Access denied to NAS


Userlevel 1
Badge +1
First of all: Seriously, Sonos? I pay a premium for a cheaply manufactured premium marketed product, and I still need to ask your other customers on a forum for help? Where's the instant chat? Where's the 24/7 international support phone number?

Not for the other problem: After updating to version 7.2, I can no longer play music from the library on my NAS. 'Radio' still works fine, but any song I try to play from my library results in an error: "Unable to play 'TITLE' - access to SERVER denied".

The credentials are still valid. I can log on with them and access my music from a workstation just fine. I have tried a second account, and I have tried to re-add the server using the Sonos controller on my Mac, but even that results in access related errors. I have tried forward and backward slashes, a dns resolvable name and an IP address, but none of that matters.

My NAS running FreeNAS and this setup has been working well for a long time, before updating the Sonos system.

This topic has been closed for further comments. You can use the search bar to find a similar topic, or create a new one by clicking Create Topic at the top of the page.

28 replies

Userlevel 1
Badge +1
Hm, I suppose 24h response isn't a thing, at Sonos...
With your attitude, why should any of us bother?
Userlevel 1
Badge +1
With your attitude, why should any of us bother?
As a fellow customer: You shouldn't.

But future customers should be aware that if anything goes wrong, and they cannot resolve it themselves, they'll be depending on the charity of other users for support. Because they're for sure not getting any from Sonos. This is to be expected for cheap Chinese products, but it is disturbing for a premium product like Sonos.
Userlevel 7
Badge +19
Have you raised a support ticket.
Userlevel 1
Badge +1
Have you raised a support ticket.
Yes, admittedly, after posting here; That possibility was a bit hard to find. It's around 14 hours ago, so I'll still give it some time.
Userlevel 1
Badge +1
With your attitude, why should any of us bother?
As a fellow customer: You shouldn't. Help from other customers is appreciated and gratefully accepted, but it shouldn't be the sole pillar of a premium brand's support.

When I buy a premium brand product, at an according price, I expect premium support, instead of being at the mercy of other user's charity. I'm using FreeNAS, I know what it is to ask a community of enthusiast fellow users for help and to return the favor when possible. But Sonos isn't a free product. Sonos is a commercial product, presenting itself as a premium brand, making profit. I expect that some of that profit is used to provide premium support, instead of fending that off to a small community of enthusiast users. Yes, I said 'small', because I know that the actual contributors are usually just a small fraction of the members.
Userlevel 7
Badge +20
With your attitude, why should any of us bother?
As a fellow customer: You shouldn't. Help from other customers is appreciated and gratefully accepted, but it shouldn't be the sole pillar of a premium brand's support.

When I buy a premium brand product, at an according price, I expect premium support, instead of being at the mercy of other user's charity. I'm using FreeNAS, I know what it is to ask a community of enthusiast fellow users for help and to return the favor when possible. But Sonos isn't a free product. Sonos is a commercial product, presenting itself as a premium brand, making profit. I expect that some of that profit is used to provide premium support, instead of fending that off to a small community of enthusiast users. Yes, I said 'small', because I know that the actual contributors are usually just a small fraction of the members.


Hi MindBender,

It looks like our technical team has reached out to set up a phone call. Please reply to the email with your availability and we'll help get you up and running.
Userlevel 1
Badge +1
It looks like our technical team has reached out to set up a phone call. Please reply to the email with your availability and we'll help get you up and running.
Credit where credit is due: Sonos Technical support replied to my support ticket, and well within the 24h the website promised, with a request to call them. So I left work early, went home and called them.

I got a friendly guy on the phone, who seemed knowledgable, skillful and focussed toward solving this problem. He took over my workstation, tried all the things I had already tried, and much to my relief, it didn't work when he tried it either. Diagnostics were submitted and the system _really_ seems to think it is denied access. Yet the credentials used and my administrator credentials work fine for this NAS, on Mac, on Windows 10 and on Ubuntu. We tried forward and backslashes, names with and without local domain and even bare IP addresses. Nothing made any difference.

The guy took his time, but tech support closes at 18:00, so we had to put an end to it. No solution yet, only more questions, but a colleague of him will contact me next week to schedule another session. I'll keep you posted.
Userlevel 1
Badge +1
The cause
This problem is caused by Sonos still not supporting NTLMv2 authentication, and NTLMv1 being disabled by default for Samba 4.5+ and version 4.5.5, in FreeNAS 9.10.2-U2 and later.

The Fix
This problem should be fixed by Sonos, by implementing NTLMv2. Still using NTLMv1 is a security hazard.

The work-around
This problem can be worked around by lowering your NAS' authentication security, by explicitly enabling NTLMv1. To do this, add the statement ntlm auth = yes to the smb.conf, likely located in /etc/samba/.

FreeNAS users can lower their authentication security by adding ntlm auth = yes in the SMB service auxiliary parameters box.


With this setting, my Sonos plays music from my NAS again.
Userlevel 7
Badge +21
Can you explain how changing access protocol to your NAS makes your network, or even the NAS, even less or even more secure?
Surely the security is only as good or bad as the security on your router/network?
Userlevel 1
Badge +1
Can you explain how changing access protocol to your NAS makes your network, or even the NAS, even less or even more secure?
NTLMv1 is the protocol used to authenticate credentials on Windows shares. The v1 version has known vulnerabilities for a long time, hence plenty of chance for the implementation of exploits. Because of this, it is recommended for some time already to disable NTLMv1 on servers and workstation, in favour of using NTLMv2. Recently, the developers of the Open Source implementation SMB have found it to be time to close this security hole and make this the default setting. As a side-effect, many Open Source based equipment, in this case mainly NASes, will no longer authenticate Sonos' after a system update, unless NTLMv1 is explicitly re-enabled. Re-anabling NTLMv1 re-opens the NTLMv1 vulnerability security hole. Even Microsoft themselves recommend disabling NTLMv1, since 2013 (https://support.microsoft.com/en-us/help/2793313/security-guidance-for-ntlmv1-and-lm-network-authentication).
Surely the security is only as good or bad as the security on your router/network?
For attacks from the outside, yes. But not for attacks from within your network, from people accessing your WiFi or from malware/spyware you your PC.
You have voted your own answer as the best answer to your question? Why ask the question then:?
Userlevel 1
Badge +1
You have voted your own answer as the best answer to your question? Why ask the question then:?
Obviously, I didn't have the answer when I posted the question, two days ago.
And now I've figured out what the problem was, and how to work around it, I thought it would be nice to share it here, so other people do not need to spend the same time diagnosing similar symptoms. And yes, my answer is right answer to my question, so I voted it accordingly, marking it easier for people to find. Apparently to forum allows this.
I can confirm that this fixed my issue. Upgraded from ~9.0 NAS4Free to 11.0 and Sonos was the ONLY thing that stopped working correctly. Once this is fixed on the Sonos end, I will remove the ntlm auth = yes parameter and go back to a secure system. Sonos tech support - please fix this! I concur that, having purchased now 7 Sonos devices, I am disappointed to find out that the system does not leverage the best security (NTLMv2 is pretty old at this point!).
Userlevel 7
Badge +21
If you want your security back now you can move your music to something like a Raspberry Pi and an external SSD fairly cheaply. I'm doing that here and with a Pi v3 the system is having no problems running three streams, cpu use for smbd is under 3%. Since it has nothing valuable on it the weak security isn't a problem for me.
If you want your security back now you can move your music to something like a Raspberry Pi and an external SSD fairly cheaply. I'm doing that here and with a Pi v3 the system is having no problems running three streams, cpu use for smbd is under 3%. Since it has nothing valuable on it the weak security isn't a problem for me.

Thank you for the suggestion. I'll exploring that option, but I think I'll run into some capacity/cost constraints. I have over 1.75TB of music, so I'll need more than just a cheap SSD. I have a few 1TB WD Black drives from an abandoned project - perhaps I can create an external array for the Raspberry Pi...
Userlevel 7
Badge +21
A WD Elements 2.5" - 2 TB USB external drive is about $75 on Amazon, makes it hard to justify doing anything fancy.

WD Black drives are nice ones but they are power hogs to give that performance, not always really quiet or cool either so I'd pass on them. Messing with RAID on USB connected devices probably isn't that great an idea either but it could be done with some tweaking.

My ripped CD collection fits nicely on a 256 GB SSD from my junk box so all I had to do was grab a USB-SATA cable and I was good, about $12 on Amazon.
I am running Ubuntu 17.10 with the latest Samba. The Samba writers fixed it so NTLMv2 was default. So, what worked for me was disabling NTLMv2 and enabling NTLMv1. As an IT Security Professional this made me cringe but I don't expose my inside network. You actually have to put in 2 statements into smb.conf:

client NTLMv2 auth = no
ntlm auth = yes

I highly recommend Sonos developers fix this and ensure the latest security protocols are supported.
Userlevel 2
I have a similar problem using nas4free. I recently upgraded from version 11.0.0.4 to 11.1.0.4 and ever since I have lost my connection with library. Everything had been working just fine for the past 5 years. Since the main purpose of having a NAS is to house my 32,000 song lossless music collection, it is frustrating.

I tried adding the lines suggested above by Lemex but it seems nas4free does not respond to the same auxiliary commands.

Does anyone else have experience like this with nas4free?
@silverspeedfreak I am not sure what the config looks like for nas4free. It’s probably something subtle. When I did my change for Ubuntu both lines were not obvious in this thread so it took a bit of digging.
Userlevel 1
Same issue as for silverspeedfreak and many other nas4free users. Read various posts on Nas4free forum CIFS/SMB topic.
Their developers are aware of and the suggested patch (ntlm auth = yes to the smb config file doesn't work with recent SAMBA releases.
SONOS MUST move and implement NTLMv2. There are plenty of litterature on NTLMv1 sercurity hazard.
Please consider this as a strong Evolution Request from SONOS clients.
Thanks MindBender, your solution solved my problem.

To Sonos developers: please fix.
Userlevel 1
Badge +1
I have upgraded my FreeNAS to v11 now, and the problem is back. The error message is a bit more cryptic:


Everything I can find about error 900 blames the - assumed to be - Windows server to be the problem.

Now I am aware that FreeNAS v11 has a different way of enabling NTLMv1: The kind folks of FreeNAS have added an 'NTLMv1 auth' checkbox, just for the Sonos people:


But that doesn't mean the added auxiliary parameter 'ntlm auth = yes' will no longer work: It probably does.

However, with neither my Sonos system can connect. Does other FreeNAS user experience the same problem? It is discussed in the FreeNAS forum as well: https://forums.freenas.org/index.php?threads/unable-to-access-share-from-sonos-controller.53739
Userlevel 1
Badge +1
UPDATE
The knowledgeable people from the FreeNAS forum came to the rescue with the right solution.

For your Sonos to work with FreeNAS v11, you need to reduce your FreeNAS security level by enabling a, now per default disabled, proven vulnerable protocol, abandoned by Microsoft themselves back in 2007. If you're feeling lucky, below the settings to go back to Windows Vista grade security:

Userlevel 7
Badge +21
Kinda risky to enable SMB v1 on a NAS holding real data but if that is your choice at least you are aware of the risks involved.

Me being a worrier about security is why I have a Raspberry Pi with a copy of my music on it running SMB v1 and my real NAS as secure as I can make it. Nothing sensitive on it at all, not even a common user name with the rest of my gear.