Feature Request: File share authentication


whitestrat13

I'll preface this by saying I'm a security nut and I trust no one. :)

 

Are there any plans to allow the server to authenticate to a network share? I really hate using the everyone account, and I'd prefer to use a dedicated service account for MBS. I have a lot of personal data on my server and I want to lock it down.

 

It would be sweet if something could be built into the api that could encrypt a credential and pass it as a token or something to clients to enable direct play. That way, if you can authenticate to MB, you can browse as the dedicated MB user.

 

I think this is something that could help both Windows users, and those who want to authenticate to a NAS from MBS.

 

I get that I may be the only one who wants to lock down a home network. I'm more curious than anything.

 

As always, I appreciate all the hard work the devs put in, and I'm extremely grateful.

 

Have a great day,

Whitestrat13


whitestrat13

I do, but I'd much prefer that the "everyone" user has no rights on the server. Period.  Anonymous user access is inherently a security risk. 


fraenhawk

I'm confused by your statement. I thought that the server shares went by who you have MBS running as and whether that account has access to the shares. I double-checked and I do not have the everyone account or even the Users group added to any of my network shares and everything works as intended. Everything I've always had configured on my server (which goes back to pre-MB3) has always been done through explicit user permissions per share.


whitestrat13

I run my server headless, and MBS as a service.

The wiki (granted the post is old) said to give the everyone account read permissions, so that's what I did. Clarification by the developers would be helpful.

 

I just looked and MBS is running as the local system account. This allows MBS to read and write to the directories.

 

For direct play, the client has to be able to browse the share. I believe this is why they suggest the everyone account should be given read permissions. I would like clients to authenticate to the share as a specified user. I'm less concerned about the application, as it runs on the same machine as my file shares. I just don't want anonymous users able to access anything on my file server.


i'm sure it's something we can eventually look into. the issue is when we launch external programs, if those programs are going to access the media then they need to be able to support it as well. so at the very least, ffmpeg, and we'll have to look at others. i would imagine they do but we have to figure out how, and if they don't then that's a problem. So that's why at present it's easier to leave it up to OS-level control.


fraenhawk

Ahh, I run my server headless as well, but I still have MBS run on interactive login rather than as a service (I don't let windows update reboot the machine ever and just remote in when I want to do updates/reboots so that I'm sure to log it right back in after). That's the part that threw me off, that you're running as a service. Good luck


The only time you should need to enable access to the Everyone account is if you have Windows Extenders.  I believe that is the only time we recommend that.  The reason being that they use Windows accounts with passwords you cannot know.


Deathsquirrel

If you're concerned about limiting the service's access to the system you can create a user account for that service, give that account access to only the MB folders and library folders, and use that account for the service.  Should work fine so long as you grant it rights to all the folders used by the app.

 

Haven't bothered myself, but should work.

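The setup discussed in this thread (a dedicated account for the service, rights only on the folders the app uses, no Everyone entry on the share), sketched in PowerShell as an added example that is not from any poster or from the project. The account name, service name, folder paths and share name are placeholders, and the read-only library grant is an assumption about how the server is used.

```powershell
# Added example. Run from an elevated prompt; every name below is a placeholder.
$Account     = 'svc-mbs'              # hypothetical dedicated local account
$ServiceName = '<MBS-service-name>'   # placeholder: look it up with Get-Service
$DataDir     = 'D:\MBS-Data'          # hypothetical server program/data folder
$LibraryDir  = 'D:\Media'             # hypothetical library folder
$ShareName   = 'Media'                # hypothetical SMB share over $LibraryDir

# 1. Create the dedicated account.
$Password = Read-Host -AsSecureString -Prompt "Password for $Account"
New-LocalUser -Name $Account -Password $Password -PasswordNeverExpires `
    -UserMayNotChangePassword -Description 'Media server service account'

# 2. NTFS: Modify on the server's own data, read/execute on the library.
#    Assumption: the server only reads media. Use M on the library instead
#    if it writes files next to the media.
icacls $DataDir    /grant "${Account}:(OI)(CI)M"
icacls $LibraryDir /grant "${Account}:(OI)(CI)RX"
# Removes explicit Everyone grants only; inherited entries must be removed
# on the parent folder.
icacls $LibraryDir /remove:g Everyone

# 3. Share permissions: drop Everyone, grant read to the named account.
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force
Grant-SmbShareAccess  -Name $ShareName -AccountName "$env:COMPUTERNAME\$Account" `
    -AccessRight Read -Force

# 4. Point the service at the new account.
#    This call does not grant "Log on as a service"; assign that right in
#    secpol.msc (User Rights Assignment), or set the logon account once
#    through services.msc, which grants it for you.
$Plain = [System.Net.NetworkCredential]::new('', $Password).Password
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" |
    Invoke-CimMethod -MethodName Change -Arguments @{
        StartName = ".\$Account"; StartPassword = $Plain }
Remove-Variable Plain
Restart-Service -Name $ServiceName

# 5. Verify: service identity, share ACL, folder ACL.
(Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartName
Get-SmbShareAccess -Name $ShareName
icacls $LibraryDir
```

With Everyone removed from the share, a direct-play client has to connect with credentials that the share and folder ACLs allow, which is the OS-level control the replies above refer to.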
