Synology SMBv1 Docker container workaround

  • 18 October 2020
  • 73 replies
  • 9253 views


So I've got a Synology NAS and a couple of Sonos speakers. Some day I got the stupid (!) idea to switch SMBv1 off and soon I found out that my Sonos stuff was unable to find my local music library.

 

Of course I agree that Sonos should move to v2 or v3, but since there is no sign they will, even after the whole S2 operation, it seems we will have to solve this ourselves.

 

I’ve seen the Raspberry pi solution here on the forum, but I didn’t want separate devices and I thought it should be possible to do the same with docker on the NAS itself. If you are not familiar with Docker yet: it is like running an extra machine (called “container”) on your NAS, a little bit like virtual machines, but easier and more lightweight. The container runs isolated on your NAS, it only gets the access to your NAS you grant it specifically. Docker is a standard package on Synology. It also has a nice “registry”: an app store where everyone can share their containers.

 

So the idea is: run a container with SMB (Samba) v1 with read-only access to the music library on the Synology NAS only.

 

This workaround can almost completely be done from the DSM user interface!

 

Unfortunately you’ll need to enter one command on the command line. This is because standard Docker networking won’t suffice. Most containers use the IP-address of the host-machine (your NAS). I assume you want to keep Samba running on your NAS to access your (other) files on Windows and only upgrade it to a higher (more secure) version. This is why standard Docker networking won’t be enough here. Your container needs its own IP-address. This can be done with Docker macvlan networking, but there is no way to enable that from the user interface.

 

How to

 

Step 1 – install Docker

Login to your Synology NAS web interface (DSM) – you need to be administrator

  1. Open the Package Center
  2. In the Search field, search for docker
  3. Click Install on the Docker result

 

Step 2 – enable macvlan networking

As mentioned above, Docker containers usually don’t need their own IP-address, but in this case, it does. So your NAS will be connected to your network with only one cable, but it will have 2 IP-addresses. We need macvlan networking for this. With macvlan networking, Docker will supply your container with its own IP-address from a designated pool of addresses, but all IP-addresses need to be on the same subnet!

Example IP-addresses

Your router: 192.168.0.1
Subnet: 255.255.255.0
Your Synology NAS: 192.168.0.2

 

Now your router will probably automatically supply computers on the network with IP-addresses (DHCP). Docker won’t listen to your router, but does this on its own. Therefore, you need a small range of IP-addresses that won’t be used by your router. In my case, my router manages IP-addresses from 192.168.0.1 to 192.168.0.200. So I can use anything between 192.168.0.201 to 192.168.0.254. I decided to use the end of the range: 192.168.0.240 – 192.168.0.254 which can also be described as 192.168.0.240/28. Many routers will be safe using these high numbers, but please check your router settings to be sure and check the manual if necessary. Your network will become a mess if IP-addresses are used multiple times. If you can’t use 240-254, please Google subnet calculation to find another small range you could use.

 

To set this up in Docker, you need to login to the command line with SSH. On Windows you can do this with Putty. You might need to enable SSH to do this. Settings are on the Control Panel under Terminal & SNMP.

After login just type (or copy here and paste in Putty using right mouse-click):

 

sudo docker network create --driver=macvlan --gateway=192.168.0.1 --subnet=192.168.0.0/24 --ip-range=192.168.0.240/28 -o parent=eth0 macvlan

 

And press enter. You will need to re-enter your password after this, because you are using sudo (to run administrative tasks)

 

After that, some random range of numbers will be shown. You’re done! Type “exit” and confirm with enter to leave.

 

Go back to the user interface (DSM) and open Docker. Click on Network to confirm your macvlan network is there.

 

To find out more about Docker macvlan, see:

https://docs.docker.com/network/macvlan/

https://docs.docker.com/network/network-tutorial-macvlan/

https://collabnix.com/2-minutes-to-docker-macvlan-networking-a-beginners-guide/

 

Step 3 – download and launch Samba container

Now it’s time to download and launch your Samba container. Fortunately, several people have created Samba containers before, so you don’t have to create one yourself.

 

Click on Registry and type samba. First hit will be dperson/samba. This version is by far the most common. Select it by clicking on it and then hit download. A version selector will be shown, and latest is fine, so just continue. Download will start and will be ready soon, the image is pretty small.

 

Now go to Image. Here you will see all the images you downloaded and are waiting to be used. As long as the storage icon is changing, download is still in progress. A notification will pop up when download is ready. Select dperson/samba:latest and hit launch.

 

On the next screen, give your Container a nice name, like “sonos-samba” and you may want to limit resources. 512 MB should be enough.

 

Go to Advanced Settings and hit Enable auto-restart if you like. This will restart the container if it – for some reason – fails.

 

Then go to Volume and click Add Folder. Select the folder where your music is stored. In general, this will be the “music” share. Make sure not to select any folder with anything private in it. So, if you store your music in your home folder, make sure not to select /homes/, but only select the subfolder containing music.

 

After this, in mount path, just type /music. And make sure to hit the Read-Only button. This way Docker will grant read-only access to this share. So even if your container gets compromised, it can’t hit anything on your Synology NAS.

 

Next go to Network. Make sure to remove Bridge (select and hit - ) and add your newly created macvlan network.

 

Port Settings and Links are fine, don’t touch.

 

Your share settings have to be added on the Environment-tab.

Although you might add the share as a public share, I prefer to use passwords anyway. Please make sure you use a generated password that you don’t use anywhere else!

 

Following Environment variables have to be set:

PATH = leave as is.
GLOBAL = ntlm auth = ntlmv1-permitted
# this will enable old authentication mechanism, necessary for Sonos
SMB = disable
# This will enable SMBv1
SHARE = music;/music;yes;yes;no;sonos;;;SonosMusic
# This will add a share music, located at /music (location where you mounted your local music on the Volume page), read-only accessible for user sonos with description SonosMusic.
USER = sonos;verysecretgeneratedpassword12345

If you think you may need more settings, or want to understand these, please check the webpage of this container: https://hub.docker.com/r/dperson/samba

Click Apply.

Click Next

Click Apply.

Your container will now start!

 

After a few seconds you will be able to go to \\192.168.0.240\ (or any other IP-address you’ve set) in the Windows Explorer. You will need to enter sonos as username and your verysecretgeneratedpassword12345 as password and then you will see your music share and will be able to browse through your music collection.

 

If this works, go to your Sonos settings and add \\192.168.0.240\music as music library. If it connects properly, it will first start indexing. It’s a sign it is working and you can now safely remove the existing share pointing directly to your Synology NAS.

 

Don’t forget to turn SMBv1 off on your Synology! You can find it in the Control Panel under File Services. Click Advanced under SMB and change Minimum SMB protocol to SMB2 or higher.
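
The address planning in Step 2 can be checked with Python's standard ipaddress module before running docker network create. This is an added example, not part of the original post; check_macvlan_range is a hypothetical helper, and the addresses in the sample call are the post's own example values.

```python
"""Added example: check a proposed Docker macvlan --ip-range against the LAN layout."""
import ipaddress


def check_macvlan_range(subnet, ip_range, gateway, dhcp_first, dhcp_last, static_hosts=()):
    """Return (usable, problems) for a proposed macvlan ip-range.

    usable   -- addresses in ip_range that no router pool or static host claims
    problems -- reasons the range should not be used exactly as typed
    """
    net = ipaddress.ip_network(subnet, strict=False)   # tolerate host bits in the subnet
    rng = ipaddress.ip_network(ip_range, strict=False)
    problems = []

    # A CIDR block typed with host bits set silently denotes the enclosing block.
    if ipaddress.ip_interface(ip_range).ip != rng.network_address:
        problems.append(f"{ip_range} is not on a block boundary; it denotes {rng}")
    if not rng.subnet_of(net):
        problems.append(f"{rng} is not inside {net}")
        return [], problems

    pool_lo = ipaddress.ip_address(dhcp_first)
    pool_hi = ipaddress.ip_address(dhcp_last)
    reserved = {ipaddress.ip_address(h) for h in (gateway, *static_hosts)}

    usable, in_pool, in_reserved = [], [], []
    for addr in rng:  # iterates every address of the block, first and last included
        if addr in (net.network_address, net.broadcast_address):
            continue  # never assignable to a host
        if addr in reserved:
            in_reserved.append(str(addr))
        elif pool_lo <= addr <= pool_hi:
            in_pool.append(str(addr))
        else:
            usable.append(str(addr))

    if in_pool:
        problems.append(f"overlaps the DHCP pool: {in_pool[0]} to {in_pool[-1]}")
    if in_reserved:
        problems.append(f"contains statically assigned hosts: {', '.join(in_reserved)}")
    return usable, problems


if __name__ == "__main__":
    # Values from the post: router .1, NAS .2, DHCP pool .1 to .200, range .240/28.
    usable, problems = check_macvlan_range(
        subnet="192.168.0.0/24", ip_range="192.168.0.240/28", gateway="192.168.0.1",
        dhcp_first="192.168.0.1", dhcp_last="192.168.0.200", static_hosts=["192.168.0.2"])
    print(f"{len(usable)} usable addresses: {usable[0]} to {usable[-1]}")
    for p in problems:
        print("PROBLEM:", p)
```

The /28 block spans .240 to .255; the helper drops .255 because it is the broadcast address of the /24, which leaves the .240 to .254 range the post describes.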


73 replies


Hello,
I am still stuck trying to debug this. I have reconfigured it all from the start.
I have also tried to enable guest accounts:
SHARE=music;/music;yes;yes;yes;sonos;;;SonosMusic

This still doesn’t do it (but I can now mount this samba drive from a Linux and a Windows PC, without credentials).
I can ping my Sonos units from within the Docker image.
But from the Sonos app, when I enter the server details ( \\ipaddress\music), I still get an access denied error.
Any clue on what to do next?


Hello,

Need a little help here in configuring this. As a background, I have been trying to fix this issue for 2 days, going nuts. Definitely not a beginner, I use Docker for work etc. But whatever I do, Sonos says that access to my Synology is denied.
As a side note, I have also tried to apply the changes described in this thread, without success.

Where I am: from a Windows file explorer, I see everything, my music is there.
From inside Docker, all the env seems to be in place:

sudo docker exec -ti dperson-samba1 env

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

HOSTNAME=dperson-samba1

TERM=xterm

GLOBAL=ntlm auth = ntlmv1-permitted

SMB=disable

SHARE=music;/music;yes;yes;no;sonos;;;SonosMusic

USER=sonos;hiddenpassword:-)

HOME=/root

There is no other device on my LAN using the same IP address as my container (and again, Windows sees all my samba folders without any problem).
My Synology Firewall is off.

My Sonos devices are a ZP80 and ZP100.

Any clue as to what to check next? Thanks!

Thanks for a helpful solution, @jelvank and all the others who chimed in. We had it working for several months, but then we moved to a new place with a new router. The NAS and the new router are both from Synology. The old router from Starry had a different subnet, so we recreated the macvlan and then recreated the sonos-samba container. For a while, we couldn’t even ping our new music library IP address, 192.168.1.240, but changing the macvlan parent from eth0 to eth1 fixed that.

Now, we are getting “connection refused” on 192.168.1.240/music. Regular file access to the NAS is fine.  What could be missing in our Docker or network setup for Sonos?

Any suggestions would be much appreciated.


@jelvank everything is still running and streaming music perfectly. Again thanks for this secure work around.
I have added some folders in my /Music folder, I go to Sonos and tell it to update music library, it shows indexing, it finishes indexing yet none of the new folders or music are showing in Sonos. Any idea why?
I’ve stopped and re-started Docker. Closed and re-opened Sonos app on my macbook pro. Nothing seems to allow Sonos to update.
If I’m reading the below screenshot, is everything r/w?
 Here is a screen shot from ls -alF

 

@jelvank I figured it out for the added music. I have to go into the Folders section of Sonos and choose from there not from the Artist/Album list on top.

You should be able to find everything through Artist/Album as well, but this depends on ID3 tags in the files and indexing from Sonos.

 

 

If you see this, still have a question about the screenshot and privileges...Is drwxrwsrwx all read right privs? If so, how do I fix that? Thanks in advance..

As far as I know, Docker manages privileges on its own. As long as you mount this directory as read-only (see settings of this container in Docker), the container won't be able to change anything. This also protects your music collection (and the rest of the file system on your Synology) from any vulnerabilities within Samba. So your container might get messed up, but your files will be ok.


@afawaz and anybody else that’s getting the error “failed to create the macvlan port: device or resource busy” - the issue is most likely because you’re using an incorrect network device. If you have vSwitch enabled (a must if you use Virtual Machines on Synology), you can’t use eth0 because it won’t have the ip address of your Synology. You’ll need to prefix your network device with ovs_

 

Ex. Instead of using parent=eth0 when creating your macvlan try using parent=ovs_eth0

 

Here’s a post that helped me find the link between this issue and vSwitch. I recently installed VMM on Synology and ran into this issue and removing macvlan and redoing it with ovs_eth0 fixed it.

 

Like @jelvank said - use the ifconfig command and search for the network device that has inet addr:{your-synology-ip-here} and use that network device in your macvlan configuration.

@Rowena B. Just to clarify, I was able to get my Sonos to talk to my NAS by creating a separate server using outdated and insecure protocols. Sonos MUST fix their SMB protocol - users should not have to go to these lengths just to listen to their own music.

Just use a PC or a Mac to host your files: no SMB required.

I second that. Moreover, hosting the files on my Mac mini offers me a better playlist management :yum:

 

Hi 

When starting the container with the settings above, I get an error:

Start container sonos-samba failed: {"message":"failed to create the macvlan port: device or resource busy"}.

I followed the information and SSH information in your post.

 

Thanks

Andrew


Could be a lot of things. I know about an issue with macvlan and Synology Vswitch:

https://www.reddit.com/r/homelab/comments/cng2s2/issue_with_synology_vswitch_and_docker_macvlan/

If you use vSwitch you might need to switch it off.

Hi all,

I followed the instructions in this post and had the same issue that AndrewKorn faced. Using the link above, I did an ifconfig -a and verified that my virtual network adaptor is named ovs_eth0. So I used this in place of just eth0 and voila, everything is up and running.

Thanks heaps Jelvank for sharing your workaround. It has given my 2 Sonos speakers a new lease of life.

hewmf

This works perfectly. Took a couple of attempts due to the fact it was the first time I've used Docker but it has given me a great introduction to docker/containers and also solved the problem of not having to enable smbv1 on my syno NAS and enabled me to share my music SAFELY from my NAS to Sonos. 

Follow the instructions accurately and it will work. Remember that when setting environment variables the paths for the directory where your music is stored need to be exact i.e. case sensitive and don't miss the smb variable or your music folder will appear empty. I know because I made that mistake :)

 

Thanks for this workaround, top marks!

 


Hi Jelvank, 

 

Thank you so much for this, absolutely stellar!

I have one question… as a SSH and Docker noob, I have been copy-pasting your environment variables to the letter.. literally setting my password to: ”verysecretgeneratedpassword12345”… Is there a way to change this password afterwards without going through the whole process from the start?

 

Many thanks!

 

Bastiaan


Hi Bastiaan,

Yes, you can do so easily:

  • Open Docker
  • Hit Container
  • Stop your Sonos-container by switching the button behind the container, wait for it to stop.
  • Hit Edit
  • Go to the tab Environment
  • Down below you will find the variable user. First part is the username and behind the semicolon your very secret password waits for you to be changed :-)
  • Hit Apply, close the Edit window and start the container again by switching the button.
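
The copied sample password in this exchange, together with the guest-share and case-sensitivity problems reported elsewhere in the thread, can be checked mechanically before the container is started. The following Python is an added example, not part of any post or of the dperson/samba image; audit and parse_share are hypothetical helpers, and the SHARE field names and the "empty field means yes" defaults are assumptions taken from the image's documentation.

```python
"""Added example: audit the dperson/samba settings used in this thread."""

# Field order of the SHARE variable (assumption: as documented by the image).
SHARE_FIELDS = ("name", "path", "browse", "readonly", "guest",
                "users", "admins", "writelist", "comment")
# The sample password printed in the tutorial; every reader of the thread knows it.
PLACEHOLDER_PASSWORDS = {"verysecretgeneratedpassword12345"}


def parse_share(value):
    """Split 'name;path;browse;readonly;guest;users;admins;writelist;comment'."""
    parts = [p.strip() for p in value.split(";")]
    parts += [""] * (len(SHARE_FIELDS) - len(parts))  # pad omitted trailing fields
    return dict(zip(SHARE_FIELDS, parts))


def audit(env, mount_path, volume_read_only):
    """Return 'code: message' findings for one container configuration.

    env              -- dict of the container's environment variables
    mount_path       -- mount path typed on the Volume tab (e.g. /music)
    volume_read_only -- True if the Read-Only box was ticked for that volume
    """
    findings = []
    share = parse_share(env.get("SHARE", ""))
    user_fields = env.get("USER", "").split(";")
    username = user_fields[0]
    password = user_fields[1] if len(user_fields) > 1 else ""

    # Linux paths are case sensitive: /Music and /music are different directories.
    if share["path"] != mount_path:
        if share["path"].lower() == mount_path.lower():
            findings.append(f"path-case: SHARE uses {share['path']} but the mount is {mount_path}")
        else:
            findings.append(f"path-mismatch: SHARE uses {share['path']} but the mount is {mount_path}")
    # Assumption: an empty readonly or guest field falls back to the default "yes".
    if (share["readonly"] or "yes").lower() != "yes":
        findings.append("share-writable: SMB clients may write to the share")
    if (share["guest"] or "yes").lower() != "no":
        findings.append("guest-access: the share can be mounted without credentials")
    allowed = [u for u in share["users"].split(",") if u]
    if allowed and allowed != ["all"] and username not in allowed:
        findings.append(f"user-mismatch: USER {username} is not in the share's user list")
    if password in PLACEHOLDER_PASSWORDS:
        findings.append("placeholder-password: the tutorial's sample password is still in use")
    if not volume_read_only:
        findings.append("volume-writable: the container can modify files on the NAS")
    return findings


# Settings exactly as printed in the original post.
TUTORIAL_ENV = {
    "GLOBAL": "ntlm auth = ntlmv1-permitted",
    "SMB": "disable",
    "SHARE": "music;/music;yes;yes;no;sonos;;;SonosMusic",
    "USER": "sonos;verysecretgeneratedpassword12345",
}
# Constructed variant: guest access on (as one reply tried) and a made-up password.
GUEST_ENV = dict(TUTORIAL_ENV,
                 SHARE="music;/music;yes;yes;yes;sonos;;;SonosMusic",
                 USER="sonos;constructed-sample-Zq7-not-a-real-secret")

if __name__ == "__main__":
    for label, env, mount, ro in (("tutorial", TUTORIAL_ENV, "/music", True),
                                  ("guest variant", GUEST_ENV, "/Music", False)):
        print(label)
        for finding in audit(env, mount, ro) or ["ok"]:
            print("  ", finding)
```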

 


Well, I think I’m in a good place now: I did get that new NAS (Asustor AS5202T 2-bay), and I have successfully moved my Music Folder over to it. Using SMB1 enabled, I set up a new library in the SONOS app that points to the Music folder on the NAS. As long as I don’t want to change the structure of the SONOS library, I can disable SMB1 and still update the music files and the .m3u playlist files just by copying things from my PC to the NAS. I then re-index the SONOS library, and I don’t need SMB1 to do that step. Seems to work fine. Thanks for your insights and suggestions on all this.


but it requires the PC to be on all the time

The particular NAS I was considering has an Intel Celeron running a modification of linux for the OS, so I thought it would be possible to port SonosLibraryService to that machine (it already runs many many apps).  Anyway, I have a working solution using my old Buffalo NAS that allows me to turn off my laptop and still hear SONOS music. A little extra work to add new music, but easy enough to do. Thanks very much for your insights on this for me...Jack


It would be easy to port the library service to any device that can run .Net Core - just decompile it to C# and recompile for the new target. Setup will probably be harder (ie getting the controller to add it to the system) and secrets management.



Question(2): Seems like an app running on a modern, nonSMB1, NAS could also use SonosLibraryService if it was configured to do so. Not possible?

Technically yes, but it requires the PC to be on all the time, which kind of defeats the point of the NAS: just put the files on the PC itself instead.


OK, thanks for the clarification. I have an ancient Buffalo NAS that can only use SMB1. I can see the folders on that NAS if I have SMB1 activated on my laptop, and I curate the music there using MusicBee. After that step, I use the SONOS app to map that Music folder to be the library for SONOS, and it can see that folder, indexes it properly, and plays the music on the zones properly. I only store music, not data, on that NAS. I then deactivate SMB1 on my laptop. I presume that SONOS is using SMB1 to communicate with the NAS on my LAN.

Question(1): Is that any kind of security risk for my network?

Question(2): Seems like an app running on a modern, nonSMB1, NAS could also use SonosLibraryService if it was configured to do so. Not possible?


So, I just ran an experiment with my new laptop: I turned off the Windows Feature SMB 1.0/CIFS (I had previously turned it on). I then asked the SONOS app to index my Windows Music folder. It worked fine, and, in fact, was the fastest indexing I have ever experienced. Music played fine. Why does this work without SMB1 activated? I thought the SONOS system needed SMB1.

I was about to buy a Synology DS220+ (It’s already in my Amazon cart!!!), but this thread is scaring me away from that.


Sonos does not use SMB for PC or Mac local file access (stopped that a few years ago), it uses a local http server called SonosLibraryService. Sonos only use SMB for networked devices such as NAS and the device you are considering purchasing.



An update for those who are using Synology NAS running DSM 7.x.

Default settings means SONOS does not work with Synology shared folders as they require minimum of SMB2 / NTLMV2. However if you go to  File Services > SMB > Advanced Settings > General. Make sure minimum SMB protocol is SMB1 and then Advanced Settings > Others set the “Enable NTLMV1 Authentication” flag. You will get a warning about security issues accept and clear SMB Cache on the General tab.

This enabled the insecure SMB1 and my SONOS was able to connect to the shared folder. I also created a special user and restricted it to the music shared folder to mitigate the crap protocol SONOS forces us to use. 

 

This is ridiculous SONOS that an insecure protocol that was replaced years ago is still the only option in SONOS.  


Ok, this basically shows that your Docker container doesn't see any files. I think you should check the location of your music files, they might have moved after your HD migration. You can locate your music directory in Synology File Station and make sure the files are there. And check the Volume settings of your container and make sure it is pointing to the same location.

@jelvank Thank you for all your help…. I got it to work...I guess it is my lack of knowledge of Docker and how all this works, it turns out the problem was this whole process is CAPS specific. 

My music share folder is Music and I was doing everything in lower case, assuming that CAPS didn’t matter. 

Made changes to everything to match all the CAP letters and everything is working as you designed.

Again, thanks for your help and this secure fix that Sonos FAILS to address and fix properly. 



@jelvank yes currently only using my shared folder /music, I still have the HD_Music folder, just not messing with it, until I get this issue resolved.

Here is a screen shot of the terminal results. 



Sonos is actually directing people to this thread?? WOW!! Pathetic support! When they (Sonos) first came on the scene, they were all about the end users, that has sadly changed, 


@Joeschmoe no there's no Sonos user on Synology. Your Synology is not aware of what is going on inside the Docker container. That is more or less the cool thing about containers. But you should try setting your Music share (if that's where your music is located) to world readable.

As to command line. I think this one is pretty simple. Open your Docker container. Choose the Terminal tab and click Create (the button itself, not the arrow). Then you simply enter the commands given above and post the output here. It should show something like this:

Thank you for the continued support of this fix….Sad Sonos won’t get off their butts and make a permanent solution 

Yeah well, what bothers me a bit is that lately Sonos seems to be pointing people here. Maybe they could offer some support themselves if they think this is the way to go...


@jelvank, Should there be a user “Sonos” in users? If so, there is not. The default guest account is set to read only, however when I set up my new HDDs in the NAS I had it disabled, did Docker change this?

I can do command line, IF it is done for me, such as your instructions for macvlan…..other than that, no I cannot. 

Thank you for the continued support of this fix….Sad Sonos won’t get off their butts and make a permanent solution 
