SMB2 (or SMB3) support must be supported NOW!




281 replies

Userlevel 7
Badge +23

bockersjv,

 

Thanks for the response.

I’m now aware that my original assumption that the Controller was what serves local files was incorrect.

It is interesting, as to an end user, it isn’t obvious that the Controller (GUI) software is a separate piece of code than the HTTP server that provides music files to the speakers. They are, after all, installed together.

I have to say, with knowledge of the distinction between the two pieces of software, I believe my original premise stands.

I don’t see why support for brokering network file shares through the HTTP server that’s already running on a local PC couldn’t be added. This would certainly be an easier engineering task than trying to get a larger Linux kernel loaded into the older speakers. And, it would have the benefit of working with the investment that folks have already made into old and newer hardware.

It would also mean that it’s possible to avoid running a Raspberry Pi with flawed software - which seems to already suffer from the “additional wireless hops into the music path” problem.


For sharing files on a PC, it makes sense that the PC is powered on, and running the http server. No-one needs to be logged in though, and certainly no controller needs to be running.

For sharing files from a NAS however, requiring that a PC also be powered on to run the http server as a proxy, seems sub-optimal. Else why even use a NAS: put the files on the PC in the first place.

The “correct” solution would be to run the Sonos http server on the NAS itself. This is not difficult technically, but no-one seems interested enough to do this.

Userlevel 2
Badge

I want to use my Sonos with my Synology without using an insecure filesharing protocol. Is that really such a tough ask?

Did you see my comment below?

“I hesitate to say this, but my Amp and Ones appear to be talking to my Synology NAS using SMB3 now.  All devices and controllers are running S2 v13.4.”

I still do not understand the problem of changing from SMB1 to SMB2 or 3.

Can anyone explain to me exactly why the hardware cannot run software using SMB2?

First of all, SMB1 is very vulnerable and has for that reason been deprecated as a protocol, and secondly, the SMB drivers are not using specific hardware that is not present in the mentioned old units, right?

SONOS, you have a problem. If any user gets hacked or encrypted through SMB1 due to your missing support of SMB2, it may fall back on you and the Sonos brand.
We need SONOS to change the version of SMB, and ensure it will run on older hardware.

Userlevel 7
Badge +21

For Systems running S1, I doubt if there will ever be an SMB upgrade.  The memory constraints of those speakers restrict what can be done.

 

For S2 it may be possible, but probably requires a significant development commitment, and given the bulk of new customers tend to use streaming services (and that there is a workaround), I can’t see this being high on the list for Sonos.

 

I run a dedicated Pi based NAS running SMB1, for my Sonos music only, that is sacrificial.

In many ways I agree with you. I resent having to run a sacrificial NAS purely to support Sonos. As you say, the Plex approach for Sonos is very poor.

However, if it was a simple thing for them to do then I suspect that they would already have done it. The more likely scenario is that there's a larger overhead on later versions of SMB, which could mean that older units would stop working (e.g. ZP80/90 etc) - something that the community would find very undesirable. Sonos do seem committed to keeping their own hardware running as long as possible. Also, they are not very interested in local files these days, as apparently the future is streaming.

I've been exploring alternatives lately, and found that you can use a casting app to cast direct to the Sonos device, using a media server on a NAS with SMB1 disabled. This doesn't seem as reliable/convenient as one would wish, but adding a Chromecast Audio into the line in makes a huge difference. I run the CCA into a Play5 and it can then be chosen as a source for other devices. On the AV amp I run the CCA direct, bypassing the ZP90. I'm still using the Sonos software at the moment, but this seems a valid back-up plan should my devices go belly-up. I don't really think that Sonos meets my needs even now, so don't see it as a viable option into the future - consequently, if the devices fail, then I doubt that I'd replace them.
I dread the day Sonos e-mails me to tell me to add my Zone Players and Play 5 Gen 1 systems to the junk pile with my CR-100s. I may have to go back and follow the example of folks that disabled Sonos updates to keep their CR-100s alive at that point.
Unless you actually have a need for the new facilities, it might be worth doing this sooner rather than later. At least you then have full control over what's happening on the system that you've paid good money for.

(anyone listening) am I right in thinking that the only way the SMB1 or NTLMv1 weaknesses can be exploited is if the offending party or software has a valid login to the server with the password (and this would have to be in the list of local users or internal system users on the device) so if I have a few trusted users and my passwords are all very strong (and I’m careful about what I install and the access given to programs) then the SMB issue isn’t really much of an issue at all?

 

Correct.  Although the sturm and drang over this issue is huge, there’s not been one documented case of malicious hacking of a Sonos library due to SMB1 weaknesses.  

Userlevel 7
Badge +23

I wish Sonos would just publish the web service protocol they use now for sharing files on the PC (and I assume the Mac), then the NAS folks could implement that, then SMBv1 would be gone forever.

Userlevel 1

I dread the day Sonos e-mails me to tell me to add my Zone Players and Play 5 Gen 1 systems to the junk pile with my CR-100s. I may have to go back and follow the example of folks that disabled Sonos updates to keep their CR-100s alive at that point.

 

And here we are…

I came here to look for solutions for streaming from my Synology w/o SMB1 enabled. I can't believe there's no SMB2 support. IMHO, this is the pitfall of forcing all devices to run the same software and not making a central control/distribution device that could be upgraded periodically and allow legacy satellite speakers to remain relevant.

Userlevel 1

The Sonos Amp is my first Sonos purchase and it could be the last.

It never occurred to me that any company would release a brand new product that only supports the obsolete SMB1 protocol!

Had this been a cheap bit of Chinese kit I might have forgiven it but Sonos is supposedly a high-end manufacturer with a reputation to protect.

Come on Sonos, get your act together or go home …

 

 

Hello everyone, thanks to the introduction of our S2 platform, we've now added support for SMBv3. Sonos S2 devices will use the highest version of SMB supported by your NAS device. To access this update, you may need to manually change the configuration of your NAS device.

Thank you! 
I can confirm my Netgear ReadyNAS + QNAP is now set & working on SMB3 (as a minimum)

We are writing summer 2019 and still Sonos only supports SMB version 1 for the Music Library share.



This is not acceptable.



A file share running SMB1 is extremely vulnerable to all the variants of cryptolocker virus that exist today. File share servers (NAS, Windows, Apple OS) can only support one version of SMB - so you cannot from the same box have one file share (for Sonos) using SMB1 and the other file shares using SMB2 or SMB3. This way Sonos puts each and every file share at serious risk - just because they don’t update their file share protocol to comply with this century.



And for the record - the “solution” through PLEX is not a solution. Unstable at best.

2 years after this post SONOS have still not resolved this issue. They forced us to upgrade to V2 products to “enable new functionality” but their customers’ security apparently isn’t important to them. BlueSound do recognise the issues with SMBv1!

 

With DSM 7.0 this has become an imminent problem for every synology user. Shame on you SONOS for not fixing a problem that’s raised in freaking 2006.

Very disappointed in Sonos. I have just updated all my older speakers to support S2 and still they are running a version of SMB known to be insecure, SMB V1, even on the new S2 app. This version of SMB was superseded over 3 years ago. Come on Sonos, sort this out, stop putting our systems at risk.

Badge +1

Hi,


This post is just to inform that there are 3 solutions for fixing that sad issue (sad for Synology and Sonos):

- Use a cheap Raspberry Pi 0 that will make the link between the Synology/SMB2 or 3 and the Sonos/SMB1. I did not experiment with that solution as it would require additional hardware and a good minimal Linux skill.

- Use the Plex solution. I am currently experimenting with that solution. I would say that it did not start at the beginning but finally it did without clear reasons. Therefore I have some doubts about its reliability. The big advantage of this solution is that you have the jackets of the albums just beside each album name that you don't have with the usual method.

- Use an additional Docker Samba interface between the SMB>1 Synology and the SMB1 Sonos. I am currently experimenting with that solution as well, and it is working well.

So currently I have both methods running between my Sonos equipments and the DSM 7.0 beta.

My wife is happy !

But let's be honest : I hope both Synology and Sonos will find TOGETHER a solution for music lovers.

Regards (from France )

Philippe

Really…. stop harassing me about S2, first allow SMB2 or SMB3 support for “older” hardware.

If you mean S1, that certainly isn’t going to happen. S1 is frozen functionally, owing to hardware memory limitations in the older players.

Userlevel 7
Badge +23

I am giving my opinion based on over a decade of streaming files to my Sonos, after creating multiple commercial Sonos apps, after working with Sonos engineering in their codebase and after many years of monitoring this forum and its predecessor. It's an opinion, treat it as you like.

Userlevel 7
Badge +22

Take the time to go back and read the history on this issue. I’m not going to re-do all the work I’ve put in in the past and I expect others feel the same just to save you looking it up.

I will sum it up quickly, Sonos has long used an unsupported version of Linux that they have manually patched with the bare minimum stuff needed to stay secure. SMB didn’t make the cut because it required a newer kernel that wouldn’t fit on the older hardware. Making it worse the newer SMB is bigger too.

There is hope but it involves Sonos doing a new kernel and that is mind-bendingly difficult. Then they have to port all their patches and tweaks to the new kernel. Then they have to do the applications. And finally when the core is complete they need to port the Sonos software onto the kernel/GPL base.

OK, I am now hit with this issue. I have the Synology DSM beta installed and I now cannot connect my Sonos system as they have disabled NTLMv1.

More info here

[Update] Lost SMB access with NTLMv1 in DSM 7 Beta | Synology Community

I don't understand what this means apart from I now cannot access my music.

Hi Mick

you will need to install the “SMB Service” package on your DSM 7 NAS drive to enable SMB 1 protocol and get your music library back. 
 

it worked for me. 

I spent half an hour looking for why I couldn’t add my music library and discovered that it’s because it requires smb v1 on the NAS.
Reading this forum put me into increasing disbelief that a) there were trolls saying pull support for NAS (why do you even bother?) and b) there seems to be some excuse that it’s somehow hard to use a current kernel with smbv2/3 support. It’s not and from a security standpoint it’s ridiculous that an old kernel is being used.

hello,

Installed yesterday my first DSM 7.0 and Synology has the solution for it (installed in German - I hope translation is correct):

  1. Control panel
  2. File Services (second point)
  3. Extended settings - activate SMB1 as minimum SMB protocol
  4. Other tab → Activate NTLMv1 Authentication

Sonos works with all S1 components! 

Some hint, if somebody has problems with storage on Sonos devices:

  1. make path as short as possible
  2. we use .flac files - every title is named with 01.flac … 09.flac
  3. Servername as short as possible: M1
  4. share as short as possible: we use “c”
  5. full path: //M1/c/artist-album/01.flac


 

Regards from Austria and have a happy new year!

 

Curious for your perspective on b). If the group is correct about there not being enough RAM on the devices to hold the larger kernel to support a higher version of SMB, how does that get resolved? Do all customers who have these devices get to send them in, and pay for new electronics (motherboard, CPU and RAM, plus manpower to install it) to get them updated? Or does Sonos just say ‘too bad’ and brick millions of currently running devices? Is there a third alternative I’m missing?

Hi, I have not been able to read the entire thread, but I can see we are still talking about SMB2/3 support vs SMB1. I found all this while trying to set up a music library on a Raspberry PI.

 

About half of my job is pentesting and I think I’ll be mostly preaching to the choir here, but I could probably count on all of our fingers and toes how many Credit Unions and Banks my company has fully compromised due to the use of SMBv1 and/or lack of SMB Signing. (and maybe run out of hands and feet.)

 

SMB Signing could potentially solve the issue as well, however, I read a post explaining that SMB has been deprecated by Sonos in favor of HTTP, which still transmits in clear text, but it isn't the data we are protecting (music) it is the network authentication credentials and identities of computers/users but removing SMBv1 in favor of more secure authentication protocols.

 

The danger as I understand it would be an attacker’s ability to impersonate devices and initiate a Man-in-the-Middle attack. With SMB Signing required for Samba and Windows hosts alike (all compatible systems), the attacker would not be able to utilize this attack vector. Unfortunately, if the network in question had any hosts utilizing NTLMv1 and Broadcast Domain Services such as MDNS, NBT-NS, or LLMNR, an attacker may still be able to capture NTLM hashes, likely resulting in the compromise of the system or network utilizing those credentials.

 

All of this aside, I opened up Wireshark when I heard about the HTTP over SMBv1 situation, and I can confirm that using Sonos S1 with Gen 1 Play 5 and 2-Gen 1 Play 1’s that HTTP and HTTP/XML is in use, and I have yet to see an SMB packet while playing music from a local library on a Windows 10 machine.

 

So my question is, since HTTP is now in use over SMB of any kind, is the conversation about using SMBv2/3 even worth having? If so, could someone please explain this to me?
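An added example, not part of any post in this thread: a small Python audit of a Samba `[global]` section for the three settings discussed above (SMB1 as minimum protocol, NTLMv1 authentication, and mandatory SMB signing). Both smb.conf snippets are constructed samples and the function names are hypothetical.

```python
# Protocol names Samba treats as the SMB1 family (NT1 is SMB1 proper).
SMB1_FAMILY = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

# Constructed sample: a share opened up for legacy players, as in the DSM steps above.
LEGACY = """
[global]
   server min protocol = NT1
   ntlm auth = ntlmv1-permitted
[music]
   path = /srv/music
   read only = yes
"""

# Constructed sample: the same server with the legacy options closed.
HARDENED = """
[global]
   server min protocol = SMB2
   ntlm auth = ntlmv2-only
   server signing = mandatory
"""

def parse_global(conf_text):
    """Return [global] parameters; Samba ignores case and spaces in names."""
    section, params = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params

def audit(conf_text):
    """List the weak settings that are present in the configuration text."""
    p = parse_global(conf_text)
    findings = []
    # "min protocol" is a synonym for "server min protocol".
    min_proto = p.get("serverminprotocol", p.get("minprotocol", ""))
    if min_proto.upper() in SMB1_FAMILY:
        findings.append("SMB1 accepted (server min protocol = %s)" % min_proto)
    if p.get("ntlmauth", "").lower() in {"ntlmv1-permitted", "yes"}:
        findings.append("NTLMv1 authentication permitted")
    if p.get("serversigning", "").lower() not in {"mandatory", "required"}:
        findings.append("SMB signing not mandatory")
    return findings

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(name, audit(conf))
```

The audit only reports what is written in the file; run it on the effective configuration (for example the output of `testparm -s`) so that included files are covered.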

Userlevel 7
Badge +22

This is a fairly new SMB topic, only a year old at this point. The SMB issue goes way back, maybe 2008, and the answer from Sonos has always been the same.

Ask, complain, whatever works for you. I chose to solve the problem with my two Pi options. Someday I may be able to switch to a Sonos solution but it hasn’t been that day for 13 years now and counting.

I’m just hoping Sonos doesn’t just drop SMB sharing and make the whole problem go away. That would be the easy path, couple edits to the source code and push an update and POOF, no more SMB complaints.

Userlevel 7
Badge +22

Well one of my speakers is the new Play One which Sonos said we needed to support Airplay and other features.  I imagine implementing Alexa is a little more memory demanding than adding an SMB2 stack.

 

Actually no, Alexa is an app that can easily run on the current Linux kernel. SMB is a system service that is tightly integrated into the current kernel. Going to v 2 or 3 requires a newer kernel, as well as porting all the Sonos patches and tweaks. Not fast or easy and you don’t find Linux kernel programmers cheap either.
