• October 16, 2019, 01:25:30 PM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Pages: 1 [2] 3 4 5

Author Topic: Vote to reinstate anonymous shares while having access controlled folders  (Read 40172 times)

jolley

  • Guest

Well you can define anonymous and passworded shares in the DNS..
But try to access an anonymous share from XP where the XP Account name is NOT in the DNS-323 user list.

You will be prompted for credentials...

Yes that is the only thing I haven't tried.

I have tried to access an anonymous share from Ubuntu where the account name is not in the user list and it works without prompting for credentials.
Logged

gunrunnerjohn

  • Level 11 Member
  • *
  • Posts: 2717

They commented to me some time ago, apparently the last word.  Some mumbo-jumbo about changing SAMBA and problems with the old access methods. 
Logged
Microsoft MVP - Windows Desktop Experience
Remember: Data you don't have two copies of is data you don't care about!
PS: RAID of any level is NOT a second copy.

Rodent

  • Level 3 Member
  • ***
  • Posts: 136

They commented to me some time ago, apparently the last word.  Some mumbo-jumbo about changing SAMBA and problems with the old access methods. 

Well all I can say is that there are plenty and I mean plenty of other devices out there that all use a UNIX kernel that can do the job, why are D-link having so much trouble providing the what I would say is the core security of this type of device?

I have small kids that use this device to watch movies, I also have documents and other contents that I do not want my kids to have access to, but my kids a too young to know what or how to enter a user name and password.

This is no light matter for me and when the function that I require when I brought this device are removed with a firmware upgrade and D-link are not responding to the numerous request on there own forum than maybe its time I move to another device that will do the job.

I have herd of firmware updates the give you enhancements but not to many that destroy a product for you!

Rodney
Logged

gunrunnerjohn

  • Level 11 Member
  • *
  • Posts: 2717

Well, most Windows systems will remember a name/password for a network resource, so it's still possible for your kids to use it.  Just create a share for their folder with a unique name/password.

Logged
Microsoft MVP - Windows Desktop Experience
Remember: Data you don't have two copies of is data you don't care about!
PS: RAID of any level is NOT a second copy.

Rodent

  • Level 3 Member
  • ***
  • Posts: 136

Well, most Windows systems will remember a name/password for a network resource, so it's still possible for your kids to use it.  Just create a share for their folder with a unique name/password.

Computers are not the problem, media devices like WDTV Live and Mobile media player that you have to use on screen keyboards for are the problem because they don't remember user names and passwords and getting children to use them is just not going to happen as for myself I would rather not have to enter that information in every time I want to watch a movie, and yes I could use a simple user name and password lets say name: a and password: b but than whats the point of having a user name and password.
Logged

Buhric

  • Level 3 Member
  • ***
  • Posts: 191

well for WDTVLive... there is an option for it to remember passwords and autologin...

but this still does not excuse D-Link....
Logged

jolley

  • Guest

They commented to me some time ago, apparently the last word.  Some mumbo-jumbo about changing SAMBA and problems with the old access methods. 

As Samba is used on both Linux and Windows, I wiould guess there must be a different implementation if the shares work correctly on Ubuntu but not on Windows.
Logged

D-Link Multimedia

  • Poweruser
  • Level 7 Member
  • **
  • Posts: 1066
    • D-link Systems, Inc.

Ok let me try and explain the nature of this change to the best of my ability and the reason why we can not change it back to the previous usage case.

Samba plays the top layer of the middleware for Linux account/access rights management. Samba does not change the actual permissions of the file/folder itself but instead maintains its own ruleset by referring to Linux permissions but not actually modifying them.

Microsoft has changed the way that CIFS/SMB authenticate and in order to work correctly we had to make modifications to our devices samba settings as well. As far as we 'know' no other vendor is offering an 'open' mode and a 'security' mode of samba working simultaneously. Generally a folder can be assigned with two access rights, R.W or RO. If a user can R/W a folder it would be strange if they also have a RO access to the folder but Samba CAN achieve this by creating a new sharename to the same path. You have seen this in our firmware by creating network permissions and a new share being created with something like Volume_1_1.

We would try 'maintaining' Linux permissions but this complicates things a bit more for both us and the user. On top of that for example if you wanted to setup permissioning for 3 users, A, B and C who belong to group "Allaccount", and whom have R/W access to Volume_1. If you wanted to say that only user C has RO access to Volume_1 that would be no problem using Linux permissions however if you have 2 accounts B, and C you wanted as RO there would be a problem because only one owner is allowed per folder. Example,

dr-xrwxrwx    6 a        allaccou     4096 Nov 20 14:05 Volume_1

Believe me when I say that we are working on a viable solution to the best of our abilities but at the same time we MUST maintain proper interoperability with Windows since that is the majority market of our user base.
Logged

Buhric

  • Level 3 Member
  • ***
  • Posts: 191

On top of that for example if you wanted to setup permissioning for 3 users, A, B and C who belong to group "Allaccount", and whom have R/W access to Volume_1. If you wanted to say that only user C has RO access to Volume_1 that would be no problem using Linux permissions however if you have 2 accounts B, and C you wanted as RO there would be a problem because only one owner is allowed per folder.
Man... you lost me in there...

This is what I understood from your example:
Users A, B, C are part of group "All Accounts"
grp "All Accounts" has R/W access to Volume_1

Now if we want to have just user C with RO (Read Only) access to Volume_1 --> its doable
but if user B and C with RO access to Volume_1 --> Not possible ??
Why?
And in what pratical reason would someone give R/W access to all the folders to everyone to then restrict some users to the same folder?

Logged

djarmani

  • Level 1 Member
  • *
  • Posts: 2

Yes please, I would like this back too :)

A friend of mine who also has a DNS-323 said he also agrees, so that's another two for your list ;)
Logged

gunrunnerjohn

  • Level 11 Member
  • *
  • Posts: 2717

As far as we 'know' no other vendor is offering an 'open' mode and a 'security' mode of samba working simultaneously.
Well, that's not really correct.  My Synology DS209 allows that configuration, and it works as expected, and how the DNS-323/321 used to work.
Logged
Microsoft MVP - Windows Desktop Experience
Remember: Data you don't have two copies of is data you don't care about!
PS: RAID of any level is NOT a second copy.

clj45

  • Level 1 Member
  • *
  • Posts: 1

You have my vote!

I would like to be able to upgrade from firmware 1.7, please.
Logged

D-Link Multimedia

  • Poweruser
  • Level 7 Member
  • **
  • Posts: 1066
    • D-link Systems, Inc.

Well, that's not really correct.  My Synology DS209 allows that configuration, and it works as expected, and how the DNS-323/321 used to work.

Incoming Copy and Paste from Wikipedia
Quote from: Wikipedia
Starting with Windows Vista, and also with Windows Server 2008, both LM and NTLM are deprecated by default. NTLM is still supported for inbound authentication, but for outbound authentication a newer version of NTLM, called NTLMv2, is sent by default instead. Prior versions of Windows (back as far as Windows NT 4.0 Service Pack 4) could be configured to behave this way, but it was not the default. Technically speaking, the computer will accept LM for inbound authentication but by default neither Windows Vista nor Windows Server 2008 store the LM hash. Therefore, there is no way for them to authenticate an inbound LM response - typical error message is System error 86 has occurred. The specified network password is not correct. You can control the authentication behavior, starting with Windows NT 4.0 Service Pack 4, using the LMCompatibilityLevel registry setting, shown in Group Policy as Network Security:LAN Manager Authentication Level. The default value for LMCompatibilityLevel in Windows Vista, Windows 7 and Windows Server 2008 is 3, or Send NTLMv2 Response Only.

Windows Vista and Windows 7 require NTLMv2 for authentication on NAS devices. The way that our old design and probably the current design on your DS209 is that it does not properly support NTLMv2 unless the samba mode is changed. Unless we can find a straight forward change that doesn't require us asking users to change their NTLM value in their registry, we need to keep the samba mode where it is at. This issue has been highlighted and reviewed multiple times with engineering. I hope I am wrong and this can be cured by some simple flag in a config file and still do proper authentication but as of right now this is change is strictly to play nice with Win Vista and Win7.
Logged

gunrunnerjohn

  • Level 11 Member
  • *
  • Posts: 2717

I'm sorry, but why can't you solve it with at least the option?  Clearly, it's not that difficult to configure Vista or Windows 7 and disable NTLMv2.

http://www.windowsreference.com/windows-7/unable-to-access-network-share-on-macos-x-from-windows-7/

And by the way, Network Security: LAN Manager Authentication Level in my Windows 7 is still at the default for Windows 7, which is "Not Defined", so the statement that there's "no way" clearly seems incorrect, because it's working with the Synology DS209.  That setting should be forcing NTLMv2 if your previous post is correct...


Logged
Microsoft MVP - Windows Desktop Experience
Remember: Data you don't have two copies of is data you don't care about!
PS: RAID of any level is NOT a second copy.

D-Link Multimedia

  • Poweruser
  • Level 7 Member
  • **
  • Posts: 1066
    • D-link Systems, Inc.

I'm sorry, but why can't you solve it with at least the option?  Clearly, it's not that difficult to configure Vista or Windows 7 and disable NTLMv2.

http://www.windowsreference.com/windows-7/unable-to-access-network-share-on-macos-x-from-windows-7/

And by the way, Network Security: LAN Manager Authentication Level in my Windows 7 is still at the default for Windows 7, which is "Not Defined", so the statement that there's "no way" clearly seems incorrect, because it's working with the Synology DS209.  That setting should be forcing NTLMv2 if your previous post is correct...




Yeah....telling consumers to change their NTLM level plain isn't going to happen. As manufacturers you have to figure out how to do it without the consumer tinkering around. While you as a technical person may be perfectly fine with doing these changes, it is not acceptable to many others. Also, unless you're quoting me from some random place, where did I say "no way"?  As stated, the topic has been highlighted and discussed and when we have a solution that is acceptable to us, changes will be made.
Logged
Pages: 1 [2] 3 4 5