03fc35ss


  1. The following config is confirmed working with the test devices I have:

         server min protocol = SMB3_11
         client ipc min protocol = SMB3_11
         server signing = mandatory
         client NTLMv2 auth = yes
         restrict anonymous = 2
         null passwords = no
         raw NTLMv2 auth = no
         smb encrypt = required
         client signing = required
         client ipc signing = required
         client smb encrypt = required
         server smb encrypt = required

     Note that the line in my previous config:

         client protection = encrypt

     breaks auth attempts. So it shouldn't be used.

     @dopeytree It sounds like your issue might be a bug in macOS Ventura. I don't have a macOS device running Ventura to test with unfortunately. I can confirm I can access file shares with the following devices and the below config:

     - macOS Monterey
     - Windows 11
     - Windows 10
     - iOS VLC (using a beta release)
     - Android VLC

     Also note that the syntax between releases of Samba has changed and 'mandatory' has become 'required' for some settings.
  2. As expected, some of the syntax changed between versions of Samba (why would they do this for minor versions I have no idea...). This is the current config I believe works. I'll do more testing at a later time to confirm it's all applied correctly.

         server min protocol = SMB3_11
         client ipc min protocol = SMB3_11
         client signing = required
         server signing = mandatory
         client ipc signing = required
         client NTLMv2 auth = yes
         client protection = encrypt
         client smb encrypt = required
         server smb encrypt = required
         smb encrypt = required
         restrict anonymous = 2
         null passwords = No
         raw NTLMv2 auth = no
  3. The purpose of this thread is to IMPROVE the security configuration. Not reduce it. Enabling encryption and signing does cause a performance hit. These mitigations/hardening options are meant for networks where there are potentially untrusted clients (corporate networks), not really for home network setups. SMB3_11 is supported with the beta/TestFlight versions of VLC (currently using 3.4.7 (533)) on iOS. It's a bug I raised with them when I initially wrote this guide. Most 3rd party apps on Android and iOS do not have support for a hardened version of SMB. I believe it's an app-specific issue and not an OS one. I'm in the process of building another tower. I see that Samba version is now 4.17.7 so I'll be updating the config options in line with https://www.samba.org/samba/docs/4.17/man-html/smb.conf.5.html as a reference.
  4. Note that the next version of Unraid OS (currently 6.10.0-rc2) will be using Samba 4.15 or higher as per these release notes: Once it is out of RC status, I'll update the guide with the 4.15 flags to achieve the same hardening setup as above.
  5. Just a note: In light of the current issues regarding CVE-2021-44142 I would strongly encourage SMB users to disable the 'Enhanced macOS interoperability' setting in the SMB settings page to mitigate the issues until a patch is released: As always seems to be the case in security, if you don't need a feature, disable it and reduce your attack surface.
  6. Hopefully when 6.10 moves into stable it'll also be upgraded to include the patch. The announcement says 4.15.5 has the patch but 6.10.0rc2 is running version 4.15.0. As I understand it, this specifically affects devices that have enabled the vfs_fruit module. The vfs_fruit module provides enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver. The current workaround is to remove 'fruit' from 'vfs objects' lines in Samba configuration files (e.g., smb.conf). Specifically for Unraid, it is my understanding that the "Enhanced macOS interoperability" setting in SMB settings as seen here should be disabled: As this setting is reflected by the offending vfs objects in the smb-shares.conf:

         vfs objects = catia fruit streams_xattr

     I do not believe there is currently any PoC available so I can't test to confirm, but I believe disabling the "Enhanced macOS interoperability" setting should mitigate this issue for now.
  7. I would like to change the array file system that is currently in place from xfs to xfs - encrypted. However, I already have data stored on the array. The interface warns me that: I assume that means that I cannot change the file system on the disks without either doing one disk at a time and then rebuilding parity, or re-building the array from scratch (likely a faster option with the amount of data I have). Is there anything I can do to efficiently migrate the data from an unencrypted file system to an encrypted one?
  8. Okay, so I did the following:

     - Set all shares to use only Disks 1-5 (note 6 is not an option)
     - Screenshot of drive assignments
     - Take array offline
     - Tools -> New config
     - Preserve current assignments -> All -> Yes I want to do this -> Apply
     - Confirmed that drive assignments are still correct
     - Confirmed that array devices is no longer listing disk 6 as 'missing'
     - Started the array

     This appears to have resolved my issue and the offending drive is no longer showing. I think I did not set all shares to use specific disks previously when attempting this. The array is now re-building parity: Thank you!
  9. Okay. So it sounds like I did the wrong thing then. So how can I remove it from there now?
  10. No worries. @User4123123 Hope it helps! Note that the commands will be different for the next release of Unraid as it appears there will be a migration to Samba version 4.15.
  11. Unfortunately, I attempted this a couple of weeks back so I don't recall the exact process I followed. I'm pretty sure the disk (Disk 6 as per the above screenshot) was in the state it is now, 'unassigned'. Any ideas on what I could try next?
  12. Hi all, When building my array, I accidentally included a small 256G SSD as part of the array. Wanting to use it as a cache drive instead, I took the array off-line, unassigned the drive (Disk 6) and assigned the drive to be the cache device. I then went to tools, new config and preserved the current assignments. I then started the array again and ran a 'check'. As can be seen below, I am still seeing the missing drive in the array and there appears to be no way that I can find to remove it. I am still very new to unRAID so any pointers in how to fix this would be much appreciated. I'm running version 6.9.2. Thanks!
  13. I wrote a quick guide on how to achieve a hardened configuration if anyone is interested:
  14. Hey @Frank1940 I got it sorted out in the end after chatting with Tom. There are two issues: 1) The config has to be applied globally (fine with me, but potentially an issue for other users). 2) The version of Samba that Unraid uses is not the latest, and the latest version has significantly different flags for the settings I wanted to apply. Thus those settings broke the config or otherwise didn't apply when I set them. I wrote up a quick guide on how to best configure the hardening options for SMB (in my opinion):
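
An added example, not part of the original posts and not Unraid or Samba code: a small Python audit that checks smb.conf text against the hardened [global] values listed in post 1, warns on the `client protection` line that post reports as breaking auth, and flags `fruit` in any `vfs objects` line, the CVE-2021-44142 workaround described in post 6. The names REQUIRED, SAMPLE, parse_smb_conf and audit are hypothetical; values are compared literally, so alternative spellings a given Samba release accepts and settings pulled in from other files (such as smb-shares.conf) are assumed to be checked separately.

```python
# Hardened [global] values from post 1 in the list above (keys lower-cased).
REQUIRED = {
    "server min protocol": "SMB3_11", "client ipc min protocol": "SMB3_11",
    "server signing": "mandatory", "client signing": "required",
    "client ipc signing": "required", "smb encrypt": "required",
    "client smb encrypt": "required", "server smb encrypt": "required",
    "client ntlmv2 auth": "yes", "raw ntlmv2 auth": "no",
    "restrict anonymous": "2", "null passwords": "no",
}

# Constructed sample config, not taken from any real server.
SAMPLE = """\
[global]
server min protocol = SMB2
server signing = mandatory
client protection = encrypt
[media]
vfs objects = catia fruit streams_xattr
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    # Report every deviation from REQUIRED, then the two per-post warnings.
    sections, findings = parse_smb_conf(text), []
    glob = sections.get("global", {})
    for key, want in REQUIRED.items():
        got = glob.get(key)
        if got is None:
            findings.append(f"[global] {key}: missing (want {want})")
        elif got.lower() != want.lower():
            findings.append(f"[global] {key}: {got} (want {want})")
    if "client protection" in glob:
        findings.append("[global] client protection: set (reported to break auth)")
    for name, params in sections.items():
        if "fruit" in params.get("vfs objects", "").lower().split():
            findings.append(f"[{name}] vfs objects: contains fruit (CVE-2021-44142)")
    return findings
```

Calling `audit(SAMPLE)` returns one finding per missing or mismatched setting plus the two warnings; an empty list means the text matches the hardened set.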