
Authenticated samba shares for attached usb storage

Open aetonsi opened this issue 4 years ago • 9 comments

Device Model

DGA ( DGA4132 ) AGTHP_2.2.0 Version Cobalt (18.3.k)

Gui Version

9.5.41-8a0d8c04

Description of the problem / feature requested

Having unauthenticated (guest) samba shares is a problem because of multiple reasons:

  • sometimes it's not possible to change the local policies to allow the connection as guest, as reported in "content sharing" > "general status": "If Samba is not accessible in Windows 10, Configure the settings as per the URL - https://support.microsoft.com/en-us/help/4046019/guest-access-smb2-disabled-by-default-in-windows-10-server-2016"
  • it's a security issue, as explained by Microsoft
  • it would be useful to have authentication for each connected drive, especially if you don't have full control over every single client in the LAN (for example, if you live with roommates) and you would like to have a "private" share

If I understand the OpenWrt docs correctly it should be possible to authenticate the samba shares without too much difficulty: https://openwrt.org/docs/guide-user/services/nas/samba_configuration So I think it would just be a matter of making it available in the web UI... I could obviously do it via SSH, but I think this feature could be useful for a lot of people, hence I'm reporting it.

Have a nice day

aetonsi avatar Apr 05 '20 11:04 aetonsi

Did you already try to enable it via SSH? As of the 18+ firmware the SMB daemon is totally different..

FrancYescO avatar Apr 05 '20 12:04 FrancYescO

Hi, I tried following the OpenWrt tutorial linked, but obviously some samba package is already installed and clashes with the one in the tutorial:

Configuring samba36-server.
Collected errors:
 * resolve_conffiles: Existing conffile /etc/config/samba is different from the conffile in the new package. The new conffile will be placed at /etc/config/samba-opkg.

I also tried installing the LuCI GUI and it installs:

[screenshot attached to the original comment]

Still, I see that my samba share is defined in /var/etc/smb.conf, as follows:

[Generic_STORAGEDEVICE_1_1a87]
	path = /tmp/run/mountd/sda1
	read only = no
	guest ok = yes
	create mask = 0700
	directory mask = 0700

It would just be a matter of setting guest ok = no, adding the valid users clause, and adding the user with smbpasswd, I think... I just can't find the smbpasswd executable

aetonsi avatar Apr 05 '20 15:04 aetonsi

probably because there isn't.

from 2.1.0 (18+ firmwares) all is switched to NQE (SMB3 compatibility, so also the link to the win10 wiki is outdated and useless...), they just managed somehow to get the old uci configs compatible with it

FrancYescO avatar Apr 05 '20 15:04 FrancYescO

Yes, there is no smbpasswd, but if I install samba36-server, then there is:

root@modemtim:~# smbpasswd
Usage: smbpasswd [options] <username>

Options:
  -s            read password from stdin
  -a            add user
  -x            delete user

Still, I wouldn't know how to configure it since I don't know the current entire configuration of mounts and CIFS shares, and I wouldn't risk breaking even the current guest-only setup...

But I'm pretty sure it could be possible at this point, it's just necessary to have the sambaXX-server installed

aetonsi avatar Apr 05 '20 16:04 aetonsi

Can't the "authentication" section for smbpasswd be added via the samba GUI tab??

stuzzica avatar Apr 12 '20 13:04 stuzzica

I tried, but the only string that is valid is: smbpasswd -a root; the rest is not accepted because the account would have to be added to the /etc/password file, so how do you add a USER??? other than root?? And then, to set the password, I read that you have to use: smbpasswd -U, but it doesn't exist

stuzzica avatar Apr 12 '20 13:04 stuzzica

First step: a USER has to be created in the passwd file that is in etc, and then this USER has to be added via the smbpasswd command

stuzzica avatar Apr 13 '20 12:04 stuzzica

Probably the samba conversion from the old firmware is not working, or at least the samba config file on my DGA4131 is really different from one taken from a DGA4131 (both with firmware 18.x)

The userauth section seems to already be in there https://termbin.com/3phj ready to be used if you want to give it a try..

FrancYescO avatar Apr 20 '20 14:04 FrancYescO

probably because there isn't.

from 2.1.0 (18+ firmwares) all is switched to NQE (SMB3 compatibility, so also the link to the win10 wiki is outdated and useless...), they just managed somehow to get the old uci configs compatible with it

I'm reviving this thread if I may.

Yes, we have NQE now and it supports SMB dialect 3.1.1, which is a bonus given that samba36 from OpenWrt only supports dialect 2.0.2, at least I couldn't get it to work higher (check with Get-SmbConnection from PowerShell). Now on the issue of share management and permissions using nqe: I haven't been able to get it all the way but ideas are appreciated. So far I've been able to dig this out:

  1. There are samba config files per USB drive (each has its own), at least that's what transformer-cli suggests : uci.samba.sambashare.@Sabrent_1_c11b.configpath [string] = /var/etc/smb.auto/USB-A1.conf , but there is no such conf file, so who generates those and from what is still up in the air. The /var/etc/smb.auto is defined in the samba uci config file, then it shows up in uci get samba.samba.configsdir='/var/etc/smb.auto' . But who sets that configpath and then who's supposed to parse that config file ? The nqe init script (upon starting the service) calls cs_update_sharesconfig() from /lib/functions/contentsharing.sh, which does a simple job of setting an available flag by reading /var/state/samba, which already contains configpath, so something else runs before the samba/nqe server and sets all these things up. What is interesting is that after the function is done with the available flags it calls another function named cs_update_sambaconfig(), which might be our best friend as this one loops through all the conf files in $configsdir and adds their path to smb.auto.conf in an include = statement (yeah, it's a conf file with the same name as the configsdir). Now the tricky part, and where I left the rabbit hole off: cs_add_device_sambaconfig() should create the config file (that's its only job) associated with the device using parameters as the default values, but it never does. For this reason smb.auto.conf is always generated empty (no include lines). The cs_add_device_sambaconfig has a check for the number of arguments; if it fails to have 4 arguments (still, who calls this function before nqe even starts ? ) then it doesn't create the conf file and spits out a log message with logger -t contentsharing (where can those logs be found ? )

  2. This is a short one but might be useful somehow as it deals with users: there is the nqcsctrl (NQ CIFS Server Control) tool, which has the command +U to add users. By the looks of the available commands one can create 2 users: normal and administrator, then set the share to read only; hopefully administrator can still write. I haven't tried this one so I don't know if it persists upon reboot, as the /var files all lie in /tmp actually, which is RAM. That said I don't know if nqcsctrl would use /var or not, haven't used it.

I believe we can get more control if we can get the "USB-A1.conf" files to actually be created, after which one can manipulate each share. Alternatively one could write one's own "USB-A1.conf" based on GUI fields then call nqe reload, which should parse that conf.

nqcsctrl help output

if you read this with Firefox ... I'm sorry :(

-- NQ CIFS Server Control tool --
Usage: nqcsctrl <command> <parameters>
  where parameterers are positional per command as:
  'S' - stop NQ Server
  'R' - restart NQ Server
  '+S "<name>" "<local path>" "<description>" [P]' - add new share
      'P' for a printer share
  '-S "<name>" ' - remove share
  'ES' - enumerate shares
  'RO "<Share Name>" <ReadOnly Status>' - set shares
  '+U "<name>" "<full name>" "<description>" "<password>" [A]' - add new user
      'A' gives new user administrative rights
  '-U "<name>" ' - remove user
  'C  "<name>" [D]' - close user connections
      'D' for domain user
  'EU' - enumerate users
  'EC' - enumerate clients
  'EF' - enumerate files
  'SEL <encryption level>'- set encryption level
  'MSG <newPolicy>  - set message signing policy

Dark4Codrutz avatar Jan 04 '21 01:01 Dark4Codrutz
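The two mechanisms discussed in this thread, the per-share hardening aetonsi sketched (guest ok = no plus a valid users clause) and the smb.auto.conf include assembly Dark4Codrutz traced in cs_update_sambaconfig(), put together as an added shell example. This is not code from tch-nginx-gui, the firmware or contentsharing.sh: the function names, the temporary directory standing in for /var/etc/smb.auto, and the user name alice are assumptions made for a stand-alone run. The script only writes configuration; creating the account itself (smbpasswd -a on samba36-server, or nqcsctrl +U on NQE, as the thread notes) is a separate step it does not perform.

```shell
#!/bin/sh
# Added example, not project code. Writes an authenticated per-device share
# config, assembles the top-level include file the way the thread describes
# smb.auto.conf being built, and checks that no share is still guest-accessible.
# CONFIGSDIR stands in for /var/etc/smb.auto; AUTOCONF for /var/etc/smb.auto.conf
# (same "<dir>.conf" naming the thread points out). Both are assumptions.

CONFIGSDIR="${CONFIGSDIR:-$(mktemp -d)}"
AUTOCONF="${AUTOCONF:-$CONFIGSDIR.conf}"

# write_share NAME PATH USERS
# Writes $CONFIGSDIR/NAME.conf with guest access disabled and access limited
# to USERS (comma-separated). Refuses to write a half-specified share, which
# is the failure mode the thread observed with a missing-argument check.
write_share() {
    name=$1 path=$2 users=$3
    [ -n "$name" ] && [ -n "$path" ] && [ -n "$users" ] || {
        echo "write_share: need NAME PATH USERS" >&2
        return 1
    }
    cat > "$CONFIGSDIR/$name.conf" <<EOF
[$name]
    path = $path
    read only = no
    guest ok = no
    valid users = $users
    create mask = 0700
    directory mask = 0700
EOF
}

# build_autoconf
# Rewrites $AUTOCONF with one "include = <conf>" line per share file, so an
# empty $CONFIGSDIR yields an empty include file (the symptom in the thread).
build_autoconf() {
    : > "$AUTOCONF"
    for f in "$CONFIGSDIR"/*.conf; do
        [ -f "$f" ] || continue
        echo "include = $f" >> "$AUTOCONF"
    done
}

# has_guest_share
# Prints the section name of every share file that still allows guest access.
# Returns 0 if at least one was found (like grep), 1 if all shares require
# authentication.
has_guest_share() {
    found=1
    for f in "$CONFIGSDIR"/*.conf; do
        [ -f "$f" ] || continue
        if grep -q '^[[:space:]]*guest ok[[:space:]]*=[[:space:]]*yes' "$f"; then
            sed -n 's/^\[\(.*\)\]$/\1/p' "$f"
            found=0
        fi
    done
    return $found
}

# Demo with the share name and mount path quoted in the thread; "alice" is a
# constructed user name.
write_share Generic_STORAGEDEVICE_1_1a87 /tmp/run/mountd/sda1 alice
build_autoconf
cat "$AUTOCONF"
if has_guest_share; then
    echo "WARNING: guest-accessible share(s) listed above"
else
    echo "all shares in $CONFIGSDIR require authentication"
fi
```

Run it as-is to see the generated include line and the check result; point CONFIGSDIR at a copy of the real configs directory to audit existing share files with has_guest_share before touching the live service. The generated section mirrors the guest share quoted from /var/etc/smb.conf earlier in the thread, with only the guest ok value flipped and the valid users clause added, so a diff against the original makes the change reviewable.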