Page 3 of 5

Re: Unable to access NAS as guest following firmware update to v4.3.6.0979

Posted: Thu Jun 27, 2019 9:43 pm
by Rastan
As a follow up to the excellent advice from BrutisNA, simply removing guest from invalid users = guest (so it simply has: invalid users = ) and restarting Samba with: /etc/init.d/smb.sh did the trick. I couldn't find the /sbin/setcfg global entries in smb.sh. I can now login anonymously via phone and other devices.

As stated, though, a quick and dirty fix.

Cheers,

Rastan

Re: Unable to access NAS as guest following firmware update to v4.3.6.0979

Posted: Fri Jun 28, 2019 5:13 am
by BrutisNZ
Rastan wrote: Thu Jun 27, 2019 9:43 pm As a follow up to the excellent advice from BrutisNA, simply removing guest from invalid users = guest (so it simply has: invalid users = ) and restarting Samba with: /etc/init.d/smb.sh did the trick. I couldn't find the /sbin/setcfg global entries in smb.sh. I can now login anonymously via phone and other devices.

As stated, though, a quick and dirty fix.

Cheers,

Rastan
I tried that simple approach first (as you have done) but I found it was reset by smb.sh or by rebooting the NAS.
Anyway, glad it worked for you but I'm surprised the "invalid users =" stayed set in smb.conf after you restarted smb. The function of smb.sh is to set all the smb.conf settings correctly so it should have set it back to "invalid users = guest"
Did you downgrade your firmware or are you still using QTS 4.3.6.0979 build 20190620?

If you can find the section of code in your smb.sh (below) I would be interested if you could post it or just post your smb.sh file

As you can see the line of code that is causing the problem (apparently) is the last line.

Code: Select all

_init_anonymous()
{
	# "guest account" check.
	guest_account=`/sbin/getcfg global "guest account" -d "NOT_FOUND" -f ${CONFIG}`
	#if [ "x${guest_account}" == "xNOT_FOUND" ]; then
		#/sbin/write_log "[Microsoft Networking] ${CONFIG} setup 'guest account' not found. Repaired." 2
	#fi
	# "guest account" reset.
	/sbin/setcfg global "guest account" "guest" -f ${CONFIG}

	# "map to guest" check.
	map_to_guest=`/sbin/getcfg global "map to guest" -d "NOT_FOUND" -f ${CONFIG}`
	#if [ "x${map_to_guest}" == "xNOT_FOUND" ]; then
		#/sbin/write_log "[Microsoft Networking] ${CONFIG} setup 'map to guest' not found. Repaired." 2
	#fi
	# "map to guest" reset. Dependes on "restrict anonymous".
	restrict_anonymous=`/sbin/getcfg global "restrict anonymous" -d "NOT_FOUND" -f ${CONFIG}`
	if [ "x${restrict_anonymous}" == "x2" ]; then
	# restrict anonymous level 2.
		/sbin/setcfg global "map to guest" "Never"    -f ${CONFIG}
	else
		/sbin/setcfg global "map to guest" "Bad User" -f ${CONFIG}
	fi
	/sbin/setcfg global "invalid users" "guest" -f ${CONFIG}
	}
I have asked QNAP about why that line of code is there for every level of "Restrict anonymous users from accessing SMB shared folders" but they won't reply to this question.

Their smb.conf contains
map to guest = Bad User
invalid users = guest

I pointed them to the SAMBA manual which states -
map to guest (G)
Bad User - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the guest account.
and
invalid users (S)
This is a list of users that should not be allowed to login to this service. This is really a paranoid check to absolutely ensure an improper setting does not breach your security.
Anyway will see what they do to fix it but what ever it is, they broke it with the firmware update.

P.S If I was to take a stab at fixing their code (I don't fully know how it works as a part of their whole system) but this is what I would do,

Code: Select all

_init_anonymous()
{
	# "guest account" check.
	guest_account=`/sbin/getcfg global "guest account" -d "NOT_FOUND" -f ${CONFIG}`
	#if [ "x${guest_account}" == "xNOT_FOUND" ]; then
		#/sbin/write_log "[Microsoft Networking] ${CONFIG} setup 'guest account' not found. Repaired." 2
	#fi
	# "guest account" reset.
	/sbin/setcfg global "guest account" "guest" -f ${CONFIG}

	# "map to guest" check.
	map_to_guest=`/sbin/getcfg global "map to guest" -d "NOT_FOUND" -f ${CONFIG}`
	#if [ "x${map_to_guest}" == "xNOT_FOUND" ]; then
		#/sbin/write_log "[Microsoft Networking] ${CONFIG} setup 'map to guest' not found. Repaired." 2
	#fi
	# "map to guest" reset. Dependes on "restrict anonymous".
	restrict_anonymous=`/sbin/getcfg global "restrict anonymous" -d "NOT_FOUND" -f ${CONFIG}`
	if [ "x${restrict_anonymous}" == "x2" ]; then
	# restrict anonymous level 2.
		/sbin/setcfg global "map to guest" "Never"    -f ${CONFIG}
		/sbin/setcfg global "invalid users" "guest" -f ${CONFIG}
	else
		/sbin/setcfg global "map to guest" "Bad User" -f ${CONFIG}
		/sbin/setcfg global "invalid users" "" -f ${CONFIG}
	fi
	}

Re: Unable to access NAS as guest following firmware update to v4.3.6.0979

Posted: Fri Jun 28, 2019 9:48 am
by gregeeh
Rastan wrote: Thu Jun 27, 2019 9:43 pm As a follow up to the excellent advice from BrutisNA, simply removing guest from invalid users = guest (so it simply has: invalid users = ) and restarting Samba with: /etc/init.d/smb.sh did the trick. I couldn't find the /sbin/setcfg global entries in smb.sh. I can now login anonymously via phone and other devices.

As stated, though, a quick and dirty fix.

Cheers,

Rastan
This worked for me too. I also did could not find the /sbin/setcfg global entries in smb.sh.

Re: Unable to access NAS as guest following firmware update to v4.3.6.0979

Posted: Fri Jun 28, 2019 5:01 pm
by Rastan
Hi BrutisNZ,

I forgot to thank you for the quick fix solution from earlier!

Anyway, I couldn't find the global references you referred to in smb.sh. I edited the /etc/config/smb.conf file, to remove the guest entry in invalid user. Then restarted Samba with the command you gave. I assumed that it would reset everything, but for some reason it didn't.
NAS.PNG
As a result, the smb.conf file invalid users section remains blank and everything works as it did.

Just forgot, I did do a manual installation of the last known good firmware: TS-X53_20190531-4.4.6.0959 (I have a TS-253 Pro NAS). Don't know if this will affect the process or not, but since it works I'm leaving it alone for the time being.

Cheers,

Rastan

Re: Unable to access NAS as guest following firmware update to v4.3.6.0979

Posted: Fri Jun 28, 2019 5:02 pm
by zebulon-ufh
BrutisNZ wrote: Thu Jun 27, 2019 5:39 pm
/sbin/setcfg global "invalid users" "guest" -f ${CONFIG}
change to (note the # at the beginning)
# /sbin/setcfg global "invalid users" "guest" -f ${CONFIG}
add the following line below it
/sbin/setcfg global "invalid users" "" -f ${CONFIG}
Thank you very much for this patch. It helps me out too.

But wouldn't it be better to fully disable this part of code instead of replacing it? Before your patch it wasn't able to unset "invalid users = guest" within the smb.conf, now it looks like with your patch it isn't possible to set "invalid user = guest", if desired.

Regards,
Ulrich

Re: Unable to access NAS as guest following firmware update to v4.3.6.0979

Posted: Fri Jun 28, 2019 7:23 pm
by BrutisNZ
Rastan wrote: Fri Jun 28, 2019 5:01 pm Hi BrutisNZ,

I forgot to thank you for the quick fix solution from earlier!

Anyway, I couldn't find the global references you referred to in smb.sh. I edited the /etc/config/smb.conf file, to remove the guest entry in invalid user. Then restarted Samba with the command you gave. I assumed that it would reset everything, but for some reason it didn't.

NAS.PNG

As a result, the smb.conf file invalid users section remains blank and everything works as it did.

Just forgot, I did do a manual installation of the last known good firmware: TS-X53_20190531-4.4.6.0959 (I have a TS-253 Pro NAS). Don't know if this will affect the process or not, but since it works I'm leaving it alone for the time being.

Cheers,

Rastan
That's fine, I'm just glad you have a working solution. I think the reason it wasn't reset is because you downgraded the firmware if you go back to the new firmware again then you won't be able to edit the smb.conf.

Re: Unable to access NAS as guest following firmware update to v4.3.6.0979

Posted: Fri Jun 28, 2019 7:32 pm
by BrutisNZ
zebulon-ufh wrote: Fri Jun 28, 2019 5:02 pm
BrutisNZ wrote: Thu Jun 27, 2019 5:39 pm
/sbin/setcfg global "invalid users" "guest" -f ${CONFIG}
change to (note the # at the beginning)
# /sbin/setcfg global "invalid users" "guest" -f ${CONFIG}
add the following line below it
/sbin/setcfg global "invalid users" "" -f ${CONFIG}
Thank you very much for this patch. It helps me out too.

But wouldn't it be better to fully disable this part of code instead of replacing it? Before your patch it wasn't able to unset "invalid users = guest" within the smb.conf, now it looks like with your patch it isn't possible to set "invalid user = guest", if desired.

Regards,
Ulrich
Remember it was just a temporary solution to just solve one problem. I don't work for QNAP or profess to understand how their software works.
You do the change at your own risk to solve one nagging problem it's not meant to be a cure for whatever software bug they introduced in their "code"
I provided a more comprehensive explanation in my second post above ^^^^
Hopefully they resolve the issue soon in the meantime I'm glad the rough and dirty fix is working for you.

Re: Unable to access NAS as guest following firmware update to v4.3.6.0979

Posted: Fri Jun 28, 2019 9:41 pm
by thibbea
BrutisNZ wrote: Thu Jun 27, 2019 5:39 pm Oh btw I'm still waiting for the QNAP tech to access remotely.
This fix below has been working for the last few days, it is NOT QNAP APPROVED
If you know what you are doing here is a temporary solution. It is working for me. Do this at your own risk! blah blah blah

Search for and change the following line in smb.sh located in /etc/init.d

/sbin/setcfg global "invalid users" "guest" -f ${CONFIG}
change to (note the # at the beginning)
# /sbin/setcfg global "invalid users" "guest" -f ${CONFIG}
add the following line below it
/sbin/setcfg global "invalid users" "" -f ${CONFIG}

Save the file and restart SMB with /etc/init.d/smb.sh restart

You should now be able to login without guest credentials.

The above changes the smb.conf file located in /etc/config
from
invalid users = guest
to
invalid users =

If QNAP provide a solution then just reverse the above and restart smb

Cheers,
Thanks It work perfectly :)

Re: Unable to access NAS as guest following firmware update to v4.3.6.0979

Posted: Sat Jun 29, 2019 12:01 am
by drivie
BrutisNZ wrote: Thu Jun 27, 2019 5:39 pm Oh btw I'm still waiting for the QNAP tech to access remotely.
This fix below has been working for the last few days, it is NOT QNAP APPROVED
If you know what you are doing here is a temporary solution. It is working for me. Do this at your own risk! blah blah blah

Search for and change the following line in smb.sh located in /etc/init.d

/sbin/setcfg global "invalid users" "guest" -f ${CONFIG}
change to (note the # at the beginning)
# /sbin/setcfg global "invalid users" "guest" -f ${CONFIG}
add the following line below it
/sbin/setcfg global "invalid users" "" -f ${CONFIG}

Save the file and restart SMB with /etc/init.d/smb.sh restart

You should now be able to login without guest credentials.

The above changes the smb.conf file located in /etc/config
from
invalid users = guest
to
invalid users =

If QNAP provide a solution then just reverse the above and restart smb

Cheers,

Thanks for posting this.

I assume you're using vi to edit the file? I'm terrible with vi. Can you please tell me how to search for that string within the smb.sh file using vi?

Re: Unable to access NAS as guest following firmware update to v4.3.6.0979

Posted: Sat Jun 29, 2019 5:51 am
by gregeeh
Can you please tell me how to search for that string within the smb.sh file using vi?
http://bfy.tw/OLNU

Re: Unable to access NAS as guest following firmware update to v4.3.6.0979

Posted: Sat Jun 29, 2019 7:30 am
by BrutisNZ
drivie wrote: Sat Jun 29, 2019 12:01 am Can you please tell me how to search for that string within the smb.sh file using vi?
Hi,
A long time ago in the dark ages when I used vi and nano to edit in Linux, I could have answered that.

But now I always access my Linux Servers and NAS boxes from Windows
putty via ssh - command lines, running scripts .....
winscp with notepad++ integrated, file transfers and editing
A much more pleasant experience in my opinion.

cheers

Re: Unable to access NAS as guest following firmware update to v4.3.6.0979

Posted: Sat Jun 29, 2019 8:22 am
by drivie
BrutisNZ wrote: Sat Jun 29, 2019 7:30 am
drivie wrote: Sat Jun 29, 2019 12:01 am Can you please tell me how to search for that string within the smb.sh file using vi?
Hi,
A long time ago in the dark ages when I used vi and nano to edit in Linux, I could have answered that.

But now I always access my Linux Servers and NAS boxes from Windows
putty via ssh - command lines, running scripts .....
winscp with notepad++ integrated, file transfers and editing
A much more pleasant experience in my opinion.

cheers
Got it, thanks. I didn't think to use WinSCP.

Re: Unable to access NAS as guest following firmware update to v4.3.6.0979

Posted: Sat Jun 29, 2019 8:45 am
by drivie
BrutisNZ wrote: Thu Jun 27, 2019 5:39 pm Oh btw I'm still waiting for the QNAP tech to access remotely.
This fix below has been working for the last few days, it is NOT QNAP APPROVED
If you know what you are doing here is a temporary solution. It is working for me. Do this at your own risk! blah blah blah

Search for and change the following line in smb.sh located in /etc/init.d

/sbin/setcfg global "invalid users" "guest" -f ${CONFIG}
change to (note the # at the beginning)
# /sbin/setcfg global "invalid users" "guest" -f ${CONFIG}
add the following line below it
/sbin/setcfg global "invalid users" "" -f ${CONFIG}

Save the file and restart SMB with /etc/init.d/smb.sh restart

You should now be able to login without guest credentials.

The above changes the smb.conf file located in /etc/config
from
invalid users = guest
to
invalid users =

If QNAP provide a solution then just reverse the above and restart smb

Cheers,
Well, I searched through the smb.sh file (in /etc/init.d directory) using WinSCP editor and could not locate the line you listed. I had downgraded my firmware to 4.3.6.0959 so I wonder if that line is missing because of that...? Still unable to access any shares as a guest user though. Not sure where to go from here.

ETA: I went ahead and upgraded to 4.3.6.0979 again and the line you listed was in the smb.sh file so I was able to make the changes. Guest access is working now. Thank you so much!!!

Re: Unable to access NAS as guest following firmware update to v4.3.6.0979

Posted: Sat Jun 29, 2019 10:46 am
by BrutisNZ
drivie wrote: Sat Jun 29, 2019 8:45 am Well, I searched through the smb.sh file (in /etc/init.d directory) using WinSCP editor and could not locate the line you listed. I had downgraded my firmware to 4.3.6.0959 so I wonder if that line is missing because of that...? Still unable to access any shares as a guest user though. Not sure where to go from here.

ETA: I went ahead and upgraded to 4.3.6.0979 again and the line you listed was in the smb.sh file so I was able to make the changes. Guest access is working now. Thank you so much!!!
Yes, It appears if you downgrade from 4.3.6.0979 the line "/sbin/setcfg global "invalid users" "guest" -f ${CONFIG}' doesn't appear in smb.sh
This is what is happening -
pre 4.3.6.0979 smb.conf "invalid users =" does not exist
upgrade to 4.3.6.0979 smb.conf "invalid users = guest" (added because of smb.sh)
downgrade to 4.3.6.0959 smb.conf still "invalid users = guest" (can't be changed by smb.sh as no code to change it)

The problem with using "invalid users = guest" QNAP, is simply explained in the SAMBA manual which states -
invalid users (S)
This is a list of users that should not be allowed to login to this service. This is really a paranoid check to absolutely ensure an improper setting does not breach your security.
If you try to access your shares and the Account you use is not on the NAS, SAMBA sends it to the guest Account but as we saw the guest is blocked by "invalid users = guest" and it fails.

Soooooo...
if you downgrade to 4.3.6.0959 or lower then edit smb.conf "invalid users =" Save the file and restart SMB with /etc/init.d/smb.sh restart
(Note: Below is not QNAP approved. Just my own way of fixing what I think they were trying to achieve.)
if you are still on 4.3.6.0979 then edit smb.sh as below adding the two lines
/sbin/setcfg global "invalid users" "guest" -f ${CONFIG}
/sbin/setcfg global "invalid users" "" -f ${CONFIG}
and remove the last
/sbin/setcfg global "invalid users" "guest" -f ${CONFIG}
so the code looks like below
Save the file and restart SMB with /etc/init.d/smb.sh restart

Code: Select all

_init_anonymous()
{
	# "guest account" check.
	guest_account=`/sbin/getcfg global "guest account" -d "NOT_FOUND" -f ${CONFIG}`
	#if [ "x${guest_account}" == "xNOT_FOUND" ]; then
		#/sbin/write_log "[Microsoft Networking] ${CONFIG} setup 'guest account' not found. Repaired." 2
	#fi
	# "guest account" reset.
	/sbin/setcfg global "guest account" "guest" -f ${CONFIG}

	# "map to guest" check.
	map_to_guest=`/sbin/getcfg global "map to guest" -d "NOT_FOUND" -f ${CONFIG}`
	#if [ "x${map_to_guest}" == "xNOT_FOUND" ]; then
		#/sbin/write_log "[Microsoft Networking] ${CONFIG} setup 'map to guest' not found. Repaired." 2
	#fi
	# "map to guest" reset. Dependes on "restrict anonymous".
	restrict_anonymous=`/sbin/getcfg global "restrict anonymous" -d "NOT_FOUND" -f ${CONFIG}`
	if [ "x${restrict_anonymous}" == "x2" ]; then
	# restrict anonymous level 2.
		/sbin/setcfg global "map to guest" "Never"    -f ${CONFIG}
		/sbin/setcfg global "invalid users" "guest" -f ${CONFIG}
	else
		/sbin/setcfg global "map to guest" "Bad User" -f ${CONFIG}
		/sbin/setcfg global "invalid users" "" -f ${CONFIG}
	fi
	}
EDIT:
I can now confirm the above (after backing up, reinitialising, installing 4.3.6.0959, reconfiguring NAS and checking the files - PHEW!)
This bug was introduced by QNAP when they rewrote smb.sh in 4.3.6.0979
Previous firmware did not have "invalid users = guest" in smb.conf or a line in smb.sh to configure it!
Waiting for QNAP to fix their code.
Waiting..............

Re: Unable to access NAS as guest following firmware update to v4.3.6.0979

Posted: Tue Jul 02, 2019 7:06 pm
by BowGo
Any news whether or not the latest Beta firmware addresses this issue? 4.4.1.0978 (Public Beta 2) build 20190626
I for one, not wanting to edit files manually, and seeing that downgrading has no effect, the only option is to install a new firmware.