SMB2 (or SMB3) support must be supported NOW!

Hi All,

I hope someone on here can help advise me.

I have read through the majority of this discussion and am considering various options between:

1. (preferred option) Buying yet another NAS (I just bought 2 DS220j’s recently in addition to a DS213j I already had so originally intending 2 NAS drives I’d be ending up with 4!!) - a cheap one which I would use locally not connected to the internet and just for Sonos
2. Deciding I am probably safe to continue linking my (very) old Sonos setup (think Zoneplayer 100) to my new Synology NAS running DSM 7 and choosing to ignore the warnings and use SMB1 &  NTLMv1 to keep my Sonos system working despite having a much better NAS solution which warns me otherwise not to mention the warnings on this forum - on the basis that an attack would need to guess my passwords and they are very secure (with admin account disabled on my NAS for example)
3. Adopting Stan’s pi solution (though I do have some questions about that and it does look a little involved)
4. Using Plex which I can install on my NAS server and accessing my music library via Plex (though not really sure I like the idea of the extra unnecessary layer and change in interface and potentially useability - e.g. does Plex import Apple Music playlists and present them via the Sonos controller in the same way?)

For context I’ve used Sonos for years and always with a NAS so that I can connect to it quickly without the need for computers to be running. 

So I am favouring option 1.

I now have 3 NAS devices in different locations synchronising to each other via the internet (Quickconnect) on a semi-regular basis. As my music library is important to me I’d like to keep a copy backed up on these devices but would have it on a new 4th NAS connected to my local network.

With this setup I would then need to synchronise this new NAS (I’m thinking something like a cheap old Buffalo Linkstation) with my new DS220j NAS at home which is in turn synchronising across the internet with the other two. 

My question is this: if my 3 Synology NAS drives are secure running only SMB 2 & 3, NTLM disabled but one of them is connecting to the new local NAS running SMB1 to synchronise & backup my music library, could that be offering up any vulnerability as because the devices are connected? I’m pretty sure it would be completely safe as the internet connected NAS’s would be secure and only have one dedicated connection to the new NAS for synchronisation purposes (which should be safe assuming a locally setup connection (even with SMB1) for that specific purpose) - but you can never be too sure and though I know a fair bit about IT I’m not an expert at the network level so couldn’t say for sure that this would be a safe setup.

Both the Sonos connection and the sync between New NAS & DS220j would have distinct, secure and dedicated usernames & passwords.

It seems to be the best solution to continue using Sonos given I can probably pick up a smallish single bay old NAS drive for very little these days (and maybe even less given the known SMB1 issue quickly making some of these older devices pretty redundant except for very specific purposes like this).

I hope that makes sense, could someone advise?

hi @Alan_77 despite all the hype about SMBv1, I have stayed with Sonos and even expanded the number of speakers - I deploy several Synology NAS in different locations (read: premises/countries) of which two are synchronised using Synology Drive Share sync. The synchronisation between the Synology NAS is using a tunnel (created with the Quickconnect ) and has in my view no impact on the SMB issue which is related to your local file services protocols. Anyway, while the SMBv2 issues seem to being fixed, I am not using Sonos libraries because of the poor features with regards to playlists and manage my tracks with Apple Music and AirPlay streaming. Nevertheless, Sonos and Synology are, in my humble opinion, good products which I continue to use.

In your situation I really like the SMB v1 Gateway solution, on a Pi or any other SMB v1 supporting system that does not contain important data.

There are several steps to get it working but you do that once, make a backup SD card and never have to do it again. In my case, since the gateway is not visible outside my local network I just set it up and let it run. I feel no need to do OS updates or anything else after the initial setup.

Before rebooting it in an attempt to get the album art working again my Sonos/Pi had been running about 150 days with me never logging in to do anything.

The new-NAS puts you in the same situation as the SMB v1 NAS for Sonos which is what I’m running here. Less user setup, more money and you need to remember to not let any connected system put important data on it.

You do not need to use SMB v1 for any connection but to your Sonos so you could connect your NAS devices together using SMB 2/3 to copy/paste music data between. That wouldn’t be a great solution, a NAS based tool like rsync would be much preferred.

How the SMBv1 vulnerabilities leak between machines is beyond my skill-set, I don’t do Windows or Mac so I rarely use it. I do know with the gateway setup and a read-only NFS link from your other NAS there is no issue.

If looking at an older NAS that is going to connect outside your LAN (many need to do so) beware the end of life issue. My MyBook Live went out of support a year after I got it and I felt it was unsafe to have running. I did block it at the firewall and as it was IPv4 only that was simple, a newer IPv6 capable device can be much more difficult to block.

Hi @el rubio, thanks for that, it seems like we have very similar setups actually & I am broadly of the same opinion (so it seems like you are actually option 2 on my list - deciding it isn’t an issue), though if I am to understand you correctly you mean you don’t use a local library at all but stream all of your music from the (Apple) cloud?

I don’t use Sonos playlists instead using my Apple Music library and Imported playlists so also manage my music library in Music (i.e. was iTunes) then just listen to my library via Sonos.

Interesting point about tunnelling - sounds secure anyway. I am not so concerned about the sync task itself but more about having a connected device (Synology NAS) with SMB1 & NTLMv1 enabled at all. Then further to that even if I disable them from the connected NAS units whether then connecting one of these to another NAS with SMB1 could pose any security issue at all. 

Just to be clear - do you have your Synology NAS devices using SMB1 & do you connect your Sonos system or any part of it to any of your Synology NAS devices using the SMB1 protocol?

hi @Alan_77 I am using in one location a Mac mini with the Apple Music library stored on its local SSD and shared with the Sonos system. The files on the Mac are synchronised with the Synology NAS using the Synology Drive Client for backup reasons. I am not using the Apple Music cloud service. 

Hi @Stanley_4 thanks, the new NAS would only be used to store my local Music library in fact more specifically only the music library Sonos uses (as I have more than one library). 

I was very tempted with your gateway solution and even think I have an old raspberry pi lying around somewhere I never really did anything with. I’m also pretty familiar with Unix (Linux) so would be able to work out what I need to do along with your very helpful instructions (thanks for posting these by the way) so if I find the pi I might have a play with that idea anyway.

In the meantime I have actually found an old 500Gb Linkstation NAS on ebay for £40 so that will do the trick and I’ve just this moment bought it convinced between my own thoughts, @el rubio ‘s response and yours. I also don’t know for 100% certain that it’s completely secure but I know it’s a lot safer than having to enable SMB1 & NTLMv1 on my main NAS server with all my other data on it. In addition having a NAS just dedicated for Sonos I can always cut any connection to the other NAS units if necessary, or maybe one day if I find that raspberry pi and I’m still not convinced that there is no vulnerability at all, I could have some fun creating some kind of hybrid solution with the disk from the NAS and the pi.

(anyone listening) am I right in thinking that the only way the SMB1 or NTLMv1 weaknesses can be exploited is if the offending party or software has a valid login to the server with the password (and this would have to be in the list of local users or internal system users on the device) so if I have a few trusted users and my passwords are all very strong (and I’m careful about what I install and the access given to programs) then the SMB issue isn’t really much of an issue at all?

Hi @el rubio ah I see, I understand.

Well I guess that would work quite well but in my case I always preferred historically to not need to have a computer left switched on. That being said I do also have an old Mac mini which I no longer use that I could have used just for that purpose now you mention it. Probably consumes quite a bit more electricity than a NAS though but given the Sonos limitations we’re discussing here not a bad solution. I bought the Linkstation NAS now though.

A man can never have too many NAS drives.

hi @Alan_77 you may find many opinions on this forum about the vulnerability - in my humble opinion, the first ‘perimeter’ to hack is your router firewall or your wifi network, next is indeed getting onto the NAS - strong passwords use and setting read-only access is one of the ways to mitigate the risks

Correct.  Although the sturm and drang over this issue is huge, there’s not been one documented case of malicious hacking of a Sonos library due to SMB1 weaknesses.  

@jgatie well I was more worried about other data/software sitting on the same server being hacked/corrupted than Sonos data but yes I take your point, there does seem a rather disproportionate amount of sturm and drang

@el rubio yep, you’re right of course. I didn’t mention I only noticed it because I bought a new NAS unit therefore moving from DSM 6.2 to DSM 7 which triggered Sonos failure as it by default switches off SMB1. Until then I have been using SMB1 on DSM 6.2 (Synology DS213j) for years with not a care in the world. It’s a sturn in a tea cup. Still, I have to confess to being a bit of a geek and once i hear about a problem, however overblown I do like to find a good solution.

for that matter, UPnP cannot be disabled on Sonos and is also considered as a vulnerability although nobody makes a hype about that - with regards to documentation, I found this (old) paper on the Internet

Absolutely.  I had a long conversation with someone using the SMB1 “attack vector” as a basis for his wish to have passwords in the app to keep his kids from turning the music up in other rooms.  I tried to explain that anyone hacking his system needed to only send raw UPnP calls to Sonos to do almost anything they wish, and no password at the app level was going to stop them.  

Hello everyone, thanks to the introduction of our S2 platform, we've now added support for SMBv3. Sonos S2 devices will use the highest version of SMB supported by your NAS device. To access this update, you may need to manually change the configuration of your NAS device.

For a Synology NAS you may use these settings. 

Great news Sotiris - I’ve  been struggling to get my library to work with Sonos since SMB1 became deprecated by pretty much everyone apart from Sonos.  Album artwork is a bit laggy. 
(I tried Plex - which was flaky for CD quality FLAC files)

Thank you! 
I can confirm my Netgear ReadyNAS + QNAP is now set & working on SMB3 (as a minimum)

But the OP said that they were using old kit “Deciding I am probably safe to continue linking my (very) old Sonos setup (think Zoneplayer 100) “, so surely  this can’t run S2 software.

hello,

Installed yesterday my first DSM 7.0 and Synology has the solution for it (installed in German - i hope translation is correct):

1. Control panel
2. File Services (second point)
3. Extended settings - activate SMB1 as minimum SMB protocol
4. Other tab → Activate NTLMv1 Authentication

Sonos works with all S1 components! 

Some hint, if somebody has problems with storage on Sonos devices:

1. make path as short as possible
2. we use .flac files - every title is named with 01.flac … 09.flac
3. Servername as short as possible: M1
4. share as short as possible: we use “c”
5. full path: //M1/c/artist-album/01.flac

Regards from Austria and have a happy new year!

If I don’t recall it wrongly, Samba 4.17 will remove support for SMBv1, those using a rolling type of distribution like Gentoo, Arch, Artix, Manjaro , you will need to uninstall samba, download the latest 4.16 version, compile it and install it manually and from time to time redo this when dependencies has been update to new versions, til a day when it will not compile anymore.

From the Samba 4.17 release notes:

https://github.com/samba-team/samba/blob/master/WHATSNEW.txt

NEW FEATURES/CHANGES
====================

Configure without the SMB1 Server
---------------------------------

It is now possible to configure Samba without support for
the SMB1 protocol in smbd. This can be selected at configure
time with either of the options:

--with-smb1-server
--without-smb1-server

By default (without either of these options set) Samba
is configured to include SMB1 support (i.e. --with-smb1-server
is the default). When Samba is configured without SMB1 support,
none of the SMB1 code is included inside smbd except the minimal
stub code needed to allow a client to connect as SMB1 and immediately
negotiate the selected protocol into SMB2 (as a Windows server also
allows).

None of the SMB1-only smb.conf parameters are removed when
configured without SMB1, but these parameters are ignored by
the smbd server. This allows deployment without having to change
an existing smb.conf file.

This option allows sites, OEMs and integrators to configure Samba
to remove the old and insecure SMB1 protocol from their products.

Note that the Samba client libraries still support SMB1 connections
even when Samba is configured as --without-smb1-server. This is
to ensure maximum compatibility with environments containing old
SMB1 servers.

Hello 

Sorry I need help, i changed my NAS412 to NAS920 Synology. New NAS ist SW Version 7. Now the NAS cannot be connected to the sonos. I already read the different hints. SMB1 Protokoll or activate LTNMv1. I tried all, but i cannot connect. Access is not granted please check user and PW. in German Zugriff auf Freigabe … Verweiger prüfe Benutzer und/oder Kennwort. I am sure the User and PW is correct. -  the following string i tried \\192.168.1.201\music als with the Servername \\NAS920\music 

Can someone help, i want to integrate my music folder again. Thx.

Klicken Sie in der Systemsteuerung Ihres Synology NAS auf Benutzer & Gruppe. Wählen Sie den Benutzer aus, der Zugriff auf Ihre Musik benötigt, und klicken Sie auf die Schaltfläche Bearbeiten. Klicken Sie auf die Registerkarte Berechtigungen.
Sie sehen eine Liste mit Ordnern und den Berechtigungen, die Ihr Benutzer hat. Hat Ihr Benutzer Lesezugriff auf Ihren Musikordner?

In the Control Panel in your Synology NAS, click on User & Group. Select the user which needs access to your music and click the Edit button. Click on the Permissions tab.
You will see a list of folders and the permissions your user has. Does your user have read access to your music folder?

I’ll just add my 2 cents, and say “me too” - I also have an extensive NAS-based media collection which I’d like to be able to play with my Sonos gear (without resorting to SMB1).

I can serve it all up via Plex, but I’d also much prefer a (simple) http solution - it’s a pretty trivial amount of code for Sonos to write, they already have lots of HTTP handling in their code, so have all the libraries in place. They now just need the will to do it.

Requiring SMB1 as a pre-requisite to play local music ought to be illegal. It’s at the very least amateur-hour hobby-kit level of operation - not something a premium brand should be anywhere near.