
Support for SMB v2 or v3




110 replies

Userlevel 1
So to revive an old thread. I run an entirely Mac/FreeBSD/Unix network at my house. I have been allowing SMB v1 regretfully for a while now, even before the WannaCry virus became known to the masses. I recently shut it off on the last remaining device I have on my network (my NAS). I am left with two options... Wait for Sonos to fix the problem, or hack my Sonos if possible. The other option is to replace the Sonos with a small form factor Linux box and run CMUS with some of the remote applications for it. They won't be as polished as the Sonos app on my phone, but I can be sure the file share over SSHFS is going to be a hell of a lot more secure than SMB v1.

So SONOS. I have been a customer since the ZP90. I have told many people how easy to use your system is. How it has Apple-like 'it just works' qualities. But until you decide to patch such a gaping security hole as SMB v1, I can't continue to use or recommend your products.
Userlevel 1
Badge +1
I got bit by this today, in an effort to improve security on my Synology NAS, I set SMB V2 as the minimum level. Everything was hunky dory except all of a sudden music library on the Sonos doesn't work. Foolish me, thinking my "premium" audio solution would support SMB levels from this millennium!

Yeah, it's ridiculous...
Userlevel 6
Badge +5
It will be interesting to see when this item (that is allegedly on a to-do list per the Sonos CEO) will be fixed. I'm not holding my breath given that there is little future monetary income potential from doing so (bug fixes are rarely profitable). Streaming and voice integration are squarely the center of attention at Sonos right now.

Interesting to hear that the SMB 3.11 stack is smaller than the SMB1v1 stack. Does that go for Flash and RAM? I imagine that the RAM in the players is a limiting factor besides the 'mini-computer' CPU (not my description).
Userlevel 7
Badge +22
That link isn't a list of distributions, rather it is a list of links to the kernel versions, programs and libraries used by Sonos. The Attributions file gives some info but you'd have to dig into the actual sonos-kernel.tgz file to see which bits from where are used. Switching your Linux kernel is not a trivial operation and doing it on an embedded system is even more difficult.

There was a huge size increase in the core OS going from Linux v2.0 to Linux v2.6, if I recall correctly, which is why so many embedded devices never even attempted the change. The change from v2.6 to v3 was more cosmetic because they thought the 2.XX number was getting too big.

https://www.phoronix.com/scan.php?page=news_item&px=MTAxNDg

Version 2.4 I don't recall, Version 2.6 LTS (Long Term Support) looks to have ended active maintenance in 2016 sometime. Version 3.2 LTS likely ends in May of 18.

Many system maintainers continue to use the Linux kernel version that was originally released with their device and backport any needed operational or security fixes to that which makes their internal release numbers very different from the kernel's version numbers.

Any size increase in any area of the firmware in a Sonos device means there is less space available for something else. If features are added that fit in newer devices but don't fit in older ones we are faced with the CR-100 situation again. Older devices will soon be missing features and incur additional costs to maintain, edging closer to the "No longer supported" status that ended the life of the CR-100s.
Userlevel 7
Badge +22
Supposition, based on looking at the Linux version that Sonos is using versus the version that works with the newer SMB releases. I'm retired now and a bit rusty at that kind of thing so no guarantee on my guess.

You can do the same research, all the source code is available from Sonos for their Linux version and the newer Linux kernels and SMB stuff are on-line about anywhere.

If it was a simple thing Sonos would have had their Linux kernel maintainer do a bit of copy/paste and had SMB v3 working years ago.

If Sonos is truly evil and nasty, just jerking us around for their amusement despite it hurting their sales numbers then my (researched) guess is wrong.
Userlevel 7
Badge +26
Hi everyone, starting with today's update, Sonos 8.6, Windows computers will be able to set up shares to their local libraries to Sonos without using SMB file sharing. We aren't removing support for SMB at this time, and you will continue to need to use it for NAS drives, but Mac computer and Windows computers now both have the ability to share using our implementation of HTTP file sharing using the Sonos app. For more details, see the post here.
Userlevel 5
Badge +1
For those of us not using Windows to share our libraries, can we expect an update to HTTP or SMB 2/3 or are we locked in at smb1?
Mac computer and Windows computers now both have the ability to share using our implementation of HTTP file sharing using the Sonos app.

I consider this a weird hack to “solve” the issue of Win 10 dropping OOTB support for SMBv1 (for good reason!). We have asked for an alternative to SMBv1 for *years*, and now, only one month after the latest Win 10 version, you deliver a half-baked “solution”. Still, this is a weird hack, implementing a web server inside a client application to allow external (speaker) access to local files. Let us see how long it takes until someone finds a security issue inside the Sonos “client”, as I guess Sonos’ development strengths do not necessarily include secure HTTP servers. And what happens next, will the application become a fully functional email client (ref: http://www.catb.org/jargon/html/Z/Zawinskis-Law.html)?

Besides all the fuss: what is so difficult in implementing an SMBv2 or v3 client in Sonos speakers? I guess we all would accept any reasonable answer much more than just no communication and weird hacks/incomplete workarounds.

Jonas
Userlevel 1
Like so many others before me, I find myself on these forum threads after having just purchased my first Sonos product and finding out it doesn't support any modern file sharing mechanisms.

Hi everyone, starting with today's update, Sonos 8.6, Windows computers will be able to set up shares to their local libraries to Sonos without using SMB file sharing.

For those of us who can't or don't want to use the Sonos app on the media server, is there any hope of seeing support for a standard like WebDAV, rather than the proprietary Sonos HTTP protocol? I don't even need TLS (in case certificate management is considered a showstopper), since my media is streamed over its own, isolated wired network.

If WebDAV is not on the horizon, as there have been no updates here for the past few months, may I again ask if SMBv2 or SMBv3 are going to be available any time soon?
Userlevel 7
Badge +22
I think you'll have time to plant a redwood tree, watch it grow, harvest and dry the lumber and build yourself a new deck for your Sonos to sit on before we hear even an announcement. :-)

Just get a Raspberry Pi and set it up to serve your music and be done with it. Maybe by the time the Pi goes out of support Sonos will have news.
Userlevel 1
Badge
I sent a note to Sonos about this on Twitter last night. They responded quickly and directly, but didn't offer any solutions. Apparently we're supposed to enable SMBv1 on Raspberry Pi's and put our home network security at risk? This isn't a solution; it's a hack, and a terrible one. Here's the thread I opened with them: https://twitter.com/SonosSupport/status/1079231302438711296

I don't use a Windows system as a 24x7 server to share content. That's what my low-power, Linux-powered Raspberry Pi devices are for.

When will Sonos get this multi-year issue fixed? This isn't optional. Your customers' security should be priority #1.
My vote on SMBv3 support: +1
Userlevel 7
Badge +22
As far as I'm aware there have been very few if no reports of domestic infection from the WannaCry ransomware.

So, I don't want to cry (wolf).
Yeah, I figured you'd say that. Doesn't change the fact your narrative is nonsense when confronted with the fact they acknowledged the problem and stated they are looking into options. That response alone is more indicative of their intentions than 99% of every other response, which usually says "we will pass this on to the engineers."

And as an engineer, cheerleading may not help, but obsessed posters who exaggerate the threat and constantly harp on one thing are a definite negative, resulting in placating rather than taking action, and are the very reason the phrase "fire the customer" was invented.
Sigh.
Userlevel 3
Badge
Same here - was going to buy some Play1's for surround sound under the recent offer but my main use-case is SMB access to a Windows 2012 server that (for obvious reasons) now has SMB v1 disabled. I've got just over 1.1 TB of FLAC files on there that the Sonos can no longer access. Every CD / Vinyl I buy goes straight onto there (the latter using an M-Audio FireWire device and Audacity software)
Userlevel 7
Badge +21
For my education, could you outline the specific risks I'm facing in allowing my Sonos equipment to continue to utilise SMB v1 while connecting to the NAS on my Apple Time Capsule? In what way are my speakers 'totally insecure'? Or does the insecurity apply only to Microsoft's products? Thanks.

Your speakers aren't insecure themselves. But if you connect your Sonos system to a music library stored on your computer or a Network Attached Storage (NAS) device, the connection to that music library is using a version of SMB that is full of vulnerabilities and attacks, and that Microsoft itself has recommended everyone stop using because of the vulnerabilities that exist in it. So Sonos is requiring that you run other devices in an insecure manner in order to use that functionality of Sonos.

But if you do all of your music listening through streaming sources and don't have your own local music library, then there's nothing for you to worry about, as far as Sonos is concerned.
Userlevel 7
Badge +21
Actually, Microsoft has acknowledged at least one denial-of-service vulnerability in SMBv1 that it is not patching in Windows.

http://securityaffairs.co/wordpress/61530/hacking/smbloris-smbv1-flaw.html

Now, some might say that's not a security issue, since it's not gaining control of an account or accessing data or elevating privileges, but it's still a vulnerability and it's still unpatched.

And yes, I'm aware that Sonos has stated that they see streaming as the future, regardless of how many of us have thousands of songs in digital music libraries stored on computers or NAS devices. I also realize that they may not put as high of a priority on fixing the issue as a result. But that doesn't lessen its importance, or the desire of some to continue pushing for this to be fixed/changed until it is done.
Userlevel 7
Badge +22
If you are worried about your NAS data just add a different NAS device that can be running the v1 SMB to keep Sonos happy. I used a Raspberry Pi and old disk drive and got it working for under $50. No need to worry if all that is there are copies of your music files.
Userlevel 6
Badge +5
I agree with stanley, treat your music server for the Sonos as a disposable device. I use an AirPort Extreme base station (AEBS) with a 2TB 2.5" drive to host the data and it works fine. Every time I update my iTunes library, I use Carbon Copy Cloner to synchronize the Sonos source drive with my NAS. Doesn't take too long. It's my canary in the coalmine and if the data is lost, so what, it's just a copy.

With the above, I don't put *all* the data on my NAS at risk just to accommodate an outdated network stack by the only product that still needs it in my home. AFAIK, no NAS allows selective SMB authentication requirements on a per-share basis. Thus, as file sharing protocols go, the server security is only as good as the dumbest/most outdated file sharing protocol you allow it to use.
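The "disposable music server" setup described in the two posts above, sketched as a Samba configuration. This is an added example, not something posted by the thread's participants or published by Sonos; the share name, path, account name and IP addresses are placeholders, and it assumes the throwaway box runs Samba.

```ini
# Constructed smb.conf for a throwaway, music-only file server
# (for example a Raspberry Pi holding a COPY of the library).
# All names, paths and addresses below are assumed placeholders.

[global]
   server role = standalone server

   # SMB1 is accepted on this box only, because the players speak
   # nothing newer. Recent Samba releases default to SMB2 as the
   # minimum, so NT1 has to be enabled explicitly.
   server min protocol = NT1

   # Deny everything, then allow only the players' reserved addresses.
   # Where the two lists conflict, the allow list wins.
   hosts deny = ALL
   hosts allow = 192.168.1.21 192.168.1.22

   # No anonymous fallback, no printer services.
   map to guest = Never
   load printers = no
   disable spoolss = yes

[music]
   # Holds copies only; the master library stays on the main NAS.
   path = /srv/music-copy
   read only = yes
   guest ok = no
   # Dedicated account used by nothing else on the network.
   valid users = sonosread
   browseable = yes

# On the main NAS (if it is Samba-based) the minimum stays at SMB2 or
# higher, so the SMB1 exposure is confined to the box above:
#   server min protocol = SMB2
```

Pushing the copy from the main NAS to this box, rather than letting this box pull it, keeps credentials for the main NAS off the SMB1 host.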
Userlevel 5
Badge +12
I agree with stanley, treat your music server for the Sonos as a disposable device. I use an AirPort Extreme base station (AEBS) with a 2TB 2.5" drive to host the data and it works fine. Every time I update my iTunes library, I use Carbon Copy Cloner to synchronize the Sonos source drive with my NAS. Doesn't take too long. It's my canary in the coalmine and if the data is lost, so what, it's just a copy.

With the above, I don't put *all* the data on my NAS at risk just to accommodate an outdated network stack by the only product that still needs it in my home. AFAIK, no NAS allows selective SMB authentication requirements on a per-share basis. Thus, as file sharing protocols go, the server security is only as good as the dumbest/most outdated file sharing protocol you allow it to use.


Unfortunately not a minimal configuration at all...
Sonos devices are considered minimalistic and aesthetically beautiful.
Userlevel 7
Badge +22
A Raspberry Pi can be quite minimal and attractive if you buy a nice looking $10 or so case, and it doesn't need more than USB power, Ethernet and your data drive attached to it. You could possibly use a BIG SD card for your music and the operating system but that isn't the best long term solution. Easy to tuck a Pi behind your router or somewhere similar, out of sight and mind. All updates and administration (very rarely needed) can be done via the Ethernet and VNC.

https://www.adafruit.com/product/2604
Userlevel 2
Badge
A Raspberry Pi can be quite minimal and attractive if you buy a nice looking $10 or so case, and it doesn't need more than USB power, Ethernet and your data drive attached to it. You could possibly use a BIG SD card for your music and the operating system but that isn't the best long term solution. Easy to tuck a Pi behind your router or somewhere similar, out of sight and mind. All updates and administration (very rarely needed) can be done via the Ethernet and VNC.

https://www.adafruit.com/product/2604



But the point is CONSUMER SALES will keep it alive, it's not good enough for tech geeks to love Sonos any more, competition is here and aiming at people who want to plug it in and use it.

I find it hard to believe this is still an issue... just like to wish SMB 3 a happy 15th birthday, and SMB 2 is now old enough to vote in most countries! Even version 4 would be of school age now...

This isn't a feature request, it's not even a keep up with the technology request, it's just a desire to keep it real and keep Sonos competitive. Mesh is now common, many competitors are snapping at the heels of Sonos, and the next couple of years will have competition like never before.

Isn't it about time 18-year-old technology was implemented as standard!

:?
Agreed, it's indeed a software stack. But what if that software stack, with an inclusion/replacement of SMB V2 or 3 no longer fits in the memory available on the devices mentioned? There is, to my meager knowledge, a limit to the amount of memory available on the older devices. That leads me to the conclusion that the "stack" might not fit any longer, if they were to add an update to that library.

I don't know that for sure, and I'm not a programmer, nor have I looked in to exactly what the usage is currently, or the cost to update. My only point of reference is prior work in maintaining software in gaming, and an assumption that Sonos is actively trying to solve the problem. It's entirely possible that I'm way off base. But I do feel comfortable in saying that Sonos isn't ignoring the problem. It would be an odd stance for a software driven company to take.
Userlevel 7
Badge +22
Since I can't do anything about it I'm not spending hours looking into the guts of the issue but if one wanted to do that...

Remember it is a "stack" and you can't just update one component of that stack in many cases. What kernel is Sonos running, does that kernel support the latest SMB code? What fiddling has Sonos done to the various bits of code involved and how does that port to the newer releases that are needed to update the SMB.

I used to do a bit of embedded systems work before I retired and I can tell you that we missed a lot of release milestones over interactions and dependencies in the code we were upgrading, before we even got to glitches in the hardware support it offered. I've never had the lid off any of my gear to look but is there even hardware dubbing support available in the standard units sold or is that something they reserve for in-house test hardware?

I'll stick with my "too many worms for the can - it is a hard problem" theory over greed, stupidity or just evil.