SMB Questions

NAS: DS720+; Operating system: macOS; Mobile operating system: iOS
I have literally spent all day figuring out how to direct my Sonos acct to my audio folder on my NAS. It was a ton of trial and error and reading everything I could find on the internet. Finally got it working but have a few questions that I am hoping for some help with.

1. What is SMB? What does it stand for and why is it needed?
2. I had to downgrade my SMB Protocol to SMB1. I keep reading that this is a big threat for hacking into my system? How big of a risk do I run leaving my system with SMB1 enabled?
3. Through trial and error, I realized that my Sonos authentication only worked with my master admin password? I would prefer to not have this pass saved on multiple phones for the use of streaming music. What permissions do I need to enable to use this streaming acct with my general user authentication?

Sorry for all the ignorant questions but this is like learning a new language. Thanks in advance.

AG
 

fredbert

Moderator, NAS Support, Subscriber; NAS: DS1520+, DS218+, DS215j; Router: RT2600ac, MR2200ac; Operating system: macOS; Mobile operating system: iOS
SMB is one of the common network file sharing protocols. It is sometimes referred to as CIFS. Server Message Block - Wikipedia

SMB v1 was the route for the WannaCry ransomware attack and most OS have moved away from v1 due to low security.

My HEOS setup supports SMB access to what it calls Network Shares. But it too is limited to SMB v1 plus the setup instructions sound to be similarly badly written.

My HEOS supports access to DLNA/UPNP media too so I set up Synology Media Server and keep my NAS on SMB v2.
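To see which devices on a LAN still offer only SMB v1, the first client message of a TCP/445 connection (taken from a packet capture) can be parsed for the dialects it offers. This is an added example, not code from the post or from Synology; the message layouts follow the published SMB1 and SMB2 NEGOTIATE request formats, and `frame` and `LEGACY` are constructed sample helpers.

```python
import struct

SMB2_DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0",
                 0x0302: "3.0.2", 0x0311: "3.1.1"}

def offered_dialects(payload):
    """Return (verdict, dialects) for a NEGOTIATE request; ValueError otherwise."""
    msg = payload[4:]                          # drop 4-byte NetBIOS session header
    if msg[:4] == b"\xffSMB":                  # SMB1 framing
        if len(msg) < 35 or msg[4] != 0x72:    # 0x72 = SMB_COM_NEGOTIATE
            raise ValueError("not an SMB1 NEGOTIATE request")
        off = 33 + 2 * msg[32]                 # header (32) + WordCount (1) + words
        if len(msg) < off + 2:
            raise ValueError("truncated parameter block")
        (byte_count,) = struct.unpack_from("<H", msg, off)
        data = msg[off + 2:off + 2 + byte_count]
        if len(data) != byte_count:
            raise ValueError("truncated dialect list")
        dialects, pos = [], 0
        while pos < len(data):                 # entry = 0x02 + NUL-terminated name
            end = data.find(b"\x00", pos + 1)
            if data[pos] != 0x02 or end < 0:
                raise ValueError("malformed dialect entry")
            dialects.append(data[pos + 1:end].decode("ascii", "replace"))
            pos = end + 1
        # Modern clients add "SMB 2.002"/"SMB 2.???" so the server can upgrade.
        upgrade = any(d.startswith("SMB 2.") for d in dialects)
        return ("smb1-can-upgrade" if upgrade else "smb1-only"), dialects
    if msg[:4] == b"\xfeSMB":                  # SMB2/3 framing
        if len(msg) < 100 or struct.unpack_from("<H", msg, 12)[0] != 0:
            raise ValueError("not an SMB2 NEGOTIATE request")
        (count,) = struct.unpack_from("<H", msg, 66)        # DialectCount
        if len(msg) < 100 + 2 * count:
            raise ValueError("truncated dialect list")
        codes = struct.unpack_from("<%dH" % count, msg, 100)
        return "smb2+", [SMB2_DIALECTS.get(c, hex(c)) for c in codes]
    raise ValueError("not an SMB message")

def frame(msg):
    return b"\x00" + len(msg).to_bytes(3, "big") + msg   # NetBIOS session header

# Constructed sample: a legacy client that offers nothing newer than SMB1.
LEGACY = frame(b"\xffSMB\x72" + bytes(27) + b"\x00" + struct.pack("<H", 12)
               + b"\x02NT LM 0.12\x00")

if __name__ == "__main__":
    print(offered_dialects(LEGACY))
```

A client reported as `smb1-only` is one that will stop working when the NAS minimum protocol is raised to SMB v2.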
 

fredbert

General info on setting access permissions (use Control Panel -> User [or Group] -> Edit Permissions [and Applications, for Groups]):
  • Rights are granted on two levels: the user itself and any group the user is a member of.
  • The combined set of access rights is from these.
    • Note: for File Shares the No Access level takes priority over Read-Write, which has priority over Read.
  • File Share permissions can be applied at both user and group level
  • Application access is applied at group level
  • Default group for new users is 'users' and it has little access.
    • Keep 'users' as it is so that you have a known baseline for new accounts.
    • I created a new group, e.g. 'family', and added my home users to it and then applied a standard set of access rights to it.
    • If you want a parents group that has access to more applications and File Shares then use a second group, e.g. 'parents', to augment the access of user accounts added to it.
    • You can also create role specific groups that have limited access, such as for guests, friends, and 'home' devices (I have one for Apple TV's Video Station).
  • I don't know which Application permission grants SMB/AFP/NFS access but the 'admin' group has a lot of rights and 'users' group doesn't. Try enabling one-by-one, starting with the most obvious (File Station, FTP, DSM...)
  • Use Control Panel -> Privileges to compare access rights between user and group accounts.

If you can avoid using SMB v1 then I would strongly recommend not enabling it.

If Sonos can't browse a DLNA/UPnP media server and select tracks for playback then you might still be able to use Audio Station and set the speakers to your Sonos (this works for my AVR, and HEOS amp and speaker). I see others on the Sonos community have used Logitech Media Server (which is being deprecated as a standalone Synology package but can be found in Docker).
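The precedence described in the permissions list above (No Access over Read-Write over Read, combined across the user and its groups) can be modelled to audit a dedicated streaming account. This is an added example, not DSM code; the account, group and share names and the ACL tables are hypothetical, constructed values.

```python
# Precedence as described in the post: No Access > Read-Write > Read.
RANK = {"read": 1, "read_write": 2, "no_access": 3}

def effective_right(share, user, groups, user_acl, group_acl):
    """Combine the user's own grant with every group grant for one share."""
    grants = [user_acl.get(user, {}).get(share)]
    grants += [group_acl.get(g, {}).get(share) for g in groups]
    grants = [g for g in grants if g is not None]
    # Nothing granted anywhere means the account cannot open the share.
    return max(grants, key=RANK.__getitem__) if grants else "no_access"

def audit_account(user, groups, user_acl, group_acl, shares, intended):
    """List (share, intended, effective) where access differs from policy."""
    findings = []
    for share in shares:
        got = effective_right(share, user, groups, user_acl, group_acl)
        want = intended.get(share, "no_access")
        if got != want:
            findings.append((share, want, got))
    return findings

# Constructed, hypothetical setup: names are illustrative, not DSM defaults.
SHARES = ["music", "photos", "backups"]
GROUP_ACL = {
    "users": {},                                   # baseline group, no share access
    "media-devices": {"music": "read"},            # role group for players
    "administrators": {s: "read_write" for s in SHARES},
}
USER_ACL = {"sonos": {"backups": "no_access"}}     # explicit deny on the user itself
INTENDED = {"music": "read"}                       # everything else: no access

if __name__ == "__main__":
    # Least-privilege membership matches the intended policy: no findings.
    print(audit_account("sonos", ["users", "media-devices"],
                        USER_ACL, GROUP_ACL, SHARES, INTENDED))
    # Added to an admin-level group: write access appears on music and photos,
    # while the explicit No Access on backups still wins.
    print(audit_account("sonos", ["users", "media-devices", "administrators"],
                        USER_ACL, GROUP_ACL, SHARES, INTENDED))
```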
 
> SMB is one of the common network file sharing protocols. It is sometimes referred to as CIFS. Server Message Block - Wikipedia
>
> SMB v1 was the route for the WannaCry ransomware attack and most OS have moved away from v1 due to low security.
>
> My HEOS setup supports SMB access to what it calls Network Shares. But it too is limited to SMB v1 plus the setup instructions sound to be similarly badly written.
>
> My HEOS supports access to DLNA/UPNP media too so I set up Synology Media Server and keep my NAS on SMB v2.
This is great info. I also set up the Synology Media Server and I see all the airplay devices but they don't play. That sounds like it would be a much safer option.

If I set up the firewall to block all incoming traffic from IP addresses outside of my home network, would that keep me safe with SMB1 enabled?
 

fredbert

> If I set up the firewall to block all incoming traffic from IP addresses outside of my home network, would that keep me safe with SMB1 enabled?
That depends on whether you have LAN devices that connect to the Internet and if they are at risk of malware. If they get infected then they might be a jumping off point from within your network.... all those well designed IOT devices etc.

There are a number of ways a LAN device can have connections to Internet devices and you have to be pretty specific with your Internet firewall policy to restrict outbound connections, not just inbound connections, to ensure that applications on LAN devices don't open high ports (call back) that allow inbound control and malware traffic.

> I also set up the Synology Media Server and I see all the airplay devices but they don't play. That sounds like it would be a much safer option.
Media Server permits devices to browse its menus and stream the media via DLNA/UPnP. If Sonos (or the app) has built-in support for this then it can directly request and stream this music. If Sonos doesn't have this then you can still use another application that has its own library (or can read DLNA media servers) and then stream to selected speakers. I think Sonos can be used as a DLNA speaker in this situation*: my HEOS can use its app to create multi-room groups and then Audio Station can select one of the grouped speakers and the music is streamed to all.

*I run AirConnect in Docker that provides Airplay 1 to DLNA streaming for DLNA speakers and I used the Sonos latency settings for my HEOS speakers. So Sonos should be stream-able [new word alert] directly in AS.

Note: Audio Station in DSM 6 does not play with Airplay 2. I think I saw that Airplay 2 will be supported by AS when DSM 7 is released. I hope.
 
> Media Server permits devices to browse its menus and stream the media via DLNA/UPnP. If Sonos (or the app) has built-in support for this then it can directly request and stream this music. If Sonos doesn't have this then you can still use another application that has its own library (or can read DLNA media servers) and then stream to selected speakers. I think Sonos can be used as a DLNA speaker in this situation*: my HEOS can use its app to create multi-room groups and then Audio Station can select one of the grouped speakers and the music is streamed to all.
>
> *I run AirConnect in Docker that provides Airplay 1 to DLNA streaming for DLNA speakers and I used the Sonos latency settings for my HEOS speakers. So Sonos should be stream-able [new word alert] directly in AS.
>
> Note: Audio Station in DSM 6 does not play with Airplay 2. I think I saw that Airplay 2 will be supported by AS when DSM 7 is released. I hope.

It doesn't appear as though Sonos supports DLNA. I would rather just avoid using Sonos and avoid any extra holes in my security. I'll look up the HiFiCast and check that out. BUT there is a strong possibility that I put all this on hold until I can take the necessary time to learn Docker. Or pray for the release of DSM7.
 

fredbert

After a bit of googling I finally found something that suggests using Audio Station and DS audio works. Plus the OP there is similarly sensible about not using SMB v1. The other posters there suggest alternatives: suck it up and run SMB v1 on your NAS; run a second NAS just for Sonos (to reduce the impact of the malware strike); use a Raspberry Pi for music serving as it is easier to reflash after the malware attack.

 

fredbert

This is what I use to add Airplay 1 capability (or return it in the case of my AVR). You'll see there's a section about using this with Sonos.

And this is my guide for setting it up in Docker.
 
> After a bit of googling I finally found something that suggests using Audio Station and DS audio works. Plus the OP there is similarly sensible about not using SMB v1. The other posters there suggest alternatives: suck it up and run SMB v1 on your NAS;

Interesting that this gentleman goes through the trouble to create a guest user account with read only access. Would the read only access prevent the WannaCry virus?
 

fredbert

> Would the read only access prevent the WannaCry virus?
Many vulnerabilities are due to malformed packets that don't conform fully to the specification: the errors haven't been anticipated and processing the packet causes something that gets interpreted in a completely unexpected way. This is before user authentication happens.

Since many services are running with elevated, privileged access then the protocol error's uncaptured side-effect can gain high privilege, or cause lower-level access to shared resources (e.g. other processes' memory space).

Note that the SMBv1 vulnerabilities here state 'unauthorised user'... Microsoft Windows SMBv1 Multiple Vulnerabilities

That Sonos and Denon HEOS continue to only support SMB v1 shares is pretty irresponsible. I would suggest exhausting every other option before even thinking of enabling SMBv1 and even then I'd use a dedicated device solely for media (and a copy at that).

Keep up to date on security patching but don't expose yourself* to unnecessary risk by running antiquated services. Sometimes it's better to call it a day and accept being safe is better than convenience.

*especially on a chilly day :)
 
