Unfortunately no one can be told what fun_plug is - you have to see it for yourself.
You are not logged in.
Hi everyone,
I have been very hesitant to post this question for some time, as it is a considerable newb question that would likely get the RTFM, but hey, I've tried.
But since you all have encouraged me to consider SSH and even access from work to my DNS at home I really need to resolve this issue.
It could be very simple, but it has been a PITA for me.
This is all done via DNS GUI, which I can cope with a bit better. I do have it fun plugged. Not chrooted with debian yet. I have FTP access to the unit via fun plug and putty.
Starting off I have administrator as admin and password as XXXXXXX, can log in to unit to configure settings, and have all accounts allowed read and write to volume_1
Great, can access from laptops on LAN by logging in as admin and backup to it and use it just fine. It works well.
BUT it says - access to ALL to my Volume_1
If I try and add user say - john - password XXXXXX - with r/w access to volume_1/media (or in fact even to Volume_1) when I try and map network drive and dissect to \\192.168.0.100\Volume_1\media it asks for username and password, using John and XXXXXX it says not accepted.
It doesn't matter whether I give John access to Volume_1 either. Additionally I am stopping ALL access to volume_1 at the same time (is that the problem).
So what am I doing wrong here. ?? What simple process have I just not gotten?
I just want to feel my unit is restricted to different access points IF I decide to allow access over SSH through my router,
So there it is, help appreciated, if it is simple HOORAY, I bloody hope so.
Cheers
hastings69
Offline
Are you using Vista to access it? If you are, you either need to disable LLTD in the settings on Vista, or you need F/W 1.05 on the DNS and enable LLTD on the DNS. The new security authentication with Vista is not compatible with the DNS before F/W 1.05.
Offline
Thanks BQ
F/w 1.05 last week (after my reformat and backup change). LLTD enabled last week on DNS, don't know about vista LLTD settings (ie how to disable).
Yes have always used vista to access (probably a few months ago I tried same with XP laptop with no difference but could be imaging that I did it - no longer have XP), problem since day one, and tonight the same problem with LLTD as above enabled.
What do you think now? Cheers for the advice
Offline
bq041 wrote:
Are you using Vista to access it? If you are, you either need to disable LLTD in the settings on Vista, or you need F/W 1.05 on the DNS and enable LLTD on the DNS. The new security authentication with Vista is not compatible with the DNS before F/W 1.05.
?
From playing with the LLTD setting in the new (1.05) web UI it is my impression that it just enables me to turn off the LLTD feature that was on by default in firmware 1.04. That is, when I choose "Network Map" in the Vista Network Center, if LLTD is enabled I will see a few icons joined together, including a picture of a DNS-323, but if I disable LLTD in the web UI then I get an error message about "devices not responding".
Is there more to LLTD than that?
I have been able to connect from Vista to the DNS-323 using a username and password with and without LLTD enabled (in the DNS323 web UI) from my desktop.
Last edited by sjmac (2008-05-21 14:38:04)
Offline
This is something I've encountered in the past with OS X and samba, but I'm not sure if it's applicable to the samba server on the DNS-323. Sometimes samba doesn't like certain symbols in passwords and will deny access if they're used. If you're using symbols, try changing the password to just letters and numbers and see if it helps.
Last edited by raid123 (2008-05-21 23:27:13)
Offline
hastings69 - If you telnet or ssh in to your DNS-323, what do you get for
ls -l /mnt/HD_a2/media
Could it be that the user "john" doesn't have permission to access the files on the filesystem (even though he has access to the network share)?
Offline
sjmac - You are right, I was confusing 2 terms. What I meant was NTLMv2. The DNS does not support it, but it is the default on windows vista. It needs to be changed to LM security handshake.
hastings - sorry about the confusion. Anyway, I had hit or miss connections with Vista before seting the securities correctly. It would always work with no user/password (if the DNS was set that way) but as soon as a password was introduced, then it would not connect. Vista also remembers if a password is supposed to be used, so even if you have a user without a password, Vista will still want one. The setting for NTLM is in the local security policy on Vista, but getting there is different depending what version you have. I'm running Business and Ultimate, so it easy to get there. I set up one Home edition, but I do not recall how to get there, I'd have to look it up.
Offline
Thanks everyone, just woke up and am at work. I'll try this again tonight, I appreciate your help.
Few answers
1. sjmac - post answers tonight. then I'll chmod all the files again in case that is an issue as you have previously helped me to do with Mig
2. I do have a very old XP laptop (almost don't have anymore!) I could brush the cob webs off and try log in tonight also.
3. Maybe a complication - these laptops (Vista) are also joined to a domain from work, so in terms of NTLM, I don't know whether that has a link/problem, because I remember setting up keberos/NTLM settings with RPC over HTTPs for my exchange email, I really have little expertise in this area other than recognising that the letters NTLM go together . Group policy is fairly tight. And it isn't something I can mess too much with with respects to security changes in sometimes even local policy unless I want the laptop to remain off the domain......which isn't an easy or desirable option. But I can see what can be done.
4. I am using business vista
4. The password does not currently contain wierd symbols only numbers and letters.
Cheers
Hastings
Offline
See if you can do this on your Vista machines.
Open your start menu and click 'run'. In there, run secpol.msc If you have permission, great. If not, we're done. If it does load up, open 'local policies' and 'security settings'. Look for 'Network Security: LAN Manager authentication level'. If you set it to 'Send LM & NTLM - use NTLMv2 session if negotiated', you should still be able to use your domain at work and I know this setting will talk to the DNS, it is what I use.
Offline
Thanks bq041 - have changed from send NTLMv2 only to send LM & NTLM - use NTLMv2 session if negotiated.
Will try again tonight and post results.
Work computers haven't crashed around me and server sirens haven't gone off...... so its all good......
Offline
One other thing to remember. Right click on your 'my computer' icon and select 'map network drive' to map the drive on Vista. Before you hit 'finish', hit the link for logging on as another user and put in your info.
If you just hit finish and it prompts for a login and password, you get a 1 shot deal, it will not allow a change to the user name and doesn't always work.
Offline
bq041 wrote:
sjmac - You are right, I was confusing 2 terms. What I meant was NTLMv2. The DNS does not support it, but it is the default on windows vista. It needs to be changed to LM security handshake.
That was true with firmware 1.03, but not with 1.04 or 1.05 which use the newer Samba 3.0.x server. I haven't changed my Vista client at all, and it is happy to use username and passwords to connect to my DNS323 (currently firmware 1.05).
Last edited by sjmac (2008-05-22 12:06:08)
Offline
Hey and Thanks.
Just tested - WOW the permissions are actually working properly.... I have just gotten past what I have tried for a VERY long time.
I have only really changed the NTLM setting, otherwise all else is the same, different password at logon and reconnect.
Actually the other thing was I ruight clicked computer and added MAP NETWORK DRIVE rather than the icon on the taskbar at the top...?
I AM SO HAPPY, thanks for your advice and help, I think I can put this to bed,
Regards a very happy Hastings69. I am now going nuts adding folder specific permissions, what a novelty.
Offline
sjmac wrote:
That was true with firmware 1.03, but not with 1.04 or 1.05 which use the newer Samba 3.0.x server. I haven't changed my Vista client at all, and it is happy to use username and passwords to connect to my DNS323 (currently firmware 1.05).
I agree it was supposed to be fixed, but I think there are some bugs, still. I have 3 Vista machines running on the network and 2 of them will work with NTLMv2 no problems, but the 3rd still won't do it without LM being on. You will probably say it is a Vista issue on the computer, and I agree. It may not be the fault of the DNS, but it works fine once making the change. I really don't know why, but it was a simple solution.
Offline
Whoops,
Sorry everyone, I also changed one other thing....... I did chmod Volume_1 to try and get this problem sorted out..... and the outcome of this is...... my SSH connection won't allow connections as I have allowed everyone in the world to view the key files.
Permissions 0777 for '/ffp/etc/ssh/ssh_host_dsa_key' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
I can still telnet in (it asks for login, and I login as root and password), my own solution is to delete everything (not data) and re funplug it all. But I would be keen for an alternative.
I know what can be said about a "little amount of information is more dangerous than none....."
I realise now I just should have chmod "media and data" folders within Volume_1 not Volume _1 itself
I am fun plug 0.5, FW 1.05, Trying SSH, sort of trying with chroot debian etch, and backup from A to B each night. If I don't have to ruin all that hard work for yet another dumb permission problem that would be great (dumb on my part not the system.)
Thanks again
Hastings69
Offline
chmod -R 007 /ffp/etc/ssh
?
Offline
Thanks sjmac, didnt change anything unfotunately, I might just restart, given I want the files to be tight especially for connections. Here goes another Sunday!
Hastings69
Offline
I think you've got a pretty simple problem to solve there, but I made a silly mistake in my suggestion.
The error message is just complaining that all logged in users have permission to write data in your ssh folder. You just need to change it so that only you have that permission.
Do
chmod -R 700 /ffp/etc/ssh
(Note that the 7 is at the other end)
Here is some background on the slightly cryptic command:
http://www.tech-recipes.com/unix_tips697.html
And here is a fuller description of the command:
http://en.wikipedia.org/wiki/Chmod
Offline
Thanks sjmac.
And thanks for those links.
I decided to restart everything, going back to a simpler setup, ffp 0.5, SSH and backup. I was planning on playing around with access over web, but have decided (for today anyway to just leave this box hidden and secure, and continue to fiddle and learn on an ubuntu old box instead, makes mistakes there and then once I know more, come back to the DNS.
Reinstalling FFP and SSH and telnet didn't take very long (30mins). And those links helped as I had trouble removing some of the files that had permission problems when deleting for the reinstall.
I did try a chmod command in the mean time, and it to allow less access, I think from memory I had it at 600? maybe, but it didnt change anything.
Pity I didn't get it completely sorted but I appreciate your help and replies.
Regards
Offline