DSM-G600, DNS-3xx and NSA-220 Hack Forum

LaverneR · 2008-12-05 22:08:59

In searching other posts it appears that you need both the user and password to be the same on the DNS-323 as on Windows XP for SMB to connect (without Windows XP asking for a password when trying to connect to the share). This is in a setup where I have restricted access to just a single user for this share.

For my primary user account, this works properly.

However, if I set the password on other Windows XP accounts to be the same as my primary user account, then they can also connect without being asked for a password, even though I haven't set them up as users on the DNS-323.

I find this strange and a bit weaker security than I would prefer. Do I have something configured wrong? (I have installed fun_plug and have played with it a bit, but I think everything is as it should be.)

Also, when I try to connect to the DNS-323 shares from a Windows XP account with a different password, then it asks me for the password (with a default GUEST user) in a popup, and if I enter the password for my primary user account, it succeeds. Shouldn't it also be asking for both correct user and password?

Thanks for your help.

mig · 2008-12-05 23:05:19

Samba is the software used by the DNS-323 to make the linux file system accessible to windows OS PC
There is a configuration file /etc/samba/smb.conf which setup up the options to determine the behavior of Samba
Samba has several security modes, see http://us6.samba.org/samba/docs/man/Sam … #id2552069

The behavior you are seeing is consistent with the Samba operation mode of
security = SHARE
which is the default setup by Dlink.

To change this security mode you need to modify the smb.conf file to contain
security = USER
then you will get the behavour you desire

Please, not that once you "hand edit" the smb.conf file, it will become incompatible with
the web GUI.

There are may posts about this issue (and other modification you can make to the smb.conf)
http://dns323.kood.org/forum/t1675-user … es%3F.html
just search the forum for "smb.conf"

Also note http://dns323.kood.org/forum/t1232-wher … ed%3F.html
to preserve you smb.conf changes after reboot.

LaverneR · 2008-12-05 23:26:43

Thank you for your extensive reply. That's exactly what I was looking for but couldn't quite find it. As I see it, the Web GUI appears to be misrepresenting the SHARE operation mode by allowing you to restrict directory shares by user, but then not changing the operation mode to USER.

mig · 2008-12-06 11:48:14

Share level security is not a very robust (from a security standpoint) Samba mode.

Cent OS 5 documentation wrote:
19.7.2. Share-Level Security

With share-level security, the server accepts only a password without an explicit username from the client. The server expects a password for each share, independent of the username. There have been recent reports that Microsoft Windows clients have compatibility issues with share-level security servers. Samba developers strongly discourage use of share-level security.

Above quote from http://www.centos.org/docs/5/html/Deplo … modes.html

Thankfully, with fun_plug and a "restart samba" script this limitation can be easily worked around.

DSM-G600, DNS-3xx and NSA-220 Hack Forum

Announcement

#1 2008-12-05 22:08:59

why is SMB authenticating to unknown users with just password?

#2 2008-12-05 23:05:19

Re: why is SMB authenticating to unknown users with just password?

#3 2008-12-05 23:26:43

Re: why is SMB authenticating to unknown users with just password?

#4 2008-12-06 11:48:14

Re: why is SMB authenticating to unknown users with just password?

Cent OS 5 documentation wrote:

Board footer