How do you make User Share Security Work????


sam9s

Friends,

 

Just upgraded to version 5 Beta11 and also purchased the Plus. The moment I did that the first thing I did was to start the preclearing process for the rest of my drives. I then started working on my User Level Security and this has been a Major PITA believe me. First thing first. If I am not getting this right, for a newbie to enable the User Share Security you go to ...

 

1. Users Tab and create a User ... okie

2. Go to shares tab click on a Share you have created, and change the security to "Secure" (Not sure what private does though I tried that as well)

3. The moment you do that Unraid shows root and user(s), you have created just below the security part.

4. Per my understanding only those users should have access to the share depending upon the read/write access we select.

5. So again, correct me if I am wrong: any other user who tries to access the share should be prompted with a credentials screen ..... right ..???

But it doesn't even remotely happen in that fashion, whatever I do or choose. I can access my share from any machine connected to my network (LAN)

 

I have tried stopping the array and restarting it. Rebooting the server, but nothing happens and I am always able to access my share from my 2 systems that are connected to this LAN.

 

Now the strange part is that one of my machines suddenly popped up the credential screen when I rebooted it (after gazillions of attempts), but it won't accept my credentials. Neither for the user nor for root ..???????? The other share simply would not even pop up the password screen and would just say cannot access.

 

Now I go back to the Unraid User Security page and set the security back to public. ... ok it takes effect immediately and I am able to access all the shares. Then I again set the security to "Secure" and same behavior ......nothing happens and I still can access the share ............??????

 

I do not understand the pattern here and how does this work.

 

I now then try "Private" and I have the pop again, but alas none of the user credentials work ............ again

 

I then try opening up the share via run command with \\<<ip address>>\My share name .... and voila!! I get the pop up and credentials work. BUT BUT, once the share is opened it keeps on opening in all tries without asking for the credentials again (though I DID NOT put a check on save the password on the pop-up screen)

Credentials still do not work via normal access to share under Networks.

 

If I attempt to Map the share, I have the password pop up but when I put the credentials, I have an error after a long wait    .... " The network folder specified is currently mapped using a different user name and password. To connect using a different user name and password first disconnect any existing mapping" ......................but I DO NOT have any existing mapping ...???

 

The point is ..... whole thing seems absolute hit and trial, and I cannot find a definitive way to get this secure on LAN.

 

If anyone can help me sort this out cleanly, it will be truly appreciated.

 

Regards

Sammy

syslog-2011-08-17.txt

Link to comment

Do you have any particular reason for running the beta version of unRAID?  The User Share Security works well in 4.7.  Perhaps it is buggy in the betas, I don't know as I don't use the betas for anything except testing.

 

Well the only reason I upgraded to Beta 11 was that version 5 supports hot swapping, BUT I am ready to roll back if needed mainly because ..

 

1. I managed to get the SNAP plugin to work, which pretty much solves my need for hot plugin

2. User security is very important for me as my NAS would be accessed by my friends as well via a VPN tunnel.

 

So yes I can roll back to 4.7. Can you guide me or point me in the direction of how I can roll back, without losing all of my add-ons.

 

Thanks in advance

Regards

Sammy

Link to comment

Did you read through the thread here that describes the security models of the new 5.0bX releases of unRAID?

 

prostuff1 , I went through the entire article very carefully and tried again to see for any changes, unfortunately it still is a bit hit and trial.

 

Let's start with the first level "Secure", ..........the guide says ...

 

Secure means that no user account is necessary on the server in order to access the share, and no login box will pop up.  But in this mode you can select users that can have read/write access to the share, all other users will have read-only access.  Since no login box will appear, in order to get this to work, this must be true:

- Whatever username you used to log in to your windows PC must also be a user name on the server.  The 'case' of the user name does not matter (actually you must enter all lower-case on server side).

- The password you set on the server must match exactly the password used for your windows logon.  The password IS case-sensitive.

 

1. To test this I reset the Share to public and refreshed the networks and was able to access the share ........ obviously.

2. Now I again set it to Secure with read/write access to root and one of my other account created called "admin"

3. Go to my other laptop on LAN, refresh the network and I still am able to access the share ........

 

My windows user name is "sam9s" and the user name I created on server is "admin". The passwords are also completely different for windows and Unraid, then how am I able to access the share from my laptop ... ??????????

 

Before I move to Private, I need to make the Secure part clear ......

 

Else let's roll back to 4.7 and see .......  can you point me to the instructions how to do it......

 

Regards

Sammy

 

 

Link to comment

prostuff1 , I went through the entire article very carefully and tried again to see for any changes, unfortunately it still is a bit hit and trial.

OK, good to know, just wanted to make sure that you had seen it and read through it.

 

Let's start with the first level "Secure", ..........the guide says ...

 

Secure means that no user account is necessary on the server in order to access the share, and no login box will pop up.  But in this mode you can select users that can have read/write access to the share, all other users will have read-only access.  Since no login box will appear, in order to get this to work, this must be true:

- Whatever username you used to log in to your windows PC must also be a user name on the server.  The 'case' of the user name does not matter (actually you must enter all lower-case on server side).

- The password you set on the server must match exactly the password used for your windows logon.  The password IS case-sensitive.

 

1. To test this I reset the Share to public and refreshed the networks and was able to access the share ........ obviously.

OK, that should be correct.  Public should have given EVERYONE read/write access.

 

2. Now I again set it to Secure with read/write access to root and one of my other account created called "admin"

3. Go to my other laptop on LAN, refresh the network and I still am able to access the share ........

Under secure you would be able to access that share as GUEST.  If there is not a Username and login that matches on the unRAID server then the GUEST login is used.  That guest login should not be able to write to the User Share but it should be able to read.

 

My windows user name is "sam9s" and the user name I created on server is "admin". The passwords are also completely different for windows and Unraid, then how am I able to access the share from my laptop ... ??????????

As I said above, accessing the share via secure should be easy enough, but writing to it if not logged into the server as "admin" (the account you created on unRAID) should not be allowed.

 

Before I move to Private, I need to make the Secure part clear ......

It sounds like it is working like it is designed.  Everyone can see and access the User Share but only admin and root would be able to write to it.

Link to comment

mmmm Okie I agree I might have misinterpreted the case here ..... Guess I am getting too old for this .... I was not able to write on the drive as mentioned in the guide.

 

Ok being more diligent for "Private" segment now.

 

Private means that you specify the exact set of users that can either have readonly or read/write access to the share.  If you try to connect to the server you may or may not get a login box.  If the username/password of your windows login matches one of the usernames defined on the server side, and that username has either readonly or read/write access (ie, not 'no access'), then no login box will appear and you will be logged into the share with the access rights specified.  But if either your windows username is unknown on the server, or your windows password does not match, then windows will present a login box prompting for a username/password.  Using this box you can then login to the share using one of the other username/passwords on the server.

 

The users remain the same, i.e. root and admin. Windows user is sam9s so that does not match the unraid one. I refreshed the page again and set the permission to Private with R/W permissions to root n admin.

 

Tried to access the share, and I do get the prompt ...... BUT once I put in the credentials, windows does not ask for them again, despite my not putting a check on "save my credentials". Windows should ask for the credentials every time I access the share right, unless I do save it. Is this something to do with windows, or Unraid ... ???

 

I am gonna try this with my other computer as well. Hope it works with all.

 

Thanks for all of the help here friends.

Regards

Sammy

Link to comment

Friends I am back to Square 1.

 

With success on my first share, I tried the Private security with my other shares. And I did not get the pop up for credentials  >:( >:(. What am I now missing ..... tried with another share and it's the same, windows just opens up the files in the explorer  ..... this is with my Laptop on my LAN

 

A few more things to add. I tried accessing my shares from my 2nd PC and I get the pop up but it does not take the "admin" user credentials. Says I cannot access it. Once this happens windows DOES NOT provide the pop up again for me to try to re-log in with different credentials .......  >:(grrr very confusing .... and on top of that allows me to enter other shares. (""All shares are now Private BTW"") ...... this is definitely not working the way it should ....

 

 

Link to comment

Just a shot in the dark, but could this have anything to do with the Windows behaviour of remembering your credentials once you enter them for one share, and automatically applying it to any other share you try and access, while on the same windows machine, whether you want it to or not?

 

I'm told this is how Windows is supposed to work, even though it makes no sense to me.

 

I would have assumed that every share you open prompts you once for the UN/PW, and if you don't save the credentials, once you close the Explorer window to that share, you need to re-enter them again to open....

Link to comment

Just a shot in the dark, but could this have anything to do with the Windows behaviour of remembering your credentials once you enter them for one share, and automatically applying it to any other share you try and access, while on the same windows machine, whether you want it to or not?

 

This should only happen if I choose to put a tick on the "save credentials" on the pop up. I made sure that I did not do that.

 

I would have assumed that every share you open prompts you once for the UN/PW, and if you don't save the credentials, once you close the Explorer window to that share, you need to re-enter them again to open....

 

This is how it's supposed to be, but it's not behaving at all in that way, it's very very ambiguous behaviour. Ideally speaking once I close out the explorer window, windows should ask for the credentials again, which it does not.

 

In fact I just discovered that my other created user "admin" credentials do not even work (I was using the root UN/PSS all the way to access shares). With the admin user created the behaviour is even more weird. First it pops up the screen for credentials for all shares (this is the PC I am talking about on my LAN........ not the laptop, which isn't even showing the pop up now for any share) ok First it pops up the screen for credentials for all shares, then when I put the credentials for my user "admin" it does not accept the credentials and shows an access denied ....okie ... then when I again try to open the same share, it DOES NOT even give the pop up again and simply slams the " no access pop up" how am I supposed to enter the other credentials...... ...... it does not end here............. after this behavior, now if I click on my other shares, windows opens them easily ..........?????????? which were giving the credentials pop up a moment ago .......... totally confusing behavior ....??????????????

Link to comment

Windows will remember credentials once you have logged in.  If you hit the "remember login" thing it will remember them across reboot.  It is not a problem with unRAID.  Even after you disconnect from the server I think it remembers them.  You have to log out I think before Windows will forget the login... I know restarting will clear it.

 

There is also a command.exe line that you can run to forget the logins, though I don't know them off the top of my head.

Link to comment

I suspect some or all of the issue is Windows and it is still remembering. Windows will likely just exhibit short term memory without checking that box.

 

It does sound like there is an initial access issue where you are first denied and then it works on the second attempt. You should likely contact Tom at Limetech directly and go through that part with him. If there are issues with the security model in the new beta releases then he'll want to know so he can correct them.

 

Peter

 

Link to comment

Windows will remember credentials once you have logged in.  It is not a problem with unRAID.  Even after you disconnect from the server I think it remembers them.  You have to log out I think before Windows will forget the login... I know restarting will clear it.

 

There is also a command.exe line that you can run to forget the logins, though I don't know them off the top of my head.

 

prostuff1 .... even if windows remembers credentials it should for one share only right. When I set up the Private security I checked that all of my shares were popping up the credential window on my PC. Then I put the UN/PASS in one of the shares and log in, and what windows does now, is it allows me to enter all of my shares ...... this is not how it's supposed to be. Even if it does remember, it should only for one share.....I might not want people to enter my other shares

 

and what about this peculiar issue

 

 

In fact I just discovered that my other created user "admin" credentials do not even work (I was using the root UN/PSS all the way to access shares). With the admin user created the behaviour is even more weird. First it pops up the screen for credentials for all shares (this is the PC I am talking about on my LAN........ not the laptop, which isn't even showing the pop up now for any share) ok First it pops up the screen for credentials for all shares, then when I put the credentials for my user "admin" it does not accept the credentials and shows an access denied ....okie ... then when I again try to open the same share, it DOES NOT even give the pop up again and simply slams the " no access/access denied window" how am I supposed to enter the other credentials...... ......and wait it does not end here............. after this behavior, now if I click on my other shares, windows opens them easily ..........? which were giving the credentials pop up a moment ago

 

So basically I now am not able to enter the share, where I want people to enter, and I am able to enter all other shares where I do not want people to enter ....... trust me ...... something is wrong, I will not misread this big a gap or Unraid User Level Security is not that comprehensive ...

 

to repeat all my shares now have Private security.

 

 

Link to comment

Okie further findings that clear up the situation a bit more.

 

I rebooted my PC so that all the password cache is cleared. So I was again presented with the password prompt, as expected. Once I enter the password to one of the shares, Windows lets me enter all other shares, without asking for credentials.

 

So, my question is ...........

How can I make sure that out of my.....say 5 shares, I only provide access to two for one set of users and two to other set of users and one to no one, with me having access to all with my admin password 

 

can this be done ......

 

Regards

Sammy

Link to comment

Okie further findings that clear up the situation a bit more.

 

I rebooted my PC so that all the password cache is cleared. So I was again presented with the password prompt, as expected. Once I enter the password to one of the shares, Windows lets me enter all other shares, without asking for credentials.

 

So, my question is ...........

How can I make sure that out of my.....say 5 shares, I only provide access to two for one set of users and two to other set of users and one to no one, with me having access to all with my admin password 

 

can this be done ......

 

Regards

Sammy

 

I am honestly not sure.  I do not use a windows machine with my unRAID system (Mac and Linux are my main machines)

 

This "problem" stems from a windows issue and I would suggest a google search on the subject.  It will probably come back with more answers than what we can provide.

Link to comment

How can I make sure that out of my.....say 5 shares, I only provide access to two for one set of users and two to other set of users and one to no one, with me having access to all with my admin password 

 

can this be done ......

 

I am not adequately familiar with 5.0, but under 4.7 this is done in the settings for each share using Valid users and Invalid users.

 

From http://lime-technology.com/wiki/index.php?title=Un-Official_UnRAID_Manual

 

Valid users

 

A list of users who can exclusively access the share. Blank means all users.

 

Note: this parameter is present only when User level security is enabled.

Invalid users

 

A list of users who may not access the share at all. Blank means no users.

 

Note: this parameter is present only when User level security is enabled.

Link to comment

I didn't believe you set the access UN/PW for the share, but rather first set-up users and then assign the users to certain shares. Can you post screen shots showing your different share settings?

 

Peer

 

If I remember correctly yes that's how I did it. Would this make a difference? I created the users and then went to the shares to define the access.

Here are the snaps of my share settings ...

 

sharessnap.jpg

 

audiomediasharesettings.jpg

 

officesharesettings.jpg

 

publicsharesettings.jpg

 

Pictures n Snaps and Video Media also have the exact same settings as the rest. Only Public Share is set to public.

 

Now obviously I do not want anyone to have access to my Office share, few specific people to have access to Audio and Video share and everybody to have access to public share, with me as an admin access to all of my shares.

 

This is the model I want to achieve. If 4.7 can help me to achieve this I am ready to roll back. Just point me in the direction of how to do this .

With the current security model, the moment I put in the password on one share all of the shares start to open indefinitely ..... :(

 

Regards

Sammy

 

PS :: Why have we removed this "Valid and Invalid" user concept with ver 5? Seems to be a pretty versatile and flexible security option.

 

Link to comment

It's working exactly as expected. You have 2 users who have full read/write permissions for all the shares. So, once you enter the UN/PW for one of those users then all the shares are fully accessible.

 

Create all your users and then setup the shares with the appropriate permissions for every user. Test again. You will have to reboot the PC to test each user.

 

Just curious, but what are the possible access options for each user???

 

Peter

Link to comment

I am fairly sure I understand what you want to accomplish but this is not an unRAID issue... if I am understanding you correctly.

 

Windows is the system that is caching the access as soon as you log into ANY share for the connected server.  It is a limitation/oversight as far as I am concerned.

 

I am not overly familiar with windows so the only thing I can think of off the top of my head is creating a .bat file that runs a command to clear those passwords.  You can't be the only person looking for this.  Try doing some google searching.  I did some quick ones and came back with:

 

http://superuser.com/questions/88668/make-windows-not-remember-network-password

http://superuser.com/questions/88672/how-to-get-windows-to-forget-a-network-password

 

Link to comment

@lionelhutz, you only have Read or Read/Write permission for any user you create. So if you provide rw access to specific users (like I have done for admin) all the rest can open all shares with read access. That is not the point. Let me restate the exact model I am looking for........ and I am sure most of the people would also like to use shares in this manner only ....

 

I do not want anyone to have access to my Office share, few specific people to have access to Audio and Video share and everybody to have access to public share, with me as an admin access to all of my shares.

 

So if I create a user ami I would want this user to only have access to the Audio and Video shares, with of course his own specific credentials which I can set when I create that user. But I would not want him to have access to the rest of my shares like Office etc.

 

With the current model (call it a limitation of windows or Unraid's improvident security measure) once my user "ami" puts in his credentials to access his "allowed Audio Video" share he is given full access to all of the other shares as well.

 

@prostuff1 it's not just the problem of windows saving the password, I might find a way to clear the cache and have windows ask for credentials every time the share is accessed, but the point is once the credentials have been placed, the user gets access to all shares. That is of more concern

 

To make it more precise ..... what I want (or I think people would agree, what it should be...), is my user "ami" should be presented with a credential pop up screen for only his allowed share, and on all the rest of the shares he should receive an "access denied" pop up. It's okie if windows saves the credentials, but it should do so only for the one I have provided "ami" the access for

 

I hope I made some sense ...... :)

 

Regards

Sammy  

 

Link to comment
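The Public / Secure / Private rules quoted from the guide in this thread, combined with the Windows behaviour of reusing one login for every share on the same server, can be checked per user as in the following added example. It is not part of the original thread and is not unRAID code; the share and user names come from the posts, while the data layout, the function names and ami's read-only level are assumptions.

```python
# Added illustration of the share modes as the guide quoted in this thread
# describes them. Not unRAID code; structures and names are assumptions.
NO_ACCESS, READ_ONLY, READ_WRITE = "no access", "read-only", "read/write"

def share_access(share, user):
    """Access one server-side identity gets on one share.

    `user` is the account the client authenticated as, or None for guest
    (the client's username/password matched no account on the server).
    """
    mode, acl = share["mode"], share.get("users", {})
    if mode == "public":
        return READ_WRITE                     # everyone may read and write
    if mode == "secure":
        # Guests and unlisted users read; only users listed read/write may write.
        return READ_WRITE if acl.get(user) == READ_WRITE else READ_ONLY
    if mode == "private":
        # Only explicitly listed users get in; guests never do.
        return acl.get(user, NO_ACCESS)
    raise ValueError(f"unknown mode {mode!r}")

def session_view(shares, user):
    """One Windows session: a single identity per server, reused for every share."""
    return {name: share_access(s, user) for name, s in shares.items()}

def overexposed(shares, user, allowed):
    """Shares `user` can open although they are not in the intended `allowed` set."""
    view = session_view(shares, user)
    return sorted(n for n, a in view.items() if a != NO_ACCESS and n not in allowed)

def private(**users):
    return {"mode": "private", "users": users}

# Constructed from the posts: root and admin read/write on every Private share.
AS_POSTED = {
    "Office": private(root=READ_WRITE, admin=READ_WRITE),
    "Audio": private(root=READ_WRITE, admin=READ_WRITE),
    "Video": private(root=READ_WRITE, admin=READ_WRITE),
    "Public": {"mode": "public"},
}

# The layout the poster asks for: ami is listed only on Audio and Video
# (read-only is an assumption; the thread does not give ami's level).
TARGET = {
    "Office": private(admin=READ_WRITE),
    "Audio": private(admin=READ_WRITE, ami=READ_ONLY),
    "Video": private(admin=READ_WRITE, ami=READ_ONLY),
    "Public": {"mode": "public"},
}

if __name__ == "__main__":
    for label, user in (("admin", "admin"), ("ami", "ami"), ("guest", None)):
        print(label, session_view(TARGET, user))
    # Logging in once as admin on AS_POSTED opens every share, because admin
    # is listed on all of them, not because the prompt was skipped.
    print("admin beyond Audio/Video:", overexposed(AS_POSTED, "admin", {"Audio", "Video"}))
```

Running `overexposed` for each account against its intended set shows whether a share opening without a prompt reflects the share's user list or a misconfiguration.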

Archived

This topic is now archived and is closed to further replies.
