.
How did you get the change to stick through reboots?
-
I created a fun_plug start up script named smbfix.sh to make this samba configuration change persist after reboot. The script itself is quite simple:
#!/ffp/bin/sh
# PROVIDE: smbfix
# REQUIRE: LOGIN
sed -i 's/^security = USER/security = SHARE/g' /etc/samba/smb.conf
smb restart
For people who are not familiar with Unix scripting, what this script does is simply replacing "security = USER" to "security = SHARE" in smb.conf file, then restart samba.
To make this script work I have Fonz funplug 0.5 installed, after that really the only thing I have to do is to drop this script to /ffp/start, then make it executable (run "chmod +x smbfix.sh").
-
Can you remind me what the drawbacks are? Cheers.
I believe D-Link could provide a much better answer on this, after all they weighed all the pros and cons and then made the switch in 1.08.
For me the only drawback is if I'm using different user name/password on Windows and nas, to access the password protected folders on nas I have to map them as network drives first, otherwise I cannot access them directly as a different user. Not really a big deal to me, since I have root folder mapped by default.
If you are using same credential on Windows and nas then everything would be transparent, likely you won't notice any difference.
-
For me the only drawback is if I'm using different user name/password on Windows and nas, to access the password protected folders on nas I have to map them as network drives first, otherwise I cannot access them directly as a different user. Not really a big deal to me, since I have root folder mapped by default.
Can you clarify this? I have a space in all my Windows login names, so I can't use the same name on the NAS, Linux apparently doesn't allow any spaces in the name. Given that fact, I have a different user name for connecting to the NAS.
I don't may the network drives, I use network path specifications to access all the NAS boxes. Under what scenario do you see this being an issue? FWIW, it works fine now, but I just can't have anonymous shares with the password protected shares, that's all I'd like to change.
-
Here you can find a bit more explanation: http://wiki.dns323.info/howto:bettersamba#how_to_make_the_dns-323_work_with_unc_paths (http://wiki.dns323.info/howto:bettersamba#how_to_make_the_dns-323_work_with_unc_paths)
Please be ware this particular section is talking about 1.03/1.04 firmware, which still applies till 1.07, but apparently had been changed in 1.08. For a matter of fact to resolve this issue it's recommending same Samba configuration change as D-Link did in 1.08 (probably D-Link got this idea from this wiki ;D )
I didn't investigate more about this issue, one thing very obvious is in 1.07 style sharing while accessing Nas Windows asks password only, user name field is grayed out, I guess which means if you are not using the user name that Windows assumes then likely you won't be able to log in (unless you map it as a network drive). On the other hand if you have only one user configured on Nas then it's possible that you won't see this issue, for me since I have multiple user accounts configured on my DNS-323 with different privilege I guess that's why I'm seeing this issue in 1.07 style sharing. Again, it doesn't really bother me much.
I still believe it's a good idea to make it configurable through web UI, really everyone has different needs, and really it's just a simple samba configuration change (please, correct me if I'm wrong).
-
For me the only drawback is if I'm using different user name/password on Windows and nas, to access the password protected folders on nas I have to map them as network drives first, otherwise I cannot access them directly as a different user. Not really a big deal to me, since I have root folder mapped by default.
Hmm... That would be a problem for me, I don't map the drives by default, I access them using network paths.
I've solved this issue by relegating the DNS-323 and DNS-321 as backups with only one user accessing them. The main box for multiple users now is a Synology DS209, it allows public folders, spaces in the Windows login name, etc. Mixing anonymous and password protected shares work the same as a Windows SMB share with this box.
-
Why not adding a configuration in the NETWORK ACCESS page to choose which version of NTLM the user wants to use? You just have to explain the limitations of each version of NTLM and the user will choose.
-
I vote YES !
-
I still believe it's a good idea to make it configurable through web UI, really everyone has different needs, and really it's just a simple samba configuration change (please, correct me if I'm wrong).
The obvious question is, what exactly would I change in the SAMBA configuration file to fix this. :) Accessing the file isn't the issue, but I don't know exactly how to get back to the way it was...
-
me 2
-
There is of course one possible solution, have one DNS323 open for public consumption and one locked down. That's how I run mine. I do feel it should be a user decision, but there are ways around it.
-
I have a different solution. Buy a Synology, such as my DS209, and enjoy freely mixing protected and anonymous shares. :) This obviously can be done on a Linux based box. FWIW, I can do the same thing in every version of Windows, including Windows 7, so this is not a Windows limitation either.
-
This forum is turning in to a Synology advert! :)
You leave my little 323 alone. *Covers its ears*
-
You can run, but you can't hide! :D
-
they need to fix it... this thing is useless to me without it.
-
I tried this and it does not seem to work for mewent through it several time and am sure I did as you said... not sure what I'm missing.
I created a fun_plug start up script named smbfix.sh to make this samba configuration change persist after reboot. The script itself is quite simple:
#!/ffp/bin/sh
# PROVIDE: smbfix
# REQUIRE: LOGIN
sed -i 's/^security = USER/security = SHARE/g' /etc/samba/smb.conf
smb restart
For people who are not familiar with Unix scripting, what this script does is simply replacing "security = USER" to "security = SHARE" in smb.conf file, then restart samba.
To make this script work I have Fonz funplug 0.5 installed, after that really the only thing I have to do is to drop this script to /ffp/start, then make it executable (run "chmod +x smbfix.sh").
-
Make SURE you have created this with a Unix compatible editor that does NOT put CR/LF after each line.
-
Any news in this? I'm still running 1.07 because I have only one share (movies, pictures and music) with "all user" = RO and one local user in nas = RW to the same share only for update content. With this configuration there is no problem browsing without password prompts from any windows client (clean installations) or mediaplayers with smb/cifs support. Fw 1.08 and nothing works... >:(
-
How difficult can it be to just create another user that has access to it? My media streamer has it's own user account on the NAS and it uses that. I don't see what the fuss is about.
-
How difficult can it be to just create another user that has access to it? My media streamer has it's own user account on the NAS and it uses that. I don't see what the fuss is about.
Because I have a wife, young kids and maybe a player not so user friendly? I have another nas (etrayz, not so user friendly like dns-323, I love gui) and manage to fix this issue with winscp, changing access rights in linux file system, maybe it will work here also?
-
You can set permissions on the Xtreamer if you're in that camp :)
Great product, not so great company/forum moderators btw.
-
Bummer!!! Count me in on the "add this feature back" column. I upgraded my firmware to allow for an expansion to 2 TB drives, and now my folder and security structure is alll messed up. Please bring it back!
-
This issue needs to be fixed! >:( Put it back like fw 1.07 or at least let us choose easly in gui!!! >:( I have tried changing SECURITY to SHARE like suggested but can't get it to work like before. I MUST have anonymous access (read-only) without prompting for username/password and user access (read-write) for updating content on the same shares.
-
Bump!, I just moved up to 1.4 and I ran into this problem, any chance that the option will be in FW 1.5?
-
+1 vote as long as it does not cause security side effects.
And we don't want synology, thank you very much.