DSM-G600, DNS-3xx and NSA-220 Hack Forum

vedeja · 2008-04-20 10:41:01

Until now I have had no problem mapping the drive from either my XP or Vista machine. Yesterday I rebooted my DNS323 and suddenly both Windows refused to let me reconnect, saying access is denied. Telnet is OK, lighttpd too. I have configured network access through web config to allow ALL access to Volume_1. Now when I try to map the drive I get a username/password box but none of the users I have created in the 323 is working. (Before I was never prompted with this!) Please help out!

sjmac · 2008-04-20 23:28:13

I think with Samba (which the DNS323 is running) you have two sets of permissions, the permissions to connect to the share (which you have set in the Web UI to let everyone in), and then the permissions of the files on the disk.

Maybe something has changed the permissions of the files on the disk?

Can you telnet to one of the foders with files that you are trying to access and do

Code:

ls -l?

Then do

Code:

cd .. 
ls -l

If "everyone" doesn't have permission to get in to the folder and read the files then it doesn't matter what the admin UI says, you still won't get your files.

If that is the problem, then you can use chmod to make all files publically accessible.

vedeja · 2008-04-21 19:46:40

sjmac wrote:
If "everyone" doesn't have permission to get in to the folder and read the files then it doesn't matter what the admin UI says, you still won't get your files.

All the files and folders I am trying to access seem to be owned by "nobody". However, I can't really se how it should matter. I can't even MAP the drive from windows (samba).

fordem · 2008-04-21 19:57:43

Check your firewall - especially if you're using something that does automatic updates

vedeja · 2008-04-21 20:58:39

My LAN is behind the firewall of my WRT54G/DD-WRT. My PC's have the windows firewall on but inactivating them did not help. Panic is getting closer.

mig · 2008-04-21 21:30:31

vedeja wrote:
Panic is getting closer.

Don't panic! http://en.wikipedia.org/wiki/Don%27t_Pa … _Galaxy%29

First, what is the firmware version on your DNS-323?
Second, do you have fun_plug installed?

You seem to think the problem lies in the DNS-323, so we can check the configuration
of the Samba software running on the DNS-323. The Samba software provides file and
print services for various Microsoft Windows clients, but will need telnet enabled to
access the command line interface of the DNS-323.

Once we determine that Samba is setup correctly, we can look at your windows networking,
if you still can't connect, to see if the problem lies there.

Last edited by mig (2008-04-21 21:32:15)

vedeja · 2008-04-21 21:40:14

mig, right on. I love The Guide so I don't know what I was thinking.

My FW is 1.04 and I have funplug 0.4 running. I really appreciate your help checking samba cfg.

mig · 2008-04-21 21:53:03

O.K., lets start by confirming that Samba is running

The 'ps' command shows the processes running on a Linux system,

So, telnet to your DNS-323 and run the following command and post the results.

# / ps | grep smb

Next, we'll need to see the contents of your Samba configuration file, smb.conf.
Post the output of this file.

# / cat /etc/samba/smb.conf

How Linux savvy are you? Are these instructions too simplistic?
Also, have you made any customizations to the smb.conf file?

vedeja · 2008-04-21 22:04:25

# / ps | grep smb

returns:

1250 root smbd -D
1260 root smbd -D
10060 root grep smb

# / cat /etc/samba/smb.conf

yields:

[ global ]
interfaces = egiga0
unix charset = UTF8
workgroup = workgroup
netbios name = DNS-323
server string = DNS-323
hosts allow =
hosts deny =
security = SHARE
encrypt passwords = yes
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536
max xmit = 65535
create mask = 0777
directory mask = 0777
force create mode = 0777
force directory mode = 0777
load printers = Yes
printcap name = /usr/local/LPRng/etc/printcap
min print space = 2000
max print jobs = 1000
printing = lprng
print command = /usr/local/LPRng/bin/lpr -P%p -r %s
lpq command = /usr/local/LPRng/bin/lpq -P%p
lprm command = /usr/local/LPRng/bin/lprm -P%p %j
lppause command = /usr/local/LPRng/sbin/lpc hold %p %j
lpresume command = /usr/local/LPRng/sbin/lpc release %p %j
queuepause command = /usr/local/LPRng/sbin/lpc -P%p stop
queueresume command = /usr/local/LPRng/sbin/lpc -P%p start
use sendfile =yes

[ web_page ]
comment = Enter Our Web Page Setting
path = /mnt/web_page
valid users =
read only = yes
guest ok = yes

[printers]
path = /mnt/HD_a4/.lpd
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = No

[ Volume_1 ]
comment =
path = /mnt/HD_a2
valid users =
read only = no
guest ok = yes
oplocks = yes
map archive = yes

Your level of detail is no problem for me, but I'm a Linux nju-B.
I haven't made any customizations to the smb.conf!

mig · 2008-04-22 06:48:52

O.K. it looks like Samba IS running and your smb.conf looks fine.

A couple more things to check to see if name resolution is working...
run the following command on the DNS-323 and post the output

# / hostname

# /ifconfig -a

On a winXP box run the following command in a command prompt window
and post the output

c:\>ipconfig /all

c:\>nbtstat -c

For, the next two command, replace <dns-323-hostname> with the output of the
hostname command from your DNS-323 (from the smb.conf file this is probably "DNS-323")

c:\>ping <dns-323-hostname>

c:\>nbtstat -a <dns-323-hostname>

Another question, is the DNS-323 using a static or dynamic IP address assignment?

Last edited by mig (2008-04-22 09:32:37)

sjmac · 2008-04-22 09:22:12

can you also post the output from
ls -l /mnt/HD_a2

vedeja · 2008-04-22 17:27:57

/ # hostname
DNS-323

/ # ifconfig -a
egiga0 Link encap:Ethernet HWaddr 00:1C:F0:0E:A9:CA
inet addr:192.168.1.102 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1236057 errors:0 dropped:0 overruns:0 frame:0
TX packets:1928539 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:512
RX bytes:105393670 (100.5 MiB) TX bytes:2542690152 (2.3 GiB)
Interrupt:21

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

C:\>ipconfig -all

IP-konfiguration för Windows

Värddatornamn . . . . . . . . . . : JOSHUA-XI
Primärt DNS-suffix. . . . . . . . :
Nodtyp. . . . . . . . . . . . . . : Hybrid
IP-routning aktiverat . . . . . . : Nej
WINS-proxy aktiverat. . . . . . . : Nej

Ethernet-anslutning Anslutning till lokalt nätverk:

Anslutningsspecifika DNS-suffix . :
Beskrivning . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Fysisk adress . . . . . . . . . . : 00-13-D4-56-7B-D4
DHCP aktiverat. . . . . . . . . . : Ja
Autokonfiguration aktiverat . . . : Ja
Länklokal IPv6-adress . . . . . . : fe80::70df:43c4:719f:9e58%8(Standard)
IPv4-adress . . . . . . . . . . . : 192.168.1.100(Standard)
Nätmask . . . . . . . . . . . . . : 255.255.255.0
Lånet erhölls . . . . . . . . . . : den 22 april 2008 16:10:58
Lånet upphör. . . . . . . . . . . : den 23 april 2008 16:10:58
Standard-gateway. . . . . . . . . : 192.168.1.1
DHCP-server . . . . . . . . . . . : 192.168.1.1
IAID för DHCPv6 . . . . . . . . . : 201331668
DNS-servrar . . . . . . . . . . . : 195.67.199.21
195.67.199.22
195.67.199.23
NetBIOS över TCP/IP . . . . . . . : Aktiverat

C:\>nbtstat -c

Anslutning till lokalt nätverk:
Nod-IP-adress: [192.168.1.100] Scope-ID: []

Det finns inga namn i cachen

C:\>ping DNS-323

Skickar ping-signal till DNS-323 [192.168.1.102] med 32 byte data:

Svar från 192.168.1.102: byte=32 tid < 1 ms TTL=64
Svar från 192.168.1.102: byte=32 tid < 1 ms TTL=64
Svar från 192.168.1.102: byte=32 tid < 1 ms TTL=64
Svar från 192.168.1.102: byte=32 tid < 1 ms TTL=64

Ping-statistik för 192.168.1.102:
Paket: Skickade = 4, Mottagna = 4, Förlorade = 0 (0 %),
Ungefärlig överföringstid i millisekunder:
Lägsta = 0 ms, Högsta = 0 ms, Medel = 0 ms

C:\>nbtstat -a DNS-323

Anslutning till lokalt nätverk:
Nod-IP-adress: [192.168.1.100] Scope-ID: []

NetBIOS-namntabell för fjärrdator

Namn Typ Status
---------------------------------------------
DNS-323 <00> UNIK Registrerad
DNS-323 <03> UNIK Registrerad
DNS-323 <20> UNIK Registrerad
..__MSBROWSE__.<01> GRUPP Registrerad
WORKGROUP <1D> UNIK Registrerad
WORKGROUP <1E> GRUPP Registrerad
WORKGROUP <00> GRUPP Registrerad

MAC-adress = 00-00-00-00-00-00

sjmac:

/ # ls -l /mnt/HD_a2
drwx-w--w- 18 nobody 501 4096 Apr 11 22:51 Data
-rwxrwxrwx 1 nobody 501 1626 Dec 15 09:22 ctrl_fanspeed.sh
-rwxrwxrwx 1 nobody 501 1562 Mar 17 10:29 fun_plug
drwxrwx-w- 10 503 root 4096 Mar 5 18:39 fun_plug.d
-rw-rw-rw- 1 root root 121 Mar 20 14:20 htdigest.sh
drwxrwxrwt 2 root root 4096 Mar 20 13:55 tmp
drwxrwxrwx 4 nobody 501 4096 Feb 18 12:20 www

sjmac · 2008-04-22 17:56:11

sorry, then also
ls -l /mnt

Code:

/ # ls -l /mnt/HD_a2
drwx-w--w-   18 nobody   501          4096 Apr 11 22:51 Data

Permissions for Data look odd to me (rwx-w--w-) ?

vedeja · 2008-04-22 18:13:27

/ # ls -l /mnt
drwxrwx-w- 9 503 root 4096 Apr 20 11:17 HD_a2
drwxrwxrwx 4 root root 1024 Feb 8 14:35 HD_a4
drwxrwxrwx 3 root root 1024 Feb 8 15:35 HD_b4
drwxr-xr-x 2 root root 1024 Feb 16 2007 web_page

sjmac wrote:
Permissions for Data look odd to me (rwx-w--w-) ?

That is the folder I am trying to map to. On the other hand, when I try mapping the drive root (Volume_1) I have the same problem. Is Volume_1 a symlink (or such) for HD_a2 btw?

vedeja · 2008-04-22 18:17:17

Solved?

I did chmod 777 on my HD_a2 and the Data folder and now it works. Do you think changing permissions like that are OK? Secondly, who/what changed them in the first place?

sjmac · 2008-04-22 18:33:20

Yay!

There are a few people on the forum who have had to do that - search for chmod 777.

I don't know why they broke - did the files get created by one user, and then you changed the access to "Everybody"?

Or did you install some other software that might have affected this?

sjmac · 2008-04-22 18:51:50

By the way, did you
chmod -R 777 ......

The -R is important.

On the other hand, when I try mapping the drive root (Volume_1) I have the same problem. Is Volume_1 a symlink (or such) for HD_a2 btw?

Volume_1 is the Samba share name (the name that you see when you browse the computer across the network), and HD_a2 is the folder name (aka directory) on the disk where the files are stored - look at the output of the smb.conf file that you posted for mig, above.

HD_a2 is on the DNS323 is actually the second partition on first hard disk (hda).

try a simple chmod
chmod 777 /mnt/HD_a2
(no -R needed) to fix guest/Everyone access to /mnt/HD_a2

Last edited by sjmac (2008-04-22 18:53:26)

mig · 2008-04-22 19:03:01

vedeja wrote:
Is Volume_1 a symlink (or such) for HD_a2 btw?

No, the name of the share (how Samba presents your folder to the windows network)
is defined at the bottom of the smb.conf file

[ Volume_1 ]
comment =
path = /mnt/HD_a2
valid users =
read only = no
guest ok = yes
oplocks = yes
map archive = yes

these options mean the actual filesystem directory /mnt/HD_a2 (in the path option)
will be shared as Volume_1 (in the brackets)
and the other options lines will be in effect for this share

Last edited by mig (2008-04-22 19:03:50)

vedeja · 2008-04-22 19:13:19

Huge thanks go out to sjmac and mig for clarifying things and setting me on the right track. Frustratingly, everything is always so simple when you know the answer...

Now I will consider if I have the guts to upgrade to funplug 0.5

mig · 2008-04-22 19:23:40

vedeja, The Data subdirectory was created by user "nobody" and
group "501" wonder what user/group you are connecting as curently?

To further understand which user/group you are now accessing your
DNS-323 as, you could create a new (temporary) file in the data directory
through the window XP share, then telnet to the DNS-323 and
ls -l the /mnt/HD_a2/Data directory to view the user and group.

vedeja · 2008-04-22 19:30:52

mig wrote:
To further understand which user/group you are now accessing your
DNS-323 as, you could create a new (temporary) file in the data directory
through the window XP share, then telnet to the DNS-323 and
ls -l the /mnt/HD_a2/Data directory to view the user and group.

The newly created temp file got "nobody 501". To what group does 501 refer? I have no users or groups defined in the web gui but simply network access granted for ALL. Is this why I logon as "nobody"?

mig · 2008-04-22 20:54:15

In Linux filesystems the user and groups are numbers,
there are files that translate the numbers to human readable
names. These file are /etc/passwd and /etc/group

if you type # / ls -nl /mnt/HD_a2/Data you will see the
numeric user and group ids for the files.

There is a user name "nobody" in /etc/passwd, it is a generic low
privileged user and probably belongs to the group id
501, however there is no entry for 501 in the /etc/group
file, so the listing just shows the numeric.

You are probably connecting to the DNS-323 as nobody because
you allowed guest users (in the smb.conf file) and you are not
authenticating from your windows box. Perhaps you don't have
a user or password setup on your windows box?

Last edited by mig (2008-04-22 20:55:15)

5h4rk · 2008-04-26 12:25:42

Sorry for hijack the post, but I seem to have to same problem but I can't telnet to chmod HD-a2, what I can do? I can FTP in tho. Thanks.

sjmac · 2008-04-26 15:21:29

But you have a fun_plug script installed, so you can still telnet in is that right?

So what do you see if you type
ls -l /mnt

What about
ls -l /mnt/HD_a4

5h4rk · 2008-04-26 15:40:59

sjmac wrote:
But you have a fun_plug script installed, so you can still telnet in is that right?

So what do you see if you type
ls -l /mnt

What about
ls -l /mnt/HD_a4

No, I can't I think I stuffed something up:

I changed HD_a2 from 777 to 775 and
I deleted the account nobody from /etc/passwd and /etc/shadow

Now I can only FTP using the accounts set in the webinterface, I can't telnet and ssh neither.

DSM-G600, DNS-3xx and NSA-220 Hack Forum

Announcement

#1 2008-04-20 10:41:01

Access denied

#2 2008-04-20 23:28:13

Re: Access denied

Code:

Code:

#3 2008-04-21 19:46:40

Re: Access denied

sjmac wrote:

#4 2008-04-21 19:57:43

Re: Access denied

#5 2008-04-21 20:58:39

Re: Access denied

#6 2008-04-21 21:30:31

Re: Access denied

vedeja wrote:

#7 2008-04-21 21:40:14

Re: Access denied

#8 2008-04-21 21:53:03

Re: Access denied

#9 2008-04-21 22:04:25

Re: Access denied

#10 2008-04-22 06:48:52

Re: Access denied

#11 2008-04-22 09:22:12

Re: Access denied

#12 2008-04-22 17:27:57

Re: Access denied

#13 2008-04-22 17:56:11

Re: Access denied

Code:

#14 2008-04-22 18:13:27

Re: Access denied

sjmac wrote:

#15 2008-04-22 18:17:17

Re: Access denied

#16 2008-04-22 18:33:20

Re: Access denied

#17 2008-04-22 18:51:50

Re: Access denied

#18 2008-04-22 19:03:01

Re: Access denied

vedeja wrote:

#19 2008-04-22 19:13:19

Re: Access denied

#20 2008-04-22 19:23:40

Re: Access denied

#21 2008-04-22 19:30:52

Re: Access denied

mig wrote:

#22 2008-04-22 20:54:15

Re: Access denied

#23 2008-04-26 12:25:42

Re: Access denied

#24 2008-04-26 15:21:29

Re: Access denied

#25 2008-04-26 15:40:59

Re: Access denied

sjmac wrote:

Board footer