Does merlin support samba guest sharing?

[themaster]

yah, know as read-only???

I found this article on how to do it.. but was just hoping to avoid a lot of unix commands etc.

 

[RMerlin]

yah, know as read-only???

I found this article on how to do it.. but was just hoping to avoid a lot of unix commands etc.

User access is configurable on the webui - same interface as found on the stock firmware.

 

[themaster]

Yah, it's that interface that is limiting.. (hence this entire article about getting around it!) the ability to allow GUEST (no password) access with READ-ONLY so someone doesn't delete your files!!! Would be invaluable..

I would like to get my firetv stick/kodi to read the entire contents of the hard drive.. now I know it does this with windows nework/samba.. but unless I'm missing something.. I don't know how to lock the files as "read-only" preventing some moron from wiping them all out or worse

 

[sfx2000]

yah, know as read-only???

I found this article on how to do it.. but was just hoping to avoid a lot of unix commands etc.

Just a thought... security wise that is...

If the user is on the Guest Network, that means there is a level of trust that isn't allowed by the primary SSID - are you sure you want to even consider this, as opposed to perhaps OneDrive or Dropbox?

 

[themaster]

Just a thought... security wise that is...

If the user is on the Guest Network, that means there is a level of trust that isn't allowed by the primary SSID - are you sure you want to even consider this, as opposed to perhaps OneDrive or Dropbox?

Yes, first off those devices don't deliver 4 Gb of data..

2ndly when it's locked properly/READ-ONLY guess sharing just keeps unnecessary passwords out of the mix.. that's exactly why that guy in that URL did all the work.. because guest read-only is nice.. but right now.. it's open to right too on my network.. which is nice till someone accidentally hits delete

If the user is on the Guest Network

this is not guest network.. this is a Guest account built-in to windows that allows you looking at files and shares without a password.. it's a winndows feature. Works fine on windows.. but here there's no ability to configure READ-ONLY (which is something you can do in windows and in samba.. if it was enabled some how? I'd prefer not to do this guy's router hack to do it.)

 

[sfx2000]

Well, again, it goes back to the trust issue... I'm not being paranoid, I'm just being practical/pragmatic..

I have a guest SSID running - and it's VLAN'ed straight out to the internet, and I have AP-isolation enabled, so guests get WiFi and Internet, but are totally isolated from my LAN, and from each other over the WLAN...

I work from home, and my work laptop is on that Guest SSID, as I don't trust them (anything inside their network) and they probably shouldn't trust me...

My guest SSID is WPA2 protected, btw... I don't use a captive portal...

 

[themaster]

Well, again, it goes back to the trust issue... I'm not being paranoid, I'm just being practical/pragmatic..

I have a guest SSID running - and it's VLAN'ed straight out to the internet, and I have AP-isolation enabled, so guests get WiFi and Internet, but are totally isolated from my LAN, and from each other over the WLAN...

I work from home, and my work laptop is on that Guest SSID, as I don't trust them (anything inside their network) and they probably shouldn't trust me...

My guest SSID is WPA2 protected, btw... I don't use a captive portal...

What the heck does that have to do with Microsoft Client for Microsoft Networks/samba/File and Printer Sharing for Microsoft Networks?

 

[sfx2000]

What the heck does that have to do with Microsoft Client for Microsoft Networks/samba/File and Printer Sharing for Microsoft Networks?

Jeez... this popped up on my radar due to basic security concepts...

But I'll give it a try...

Comes down to TRUST - a Guest Network/SSID means you don't trust someone to access your network resources, period... if you are, well, you're doing it wrong from a security perspective...

User/Group/World - the world is everything, groups can define access to specific resources, and users can be added to groups, and properties are inherited up the access chain.

MS Workgroups/Homegroups - they all live within the private domain, and you should never, ever, never cross that line - either you trust the client, or you don't - and when you don't, either don't give them access to your WLAN at all, or sandbox them into the Guest WLAN, and that's that...

'nuff said?

sfx

 

[themaster]

Jeez... this popped up on my radar due to basic security concepts...

But I'll give it a try...

Comes down to TRUST - a Guest Network/SSID means you don't trust someone to access your network resources, period... if you are, well, you're doing it wrong from a security perspective...

User/Group/World - the world is everything, groups can define access to specific resources, and users can be added to groups, and properties are inherited up the access chain.

MS Workgroups/Homegroups - they all live within the private domain, and you should never, ever, never cross that line - either you trust the client, or you don't - and when you don't, either don't give them access to your WLAN at all, or sandbox them into the Guest WLAN, and that's that...

'nuff said?

sfx

Yah, I understand all that.. what I'm interested in again is a "Guest" network neighborhood account/client computer that is SERVED "read-only" that is served by a usb 3.0 connection ntfs hard drive from a asus router....

I was wondering if merlin can do that.. or maybe someone can build the functionality since the article/URL above provides all the steps to get it done?

 

[sfx2000]

Yah, I understand all that.. what I'm interested in again is a "Guest" network neighborhood account/client computer that is SERVED "read-only" that is served by a usb 3.0 connection ntfs hard drive from a asus router....

Security violation, IMHO... unless that share is public to the world, it's hard to segregate it any further... can't have world and not so much world in the same space - again, goes back to trust...

 

[themaster]

Security violation, IMHO... unless that share is public to the world, it's hard to segregate it any further... can't have world and not so much world in the same space - again, goes back to trust...

the share is public to the LAN it has nothing to do with a WAN

 

[sfx2000]

the share is public to the LAN it has nothing to do with a WAN

So don't worry about the guest network eh? Consider a Guest SSID is being world visable, ok?

Inside the LAN, going back to the share itself, you can define properties there - for most, one person should be owner with read/write, and then everyone else should be read only...

One can always make a general share with write only as a dropbox, and perhaps a public read-write - and this can be done on a folder/directory basis.

Nice thing about Samba, you have that ability

Guess the best way to describe this - know what your sharing, and who do you trust?

 

[themaster]

So don't worry about the guest network eh? Consider a Guest SSID is being world visable, ok?

Inside the LAN, going back to the share itself, you can define properties there - for most, one person should be owner with read/write, and then everyone else should be read only...

One can always make a general share with write only as a dropbox, and perhaps a public read-write - and this can be done on a folder/directory basis.

Nice thing about Samba, you have that ability

Guess the best way to describe this - know what your sharing, and who do you trust?

I'd rather just have the feature I know samba can do.. and if I can't get it.. I guess, I'll enable passwords..

 

[sfx2000]

I'd rather just have the feature I know samba can do.. and if I can't get it.. I guess, I'll enable passwords..

Fair enough - yep, I know it's a hassle, but it's a good kind of hassle, agree?

 

[themaster]

Fair enough - yep, I know it's a hassle, but it's a good kind of hassle, agree?

nope, not really it's pretty stupid.. I'd share the drive via a windows machine.. but then I'd have to keep it on 24/7.. where as leaving the router on 24/7 is a better option..

 

[minilude]

I'm trying to do the same thing blogged by David Longenecker at https://www.securityforrealpeople.com/2014/12/customizing-samba-on-asuswrt-wireless.html

and found this thread by searching.. but disappointed to see the whole thread is discussing a "guest" SSID...
The purpose of this anonymous login is for kids, elderly, friends, or husband/wife to be able to see your file and use your file (without hassle of username/password) but prevent them delete or edit your file. I know a visitor username/password can do the same job but we are discussing things without a visitor username/password and they are using regular home SSID. Why would you want your kids or parents or wife to use guest SSID or dropbox...geez..

I flashed my stock ASUSWRT (AC68U) to Merlin just trying to see it has this feature but I guess no..

I found DDWRT's tab of NAS sharing has this feature so maybe developer can take a look at it?

 

[RMerlin]

I found DDWRT's tab of NAS sharing has this feature so maybe developer can take a look at it?

I don't want to devote any time on the disk sharing code, sorry. The only reason SMB is supported is because Asus does. My personal opinion is that SMB sharing does not belong in a router, for a wide range of reasons, including performance and security.

You should be able to achieve what you want however through customizing the smb.conf config file, by creating your own shares.

 

[minilude]

Thanks. Just trying confirm whether this capability is supported or on the way for noobs. For those who would like to follow David's blog, things should be do-able.