Posts by crashtest

    This is Microsoft's position on guest logons: 'Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network.'

    OK, we'll entertain this nonsense just one more time...
    You know I'm actually perplexed about how to write this post, in a manner that is sufficiently complicated, so that you can understand it. But I'll give it the old college try - here goes.


    First, if one wants perfect computing security, a standalone workstation in a locked room, might be the way to go. (But one might have to worry about the ghost of dearly departed Uncle Bob and hacking mice. :) ) Short of some solution like this, risks are involved. It's that simple.
    (I'm off to a bad start already - this is not complex enough...)


    MS's reference is about file servers in a production environment which are lucrative targets for hackers, along with MS's covering themselves from legal liability to the companies that purchase their products. (It's a lot like all the legal warnings one gets in the box, with anything that has an AC power plug.)
    Again, good Lord "again", the security profile of a home LAN has next to nothing to do with that of an AD Domain or a data center. There are no "Man in the Middle attacks" in a home LAN. (But users might want to check their closets, for hackers, just to be sure. :) )


    Along the same lines, I suppose you're aware that WPA2 has been hacked, right? (Rhetorical question, no need to answer.) So your solution to this would be, what?
    "Turn off Wifi or it's data loss, data corruption, and exposure to malware?" OMG!
    We both know, that's not going to happen. Users will use WiFI, provided by their routers, just like we will. The risk, while real, is still relatively small. It would take a very knowledgeable next door neighbor, or a hacker very close by, to get in.
    In the bottom line, there is a trade-off between convenience and security and it's not the same for everyone - it's on a sliding scale.


    The key to real data security is not about guarding music files, videos and pictures. It's about not having anything of value to a hacker, that is potentially damaging to the user, which is personal info, credit card details, medical info, etc., stored on the LAN.
    (Note: With sufficient motivation, such as "data of real monetary value", a world class hack can blow past a consumer router.)
    _________________________________________________________________________________________


    Beginners might ask;
    What can be done, in a home network, to enhance network security?


    - Start with your router. It's your security gate keeper. Keep it up-to-date. If it's old, consider flashing it with DD-WRT or OpenWrt. If neither of the two is available for your older router, consider buying a new one. And while wireless encryption has never been truly secure, if used, WPA2 with AES is the strongest currently available. (WPA3 is just around the corner.)
    - A Router behind a Router. In cases where an ISP provides and manages a router, put your router behind it. This dual layer can provide more protection.
    - Clients. Keep clients up-to-date, along with their virus scanners and firewalls.
    - Don't expose your OMV server to the internet, without doing a LOT of research and fully understanding the risks. In this case, if you do, the highest levels of security possible are a very good idea. (And that would mean SMB1 should not be used, root logons should not be allowed, just to name a couple.)


    **And the following bears special note because they're among the highest probable paths for malware to get into your LAN.**


    - Web Browsers: Consider turning off Java and Active X and avoid known malware sites, using a blocker like Pi-hole.
    - E-mail: Delete E-mail from unknown senders and be cautious about opening links in E-mail from any source. (Spoofing a sender address is easy.)


    For beginners and intermediate users;
    - Users might consider 100% backup on a second server, that only the root user can access. With hardened security, on a second server, and using versioned backup (filesystem snapshots or the rsnapshot plugin), your data would have a high level of loss protection.


    But the most important recommendation for real data security:
    - Try not to store sensitive data, that has worth to a hacker, on your LAN. Put it on USB thumb-drives and remove those drives when the info is not needed. Why? Because it's impossible to hack an "air gap".
    _______________________________________________________________________________________


    Unfortunately you have no idea what you're talking about.

    This is nearly hysterical in that, in this -> post, you were claiming poor USB performance for the Atomic Pi, as if it was gospel. And it was based on what? "Something you read on the internet somewhere." In the very next post, you recanted that position based on an anecdotal test of a friend, and admitted what you read "somewhere" must have been "rubbish". :)
    Along similar lines, you've admitted to buying into the ZFS "Scrub of Death" nonsense as well. (I can only imagine the string of "dire warnings" posted as a result from that.) I can't help but wonder how much of what you're spreading around is nothing more than anecdotal stuff from a Google search. Anything on the net, even from reputable sources, requires both skepticism and judgement. (I've said this before, apparently to no avail...)

    Your 'New User Guide' lacks user management and authentication. New users following your guide are told to use guest logons.

    This is a subject where, with an obvious challenge in dealing with other people, you have no idea what you're talking about. I've been an instructor and did more than a bit of technical writing back in the day. I know enough to know that New Users can't take a drink from a fire hose.


    And you're either choosing to ignore, or didn't read, this pertinent statement toward the end of the Beginner setup:
    Permissions to the shared folder created in this guide, and the SMB network share layered on top of it, are open. While these permission settings are OK for home environments, the server shouldn't be exposed to the Internet by forwarding port 80 or 443. As users gain knowledge and experience, they may want to selectively tighten up permissions on various shares. This is yet another case of "voluntary selective blindness".


    Instead, I focused on backup which is a much more important concept for beginners to understand, in the early stages.


    Along these lines, while you say you're trying to educate users, here's another item you seem to be completely oblivious to: People don't learn with a "hammer", while using crass and abrasive language. It doesn't work, you're wasting time, you've been told this several times before, yet you persist.
    ______________________________________________________________________________


    You know, I've been in and around general IT for close to 40 years, and I still have files that go back to Windows 3.1. I've worked as a field site admin, in a data center, and in other environs steeped in networking, PC tech, file storage, etc. I've seen a few virus infections along the way. What I couldn't clean up was restored from backup. And while I took reasonable precautions in maintaining backup, I've never had anything near the data loss, data corruption, and exposure to malware, death and destruction, you scream about in red text all the time. Further, as it seems, most users don't have these problems either.

    Again, for users who may happen onto this thread:


    Regarding SMB1:
    SMB1 was patched by MS years ago, on all supported Windows platforms at that time, to include Vista, with update 4013389. Is it a good idea to use SMB1? Generally speaking, no, it's out of date and lacks many of the latest features. Are there hardware devices that require SMB1, which may be expensive or even irreplaceable? Yes. This is one of the reasons why SMB1 was patched. If needed, SMB1 can be used.


    Regarding Guest Logons:
    Microsoft disabled guest logons in the Enterprise and Education editions of Windows 10 for a specific reason. Both editions, in the majority of cases, will be part of an AD domain where internal security risks, from a large number of users, are significantly higher. Guest logons are allowed in other Win10 editions.


    In a peer-to-peer network, SMB share guest logons (set "read only") may make sense, where the admin knows all users of the LAN. Guest logons can be used to allow visitors and other lower privileged LAN users read access to media shares. (But, for the sake of security, go the extra mile in the SMB share's underlying Shared Folder, and set access for "Others" to "Read Only". SMB cannot override a folder permission setting.)


    In the bottom line, threats to home networks are not internal. They come from outside sources, such as the internet. And while much could be said about securing home LAN's, this thread is already much longer than it should be.

    (While it's way off topic.)


    Despite common belief, there's no energy crisis and there never will be unless it's artificially induced. For now, the powers that be (all of them - Internationally) are fond of hydrocarbons and the economies that had sprung up around them.


    MSRs have been around since the 60's. They're very safe nuclear reactors and their power source, "Thorium", is a byproduct of rare earth mining. It's abundant, there's a vast amount of it in nature, and there are great mounds of Thorium in China. Thankfully, it's not water soluble which is another factor that adds to safety. Another benefit of MSRs is that they can utilize all the nuclear waste that currently exists - almost completely consuming it, getting rid of it altogether.


    Will we see this old/new reactor tech used in our lifetimes, given the obvious ecological benefits? Probably not. Despite their claims of supporting "green initiatives", our politicians (all of them) want to play power games.


    Short of wanting a lower electric bill, it's even arguable that there's no need to conserve power. Until oil supplies get tight, and eventually they will, nothing will change. Until then, each and every one of us is setting the cost of our power bill (and the taxes layered in it) at the ballot box.

    So the question is: The i3 would be sufficient?

    For the core NAS function, a couple of Dockers and a few add-ons, an i3 would be fine - more than enough. With the right amount of RAM and a VM that's not resource intensive, an i3 should be fine. If you want to run multiple VMs, or VMs with desktops and that sort of thing, that would be another matter. In that case, something fast with more cores and RAM would be better.


    3 SATA ports (extensible with a PCI card)

    The number of drives is up to you. I'm doing fine with 3 on my main server. I did flash an 8 port SAS card per this thread to upgrade an older commercial server.

    - Use an SSD (120 GB or 60 GB depending on what I found) or a USB key (Some opinions are welcome to make the choice) for the system

    Again, unless you're running multiple VMs and want to use the boot drive to store them, an SSD is a bit overkill for a boot drive. I've been running USB thumb drives for years, on different boxes, without an issue. And since they're inexpensive you can clone them for OS backup, and you'll save a SATA port as well. (3 SATA ports for 3 data drives.) To set up a USB boot drive, along with setting up the flashmemory plugin - required for flash boot drives, this -> guide may be useful. There are general setup details in it as well.


    - Save data and computers on 2*2-3TB HDD in RAID1 (5400 RPM because the machine is going to be in my living room next to my 3D printer)

    RAID1? Why? Use Rsync and get real backup instead. (Also in the guide.)


    - Run a Plex server (1 transcode operation) (saves and other heavy tasks will not run at the same time)
    - Put Docker
    - Put a Git server
    - Put JDownloader

    An i3 should handle 1 transcode, if it's not overloaded with VMs. In the absence of VMs, the rest should not be a problem.
    _____________________________________________________________


    While others may have different opinions, since it's free, I'd build and use the i3 if for nothing more than a test. As your knowledge of OMV evolves and you figure out more specifically what you want to do, you'll make a better decision about a platform change later on.

    Guess what: it was worth a try, because it worked! :D


    I did add the user "Lina" to the user with all the necessary permissions and I could log in :) It is a bit slow, but now I have fixed the main problem. :)

    Awesome. If you want to go back to the SMB share and set it to Public: No, it should still work and security would be tightened. All's well that ends well.
    ______________________________________________________________________


    Edit - Now that you're familiar with adding users:


    In Shared Folder permissions, "Others" shouldn't be set higher than Read. This would match "Guests Allowed" in the SMB share.
    This is useful for media shares, where you may want to allow visitors Read access to your media.


    With users created in OMV and for transparent access from Windows clients;
    In a Shared Folder, setting Others to None and the Group Users to Read/Write, matches Public: No in the SMB share. This will keep certain data shares private, from those who are not in the users group.

    First, I'll state up front, I have no experience with this kind of error.
    With that said, did you see the first line of the first screen shot? Kernel Bug at /build/-----/linux-4.19.28/drivers/ata/sat.....?

    Do you have OS backup from a time when all functioned? If the answer is "yes", I'd restore the backup. If the answer is "no", I'd consider setting your current boot drive aside and rebuilding. It's a guess, but I'm of the belief that this might not be fixable. Further, I'd be reluctant to work on the pool with an OS that may be corrupt.


    For users who may be reading this - there's a huge difference in security requirements, between peer-to-peer LANs and a Domain.
    (Setting aside being able to use older peripherals:)


    When might SMB Guest logons make sense? With media shares, specifically with Music and Video.


    I live in a remote location, with zero Television reception and two or three radio stations. When I provide a wifi key to a visitor (meaning I trust them), an SMB share that allows Guest logons but is set to "read only" allows my visitor to enjoy a show or some music without my getting involved. With write list = myusername, set in extra parameters, I can bypass the read only parameter and edit shares easily.

    I can't wait to get my new SBC and start to play with UnionFS again!

    Well, I have to caveat what I've said here. While my experiences have been very good, they are anecdotal and apply to just a few sets of hardware. Full backup is always a good idea - I'd go so far as to say "crucial". With backup, users are free to try new storage methods and advanced file systems without the need to worry.

    RE the above - TL:DR:


    I'll ask you one simple question - do you own a Windows 10 PC? If you don't, enough has been said.
    You're reading things on the internet and expressing an opinion on subjects, without experience or context.


    If you don't "get it", and don't know how to work with beginners and forum contributors, without getting overly excited and injecting emotion into it, further discourse is pointless.

    Unbelievable. There's a reason that ransomware like WannaCry was that efficient: this sick mentality to not think about security at all and to leave well known security holes wide open or even sabotaging vendor's efforts to strengthen security (this does not apply to users having no clue but to situations where users seek help and then get the advice to weaken security in forums or 'guides' and 'tutorials'). I was asking you why you advise something insane.

    MS has patched the WannaCry vulnerability in SMB1, with update 4013389, years ago. It's not the gaping security hole you're claiming it is. Why? As @votdev has already mentioned, there's a lot of hardware out there that requires SMB1. (Scanners, large format printers, etc.) When it comes to a peer to peer LAN at home, or in a small business, there are no hackers waiting, in the middle, to do a "Man in the middle attack". (If someone with malicious intent is inside a SOHO peer to peer LAN, it's already over.) But there's no point in talking about these remote scenarios, with a near vanishing level of probability.


    It's pretty simple, actually. Windows 10 is not going away. In fact, whether we like it or not, Win10 market share will increase over time. If a user can't get into OMV, from a Windows 10, it's already over. Security won't matter - they'll simply move on to something else that "works", regardless of whether it's secure or not. (OR) Perhaps it makes sense to find out what works, on the way to figuring out what the problem is.


    So why not take it down a notch or two and eliminate the injections of emotion and drama, along with attacks on contributors using words like "stupid", "insane", "sick", etc.? This thread is about getting a user connected to OMV. It's not a place to vent.

    But more important would be the power consumption as it's an 24/7 system.

    Let me guess, you're in the EU, right? :)

    The Atomic Pi sounds quite nice (especially what you get for the price!) - but I don't have the time nor the knowledge to struggle with USB3 issues...

    Based on Frank's tests, in the link above, if you use an external enclosure or adapter that uses the JMS578 USB3 chipset, you should get good performance.
    With the WD Elements USB drive, I don't know. I looked for some of the tech details but there are more than a few models of "WD Elements". Some are 2.5" and others 3.5". I didn't find anything on the chipset they use and I wouldn't be surprised at all to find that the interface is proprietary.

    So I would be really interested in the combination of UnionFS and SnapRAID.

    The combination, when set up with just a few details observed for the use case, is outstanding. It's superior to RAID5. In fact the only feature RAID5 has over SNAPRAID+UnionFS is higher (parallel) read and write throughput. Higher I/O may be good in a production environment, but it's not really necessary for a small LAN server. Also, it's RAID5's parallel reads and writes that cause problems with USB connected drives which are, by definition, "serial" connections. USB can't provide equal bandwidth to all drives. With SNAPRAID+UnionFS, this is not a problem.


    One of SNAPRAID's features that I appreciate the most is data integrity and preservation or, as it's commonly referred to, "bit-rot" protection. CoW filesystems provide bit-rot protection, but ZFS and BTRFS require some form of a RAID1 equivalent to implement it. (There's a way to achieve it in ZFS, with a filesystem setting of Copies=2, but that's a side note.)
    In any case, true bit-rot protection comes from duplicate files with checksums. A "scrub" checks files against their checksums and overwrites a bad file (one that doesn't match its checksum) with the good second copy (the file that does match its checksum). Otherwise, without the second file, all that could be done would be to report an unrepairable error.


    Two files means 2X the disk space is required for data integrity, hence the RAID1 or mirror equivalent. If 2TB is to be protected, it takes 4TB of disk space. SNAPRAID, on the other hand, does the same job using a content file and 1 parity disk to (safely) protect up to 3 data disks. Instead of a 50% loss of space, it's 33% to protect 2 data disks, or 25% to protect 3. So, for bit-rot, it's more space efficient.
    ________________________________


    These topics are not really complicated, but writing them up in a way that makes them seem simple can be. :)
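    As an added illustration of the sync, scrub and fix cycle described above (not SnapRAID's own code or on-disk format): three constructed "data disks", a content file of SHA-256 hashes, and one XOR parity "disk", so a single rotted disk is detected by its hash and rebuilt from parity plus the healthy disks.

```python
"""Toy model of the SNAPRAID-style scrub and fix described above.

Added illustration for this thread; not SnapRAID's code or on-disk format.
Data disks are byte strings, the "content file" is a dict of SHA-256 hashes,
and the single "parity disk" is the byte-wise XOR of all data disks, so one
damaged disk can be rebuilt from parity plus the remaining healthy disks.
"""
import hashlib


def xor_parity(disks):
    """Byte-wise XOR of equally sized disks (toy model: real parity pads to equal size)."""
    size = len(disks[0])
    if any(len(d) != size for d in disks):
        raise ValueError("toy model assumes equal-size disks")
    parity = bytearray(size)
    for d in disks:
        for i, byte in enumerate(d):
            parity[i] ^= byte
    return bytes(parity)


def sync(disks):
    """Like 'snapraid sync': record a hash per disk and compute the parity disk."""
    content = {i: hashlib.sha256(d).hexdigest() for i, d in enumerate(disks)}
    return content, xor_parity(disks)


def scrub(disks, content):
    """Like 'snapraid scrub': indexes of disks whose data no longer matches its hash."""
    return [i for i, d in enumerate(disks)
            if hashlib.sha256(d).hexdigest() != content[i]]


def fix(disks, parity, content, bad):
    """Rebuild one damaged disk as parity XOR all healthy disks, verified by hash.

    With a single parity disk only one damaged disk is recoverable; with two or
    more, all a scrub can do is report the unrepairable error.
    """
    if len(bad) != 1:
        raise RuntimeError("single parity cannot repair %d damaged disks" % len(bad))
    i = bad[0]
    healthy = [d for j, d in enumerate(disks) if j != i]
    rebuilt = xor_parity(healthy + [parity])
    if hashlib.sha256(rebuilt).hexdigest() != content[i]:
        raise RuntimeError("rebuilt data does not match the recorded hash")
    disks[i] = rebuilt
    return rebuilt


def flip_bit(data, offset, mask=0x01):
    """Simulate bit-rot: return a copy of data with one bit changed."""
    damaged = bytearray(data)
    damaged[offset] ^= mask
    return bytes(damaged)


def demo():
    """Three constructed 20-byte disks: sync, rot one bit on disk 1, scrub, fix."""
    disks = [b"alpha" * 4, b"bravo" * 4, b"chuck" * 4]
    content, parity = sync(disks)
    before = scrub(disks, content)          # [] : everything matches
    disks[1] = flip_bit(disks[1], 7)
    found = scrub(disks, content)           # [1]: disk 1 no longer matches its hash
    fix(disks, parity, content, found)
    after = scrub(disks, content)           # [] : repaired and re-verified
    # one parity disk protecting three data disks: 25% of total space
    overhead = len(parity) / (len(parity) + sum(len(d) for d in disks))
    return before, found, after, round(overhead, 2)


if __name__ == "__main__":
    print(demo())   # ([], [1], [], 0.25)
```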

    And what is your advice then? Simply setting up a user/password on OMV or doing something stupid and allowing guest logons?

    Come on - this is not productive. Let's get the user connected, then worry about security.
    The reason why MS pushed out the guest logon change, for the Enterprise and Education editions only, is that both are usually in AD domains. A workgroup, peer to peer on a small LAN, is another matter.
    ____________________________________________________


    @Pol de Lepel
    With the above in mind, you do have admin access to this Laptop, right? It's not a work laptop, is it?


    First - with OMV's permissions already set wide open, I don't think this is going to help, but it's worth a try:


    Using the same username and password you're using to log onto the Win10 Laptop, set up an identical username and password in OMV, under Access Rights Management, User. (The username and password must be an exact match to the Laptop, caps and all.)


    Set the Samba share to "Guests allowed". Browseable should be green (on)


    Under, Access Rights Management, Shared Folders, select a folder and click the ACL button. In the Popup you'd want the Group to be Users with at least Read/Write. The rest can be left as is.


    ________________________________


    Also, when accessing the server in Windows Explorer use the server's IP address instead of the name.



    _____________________________________________________________________



    Second - from the Win10 How-To:
    Did you try the Domain Connected Windows 10 Clients and Servers? (You'd need admin access to make this change.)
    Try Level 3 and see what happens.

    The video will get you started. I've been giving some thought to writing up a guide to provide an overview of what SNAPRAID is, the basics of how it works, and the automation of maintenance tasks. In addition, mergerfs has a few considerations that would be worth knowing before setting it up.


    For instance, video storage is the 400 lb gorilla in the room:
    A video data store has the potential to be massive. If the NAS is intended for a large collection of video files, the default policy "Existing Path, Most Free Space" should be changed to "Most Free Space". The Most Free Space policy will distribute files evenly among all drives, maintaining equal free space among member drives.
    On the other hand, if storage is mostly Video, the default policy "Existing Path, Most Free Space" will likely fill one drive to capacity. (The first directive "Existing Path", will direct files to where the shared folder "Videos" exists.)


    The down side to the "Most Free Space" policy is, with even distribution of files among all drives in an overlayfs fashion, you're more committed to using mergerfs.
    If there's a balance between Video and all other files, "Existing Path, Most Free Space" makes sense because files are consolidated according to data types set forth by the user when shared folders are set up. (Video, Documents, Pictures, etc.) The "Existing Path, Most Free Space" policy makes it easier to deal with problems, move data, or even back out of mergerfs altogether.
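    To make the two policies concrete, here is an added simulation (not mergerfs's code; a simplified model that ignores minfreespace and other policy details) of where new video files land on three constructed drives when the "Videos" folder was created on only one of them:

```python
"""Simplified model of the two mergerfs create policies discussed above.

Added illustration for this thread, not mergerfs's code. Branches are
in-memory records (name, free GB, set of existing directories) and a policy
returns the branch a new file would land on. Real mergerfs also honours
minfreespace and other options that this toy model leaves out.
"""
from dataclasses import dataclass, field


class NoSpace(Exception):
    """No eligible branch has room for the file (mergerfs would return ENOSPC)."""


class NoPath(Exception):
    """The relative path exists on no branch (mergerfs would return ENOENT)."""


@dataclass
class Branch:
    name: str
    free: int                                   # free space in GB
    dirs: set = field(default_factory=set)      # relative dirs present on this drive


def policy_mfs(branches, relpath, size):
    """Most Free Space: any branch with room; the one with the most free space wins."""
    cands = [b for b in branches if b.free >= size]
    if not cands:
        raise NoSpace(relpath)
    return max(cands, key=lambda b: b.free)


def policy_epmfs(branches, relpath, size):
    """Existing Path, Most Free Space: only branches where relpath already exists."""
    existing = [b for b in branches if relpath in b.dirs]
    if not existing:
        raise NoPath(relpath)
    cands = [b for b in existing if b.free >= size]
    if not cands:
        raise NoSpace(relpath)   # path exists only on full drives: no spill-over
    return max(cands, key=lambda b: b.free)


def place_files(policy, branches, relpath, sizes):
    """Write files of the given sizes under relpath.

    Returns (GB placed per branch, name of the error that stopped placement or None).
    """
    placed = {b.name: 0 for b in branches}
    for size in sizes:
        try:
            b = policy(branches, relpath, size)
        except (NoSpace, NoPath) as err:
            return placed, type(err).__name__
        b.free -= size
        b.dirs.add(relpath)      # mergerfs clones the path onto the chosen branch
        placed[b.name] += size
    return placed, None


def video_demo(policy):
    """Three 1 TB drives; 'Videos' was created on disk1 only; 40 files of 50 GB."""
    branches = [Branch("disk1", 1000, {"Videos"}),
                Branch("disk2", 1000),
                Branch("disk3", 1000)]
    return place_files(policy, branches, "Videos", [50] * 40)


if __name__ == "__main__":
    # epmfs fills disk1 and then fails: ({'disk1': 1000, 'disk2': 0, 'disk3': 0}, 'NoSpace')
    print(video_demo(policy_epmfs))
    # mfs spreads the files evenly:     ({'disk1': 700, 'disk2': 650, 'disk3': 650}, None)
    print(video_demo(policy_mfs))
```

    Note that after the mfs run the "Videos" path exists on every drive, which is the "more committed to mergerfs" point above; after the epmfs run all the videos still sit on one drive and can be moved or backed out as a unit.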

    Looking at the guide now.

    Great!


    And if you want to pool drives together, consider using the UnionFS plugin (which is mergerfs). SNAPRAID+UnionFS will provide an array that's similar to RAID 5, but with superior capabilities for protecting and recovering data. I'd really like to see the SNAPRAID+UnionFS combo catch on. It's one of the safer ways to deal with a collection of drives, that's also friendly to USB.


    If you're interested, there are a number of mergerfs threads on the forum.

    @ExRaspberry There's been a new finding, RE the Atomic PI and USB performance, that you may be interested in. -> Post


    I'm going to buy one. Even if it doesn't work out as a NAS backup of last resort, there's plenty of other uses for it. The navigation sensor alone, and its excellent specs, easily justifies the price (IMO).

    As far as the Atomic Pi being a real product with long term availability, few if any of the SBCs are. Among the numerous models out there, there's no apparent rhyme or reason behind their production runs. OEMs make them, until they don't.


    But when it comes to software support; X86 platforms (Atomic PI and the Udoo X86, as examples) can use OS offerings from multiple sources, well after their production runs have been discontinued.
    __________________


    The results from Frank's test, versus others, underscore why I'm skeptical of loosely correlated, anecdotal tests found in an internet search. These results usually apply to only one use case, and a small set of devices. I'm guilty of doing the same for personal use, but I don't publish numbers with the implication that they universally apply.


    In any case, I sincerely appreciate the record being set straight.

    Since you're running an R-PI, I'm going to assume that you added the appropriate tag (4.2.2-1_armhf) to the tag field. If not, ARM devices won't work with most X86 dockers.


    While nothing jumps out with a look, the error appears network related. I'm going to assume that your router's network is 192.168.1.0/24? Did you use 192.168.1.0/24 in the subnet field?



    Also, I'd recheck the interface name. There's a lot of room, in something that long, for a single error.
    ___________________________________________


    You may have something else going on, that's not obvious, which might explain why the previous Pi-Hole install began to fail.


    - In setting OMV up, it's important to run a hash on the image you downloaded. Slight corruption of the image can have odd effects, on an otherwise functional install.
    - Generic SD-cards are bad news. They may pass an error test, but still do odd things to the OS. Use SanDisk or Samsung, a good card. Cheap cards may work for a time, then they don't. This is a lesson I've learned the hard way.
    - The PS you're using may not have enough output or is otherwise "dirty" with noise and/or AC ripple. (And the latter can gradually get worse, over time, as one of the bridges begin to fail.)
    This is especially true if you're trying to power an external USB hard drive through the R-PI, pushing the PS into an undervolt condition. PS issues are a major problem with SBCs in general. The little cubes and bricks supplied with SBCs, or those suggested by the SBC OEM, are usually more about "low cost" than clean output and safety for the device they're attached to.
    - In setting up OMV, and as it should be with most server setups, it's best to use static IP addressing and a static DNS address. The less dependent you are on the processes of a consumer router, the better.
    - When I bought R-PI's, since there's no other way to isolate a fault in the device itself, I bought two.
    (While this may seem to be extreme, I'm conservative.)
    ___________________________________________


    Since you have backup, consider rebuilding your second card in accordance with this guide, with the appropriate tests of the image and the SD-card. With a clean install, you could reinstall the Docker Plugin and try the How To again.


    I know you may be frustrated by all of this but realize that the How-To is verified, each time I update it. Dozens to hundreds of users, have used it successfully. (The How-To, for ArmHF, has been verified by this user about a week ago.)
    ___________________________________________


    In a closing note, it may be time to move on from the R-PI. When I came to realize what R-PI's are, novelty devices - nothing more, that's what I did. Any x86 platform would perform better and they're almost certain to be more reliable.