BetterSamba

The samba server on the device is pretty crippled for a few reasons:

  • No ability to authenticate against another server
  • No fine-grained access control via the web interface (e.g. write-only dropboxes, etc)

There are a few ways to get around this. One option is to edit the firmware /etc/samba/smb.conf. Really, you need to keep an edited copy on the hard disk, and write a fun_plug script to copy the new version to ramdisk after the machine boots, then restart the samba server (and thus re-read the config file). You may also perform small edits to the file without a fun_plug by use of export and import config. This can be used to make the bundled samba config include another config placed on the harddrive. The format of the exported configs are done several files stacked together separated by newline followed by ';'. The samba config is truncated to a fixed number of lines when reimporting, but it's possible to edit the file and possible add “include = /mnt/HD_a2/smbconfig”.

Some side notes to the above paragraph (based on information from the Forums): The device keeps a master smb.default file in NVRAM that it copies over into the ramdisk at every boot (to etc/samba/smb.conf), so any direct changes to this file won't survive a boot (hence the need for a fun_plug scipt to copy the modified smb.conf file from the harddrive after every boot). The import/export config allows one to modify the master smb.default in NVRAM. If you go down this route and use the import/export config, be very careful as you could seriously damage your unit! Alternatively if you have a well working smb.conf you may as well copy it into NVRAM and do away with the script (you don't need to use the import/export, you can directly mount the NVRAM, see below in the How to Make the DNS Work With a Domain Part)

Another option is to install the debian bootstrap, and use that version of samba (this is probably the better option, since debian's smb server will probably be newer than the firmware version). Again, you're going to have to have a fun_plug script that disables the embedded samba before running the debian initrc and starting debian's samba server.

Not much of a howto just yet, but as I get it set up I'll drop in step-by-step instructions for both methods, with some sample configurations for making samba work well. Hopefully I'll demonstrate how to make samba auth against Active Directory/LDAP so that real system administrators would see how to use the DNS-323 for something useful – like seamless home directory storage for their network!

How to Make the DNS-323 Work with a Domain

Note: This was tested using 1.0.4 beta firmware. Note: Tested using 1.0.6 work!

Steps to get domain authentication working:

  1. edit the smb.default file (on the dns323)
mount -t minix /dev/mtdblock0 /sys/mtd1
mount -t minix /dev/mtdblock1 /sys/mtd2
#EDIT both copies of smb.default
vi /sys/mtd[12]/smb.default
Change the line "security = SHARE" to "security = DOMAIN"
#
sync
umount /sys/mtd1 /sys/mtd2
#
  1. You will need a secrets.tdb file from another linux box that you have used to join the domain (on a test Linux box)
    1. shutdown samba on your test linux box.
    2. move all the files from /etc/samba to a safe location
    3. create a new smb.conf with the following entries
  [ global ]
  workgroup = MYNTorADDOMAIN
  netbios name = dns323
  security = DOMAIN
  1. Join the domain
  net join
  1. scp -p /etc/samba/secrets.tdb dns323:/mnt/HD_a2/fun_plug.d/etc/secrets.tdb
  2. Move the good samba bits back in to place on your test samba box.
  3. Setup the DNS323 to use the secrets.tdb file - create a new startup script:
cd /mnt/HD_a2/fun_plug.d/start
touch samba-1.0.4-domain.sh
chmod 755 samba-1.0.4-domain.sh
vi samba-1.0.4-domain.sh
#!/bin/sh
smbd_start() {
      cp -p ${ETCDIR}/samba/secrets.tdb /tmp/samba/secrets.tdb
      killall smbd
      /usr/bin/smbd -D
}
smbd_stop() {
  killall smbd
}
smbd_status() {
  echo
}
case "$1" in
  stop)
      smbd_stop
      ;;
  restart)
      smbd_stop
      sleep 1
      smbd_start
      ;;
  status)
      smbd_status
      ;;
  start|'')
      smbd_start
      ;;
  *)
      echo "Usage: $0 start|stop|restart|status"
      ;;
esac
  1. reboot the dns323 from the webpage

Note: Don't make any mistakes, or you could brick your unit!

How to Make the DNS-323 Work with UNC Paths

A UNC path looks like \\servername\sharename, and there's a problem accessing network shares on the DNS-323 through UNC paths if the share requires a user name and password: Windows will prompt you with a login box that doesn't allow to specify a username (the username is greyed out).

You could make users that have the same username and password as your Windows account. But that would seriously compromise your password security since the DNS-323 only allows a maximum of 8 characters and doesn't allow special characters. To solve this problem D-Link tells you to map network drives to the device and specify a username and password that way. Alternatively, in Windows XP and Vista each user can store a single username and password to use for connections to a DNS323 in Control Panel > User Accounts > Manage Your Network Passwords. Some “Home” versions of Windows deliberately forget such stored passwords each time the machine is rebooted.

If you need to use different passwords to access different shares on the DNS323, or just don't want Windows to store the password, then this howto shows a not-so-hacky way to enable you to access your D-Link with UNC paths providing you with a login box that enables you to specify a username and password.

Be sure to edit the file with a text editor that will NOT introduce CR+LF newlines (such as Notepad and Word) when editing your DNS-323 configuration file: if there's CR+LF newlines in your configuration file, you will SURELY brick your unit. To be safe, use a text editor that introduces only LF newlines, such as any old text editor on a UNIX-based system. To be even safer, WRITE A SCRIPT for FFP that automatically replaces the contents of /etc/samba/smb.conf with another file already stored on your hard drive.

  • Make sure your firmware is version 1.03/1.04 (Not tested with other firmwares)
  • From within the D-Link web admin: Save your Configuration Settings
  • Edit the saved file with a Linux compatible text editor (Like Notepad++)
  • Under [global] change:
    security = SHARE

    to

    security = USER
  • Save the file and load it back up onto the DNS-323 (Using 'Load Configuration Settings')
  • You're done!

Some Side Notes:

Since the root path of the DNS-323 isn't secured, accessing it will trigger Windows to access the resource anonymously. Accessing a secured resource after this will result in an error telling you you're not allowed to access the resource with multiple login sessions. (You're already logged in with that anonymous account.) To work around this problem make sure to access the secured share directly after Windows starts up. like:

//nas/my_secured_resource/

Prevent Anonymous Access

The more secure solution would be to edit the share setting in smb.conf, unfortunatly I dont se how this could be done in the same way. I use my own smb.conf and copies it to /etc/samba/ using fun_plug

# fun_plug part
if [ -r "${FUNPLUGDIR}/etc/smb.conf" ]; then
	cp ${FUNPLUGDIR}/etc/smb.conf /etc/samba >>${LOGFILE}
	exec smb restart >>${LOGFILE}
else
    echo "*  ${FUNPLUGDIR}/etc/smb.conf: File not found"
fi
# smb.conf changes (started out with dlinks original).
hosts allow = 192.168.1. 
security = USER
# I use groups and dont want other non members to access files.
create mask = 0770
directory mask  = 0770
force create mode = 0770
force directory mode = 0770
# the most share settings
[ Lagring ]
comment = 
path = /mnt/HD_a2/smb
valid users = 
read only = no
guest ok = no # this prevents anonymous access

[ Admin ] #one user only share, to access fun_plug 
comment =
path = /mnt/HD_a2
valid users = sysadm
read only = no
guest ok = no
  • The web admin seems to crash when modifying users after you've done this hack. I'm not sure if this is due to the hack.

How to Make the Windows 'Archive' Bit Work

Both DNS-323 firmware 1.03 and 1.04 have the problem that the Windows archive bit is not handled correctly (it is always set). Some backup programs don't like this.

The problem is that /etc/smb.conf contains the line

force create mode = 0777

Solution is to delete the line. But after the next reboot it is there again :-( This is why you need funplug and a sambafix.sh file in the funplug.d/start directory. It gets executed at each boot and it contains the following:

# Restart Samba with my configuration
cp /mnt/Volume_1/etc/samba/smb.conf /etc/samba/smb.conf
smb restart

The full procedure is:

  1. Copy the original /etc/samba/smb.conf somewhere (e.g. such as /mnt/Volume_1/etc/samba/smb.conf)and edit it to your liking
  2. Create a /mnt/Volume_1/funplug.d/start/sambafix.sh file as shown above
  3. Set the execute bit with: chmod u+x sambafix.sh
  4. Reboot

For Fonz funplug Version 0.5

Place the sambafix.sh script in ffp/start.

For D-Link firmware 1.05 and RAID 1 (mirrored) drives, the line in sambafix.sh needs to be cp /mnt/HD_a2/etc/samba/smb.conf /etc/samba/smb.conf.

To Make the Windows Read Only Bit Work

Add map readonly = yes to your custom smb.conf.

How To Create A Recycle Bin

In a message posted in the DNS323 forum, jrbilodeau wrote; ….here is what i did to get it working perfectly.

  • Open a telnet session (I use putty) and type;

cp /etc/samba/smb.conf /ffp/smb.conf

chmod 777 /ffp/smb.conf

In Windows Explorer navigate to the ffp folder on Volume_1 and open up the smb.conf file with a linux friendly text editor (I use notepad++).

Under the [ global ] section I added the following lines

vfs object = recycle
recycle:repository = .recycle
recycle:directory_mode = 0777
recycle:subdir_mode = 0777
recycle:keeptree = Yes
recycle:versions = Yes
recycle:touch = No
recycle:touch_mtime = No
recycle:maxsize = 0
recycle:exclude = *.tmp,*.temp, ~$*, *.~??
recycle:exclude_dir = /.recycle
msdfs root = no

Save it then add the following lines to fun_plug

# Restart Samba with my configuration
cp /ffp/smb.conf /etc/samba/smb.conf
smb restart

Restart you dns323

Note 1: I tested this before applying it to the funplug in case something didn`t go right I could simply reboot and go back to the original smb.conf file I suggest you do the same.

Note 2: The 'recycle:keeptree = Yes' tells samba to maintain the same directory tree structure where the files were from. For example, if you deleted/overwrite a file /dir_a/subdir_b/file_overwritten, your .recycle directory will look like : /mnt/HD-a2/.recycle/dir_a/subdir_b/file_overwritten. If you change 'recycle:keeptree = No, every directory will have a .recycle, that will be ugly. Depending on how secure you want the recycle files be, change directory mode as needed.

Additional information regarding Samba's recycle bin can be found at Linuxtopia

What's Next?

I hope this way of hacking (using the configuration file) allows for some other nice hacks that don't involve using mod_plug hacks. I think it's a cleaner way to do things. If someone knows a way to secure the root path of the DNS-323 that would be nice since it would prevent Windows from logging in anonymously! (See above the Preventing Anonymous Access part)


Navigation

Personal Tools