Synology SMBv1 Docker container workaround

So I've got a Synology NAS and a couple of Sonos speakers. Some day I got the stupid (!) idea to switch SMBv1 off and soon I found out that my Sonos stuff was unable to find my local music library.

Of course I agree that Sonos should move to v2 or v3, but since there is no sign they will, even after the whole S2 operation, it seems we will have to solve this ourselves.

I’ve seen the Raspberry pi solution here on the forum, but I didn’t want separate devices and I thought it should be possible to do the same with docker on the NAS itself. If you are not familiar with Docker yet: it is like running an extra machine (called “container”) on your NAS, a little bit like virtual machines, but easier and more lightweight. The container runs isolated on your NAS, it only gets the access to your NAS you grant it specifically. Docker is a standard package on Synology. It also has a nice “registry”: an app store where everyone can share their containers.

So the idea is: run a container with SMB (Samba) v1 with read-only access to the music library on the Synology NAS only.

This workaround can almost completely be done from the DSM user interface!

Unfortunately you’ll need to enter one command on the command line. This is because standard Docker networking won’t suffice. Most containers use the IP-address of the host-machine (your NAS). I assume you want to keep Samba running on your NAS to access your (other) files on Windows and only upgrade it to a higher (more secure) version. This is why standard Docker networking won’t be enough here. Your container needs it’s own IP-address. This can be done with Docker macvlan networking, but there is no way to enable that from the user interface.

How to

Step 1 – install Docker

Login to your Synology NAS web interface (DSM) – you need to be administrator

1. Open the Package Center
2. In the Search field, search for docker
3. Click Install on the Docker result

Step 2 – enable macvlan networking

As mentioned above, Docker containers usually don’t need their own IP-address, but in this case, it does. So your NAS will be connected to your network with only one cable, but it will have 2 IP-addresses. We need macvlan networking for this. With macvlan networking, Docker will supply your container with it’s own IP-address from  a designated pool of addresses, but all IP-address need to be on the same subnet!

Example IP-addresses

Your router:		192.168.0.1
Subnet:				255.255.255.0
Your Synology NAS:	192.168.0.2

Now your router will probably automatically supply computers on the network with IP-addresses (DHCP). Docker won’t listen to your router, but does this on it’s own. Therefore, you need a small range of IP-addresses that won’t be used by your router. In my case, my router manages IP-addresses from 192.168.0.1 to 192.168.0.200. So I can use anything between 192.168.0.201 to 192.168.0.254. I decided to use the end of the range: 192.168.0.240 – 192.168.0.254 which can also be described as 192.168.0.240/28. Many routers will be save using these high numbers, but please check your router settings to be sure and check the manual of necessary. Your network will become a mess if IP-addresses are used multiple times. If you can’t use 240-254, please Google subnet calculation to find another small range you could use.

To set this up in Docker, you need to login to the command line with SSH. On windows you can do this with Putty. You might need to enable SSH to do this. Settings are on the Control Panel under Terminal & SNMP.

After login just type (or copy here and paste in Putty using right mouse-click):

sudo docker network create --driver=macvlan --gateway=192.168.0.1 --subnet=192.168.0.1/24 --ip-range=192.168.0.240/28 -o parent=eth0 macvlan

And press enter. You will need to re-enter your password after this, because you are using sudo (to run administrative tasks)

After that, some random range of numbers will be shown. You’re done! Type “exit” and confirm with enter to leave.

Go back to the userinterface (DSM) en open Docker. Click on Network to confirm your macvlan network is there.

To find out more about Docker macvlan, see:

https://docs.docker.com/network/macvlan/

https://docs.docker.com/network/network-tutorial-macvlan/

https://collabnix.com/2-minutes-to-docker-macvlan-networking-a-beginners-guide/

Step 3 – download and launch Samba container

Now it’s time to download and launch your Samba container. Fortunately, several people have created Samba containers before, so you don’t have to create one yourself.

Click on Registry and type samba. First hit will be dperson/samba. This version is by far the most common. Select it by clicking on it and then hit download. A version selector will be shown, and latest is fine, so just continue. Download will start and will be ready soon, the image is pretty small.

Now go to Image. Here you will see all the images you downloaded and are waiting to be used. As long as the storage icon is changing, download is still in progress. A notification will pop up when download is ready. Select dperson/samba:latest and hit launch.

On the next screen, give your Container a nice name, like “sonos-samba” and you may want to limit resources. 512 MB should be enough.

Go to Advanced Settings and hit Enable auto-restart if you like. This will restart the container if it – for some reason – fails.

Then go the Volume and click Add Folder. Select the folder your music is stored. In general, this will be the “music” share. Make sure not to select any folder with anything private in it. So, if you store your music in your home folder, make sure not to select /homes/, but only select the subfolder containing music.

After this, in mount path, just type /music. And make sure to hit the Read-Only button. This way Docker will grant read-only access to this share. So even if your container gets compromised, it can’t hit anything on your Synology NAS.

Next go to Network. Make sure to remove Bridge (select and hit - ) and add your newly created macvlan network.

Port Settings and Links are fine, don’t touch.

Your share settings have to be added on the Environment-tab.

Although you might add the share as a public share, I prefer to use passwords anyway. Please make sure you use a generated password that you don’t use anywhere else!

Following Environment variables have to be set:

PATH 	= leave as is.
GLOBAL 	= ntlm auth = ntlmv1-permitted
# this will enable old authentication mechanism, necessary for Sonos
SMB		= disable
# This will enable SMBv1
SHARE	= music;/music;yes;yes;no;sonos;;;SonosMusic
# This is will add a share music, located at /music (location where you mounted your local music on the Volume page), read-only accessible for user sonos with description SonosMusic.
USER	= sonos;verysecretgeneratedpassword12345

If you think you may need more settings, or want to understand these, please check the webpage of this container: https://hub.docker.com/r/dperson/samba

Click Apply.

Click Next

Click Apply.

Your container will now start!

After a few seconds you will be able to go to \\192.168.0.240\ (or any other IP-address you’ve set) in the windows explorer. You will need to enter sonos as username and your verysecretgeneratedpassword12345 as password and then you will see your music share and will be able to browse through your music collection.

If this works, go to your Sonos settings and add \\192.168.0.240\music as music library. If it connects properly, it will first start indexing. It’s a sign it is working and you can now safely remove the existing share pointing directly to your Synology NAS.

Don’t forget to turn SMBv1 off on your Synology! You can find it in the Control Panel under File Services. Click Advanced under SMB and change Minimum SMB protocol tot SMB2 or higher.