Samba Access Based Enumeration - QTS 4.3.3

neukenio
New here
Posts: 2
Joined: Sun Apr 23, 2017 2:36 pm

Samba Access Based Enumeration - QTS 4.3.3

Post by neukenio »

Hello, I am new to the forum as I have just received my QNAP. I would like to apologize in advance if I have formatted anything incorrectly or there is a problem with this post (I hope that I am posting this in the correct place). Thus far I am really happy with it and am going through the stages of setting it up and migrating my data over to it. Before I ask my question, please see the following for information pertaining to my NAS:

NAS Information:
NAS Model: TVS-873
Firmware / QTS Version: 4.3.3.0154 (2017/04/13)
Operating System used when connecting to NAS: Windows 7 Pro / Mac OS X 10.11.6 (El Capitan)
Network Setup: Single Port
Highest SMB Version: 2.1

If possible, I would like to request some assistance from the community as I have been trying to read the user manual and Google for the answer, but thus far have come up short -

As I am connecting to the NAS using 2 different operating systems, I have enabled the networking services for Microsoft (SMB) and Apple (AFP). When browsing the network for shared folders on the NAS using the Mac, I am presented with only the shared folders for which the user I am connecting with has access. When browsing via the Windows 7 computer, ALL shared folders are visible despite the user having neither read nor write permissions (i.e. when connecting using the 'Guest' user, all shared folders are displayed). The permissions work properly as the user is not able to navigate into any of the folders for which they do not have permissions (prompted with a user dialog requiring login credentials), but I would like SMB to behave similarly to AFP (hide any shared folders that the connected user does not have read or write access to).

Things that I have tried to accomplish this goal:

1. Change 'Highest SMB Version' setting from 2.1 (I believe this is what the default setting was, please correct me if I'm wrong) to 3.0.
This resulted in my NAS becoming inaccessible to the Windows 7 computer. I changed it back and was again able to browse.

2. Enable 'Advanced Folder Permissions'
This did not seem to have an effect

3. Edited /etc/config/smb.conf to add 'hide unreadable = yes' (without the quotes of course)
In my search, I found the following two links suggesting that what I am looking to do is possible by editing the smb.conf configuration file:

viewtopic.php?t=25638
https://helpdesk.qnap.com/index.php?/Kn ... networking

I followed the directions by SSH into the NAS using the admin account, editing the smb.conf file to add 'hide unreadable = yes' under the [global] heading (last row under the heading and later further up), then restarting the service. I then disconnected the network computers from the NAS share, and issued the command to restart the smb service. This did not have the desired effect. Next I tried rebooting the NAS, but still no change. I then removed 'hide unreadable' from the [global] heading, and tried adding it under an individual folder heading, saving, then restarting smb. No change.

When I came across the help desk site I thought that I had found the solution. I was hoping that I would be able to add the hide unreadable flag to the global parameters list so that I wouldn't have to individually set this setting for each new folder that I create. If possible, I would like to avoid using ACL (as it would require folder by folder settings changes and I usually administer the NAS from the Mac).

Any help or guidance would be greatly appreciated. Thank you for taking the time to read this post.
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: Samba Access Based Enumeration - QTS 4.3.3

Post by schumaku »

Hello, and welcome to the QNAP NAS Community Forum!
neukenio wrote:As I am connecting to the NAS using 2 different operating systems, I have enabled the networking services for Microsoft (SMB) and Apple (AFP).
I would ask you to reconsider this idea. Apple is going away from AFP towards SMB very quickly. Servers offering both protocols under the same host name in the Bonjour announcements (i.e. another macOS system) are preferably connected by SMB for a longer time already.
neukenio wrote: When browsing the network for shared folders on the NAS using the Mac, I am presented with only the shared folders for which the user I am connecting with has access.
Yes, this is the default for AFP.
neukenio wrote:When browsing via the Windows 7 computer, ALL shared folders are visible despite the user having neither read nor write permissions (i.e. when connecting using the 'Guest' user, all shared folders are displayed).
Correct, this is the default for SMB on the QNAP QTS NAS in workgroup mode - implemented for commodity.
neukenio wrote:The permissions work properly as the user is not able to navigate into any of the folders for which they do not have permissions (prompted with a user dialog requiring login credentials), but I would like SMB to behave similarly to AFP (hide any shared folders that the connected user does not have read or write access to).
You could - but this is off from what is supported as of writing - so anything from here at your own risk.

None of the three mods would change anything - even what was workable before probably, and documented in the QNAP Helpdesk KB.

Essentially, there are two steps ... the first is the one you had deployed already in the [global] section, the second one has to be repeated in each [[sharedfolder]] section - just without editing the smb.conf file:

The global setting...

[~] # setcfg -f /etc/config/smb.conf global "hide unreadable" yes

...and now for each shared folder...

[~] # setcfg -f /etc/config/smb.conf Multimedia "access based share enum" true
[~] # setcfg -f /etc/config/smb.conf Download "access based share enum" true
...

You can check the entries by using getcfg, for example:

[~] # getcfg -f /etc/config/smb.conf Download "access based share enum"
true

Now restart SAMBA ...

[~] # /etc/init.d/smb.sh restart
...

..and enjoy.

Regards,
-Kurt
neukenio
New here
Posts: 2
Joined: Sun Apr 23, 2017 2:36 pm

Re: Samba Access Based Enumeration - QTS 4.3.3

Post by neukenio »

Hey Schumaku,

Thank you very much for your prompt reply. I created a backup copy of smb.conf, then followed the instructions you gave to set the "access based share enum" parameter for each of the individual folders and it worked perfectly (with the exception of the "home" folder - after restarting smb.sh it removes the parameter, but I can live with that if there is no way around it). I really appreciate you taking the time to give such specific instructions and to help me with this.

After reading your comment regarding AFP, I was interested as to why this was so I did some research and you are correct - it looks like Apple is only maintaining AFP for backwards compatibility with legacy Macintosh systems and have been focusing efforts on SMB. From what I am reading, since Mavericks, Apple is using SMB as the default protocol even for Mac to Mac file transfers. The new implementation has both security and performance advantages over AFP. I will take your advice and disable AFP in favor of SMB only.

Thank you again for your time and help, I really appreciate it.
twil21
Starting out
Posts: 28
Joined: Fri Dec 12, 2014 4:54 am

Re: Samba Access Based Enumeration - QTS 4.3.3

Post by twil21 »

Hello!

I tried the commands that you kindly told us, but I have no luck:

[~] # setcfg -f /etc/config/smb.conf global "hide unreadable" yes
[~] # setcfg -f /etc/config/smb.conf SGA Mures "access based share enum" true
Unknown argument true
[~] #

Why is argument not known?

Later Edit: it was because the share name has two different names! I ended up browsing with WinSCP and manually editing the line like this: "access based share enum = true" at the necessary share name and now everything works like a charm!

I searched for a whole day for this option in QNAP's web interface! But thanks to you now my wish came true!

Best regards!
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: Samba Access Based Enumeration - QTS 4.3.3

Post by schumaku »

A space is taken to separate words or parameters. Using shared folder names with, e.g., spaces can all of a sudden cause issues.

[~] # setcfg
Usage: setcfg section field setvalue[ -f profile | -c ]
-f profile Specify the path of the profile
-c Section and field names are case sensitive

Without quotes, SGA and Mures are two different parameters, and are used for section and field. To make them one, quote the shared folder name:

[~] # setcfg -f /etc/config/smb.conf "SGA Mures" "access based share enum" true
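
An added example, not part of any post in this thread: a shell check that lists the share sections of an smb.conf still missing "access based share enum" and prints the matching setcfg commands with the section name quoted, as in the fix above. The sample configuration and its share paths are constructed, and share names are assumed not to contain double quotes.

```shell
# Added example (not from the thread); the sample data below is constructed.
# Print every section except [global] where the parameter is not yes/true/1.
shares_missing_abse() {
    awk '
        function flush() { if (sect != "" && tolower(sect) != "global" && !ok) print sect }
        /^[ \t]*[#;]/ { next }                     # comment lines
        /^[ \t]*\[.*\][ \t]*$/ {                   # section header
            flush()
            sect = $0
            sub(/^[ \t]*\[/, "", sect); sub(/\][ \t]*$/, "", sect)
            ok = 0
            next
        }
        {
            i = index($0, "=")
            if (i == 0) next
            key = tolower(substr($0, 1, i - 1)); val = tolower(substr($0, i + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "access based share enum")  # last assignment wins
                ok = (val == "yes" || val == "true" || val == "1")
        }
        END { flush() }
    ' "$1"
}

# Emit one setcfg line per missing share; the section name is always quoted
# so a name with spaces stays a single argument (names assumed to hold no ").
print_setcfg_commands() {
    shares_missing_abse "$1" | while IFS= read -r share; do
        printf 'setcfg -f %s "%s" "access based share enum" true\n' "$1" "$share"
    done
}

# Constructed sample configuration (share paths are made up).
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
hide unreadable = yes
[Multimedia]
access based share enum = true
[SGA Mures]
path = /share/SGA Mures
[home]
access based share enum = no
EOF
}

conf=$(mktemp); write_sample_conf "$conf"
print_setcfg_commands "$conf"; rm -f "$conf"
```

Running the audit again after restarting Samba shows whether each section kept the setting.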
Rhialto
Easy as a breeze
Posts: 363
Joined: Tue Dec 09, 2014 3:26 am

Re: Samba Access Based Enumeration - QTS 4.3.3

Post by Rhialto »

Just created an account for my girlfriend, then logged in once for the folder to be created.

Next I connected to the NAS from MacBook (SMB) with her credentials and saw all the folders on the NAS while I was also thinking she would only see what she had access to. A search on how to fix that brought me here.

Because I was thinking that if I want to do the same with the kids, I would much prefer they only see a single folder where to drop their files, less complicated for them and I won't get questions like, "why can't I access that folder?".

While I'm able to connect with FTP and find/edit the smb.conf file I was curious if a utility program could have been made to handle this with simple checkboxes or something?
Entered the NAS world with a TS-251+ in December 2016. As of December 2020, disks are now used in a TS-253D. :geek:
twil21
Starting out
Posts: 28
Joined: Fri Dec 12, 2014 4:54 am

Re: Samba Access Based Enumeration - QTS 4.3.3

Post by twil21 »

There will probably be an update in the future from Qnap that will bring this request with a simple checkbox. Synology already has it.
Rhialto
Easy as a breeze
Posts: 363
Joined: Tue Dec 09, 2014 3:26 am

Re: Samba Access Based Enumeration - QTS 4.3.3

Post by Rhialto »

twil21 wrote:There will probably be an update in the future from Qnap that will bring this request with a simple checkbox. Synology already has it.
Interesting but if no requests are made I doubt they will add it... Best option is to open a ticket so they can keep track of it.
Entered the NAS world with a TS-251+ in December 2016. As of December 2020, disks are now used in a TS-253D. :geek:
stanley_chung
Know my way around
Posts: 103
Joined: Tue Jun 09, 2009 10:20 pm
Location: HK

Re: Samba Access Based Enumeration - QTS 4.3.3

Post by stanley_chung »

Hi schumaku, does it work on TS-259 Pro with QTS 4.2.6?
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: Samba Access Based Enumeration - QTS 4.3.3

Post by schumaku »

Hi Stanley,

Yes, I would expect this does work on the x59 on QTS 4.2.6 which does make use of SAMBA 4.0.25.

Update: Today, QTS 4.2.6 build 2017101 was released for the soon EoL NAS models - which does come with a very recent SAMBA 4.6.7.

-Kurt.
stanley_chung
Know my way around
Posts: 103
Joined: Tue Jun 09, 2009 10:20 pm
Location: HK

Re: Samba Access Based Enumeration - QTS 4.3.3

Post by stanley_chung »

schumaku wrote:Hi Stanley,

Yes, I would expect this does work on the x59 on QTS 4.2.6 which does make use of SAMBA 4.0.25.

Update: Today, QTS 4.2.6 build 2017101 was released for the soon EoL NAS models - which does come with a very recent SAMBA 4.6.7.

-Kurt.
Thanks schumaku
sultanbrunei
Starting out
Posts: 46
Joined: Thu Aug 10, 2017 3:17 pm

Re: Samba Access Based Enumeration - QTS 4.3.3

Post by sultanbrunei »

neukenio wrote: 3. Edited /etc/config/smb.conf to add 'hide unreadable = yes' (without the quotes of course)
In my search, I found the following two links suggesting that what I am looking to do is possible by editing the smb.conf configuration file:

viewtopic.php?t=25638
https://helpdesk.qnap.com/index.php?/Kn ... networking

I followed the directions by SSH into the NAS using the admin account, editing the smb.conf file to add 'hide unreadable = yes' under the [global] heading (last row under the heading and later further up), then restarting the service. I then disconnected the network computers from the NAS share, and issued the command to restart the smb service. This did not have the desired effect. Next I tried rebooting the NAS, but still no change. I then removed 'hide unreadable' from the [global] heading, and tried adding it under an individual folder heading, saving, then restarting smb. No change.

When I came across the help desk site I thought that I had found the solution. I was hoping that I would be able to add the hide unreadable flag to the global parameters list so that I wouldn't have to individually set this setting for each new folder that I create.
I tried what you did, edited under the global heading, and after a successful samba restart, my Qnap is no longer showing in the network section of file explorer!
Previously I have successfully made it appear with the new Win10 update (1709), and now after the "hide unreadable = yes" command, it disappears again.

Now, I have re-edited the config file, deleted the command line, and then saved the file and restarted samba. This time the Qnap is still not showing in the network section of file explorer!.. helppppppp :-0