QNAP NAS Community Forum

[Andrewchen]

hi all,
i 've enabled the Microsoft Networking, then i noticed many log items of the following style:
2011-12-15 11:37:28 guest xx.xx.xx.xx my_pc_name SAMBA --- Login OK

guest definitely has not access rights on my shared folders. but how can i totally prevent guest from logining?

thanks

[TonyPh12345]

Denying them access to your shares is not the same thing as invalidating the user.

To completely deny them login privileges you would have to delete the "guest" user.

[P3R]

I don't know if it can be disabled. The question have been asked many times but I have seen no positive answer.

Reading about smb.conf, auth methods is probably the setting by which it could be disabled.
The problem is what they say about changing it: This option allows the administrator to chose what authentication methods smbd will use when authenticating a user. This option defaults to sensible values based on security. This should be considered a developer option and used only in rare circumstances. In the majority (if not all) of production servers, the default setting should be adequate.

Who knows what other problems you may create by disallowing access totally? I don't.

What you have done (disallow all share access for guest) should in my opinion be adequate for most administrators. Yes guest can authenticate but shouldn't be able to do anything.

An even more important question is why you see those logins. I would guess that is because you allow Samba access from an untrusted network and I think that problem with your perimeter defense should be your first priority to fix. That service should in my opinion always be kept within trusted (but not necessarily local) networks only! You worry about guest account logins because you see them logged but possbly they are the least of your worries considering the many different attack vectors in that service...

[TonyPh12345]

P3R: I don't know why either, but Windows 7 (and some Win XP) systems attempt to log in as guest to any systems it finds via network discovery. It does this roughly every 32 minutes. Not 30, but 32.

In my case, that login would spin up my drives, even if it wasn't doing anything, because SMBPASSWD and CONNECTIONS.TDB files would be read / updated at every login.

viewtopic.php?f=50&t=47246&p=211824&hilit=samba+solved#p211824

[Raptor25]

I want to disable Guest account access also.

I suspect Windows Drive Mappings I mapped for my technologically challenger mother are logging in as guest, so I may have to change those around to log in as other account, but if its a Windows default action to log in as guest, can I block this behaviour?

Also Im new to Linux, have worked out how to change folder permissions using SSH, PuTTY and chmod. Does a directory permission listing of drwxrwx--- mean that OTHER (does this mean guest as well) has no access? QNAP Web Admin UI says Guest still has full access.

Any solutions? Using the Web Admin UI, the Windows PC stalls on 0% applying folder permissions (advanced). Will try again via Mac OSX Web UI. So which is telling me accurate folder permissions, linux listing , or Web UI??

Please help, Linux and Mac OSX newbie here!

[schumaku]

Please do not spam _every_ thread you find woth the word guest seeking for whatever please.

It's possible to disable guest acces from the Web UI on the QNAP NAS. If you have Advanced Folder Permissions enabled, the ACL need to be rewriten on all subfolders and files.

However - it's a common misundestanding: There is _no_ guest login. This is just an non-authenticated access _without:_ a username and a password. Windows does try to connect non-authenticated as a last resort attempt, under some conditions there can be some discovery- or keep-alife connections.

[Raptor25]

Spamming was not intentional. This thread is about Guest account/unauthenticated logon so how is my post spam vs relevent?

I have discovered something. I renamed the Administrator account to a different name as is recommended in various sources for security purposes a while back, but the home folder for that account retains the original account name: Owner, that was setup by PC shop that my mother purchased it from pre-configured (I was out of town at the time, its her PC not mine, I own a mac).

If I create a user on NAS called Owner with same password as account on Windows XP, rather than the new/current account name, might that sort my problem?

Might try that tonite.