SMBv1 Sonos TrueNas 12 RC1

[velocity08]

Hey All

have seen a few posts in the forum about SMBv1 and sonos systems.
recently moved to TrueNas core and SMBv1 stopped working, upgraded to RC1 last night and the GUI functions returned - YaY
unfortunately Sonos still cant connect no matter what ACL's are set, shares are set (Guest etc) and have tried simple usernames + PW for troubleshooting.
any pointers on troubleshooting steps to identity the issue would be great.

""Cheers
G

 

[hescominsoon]

Make sure smb1 didn't get turned off. What i have found is you have to strip all of the ACL's off and then use ONLY the permissions...then you should regain access to your files.

 

[anodos]

What i have found is you have to strip all of the ACL's off and then use ONLY the permissions...then you should regain access to your files.

As we discussed in the previous post you made to this effect. This statement is incorrect. The particulars of how you choose to administer your server are up to you, but please stop advising users to strip ACLs to solve issues. Depending on how the underlying permissions / services are configured this _may_ result in significant impact on operation of services. It's a much better option to troubleshoot the actual issue.

If you have a reproducible issue with the ACL manager or ACLs in general, please file a bug ticket on our tracker and provide steps to reproduce what you have seen and I will try to get a fix into the next release.

 

[anodos]

Hey All

have seen a few posts in the forum about SMBv1 and sonos systems.
recently moved to TrueNas core and SMBv1 stopped working, upgraded to RC1 last night and the GUI functions returned - YaY
unfortunately Sonos still cant connect no matter what ACL's are set, shares are set (Guest etc) and have tried simple usernames + PW for troubleshooting.
any pointers on troubleshooting steps to identity the issue would be great.

""Cheers
G

Is the checkbox for SMB1 checked? If so, run the command testparm -s and verify that the smb4.conf file contains the entry server min protocol = NT1

 

[anodos]

On core you can also run the command midclt call smb.status AUTH_LOG | jq and review the details of authentication attempts from your sonos.

 

[hescominsoon]

As we discussed in the previous post you made to this effect. This statement is incorrect. The particulars of how you choose to administer your server are up to you, but please stop advising users to strip ACLs to solve issues. Depending on how the underlying permissions / services are configured this _may_ result in significant impact on operation of services. It's a much better option to troubleshoot the actual issue.

If you have a reproducible issue with the ACL manager or ACLs in general, please file a bug ticket on our tracker and provide steps to reproduce what you have seen and I will try to get a fix into the next release.

This is like your other reply where you say it's just bad don't do it without giving anything concrete. It's not just 12..i have been doing this since acl's were introduced in 11.x..with no ill effects. I'll continue with this in pm..but so far your reasons are just it's bad..not as to why. If it was so dangerous..do not give us the ability to do it in the webui...

 

[anodos]

This is like your other reply where you say it's just bad don't do it without giving anything concrete. It's not just 12..i have been doing this since acl's were introduced in 11.x..with no ill effects. I'll continue with this in pm..but so far your reasons are just it's bad..not as to why. If it was so dangerous..do not give us the ability to do it in the webui...

I gave a general overview of how ACLs work in your other thread and the short-comings of the mitigations I put in place to have things work more-or-less as expected with a trivial ACL on files (an ACL that can be expressed as a POSIX mode without information loss). Going into technical details here is beyond the scope of what's needed in this particular thread. I will happily reply to your PM / questions in a distinct thread as I have time.

The point of BETA and RC releases is to catch and fix bugs. Telling users to strip off ACLs because they're broken (without filing bug reports or any further action to identify the actual underlying problem) is counter-productive to what we're trying to do here.

 

[Constantin]

...have seen a few posts in the forum about SMBv1 and sonos systems....recently moved to TrueNas core and SMBv1 stopped working, upgraded to RC1... unfortunately Sonos still cant connect no matter what ACL's are set, shares are set (Guest etc) and have tried simple usernames + PW for troubleshooting.

1. I would not allow a SONOS to connect to your Free/TrueNAS. To allow it, you need to downgrade your SMB security to SMB1, NTLM v1. This is a really bad idea, as it downgrades SMB security across the entire NAS to levels that Ned Pyle at MS (Principal Program Manager in the Windows Server Engineering Group) declared as unsafe 5 years ago.
2. If you are dead-set on running your Sonos off your iTunes collection, I would set up a copy on a burner NAS. I use a Raspberry Pi with a 2TB drive to serve up content to the SONOS. It's a canary in the coal mine, likely the first server to get hacked due to its crummy, low security. I simply copy the contents of my FreeNAS share to the burner NAS whenever I add more iTunes content.
3. If you do not want to use a burner NAS for Sonos content, please consider installing Plex on the FreeNAS instead. It offers better security and a larger index count than Sonos does natively and at least Plex is being maintained (unlike Sonos' NAS-centric software stack).

Given all the issues with SONOS and telemetry, forced updates, equipment bricking, etc. I limit my SONOS' access to the internet severely (thank you pi-Hole). My Zone Players can only contact the sslvalidator server at Sonos (all other subdomains remain blocked) and TuneIn internet radios. For example, despite turning off tracking, each zone player attempts to contact the mothership hundreds of times per day. Never mind the 8.5+ FW debacle where Sonos purposely bricked functional CR100 hardware.

While Sonos may have been focused on NAS integration in the early days, their corporate focus is 100% on streaming now. In the last five years, they were blindsided by the quick entry of Google, Amazon, and Apple into their sphere and went from being a leader in a comfortable, high-margin niche to being a puny competitor who couldn't charge the same margins anymore since the big three were willing to sell their gear at or below cost to buy market share.

IMO, Sonos was subsequently positioned / shopped as an acquisition play by one of the big 3, (which is why they tried to jettison everything now covered by the S1 firmware stack), made their products broadly compatible, etc. and when that didn't happen, they pivoted again to the next shiny object, i.e. content creation. Thanks but no thanks. I love my Sonos hardware but the Sonos upper company management is a hot dumpster fire.

 

[anodos]

Oh. One more point about legacy protocols and such. The netbios name server is disabled by default in 12.0. You can re-enable by clicking on Network->Global Configuration and checking the "NetBIOS-NS" box. This might be something impacting connectivity for the Sonos.

 

[styno]

Another option you have is to install Plex and let it index your music collection, then point Sonos to Plex instead of your smb share.