Allow SMB1 access for single share

BetYourBottom

Contributor | Joined: Nov 26, 2016 | Messages: 141
Is there a way to enable SMB1 access on only a single share instead of globally in the configuration?

I've tried overriding it in the additional parameters under the share itself but with no luck. The only way that my device could connect was if I enabled it globally via the service options.
 

BetYourBottom

I still don't know how to configure a single share to allow SMB1 within FreeNAS itself; however, I found a workaround for the moment.

The workaround is that I have created a new jail, added the directories that I want to share on SMB1 to the jail, then manually installed and configured a Samba server within the jail itself.

This is still not ideal, I'd prefer to be able to manage all my shares directly within the UI as normal with an option for SMB1 within individual shares.
 

Constantin

Vampire Pig | Joined: May 19, 2017 | Messages: 1,829
Can’t be done on a single share basis.

Due to the security implications associated with having SMB1 enabled, I suggest an alternative approach: duplicate the content on a spinner that is attached to a RPi, Apple Airport, or like lite-duty “NAS”. Then, if it gets nuked, oh well, now you know you have a problem in your network (i.e. honeypot).

That’s how I keep my music for the Sonos as the Sonos way is insecure for anything that they’re not required to secure by content providers. From what I have been able to gather on the Sonos forums, despite the S1/S2 Firmware split, SMB2+ is still not available on either.

If this external drive has to be semi performant, consider marrying a RPi with a leftover mSATA / NVMe Drive holder (see geekworm), use Ubuntu server and bcache to fuse the SSD and the HDD. That’s what I’m slowly setting up as a time machine target for my kids. Low power, separate from the server, good enough for their use case.

My laptop then periodically synchronizes these external units with the server. Not yet certain how I will do it re: the TM share as that is a different VLAN. Most likely, makes sense to configure that as a plug-in USB adapter that is only used for that application. Not air-gapped, but close.
 

BetYourBottom

You can't configure SMB1 for a single share.
On FreeNAS, I was already aware; if you mean in general, then I didn't know.

Is SMB1 so insecure that I have to worry about something breaking it and then breaking out of the jail into the rest of the box? Because as it stands the vast majority of the data that I'd worry about is going to be/is mounted read only by iocage and then I have a separate directory that it can write to union mounted over top. So unless it can actually break out of the jail (Intel processors aren't the safest), I should think that it shouldn't be able to do anything malicious.
 

anodos

Sambassador | iXsystems | Joined: Mar 6, 2014 | Messages: 9,553
I meant in general. It's a global option even on Windows.

The main problem with having two Samba servers sharing the same data (one in jail and one in main OS) is that there will not be any coordination of Samba's tdb files (used for many things). At a minimum you'll want to disable opportunistic locks and SMB2 leases for datasets shared between the two servers.
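
The settings named in the post above, written out as smb.conf for the two-server setup. This is an added example, not configuration posted by anyone in the thread; the share name, path, read-only export and client address (192.0.2.10) are placeholder assumptions.

```ini
# Constructed example, not from the thread. Share name, path and the
# client address 192.0.2.10 are placeholders.

# --- smb.conf of the Samba instance inside the jail (SMB1-capable) ---
[global]
    # Accept SMB1 (NT1) from the legacy client. This is instance-wide,
    # which is why the SMB1 instance is kept separate from the main one.
    server min protocol = NT1
    # Leases are a global parameter; disabled because the other smbd
    # has its own tdb files and cannot see or break them.
    smb2 leases = no
    # Only the legacy device may reach this instance.
    hosts allow = 192.0.2.10
    hosts deny = 0.0.0.0/0

[legacy]
    path = /mnt/legacy
    # Assumption: the legacy device only needs to read.
    read only = yes
    # No client caching grants that the other server cannot revoke.
    oplocks = no
    level2 oplocks = no

# --- main server (SMB2+ only): same locking settings for every share
# --- that exposes the same dataset
# [global]
#     smb2 leases = no
# [<share>]
#     oplocks = no
#     level2 oplocks = no
```

Running `testparm -s` against each file shows the effective values after Samba has parsed them.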
 

anodos

Upstream Samba will eventually remove support for SMB1, but it looks like SMB1 support is still in 4.13-RC1. So this means a minimum of 1.5 years of continued support. TrueNAS 12.0 will be based on Samba 4.12. TrueNAS 12.1 will be based on Samba 4.13 (probably).
 

Constantin

...Because as it stands the vast majority of the data that I'd worry about is going to be/is mounted read only by iocage and then I have a separate directory that it can write to union mounted over top. So unless it can actually break out of the jail (Intel processors aren't the safest), I should think that it shouldn't be able to do anything malicious.

Our use cases are different and likely our preferences re: security also. I am a network novice and am glad when I can get my EdgeRouter, MikroTik Switch, pi-holes, and all the other stakeholders to behave.

Jail or no Jail, I don't want my kids to be able to reach the server, period. Someone somewhere is eventually going to be smart enough to write something for FreeNAS as they have for Synology, QNAP, ReadyNAS, etc. I just don't want to deal with it. Despite malware and other detection software installed on their machines, I keep their machines on a separate VLAN for that reason. But backing up their machines makes sense, so I will create a simple RPi TimeMachine unit for them.

The Sonos falls into the same category. It requires the use of SMB1 and I don't want to give it access to the NAS. Sonos simply has a terrible track record re: security. Even on a home NAS, I am uncomfortable allowing SMB1 to be used - there is no expectation of security. Thus, a disposable NAS to host said data with SMB1, allowing me to ignore that security risk.
 

BetYourBottom

At a minimum you'll want to disable opportunistic locks and SMB2 leases for datasets shared between the two servers.
Thanks for the info, I definitely didn't know that it was mandatory to have as a global setting.
Could you provide some more details on what you are suggesting I do here, as in how to do it and what it means security and functionality-wise. Is it to brace up security or is it to just keep the two instances from stepping on toes?
Yeah, I can understand that, especially for an always online IoT device. The device I'm using is a piece of legacy hardware that is unlikely to be exploited and is off most of the time. Plus it's hopefully going to get a patch to SMB2 at some point in the future based on the whispers in its corner of the internet.
 