March-2016-Users and Groups

Continuing the discussion from Users and Groups - How does the security work?:

Having spent the last few days working with a DL4100, I finally understand why I kept receiving “CIFS Password” log messages and Windows and OSX login errors.

The WD PHP/JS dashboard code for manipulating the smb.conf file is NOT commutative. I.e., the order you assign users and groups permissions to shares and the order you add and remove users from groups results in different settings in the smb.conf file.

Specifically, the rules for samba/SMB are well described here “samba.org Chapter 9. Users and Security”.

My situation was that using the dashboard (wd web interface) I created a user “dtest”, that resulted in a share called “dtest”. I then created a group called “home”. I then added “dtest” to the group “home” and after some adds and removes of permissions to the “dtest” share, I was mysteriously denied access to the “dtest” share.

In truth I had this problem for many users and groups I had set up. The mystery was that the web dashboard showed that, in this case, user dtest had RW access to share dtest, while no other users or groups were granted permission, and dtest share had public access turned OFF.

In that configuration dtest should have been able to log in and connect to share dtest. I wasted days fiddling with network switches and Windows smb/network related issues before testing with an OSX and Linux machine (including numerous calls to WD support).

Once I tested with linux machines and OSX machines I readily verified the problem was not in the network, or on the clients. It was in fact in the WD NAS server itself. From there I enabled SSH and logged into the machine and examined the SMB configuration. What I saw in the smb.conf file explained very clearly what the problem was.

The WD web dashboard (which is an Apache PHP/JS web app) had not commutatively (correctly) maintained the permissions in the smb.conf file.

The Samba rules state clearly that you can set the following list of rules:
valid users=, invalid users=, read list=, write list=.

Samba rules also detail use of @,&,+ for specifying NIS (smb perms) and HOST (linux ext4) perms ordering.

What WD NAS does is make all files and directories on the share drives 777 so owner, group, other all have RWX permissions. Thus access to shares is completely controlled by the NIS (smb) rules only. Because SMB perms are always based on requiring that BOTH NIS and HOST filesystem permission must be enabled for a user to have access. So, by using linux 777 (RWX for everyone), only the NIS (smb conf) rules need to be modified. So, while less secure, it is fast and easy to manage for the WD dashboard software tools.

With that in mind, the only question was why were the NIS rules not letting dtest have access to the dtest share when the WD dashboard said dtest had RW access.

The answer:
dtest was listed in the write list=, dtest was listed in the valid users= rules, @home was listed in the invalid users= rules, AND the BUG… dtest WAS NOT listed in the read list= rules.

Since invalid users trumps valid users, dtest was denied access based on being a member of the home group. So to provide WRITE access it needs write list= which trumps invalid users= so dtest had WRITE access. To provide READ access it needs read list= which also trumps invalid users=, BUT dtest was not in the read list= and thus DID NOT have READ access. Which by NIS SMB rules meant the user would be denied when attempting to log in.

What’s more confusing is that if the user was already authenticated to the share and had it mounted/mapped etc, and one then used the WD dashboard to add them to a group, the smb.conf file would be incorrectly set up as described above, but the user would still be able to access the share until their session needed to be reconnected. I.e., they were not forced to re-authenticate by the WD code configuring the SAMBA (SMB) permissions in the smb.conf tables because it thought (presumably) that the session would still have permission since the user had RW even though the group the user belonged to, did not.

The WD code needs to be revised to correctly (commutatively) preserve the NIS permissions in the smb.conf file without regard to the order in which a user, share, or group are manipulated to grant private Read or RW access. It should not matter in what order a user is granted, revoked, or a group is granted, revoked access to a share, or a user is added/removed from a share. BUT in fact it does matter and it gets incorrectly configured.

Correction to my last paragraph:

The WD code needs to be revised to correctly (commutatively) preserve the NIS permissions in the smb.conf file without regard to the order in which a user, share, or group are manipulated to grant private Read or RW access. It should not matter in what order a user is granted, revoked, or a group is granted, revoked access to a share, or a user is added/removed from a group. BUT in fact it does matter and it gets incorrectly configured.
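The check a practitioner would want after reading the diagnosis above, written here as an added Python example (not code from this thread, from WD, or from Samba): it parses share sections in the format of the overall_share file quoted later in the thread, applies the list precedence documented in smb.conf(5) (a match in invalid users is checked first and denies a user even when that user also appears in valid users, read list or write list; a non-empty valid users must then match; read list and write list only decide read-only versus read-write), and reports which list produced the decision. The sample file, the dtest share and the home group membership are constructed to mirror the opening post; treating the @, + and & prefixes all as plain Unix group names is a simplification of Samba's lookup.

```python
"""Audit Samba share access lists as written by a NAS dashboard.

Added example, not code from the thread or from WD. Precedence follows
smb.conf(5): a match in 'invalid users' denies first (even if the user is
also in valid users, read list or write list); a non-empty 'valid users'
must then match; 'read list' / 'write list' only decide read-only versus
read-write ('write list' wins when both match; otherwise the share's
'read only' setting, default yes, applies).
"""
import re
import shlex

# Constructed sample in the format of the overall_share file quoted in the
# thread. The "dtest" share is built to mirror the opening post: dtest is in
# write list and valid users, absent from read list, and @home is in
# invalid users.
SAMPLE = """\
[1Unwatched]
comment = 1Unwatched
path = /shares/1Unwatched
public = no
write list = "admin"
read list =
invalid users = "nobody"
valid users = "admin"

[dtest]
comment = dtest
path = /shares/dtest
public = no
write list = "dtest"
read list =
invalid users = "nobody","@home"
valid users = "dtest"
"""


def parse_shares(text):
    """Parse '[share]' headers and 'key = value' lines into nested dicts."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = shares.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return shares


def split_list(value):
    """Split a Samba name list (comma or space separated, quotes allowed)."""
    return shlex.split(value.replace(",", " "))


def matches(entry, user, groups):
    """True if a list entry names the user or one of the user's groups.

    Samba distinguishes @ (NIS netgroup, then Unix group), + (Unix group)
    and & (NIS netgroup); this example treats all three as Unix group names.
    """
    if entry and entry[0] in "@+&":
        return entry[1:] in groups
    return entry == user


def hits(share, key, user, groups):
    """Entries of share[key] that match this user (empty list if none)."""
    return [e for e in split_list(share.get(key, "")) if matches(e, user, groups)]


def evaluate(share, user, groups=()):
    """Return (decision, reasons); decision is deny, read-only or read-write."""
    groups = set(groups)
    reasons = []
    bad = hits(share, "invalid users", user, groups)
    if bad:
        reasons.append(f"matched 'invalid users' via {bad}; this list is checked first")
        for key in ("valid users", "read list", "write list"):
            if hits(share, key, user, groups):
                reasons.append(f"also in '{key}', which does not override the denial")
        return "deny", reasons
    valid = split_list(share.get("valid users", ""))
    if valid and not hits(share, "valid users", user, groups):
        return "deny", ["'valid users' is set and does not name this user"]
    # Only the 'read only' parameter is honoured here (default yes).
    writable = share.get("read only", "yes").lower() in ("no", "false", "0")
    if hits(share, "read list", user, groups):
        writable = False
        reasons.append("in 'read list' -> read-only")
    if hits(share, "write list", user, groups):
        writable = True
        reasons.append("in 'write list' -> read-write (wins over read list)")
    if not reasons:
        reasons.append("in neither read list nor write list; 'read only' default applies")
    return ("read-write" if writable else "read-only"), reasons


def report(text, memberships):
    """Decision for every (share, user) pair; memberships maps user -> groups."""
    out = {}
    for name, share in parse_shares(text).items():
        for user, groups in memberships.items():
            out[(name, user)] = evaluate(share, user, groups)[0]
    return out


if __name__ == "__main__":
    members = {"admin": set(), "dtest": {"home"}}
    for (name, user), decision in report(SAMPLE, members).items():
        print(f"{name:12} {user:8} {decision}")
    for line in evaluate(parse_shares(SAMPLE)["dtest"], "dtest", {"home"})[1]:
        print("  -", line)
```

Run against the sample, the tool shows that dtest is denied on the dtest share only because of its home group membership matching the @home entry in invalid users, and that the same user is read-write the moment that group entry is absent, which is the kind of before/after comparison worth doing on a copy of the overall_share file whenever the dashboard and Samba disagree.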

Smallscript, informative post. However, because you're referencing a DL series device you may want to post this information to the dedicated DL subforum or back to the dedicated Mirror forum where the “How does the security work?” thread that you are referencing is hosted. This My Cloud subforum is generally for the single bay My Cloud devices that may have different features and operating system than the Mirror and DL series devices.

https://community.wd.com/c/network-attached-storage/my-cloud-business-series

https://community.wd.com/c/personal-cloud-storage/wd-my-cloud-mirror

The comments apply to ALL the WD MyCloud devices. I happened to debug the problem on my DL4100, but have been testing other MyCloud devices (Arm models as well as the Intel models).

All the MyCloud devices are running Linux (with embedded Linux libraries). The software under the hood is basically the same for all the units. The DL series software offers a few more things enabled for ActiveDirectory integration and things like iSCSI sharing of raw partitions that can be mounted and managed by a client as a raw drive. If you enable the SSH option you can log into your MyCloud device and you will see all its Linux configuration etc., although doing so will possibly void your support warranty until you rebuild your server (forcing a factory reset of the Linux configuration).

The applications you can install on your MyCloud devices are “dockers”, which are Linux container sandbox processes utilizing the Docker management system that has become pretty much industry standard in the last 12 months and is now supported on Linux, OSX, and Windows officially as a means to deploy applications that can run in sandbox process space. On OSX and Windows a single Linux OS is required to run as a Virtual Machine on the host OS, and the dockers then run as sandboxed containers (kernel cgroups) [each container is a collection of one or more processes that share a common resource jail] within that virtual machine based Linux.

For the WD NAS MyCloud family they are all running Linux so dockers are very lightweight, running as a Docker library container using Docker's container management infrastructure. The Docker support library and Docker management components are written in the Go language, but a given docker program/application can be written in any language and will see its execution world (a kernel cgroup) as if it was an entire Linux machine even though it is really just a set of processes grouped together by the kernel to share a common resource restricted view of the real underlying hosting Linux kernel.

If you have an ARM based MyCloud device then you are limited to dockers that will work on your ARM CPU, and if you have an Intel based MyCloud device then you are limited to dockers that will work on an Intel based CPU.

The hardware differences among the various series are whether they are running on an ARM processor or an Intel processor, and whether they have dual-ethernet ports and dual power-supply ports. The dual-ethernet ports allow various forms of bonding to enable more bandwidth to all clients and faster network transfer rates to those clients that also have bonded ethernet ports or 10GB ethernet etc. The 2100 series are ARM based and do not allow expanding the onboard memory. The 4100 series are Intel based and do allow expanding the onboard memory. The non DL models are basically equivalent to the 2100 series but don’t have the dual ethernet and dual power supplies and are packaged in a different case. The My Mirror units support two drives for RAID 0 or RAID 1 and allow access to those drives for hot swapping on RAID-1 failure.

Western Digital’s developer website talking about their support of dockers and how to build a docker using their “My Cloud Device SDK”.

[quote=“smallscript, post:4, topic:155256, full:true”]
The comments apply to ALL the WD MyCloud devices. I happened to debug the problem on my DL4100, but have been testing other MyCloud devices (Arm models as well as the Intel models).[/quote]
For the single bay v4.x My Cloud there is no Dashboard option to assign a user to a group as you indicated you did in your initial post on the DL4100. Further, on the v4.x single bay My Cloud the smb.conf file (/etc/samba/smb.conf) contains only the following:

[global]
  workgroup = WORKGROUP
  realm = WORKGROUP
  netbios name = WDMyCloud
  server string = WD My Cloud

  include = /etc/samba/smb-global.conf
  include = /etc/samba/smb-global_veto.conf
  include = /etc/samba/overall_share

Instead the “overall_share” file is what contains the write list, read list, invalid users, and valid users listings for each Share. Much like you mention in your first post, the User is not listed in the “read list” entry. Here is one example of a Share entry in the overall_share file:

[1Unwatched]
comment = 1Unwatched
path = /shares/1Unwatched
browseable = yes
public = no
available = yes
oplocks = yes
map archive = no
write list = "admin"
read list =
invalid users = "nobody"
valid users = "admin"
# !!properties = "media_serving","remote_access"

You are right Bennor. The overloaded use of the phrase “My Cloud” by WD for their (NAS) network addressable storage product lines is a bit confusing if one uses shorthand.

My Cloud OS 3 NAS Devices (WD Customized Ubuntu Linux for ARM and Intel)

  • Personal Cloud series of the My Cloud OS 3 NAS Devices:
    I have a Personal Cloud:My Cloud Mirror Gen 2 device. I don’t have one of the “Personal Cloud:My Cloud” devices. From the user manual for it, I am guessing that the “Personal Cloud:MyCloud” is running a My Cloud OS 3 version that exposes a limited version of the My Cloud OS 3 web management interface.

  • Network Attached Storage EX and DL series of the My Cloud OS 3 NAS Devices:
    These devices fall into the EX (ARM cpu based linux My Cloud Expert Series) and DL (Intel cpu based linux My Cloud Business Series) families.
    The EX and DL series devices both have the docker system installed on their My Cloud OS 3 implementation.
    I incorrectly referred to the DL2100 as an ARM device in a previous post.

  • According to WD Developer Questions, The Personal Cloud series devices all support SSH, but only the My Cloud Mirror Gen 2 device is configured out of the box to support dockers. Without SSH logging in and examining the Ubuntu linux setup on the single drive Personal Cloud devices, it’s unclear if that limitation is just a marketing limitation, an older software version awaiting upgrade or a technically driven decision that there is insufficient RAM or CPU capacity to support dockers on those devices.

My Book Devices

  • The “External Storage:MyBook” devices, which I have two of, are not NAS devices; they are USB3 interfaced drives. These drives work excellently as additional storage when attached to any of the My Cloud devices.

From the AnandTech review:

Western Digital’s embedded Linux-based NAS offerings target a wide range of market segments. The My Cloud Mirror Gen 2 targets the typical average consumer - someone who has a vague idea of what network attached storage means, but has never used one in his setup. This type of customer is typically not very tech-savvy, and so, ease of use is very important. Several features that power users take for granted might not be necessary in a product targeting such a consumer. Eagle-eyed consumers might note that the My Cloud Mirror Gen 2 and the My Cloud EX2 share a similar chassis. The difference between the two is in terms of firmware features. The following aspects are not supported in the My Cloud Mirror Gen 2:

  • iSCSI LUNs
  • Encrypted shared folders / volumes
  • IPv6 for the network interface
  • Hot-swap capability for hard drives
  • Active Directory support

Compared to the My Cloud Mirror model from last year, the Gen 2 version has a faster internal platform. While Gen 1 used the Marvell ARMADA 370 SoC with a single-core ARMv7 CPU running at 1.2 GHz, the Gen 2 uses the Marvell ARMADA 385 SoC sporting two ARM Cortex-A9 cores running at 1.33 GHz. Other than that, the other specifications such as the external I/O ports and amount of RAM on the board remain the same. As we shall see later, the faster CPU will definitely be of help in handling the extra features provided by the My Cloud OS 3.

From the Hardware Secrets review:

The Personal Cloud:My Cloud WS NAS device specs are described as:

The control board uses a Mindspeed Comcerto 2000 (M86261G-12) CPU, which has two Cortex-A9 ARM cores, running at 650 MHz.

Western Digital Introduces Its First Helium-Filled HDDs for Consumer Applications

Western Digital Helium Filled Drives (include new 8TB and 10TB capacity drives).

  • WD Red Drives (5400 RPM)
  • WD Red Pro Drives (7200 RPM) [Just bought them under the Hitachi NAS while they are still available as hitachi drives series]
  • WD Purple Drives (The Hitachi Series drives / HGST acquired by WD)

Just to add to the confusion, there are now two generations of single-bay MyCloud drives, which aren’t easily distinguishable to a naïve purchaser. The old, ‘Gen 1’ drives run a version of Debian Linux, and v4 firmware. The newer, ‘Gen 2’ devices are based on BusyBox, and run something called v2 firmware, which appears to be a version derived from their exclusive to Japan ‘WD Cloud’ product, to avoid the pre-existing trademarked MyCloud product there…

The OS used on the first gen (personal) single bay My Cloud, those running v4.x firmware, while Linux (Debian), is slightly different than the one running on the gen two single bay My Clouds, those running v2.x firmware that uses BusyBox on Linux. The Dashboard interface is slightly different as well. The v2.x has an “App” section while the v4.x version does not. In certain cases the SSH commands one issues are different due to the firmware folder layout of each version too.

Why WD decided to release a new version, keeping the same name as the old version, yet have different firmware and different user interface is beyond me. It's led to some considerable confusion on this support site when the end user asks questions but doesn’t provide their firmware version. What makes it worse is they’ve changed the name of certain features between the two, like for example “Safepoint” for v4.x and “Backup” for v2.x for backing up the My Cloud to another location. Then there are major goofs in the v2.x Dashboard where WD apparently forgot to code in a Shutdown button even though the User Manual (link below) for v2.x indicates, in two places, that there is a Shutdown button. And the fact that the v2.x “Backup” module doesn’t support creating a scheduled backup either.

Version 4.x firmware Dashboard (generic image from WD):


Version 2.x firmware Dashboard (image from User Manual):

There are two different WD My Cloud User Manuals too.
v4.x: http://www.wdc.com/wdproducts/library/UM/ENG/4779-705103.pdf
v2.x: http://www.wdc.com/wdproducts/library/UM/ENG/4779-705147.pdf

For me, the bigger question is: why have they got multiple firmware lines at all? Wouldn’t they be better off with a single firmware base, on a common platform, with scalable features to support the different product lines?

Having to support and maintain so many different firmware streams must make their life hard. No wonder there are so many unresolved problems…

And can someone tell me if there is Docker for the My Cloud PR4100 with V2.11?