DSM-G600, DNS-3xx and NSA-220 Hack Forum

Unfortunately no one can be told what fun_plug is - you have to see it for yourself.

#1 2011-01-22 21:37:24

ShrewLWD12
New member
Registered: 2011-01-08
Posts: 1

Successfully connected DNS323 to Active Directory Domain

Hi everyone,

After countless hours trying as many different options found in this forum as I can, I have collected up the useful parts, and come up with a go-by that has worked for me for 3 separate DNS323 installs.  95% of this is code from users of this forum, who deserve all the credit.

Some pre-notes:
-I am a Windows admin/user, and am writing this as a 101 user guide for other Windows admins/users who may not have the time to deep-dive into Linux just to complete one step of a large network build-out project.
- if this go-by has redundant/unnecessary steps, I welcome any changes!
-I have made arbitrary decisions for where to save backup files to counter the reboot.  I welcome advice on those too!
-This option allows multiple users to have secured access to multiple secured folders within the DNS.

Prerequisite software:
notepad++
PuTTY
Laptop running Linux (I used Ubuntu Netbook 10.10 running on USBStick, using pendrivelinux.com)
DNS-323 firmware v1.09

Some Linux commands:
VI Commands
x      #erases letters
dd    #erases a line
3dd  #erases 3 lines
i       #inserts (allows editing. Don't use arrow keys while in this mode)
ESC #exits insert, resumes scrolling
ZZ   #Saves and quits
:q!   #force exits

#use SUDO before every command in Ubuntu Terminal

#NOTE: Make sure the Linux Laptop and the DNS-323 have the correct date/time set, within 5 minutes of the domain server,
#or you will not get the secrets.tdb file, later in the go-by!


##GO-BY##
____________________________________________________
DNS-323

#Set Date/Time
#Do not change the DNS box name yet
#Download funplug
#enable ftp for anonymous root
#ftp to root, then cd to Volume_1
#upload fun_plug and fun_plug.tgz
#reboot NAS

#Verify ffp works by Putty to NAS (NOTE: PuTTY defaults to SSH...switch to Telnet for this step)
#If you get a '#' symbol, ffp correctly installed. Close PuTTY.
____________________________________________________
LINUX Laptop (Ubuntu Netbook 10.10 running on USBStick, using pendrivelinux.com)

#Set Correct Date and Time in the Ubuntu GUI
#Open Terminal
sudo vi /etc/samba/smb.conf

#Substitute HOME and HOME.LOCAL for your NETBIOS and FQDN of your domain, below.
#dns323 is what I called my DNS box, you could call it NAS, if you like, but remember what you called it 
#Point your WINS to a local WINS, if you are running one
#Edit/Add the following lines:

  workgroup = HOME
  netbios name = dns323
  security = DOMAIN
  realm = HOME.LOCAL
  wins server = 192.168.0.8
  name resolve order = host wins lmhosts bcast

#Save and Exit smb.conf

sudo vi /etc/hosts

#Add the following line
#Substitute the IP address below with the IP address of your server.
#Put in its FQDN, followed by a TAB, followed by its NETBIOS name.

192.168.0.8 server3.home.local server3

#Save and exit hosts

#(Substitute HOME.LOCAL below with the FQDN of your domain)

sudo net join -W home.local -U Administrator
#type in domain admin password
#You will get a Kerberos Error, but it will update secrets.tdb in /var/lib/samba, and
#Active Directory will accept it as a domain PC

ls -l /var/lib/samba
#Verify the secrets.tdb has a time-stamp of a few seconds ago
#copy secrets.tdb to thumb drive
#Shutdown Linux (to avoid duplicate names on the network)
____________________________________________________
#Using Notepad++, copy, paste, save the code below to a thumbdrive as 'samba-addomain.sh'
#Note: I included a line to grab the stashed copy of smb.conf and drop it into the running config.
#It is not in that location yet though, so don't reboot the DNS yet


#!/bin/sh
smbd_start() {
      cp -p /mnt/HD_a2/ffp/etc/secrets.tdb /tmp/samba/secrets.tdb
      cp -p /mnt/HD_a2/ffp/etc/smb.conf /etc/samba/smb.conf
      killall smbd
      /usr/bin/smbd -D
}
smbd_stop() {
  killall smbd
}
smbd_status() {
  echo
}
case "$1" in
  stop)
      smbd_stop
      ;;
  restart)
      smbd_stop
      sleep 1
      smbd_start
      ;;
  status)
      smbd_status
      ;;
  start|'')
      smbd_start
      ;;
  *)
      echo "Usage: $0 start|stop|restart|status"
      ;;
esac
______________________________________________________

DNS323 Box


mount -t minix /dev/mtdblock0 /sys/mtd1
mount -t minix /dev/mtdblock1 /sys/mtd2
#EDIT both copies of smb.default
vi /sys/mtd[12]/smb.default
#Change the line "workgroup = workgroup" to "workgroup = HOME" (Be careful NOT to include a space after HOME)
#Change the line "netbios name = dlink-xxxxxx" to "netbios name = dns323" (or whatever name you chose above, e.g. NAS)
#Change the line "security = SHARE" to "security = DOMAIN"

#Save and exit smb.default

sync
umount /sys/mtd1 /sys/mtd2

________________________________________________________
#ftp secrets.tdb and samba-addomain.sh to Volume_1 root
#Using PuTTY, telnet to /mnt/HD_a2
chmod 777 secrets.tdb samba-addomain.sh
cp -p secrets.tdb /mnt/HD_a2/ffp/etc/secrets.tdb
cp -p samba-addomain.sh /mnt/HD_a2/ffp/start/samba-addomain.sh
cp -p /etc/samba/smb.conf /mnt/HD_a2/ffp/etc/smb.conf
rm secrets.tdb
rm samba-addomain.sh

#reboot NAS (using web admin)
_________________________________________________________
#Login to NAS (Web)
#Verify device name and workgroup are correct
#(workgroup may contain a space at the end of it, and if so, delete it)
_______________________________________________________

#create users, name them exactly the same as the AD users logon name.
#Create a random 5+ digit password and ignore it.
#Share out folders as necessary, and bind them to just one user
#Remove default share (Volume_1)

#Using Putty, telnet into DNS323 and edit /etc/samba/smb.conf
#Scroll down and add additional users as necessary to each share, separated by a space.
#NOTE: Spell the accounts correctly, as it will accept without verifying! SAMBA names map to Linux names
#Save and exit smb.conf
smbd stop
smbd start
cp /etc/samba/smb.conf /mnt/HD_a2/ffp/etc

_______________________________________________________
#Add root password, turn on SSH, turn off Telnet

pwconv
passwd
usermod -s /ffp/bin/sh root

pwck
grpck
#You may ignore warnings about missing home directories and invalid group names.
#If asked to remove a duplicate user, say 'yes' to remove one of them. Rerun the commands to check that it's fixed

#Test your changes with the login program:

login
#If that worked, save the password files to flash memory:

store-passwd.sh

#test ssh login:
cd /ffp/start
sh sshd.sh start

#Use PuTTY, switch to SSH, and attempt to login
#If successful, shut down telnet, and have SSH start on reboot

cd /ffp/start
chmod a-x telnetd.sh
chmod a+x sshd.sh


##/END GO-BY##

Things I am still working on next:
- The editing of SMB.conf is unnecessarily complex.  I'd like to use SWAT, but it seems SWAT is only available if you install the full SAMBA, which updates the SAMBA on the box.

Offline
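
A post-install check for the go-by above, as an added example that is not part of the original post: it verifies that the stashed secrets.tdb (which holds the domain machine-account secret) is accessible to its owner only, that the stashed smb.conf sets security = DOMAIN with no trailing whitespace after the workgroup value, and that telnetd.sh is disabled and sshd.sh enabled. The names audit_nas and group_other_bits and the FINDING output format are assumptions made for this example; the paths are the ones used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit the files the go-by
# leaves under the ffp directory. The default path is the one used in the post.

# Group/other permission characters of a file, e.g. "------" or "rwxrwxrwx".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

audit_nas() {
    root="${1:-/mnt/HD_a2/ffp}"
    bad=0
    report() { echo "FINDING: $1"; bad=1; }

    # secrets.tdb holds the machine-account secret: owner access only.
    if [ ! -f "$root/etc/secrets.tdb" ]; then
        report "secrets.tdb missing from $root/etc"
    elif [ "$(group_other_bits "$root/etc/secrets.tdb")" != "------" ]; then
        report "secrets.tdb is accessible to group/other"
    fi

    # The stashed smb.conf is copied over the running config by the start script.
    conf="$root/etc/smb.conf"
    if [ ! -f "$conf" ]; then
        report "smb.conf missing from $root/etc"
    else
        grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*domain[[:space:]]*$' "$conf" ||
            report "smb.conf does not set security = DOMAIN"
        grep -Eiq '^[[:space:]]*workgroup[[:space:]]*=.*[^[:space:]][[:space:]]+$' "$conf" &&
            report "workgroup value has trailing whitespace"
    fi

    # The post turns services off and on with the execute bit in start/.
    [ -x "$root/start/telnetd.sh" ] && report "telnetd.sh is still enabled"
    [ -x "$root/start/sshd.sh" ] || report "sshd.sh is not enabled"

    return "$bad"
}

# "sh audit.sh run [ffp-root]" runs the audit; the exit status is 1 on findings.
if [ "${1:-}" = "run" ]; then audit_nas "${2:-}"; fi
```

If the secrets.tdb check fires, `chmod 600 /mnt/HD_a2/ffp/etc/secrets.tdb` clears it; the start script's `cp -p` preserves that mode when it copies the file to /tmp/samba.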

 

#2 2011-01-27 22:59:32

pnin
Member
Registered: 2010-03-12
Posts: 15

Re: Successfully connected DNS323 to Active Directory Domain

Great work, ShrewLWD12. This will allow for use of the DNS-323 in my work environment. (If I am able to replicate everything, that is...)

Last edited by pnin (2011-01-27 23:00:09)

Offline

 

#3 2011-01-28 16:59:07

vschlenk
Member
Registered: 2011-01-27
Posts: 25

Re: Successfully connected DNS323 to Active Directory Domain

Absolutely great ....now I [or someone more proficient than me] will have to try out the steps involved with using Open LDAP :-) AD worked. But I am at the point of moving from AD to Open LDAP - that's why :-)

Cheers,
Volker

Offline

 

#4 2011-04-22 22:03:08

papa dragon
New member
Registered: 2011-04-22
Posts: 4

Re: Successfully connected DNS323 to Active Directory Domain

I am working right now on using a DNS-323 as the data fault in an AD. I want to join it to the domain and use AD user authentication.
So basically exactly what is described above.
The question I have is: Why set up a Linux laptop and use this samba.conf instead of copying the samba.conf that is found in /etc/samba on the DNS-323? Am I missing something and do not understand a portion of the idea behind it? Or would this just be too simple?

Thanks.

Offline

 

#5 2011-04-24 06:11:41

papa dragon
New member
Registered: 2011-04-22
Posts: 4

Re: Successfully connected DNS323 to Active Directory Domain

Ok,
I did the whole thing including running the second copy of linux on a laptop to get the secrets.tdb file.
I had a bit of struggle with the samba.sh script, but got this to work. Will post my solution once everything is working.
I now have the following problem: I am running windows 2008R2 (enterprise edition) DCs. When trying to authenticate against these machines, I am getting an error message. On the DC, I have error log # 5722 and 5805. Looking these up, I find that 2008R2 prevents by design weak encryption algorithms like (Windows NT 4.0, Network Storage Systems).
So, in short, samba on my DNS-323 can't encrypt strong enough for 2008R2 to accept.

Any ideas?

By the way: this behavior is 2008R2 only. Microsoft changed this behavior between 2008 and 2008R2.

Offline

 

#6 2011-12-02 00:42:33

mfcoburn
New member
Registered: 2011-12-02
Posts: 1

Re: Successfully connected DNS323 to Active Directory Domain

papa dragon wrote:

Ok,
I did the whole thing including running the second copy of linux on a laptop to get the secrets.tdb file.
I had a bit of struggle with the samba.sh script, but got this to work. Will post my solution once everything is working.
I now have the following problem: I am running windows 2008R2 (enterprise edition) DCs. When trying to authenticate against these machines, I am getting an error message. On the DC, I have error log # 5722 and 5805. Looking these up, I find that 2008R2 prevents by design weak encryption algorithms like (Windows NT 4.0, Network Storage Systems).
So, in short, samba on my DNS-323 can't encrypt strong enough for 2008R2 to accept.

Any ideas?

By the way: this behavior is 2008R2 only. Microsoft changed this behavior between 2008 and 2008R2.

I have the same setup.  Were you able to get this to work?

Offline

 

#7 2017-05-30 13:15:15

slobato
New member
Registered: 2017-05-11
Posts: 2

Re: Successfully connected DNS323 to Active Directory Domain

Does this how-to work with the DNS-320L? Thanks.

Last edited by slobato (2017-05-31 22:11:29)

Offline

 
