Windows cannot access OPENMEDIAVAULT

  • @Pol de Lepel I created a guide with 10 screenshots hopefully demonstrating the few easy steps: [HOW-TO] Connect to OMV SMB shares with Windows 10


    Client OS was Windows 10 Enterprise with all updates applied but this shouldn't matter that much since the differences between different Win10 versions are just Enterprise fortunately having stopped the horribly stupid idea to allow guest logons (which is not needed anyway, with OMV it's that easy to create and maintain users/passwords that guest logon should be disabled anyway).

• Official post

    For users who may be reading this - there's a huge difference in security requirements, between peer-to-peer LANs and a Domain.
    (Setting aside being able to use older peripherals:)


When might SMB guest logons make sense? With media shares, specifically with Music and Video.


I live in a remote location, with zero Television reception and two or three radio stations. When I provide a wifi key to a visitor (meaning I trust them), an SMB share that allows guest logons but is set to "read only" allows my visitor to enjoy a show or some music without my getting involved. With write list = myusername, set in extra parameters, I can bypass the read only parameter and edit shares easily.

  • And what is your advice then? Simply setting up a user/password on OMV or doing something stupid and allowing guest logons?

    There is nothing important on the NAS for now. Still in testing phase. Of course I'll try to have a good protection later on. But first let's get it to work ;) I'll first have to learn how to walk, before I can run. Step by step :)
But it is kind of you, you pointed out the insecurities.


    @Pol de Lepel
    With the above in mind, you do have admin access to this Laptop, right? It's not a work laptop, is it?

    Of course! It is an old laptop from my parents in law, which they used for their company, but I did a factory reset so my wife could use it. So it is my wife's laptop. Her name is Lina and that is also the username I used to login. (You'll understand later why I call her by name) My wife has also the admin permissions on her laptop.



    Guess what: it was worth a try, because it worked! :D


    I did add the user "Lina" to the users in OMV with all the necessary permissions and I could login :) It is a bit slow, but now I have fixed the main problem. :)


    I already tried this some time ago, and I did follow completely the guide before asking on this thread. So this wasn't the problem.


Let's be friends all together! ^^ I know there are dangers if you lower the security.
    I'm not a complete n00b (only a little bit. :saint: )

    @Pol de Lepel I created a guide with 10 screenshots hopefully demonstrating the few easy steps: [HOW-TO] Connect to OMV SMB shares with Windows 10


    Client OS was Windows 10 Enterprise with all updates applied but this shouldn't matter that much since the differences between different Win10 versions are just Enterprise fortunately having stopped the horribly stupid idea to allow guest logons (which is not needed anyway, with OMV it's that easy to create and maintain users/passwords that guest logon should be disabled anyway).

    I'll give it a look any way. But for now I can move on :D


  • For the people with the same problem: this is what solved my issue!

• Official post

    Guess what: it was worth a try, because it worked! :D


    I did add the user "Lina" to the user with all the necessary permissions and I could login :) It is a bit slow, but now I have fixed the main problem. :)

    Awesome. If you want to go back to the SMB share and set it to Public: No, it should still work and security would be tightened. All's well that ends well.
    ______________________________________________________________________


    Edit - Now that you're familiar with adding users:


    In Shared Folder permissions, "Others" shouldn't be set higher than Read. This would match "Guests Allowed" in the SMB share.
    This is useful for media shares, where you may want to allow visitors Read access to your media.


With users created in OMV and for transparent access from Windows clients:
    In a Shared Folder, setting Others to None and the Group Users to Read/Write, matches Public: No in the SMB share. This will keep certain data shares private, from those who are not in the users group.
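    What the OMV share settings described above amount to in Samba terms, as an added illustration that is not from the thread and not openmediavault's own generated configuration (OMV writes smb.conf itself from the web UI; the share names, the path under /srv and the user name myusername are placeholders, and the mapping of each UI option to a parameter is an assumption). The filesystem permissions on the Shared Folder ("Others" set to Read or None) still apply underneath, so Samba cannot grant more than the folder allows:

```ini
[global]
    # Refuse SMB1 clients; Windows 10 negotiates SMB2/SMB3 on its own
    server min protocol = SMB2
    # Unknown users become "guest" only on shares that explicitly allow it
    map to guest = Bad User

# "Guests allowed" media share: visitors can browse and read, nothing more
[media]
    path = /srv/dev-disk-by-label-data/media   ; placeholder path
    guest ok = yes
    read only = yes
    # the owner keeps write access despite "read only", as in the thread
    write list = myusername

# "Public: No" data share: authentication required, no guest fallback
[documents]
    path = /srv/dev-disk-by-label-data/documents   ; placeholder path
    guest ok = no
    read only = no
    # only members of the OMV "users" group may connect at all
    valid users = @users
```

    With `testparm -s` on the OMV box you can print the effective configuration and confirm that `guest ok` is `No` on every share that is meant to be private.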

  • Now I did crank up security as you advised, and it is still working!
Also tried tuning Samba for more speed, and the speed got much better.
    Thank you for everything :thumbup:

  • Now I did crank up security as you advised, and it is still working!

    Of course it's working since all this trial&error stuff like 'Set the Samba share to "Guests allowed"' first and then 'go back to the SMB share and set it to Public: No' was irrelevant in the first place and always only contributes to confusion.


It's about understanding how Windows tries to authenticate against an SMB server (local user first, then guest logon as fallback) and the single change that got it working was creating an OMV user account with exactly the same username and password as the local Windows user which is of course not necessary since Windows provides a tool called Credential Manager to store exactly these 'logon credentials needed for a specific server'.


    See in the terminal lower left how to diagnose such basic stuff and what difference simply adding the appropriate logon credentials to Credential Manager made:


If only those gentlemen constantly trying to convince others to weaken security for no reason would be able to understand/accept these basics...


    BTW: the common fashion to ignore this whole Windows SMB server authentication thing (local user first, then guest logon as fallback) is also the root cause of so much confusion around permission issues with Windows and Samba.
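    The client-side checks behind this post, as an added PowerShell example rather than anything from the thread: it verifies that the SMB1 client is off, that insecure guest logons are off, stores the OMV credentials for that server in Credential Manager so Windows does not try the local account first and fall back to guest, and then shows which account and dialect the resulting session actually uses. The server name omv, the share name media and the user name lina are placeholders; run it in an elevated PowerShell.

```powershell
# Added example, not from the thread. Placeholders: server 'omv', user 'lina', share 'media'.
$Server  = 'omv'
$OmvUser = 'lina'
$Share   = 'media'

# 1. The SMB1 client should stay disabled: re-enabling it allows protocol downgrade.
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol'
if ($smb1.State -eq 'Enabled') {
    Write-Warning 'SMB1 client is enabled; disabling it (a reboot may be required).'
    Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
}

# 2. Insecure guest logons should stay off. Enterprise/Education ship this way,
#    other Windows 10 editions may not.
$cfg = Get-SmbClientConfiguration
if ($cfg.EnableInsecureGuestLogons) {
    Write-Warning 'Insecure guest logons are enabled; disabling.'
    Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force
}

# 3. Store the OMV account for this server in Credential Manager.
#    cmdkey is the command-line front end to the same store the GUI shows.
$cred     = Get-Credential -UserName $OmvUser -Message "OMV password for $OmvUser on $Server"
$user     = $cred.UserName
$password = $cred.GetNetworkCredential().Password
cmdkey /add:$Server /user:$user /pass:$password | Out-Null
$password = $null

# 4. Touch the share and inspect the session: UserName should be the OMV account,
#    Dialect should be 3.x (never 1.x), and Signed should be True.
Get-ChildItem "\\$Server\$Share" | Select-Object -First 3
Get-SmbConnection -ServerName $Server |
    Select-Object ServerName, ShareName, UserName, Dialect, Signed
```

    If step 4 shows a guest or the local Windows account instead of the OMV user, an older session is still cached; `net use \\omv\media /delete` drops it, after which the next access picks up the stored credential.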

• Official post

    Again, for users who may happen onto this thread:


    Regarding SMB1:
SMB1 was patched by MS years ago, on all supported Windows platforms at that time, to include Vista, with update 4013389. Is it a good idea to use SMB1? Generally speaking, no, it's out of date and lacks many of the latest features. Are there hardware devices that require SMB1, which may be expensive or even irreplaceable? Yes. This is one of the reasons why SMB1 was patched. If needed, SMB1 can be used.


    Regarding Guest Logons:
Microsoft disabled guest logons in the Enterprise and Education editions of Windows 10 for a specific reason. Both editions, in the majority of cases, will be part of an AD domain where internal security risks, from a large number of users, are significantly higher. Guest logons are allowed in other Win10 editions.


In a peer-to-peer network, SMB share guest logons (set "read only") may make sense, where the admin knows all users of the LAN. Guest logons can be used to allow visitors and other lower privileged LAN users read access to media shares. (But, for the sake of security, go the extra mile in the SMB shares' underlying Shared Folder, and set access for "Others" to "Read Only". SMB cannot override a folder permission setting.)


In the bottom line, threats to home networks are not internal. They come from outside sources, such as the internet. And while much could be said about securing home LANs, this thread is already much longer than it should be.

  • Again, for users who may happen onto this thread (and especially for those gentlemen constantly giving bad advice and trying to weaken security everywhere):


    Using SMB1 these days is sick, using guest logons is sick as well. Today's networks aren't the same as the networks back then when SMB1 was specified and the idea of unauthenticated access AKA 'guest logons' was developed.


This is Microsoft's position on SMB1: Stop using SMB1. Stop using SMB1. STOP USING SMB1!


    This is Microsoft's position on guest logons: 'Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network.'

    SMB1 was patched by MS years ago, on all supported Windows platforms at that time, to include Vista, with update 4013389

    Unfortunately you have no idea what you're talking about. This patched only the SMB server component in several Windows versions which is of no relevance in this context here (OMV is the SMB server component). The Internet is full of stupid advice to reenable SMB1 on clients which allows for protocol downgrade attacks and as such stealing of passwords. This is of special relevance since for whatever reasons Windows tries to authenticate against SMB servers always with the local users logon credentials unless you used Credential Manager to specify logon credentials for a specific server.


    @crashtest: do your homework please and stop recommending/spreading BS. Your 'New User Guide' lacks user management and authentication. New users following your guide are told to use guest logons. This is sick in general and only introduces problems since for reasons you're obviously not able to understand since you have an old fashioned understanding of 'security' guest logons are about to be banned everywhere. Stop being part of the problem.


    It's that easy to add/manage users in OMV (thank you @votdev) and as soon as (Windows) users learn how authentication really works (once again: with Win10 it's Credential Manager that needs to be mentioned since for whatever reasons Microsoft doesn't allow any more to specify username/password directly when accessing an SMB server) the whole issue is resolved.

• Official post

    This is Microsoft's position on guest logons: 'Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network.'

    OK, we'll entertain this nonsense just one more time...
    You know I'm actually perplexed about how to write this post, in a manner that is sufficiently complicated, so that you can understand it. But I'll give it the old college try - here goes.


    First, if one wants perfect computing security, a standalone workstation in a locked room, might be the way to go. (But one might have to worry about the ghost of dearly departed Uncle Bob and hacking mice. :) ) Short of some solution like this, risks are involved. It's that simple.
    (I'm off to a bad start already - this is not complex enough...)


    MS's reference is about file servers in a production environment which are lucrative targets for hackers, along with MS's covering themselves from legal liability to the companies that purchase their products. (It's a lot like all the legal warnings one gets in the box, with anything that has an AC power plug.)
    Again, good Lord "again", the security profile of a home LAN has next to nothing to do with that of an AD Domain or a data center. There are no "Man in the Middle attacks" in a home LAN. (But users might want to check their closets, for hackers, just to be sure. :) )


    Along the same lines, I suppose you're aware that WPA2 has been hacked, right? (Rhetorical question, no need to answer.) So your solution to this would be, what?
    "Turn off Wifi or it's data loss, data corruption, and exposure to malware?" OMG!
We both know, that's not going to happen. Users will use WiFi, provided by their routers, just like we will. The risk, while real, is still relatively small. It would take a very knowledgeable next door neighbor, or a hacker very close by, to get in.
    In the bottom line, there is a trade-off between convenience and security and it's not the same for everyone - it's on a sliding scale.


    The key to real data security is not about guarding music files, videos and pictures. It's about not having anything of value to a hacker, that is potentially damaging to the user, which is personal info, credit card details, medical info, etc., stored on the LAN.
    (Note: With sufficient motivation, such as "data of real monetary value", a world class hack can blow past a consumer router.)
    _________________________________________________________________________________________


Beginners might ask:
    What can be done, in a home network, to enhance network security?


    - Start with your router. It's your security gate keeper. Keep it up-to-date. If it's old, consider flashing it with DD-WRT or Open-WRT. If neither of the two are available for your older router, consider buying a new one. And while wireless encryption has never been truly secure, if used, WPA2 with AES is the strongest currently available. (WPA3 is just around the corner.)
    - A Router behind a Router. In cases where an ISP provides and manages a router, put your router behind it. This dual layer can provide more protection.
    - Clients. Keep clients up-to-date, along with their virus scanners and firewalls.
- Don't expose your OMV server to the internet, without doing a LOT of research and fully understanding the risks. In this case, if you do, the highest levels of security possible are a very good idea. (And that would mean SMB1 should not be used, root logons should not be allowed, just to name a couple.)


    **And the following bears special note because they're among the highest probable paths for malware to get into your LAN.**


    - Web Browsers: Consider turning off Java and Active X and avoid known malware sites, using a blocker like Pi-hole.
    - E-mail: Delete E-mail from unknown senders and be cautious about opening links in E-mail from any source. (Spoofing a sender address is easy.)


For beginners and intermediate users:
    - Users might consider 100% backup on a second server, that only the root user can access. With hardened security, on a second server, and using versioned backup (filesystem snapshots or the rsnapshot plugin), your data would have a high level of loss protection.


    But the most important recommendation for real data security:
    - Try not to store sensitive data, that has worth to a hacker, on your LAN. Put it on USB thumb-drives and remove those drives when the info is not needed. Why? Because it's impossible to hack an "air gap".
    _______________________________________________________________________________________


    Unfortunately you have no idea what you're talking about.

    This is nearly hysterical in that, in this -> post, you were claiming poor USB performance for the Atomic Pi, as if it was gospel. And it was based on what? "Something you read on the internet somewhere." In the very next post, you recanted that position based on an anecdotal test of a friend, and admitted what you read "somewhere" must have been "rubbish". :)
Along similar lines, you've admitted to buying into the ZFS "Scrub of Death" nonsense as well. (I can only imagine the string of "dire warnings" posted as a result from that.) I can't help but wonder, how much of what you're spreading around is nothing more than anecdotal stuff from a Google search. Anything on the net, even from reputable sources, requires both skepticism and judgement. (I've said this before, apparently to no avail...)

    Your 'New User Guide' lacks user management and authentication. New users following your guide are told to use guest logons.

    This is a subject where, with an obvious challenge in dealing with other people, you have no idea what you're talking about. I've been an instructor and did more than a bit of technical writing back in the day. I know enough to know that New Users can't take a drink from a fire hose.


    And you're either choosing to ignore, or didn't read, this pertinent statement toward the end of the Beginner setup:
    Permissions to the shared folder created in this guide, and the SMB network share layered on top of it, are open. While these permission settings are OK for home environments, the server shouldn't be exposed to the Internet by forwarding port 80 or 443. As users gain knowledge and experience, they may want to selectively tighten up permissions on various shares. This is yet another case of "voluntary selective blindness".


    Instead, I focused on backup which is a much more important concept for beginners to understand, in the early stages.


Along these lines, while you say you're trying to educate users, here's another item you seem to be completely oblivious to: People don't learn with a "hammer", while using crass and abrasive language. It doesn't work, you're wasting time, you've been told this several times before, yet you persist.
    ______________________________________________________________________________


You know, I've been in and around general IT for close to 40 years, and I still have files that go back to Windows 3.1. I've worked as a field site admin, in a data center, and in other environs steeped in networking, PC tech, file storage, etc. I've seen a few virus infections along the way. What I couldn't clean up was restored from backup. And while I took reasonable precautions in maintaining backup, I've never had anything near the data loss, data corruption, and exposure to malware, death and destruction, you scream about in red text all the time. Further, as it seems, most users don't have these problems either.

  • In the bottom line, there is a trade-off between convenience and security, it's not the same for everyone - it's on a sliding scale

    Great! Let's focus on that (ignoring all your other babbling)


    Let's start here (data 2 years old): https://blog.shodan.io/analyzing-post-wannacry-smb-exposure/

    • 2,306,820 SMB services available on the Internet at the moment
    • 42% allow Guest access
    • 96% support SMBv1

That's the unfortunate reality: millions of SMB servers on the Internet, almost half of them allowing guest access. You can check the situation today easily: https://www.shodan.io/search?query=smb (there exist censys.io and zoomeye.org too to scan for vulnerable stuff on the Internet).


Let's look at one individual host as an example: https://archive.fo/EXkSz (the live version is https://www.shodan.io/host/45.66.41.126 but since this is a dynamic address contents will change). In the lower right you see that this machine on the Internet is a Samba box allowing guest access and hosting 11 Samba shares accessible to everyone on the Internet.


    Do you think this user did this by intention? I don't think so. It's most probably the result of whatever config error and following bad advice: Allowing guest logons.


Wrt security it's about what happens in users' heads. It's important to establish good practices, raise awareness for bad practices and to ban them in the next step. Recommending guest logons as you and @geaves constantly do is such a really bad practice since

    • users might stick with this insecure configuration once they set everything up
    • it's not necessary in the first place and can resolve a lot of other issues. Adding users in OMV is that easy and due to good defaults (share settings this time) working with authentication is easy

    The difference between 'local network behind a firewall' and 'my OMV server exposed on the Internet' can be an attacked router (majority of routers with vendor firmwares is vulnerable by design). So adding this extra layer of protection and establishing authentication also everywhere in a LAN is simply just good practice and should be something every newbie learns as first step (and it's that easy even for Win10 users once 'Credential Manager' is known which should now be the case, right?)


    Please don't further reject reality and remain part of the problem. You spend too much time on the forum and writing tutorials establishing bad practice.
