Our family has a digital music collection. We have accumulated downloads and ripped CDs from a variety of family members. I recently aggregated it all and did some metadata and other cleanup. When I put it back out on the network attached storage (NAS), I started to run into the problems of working with consumer technology.
First, it sounds grand to say we have a NAS. It’s a Western Digital My Cloud consumer drive that you can attach to your home network. It’s great as a place to backup files that are low use but high value. It also has a somewhat janky music server (Twonky 7) so media on the device can be streamed to devices on the home network.
Most administration of the NAS occurs over a web interface. You can access the device’s administrative dashboard to create new shares (the default one is Public) and to create users (the default users are admin and the anonymous “nobody” which is a member of the “share” user group). I mention this because, as you add users and access the drive, this will matter.
Like many of my posts, this one is as much to share experience as to remind future me what I’ve just done. This may be a good point at which to cut your losses and move on to something more productive!
Access Denied
The goal was to replicate what some archives have with AIP, SIP, and DIP. I wanted one collection that was fixed – locked – as an archive. This would be copied out to the NAS, which could then be used by anyone on the network (downloaded and modified or used in place).
I fixed the collection and dropped it out on the NAS using Windows File Explorer. All good. Then I attempted to add some new music and to replace files with modified ones. Not so good. File Explorer provided me with an Access Denied message.
This is a common problem for WD My Cloud users. My guess is that it’s common for other consumer network storage customers. As far as I can tell, it becomes because you are trying to bridge two different systems.
Your Windows computer is … well, Windows. You have a user name and password on this device. It understands permissions on your system (probably NTFS these days). You may even be really comfortable using your File Explorer. So you right click on the folder out on the NAS – which looks like any other folder – and check the access rights. This is what I did first and I found that Windows thought I should be able to do what I wanted to do.
But the NAS is not running Windows. WD My Cloud’s are running a version of Debian Linux and use the EXT4 file system. When you create a user on the My Cloud dashboard, you are creating new user accounts in the “share” user group. I have one called, unsurprisingly, David. What user David:Share can access is determined by the Linux system on the NAS, not by what Windows shows in File Explorer. Windows relies on the SMB (Samba) file access provided by the Linux operating system on the NAS.
The WD My Cloud also has a user called root. It is the default super user on a Linux system (you can recreate this on Windows). You will use this account only if you access your NAS directly.
If you connect your NAS by mapping a network drive share, you will be prompted to use a username that exists on the NAS (admin, nobody, david, etc.). From that point on, everything you do via that mapped drive will be done using that user name. If you never disconnect (or have the drive disconnected) and never access the drive using a different user name, you probably won’t have any problems.
But I wasn’t always so careful. Or at least, my problem was because the user who owned the files on the NAS was different from the user who was connected to the drive.
SSH to the Drive
If you get the Access Denied error, you can connect to your drive in a command prompt and look to see if this is your problem. This doesn’t require you to make any technical changes to the drive. You log in, move down to the appropriate folder and look.
The first thing to do is to turn on SSH access on the WD My Cloud. This is a secure access method you will invoke at your command prompt. I keep SSH disabled on the WD My Cloud dashboard unless I’m actually using it at that moment.
When you turn on SSH, you will be given a warning. Check the box and note the information about the root user account. The default password is welc0me. If you have not used the account before, this will be the password you need to use.
When you are looking at the WD My Cloud dashboard, copy down your IP address on the Network Profile page (you can see where it would be on the picture above). You will use that to connet to the drive.
Then open up a Windows Command Prompt. Click your Windows key (Start Menu), type cmd and hit [Enter]. You should see a command prompt. As I mentioned earlier, there is a user called root. You are going to tell SSH to access your drive as root. Type:
ssh root@192.nnn.nnn.nnn
Replace your IP address where you see 192.nnn.nnn.nnn in this picture. You will be prompted for a password. If this is your first time, type welc0me (that’s w-e-l-c-zero-m-e). You won’t see anything when you type the password. Hit [ENTER] when you’re done. If you’re successful, you’ll see a bunch of new text and a new prompt ending in :~#.
You will land in the root user’s home folder, which is not where you want to be. You can use two commands to move and look around: cd (change directory) and either ls (list) or ls -la.
To get out of the root user’s folder, type cd .. The two dots tell the system to go up one level. You can also type cd / to go to the very top directory of the drive. It’s the same place in this case.
If you now type ls, you will see a file and folder listing for this level. You should see a folder called DataVolume. You will also see a folder called shares. If you go into DataVolume (cd DataVolume) you will also see a folder called shares. They are the same thing. In either case, type cd shares and you will see a list of the Shares you created on your WD My Cloud dashboard. One will be called Public but you may have others. Change directory and go into Public (cd Public).
Now you want to see who owns the files that are causing the access denied. List the files by adding a switch to the command to show more information: ls -la. (el-ess-space-dash-el-ay). You’ll see something like this. Root is the super user; nobody is the anonymous user. Share is the user group. The characters on the left are permissions equivalent to read, write, and execute on Windows.
Using cd and ls -la, you should now be able to locate the files that are causing your Access Denied problem. Use cd to move into and out of folders and ls to list the contents. Once you have identified the owner, you can go back to your Windows File Explorer. Disconnect your mapped drive to the NAS and reconnect as that user.
In my case, I found that there were a bunch of different owners. I had not been consistent in my logins. And other family members had also put content out on the network, so there were a bunch of usernames. I would need to disconnect and reconnect repeatedly if this occurred again.
I decided to just make everything in the Public share owned by nobody. We have private shares separate from Public for personal files. So everything in Public is already publicly accessible to anyone on the network. You should not do this to any other part of the system, especially outside the shares area. System files need to be owned by root or other system services.
At the prompt (it doesn’t matter if you’re at /shares/Public# or /shares), I typed:
chown -R nobody:share /shares/Public
When you hit enter, the command will change ownership (chown) recursively (-R) down through all of your files and folders starting at /shares/Public. Every user is in the share group other than root, so the new owner nobody:share could also be david:share or whatever user you want to change ownership to.
This process can take some time. We have over 100,000 files on the NAS and there is no indicator that anything is happening. Eventually it will return to a prompt and you can type ls -la again to see if your changes took.
You can then return to Windows File Explorer and see if the Access Denied error is gone. In my case I was using Microsoft’s SyncToy and so I ran one of my folder pairs. The access errors were gone.
Now all you have to do is type exit and hit [ENTER] (closes SSH) and exit and [ENTER] again (closes the command prompt window). Return to your WD My Cloud dashboard and turn off SSH and you’re finished.
If you have multiple people connected to your Public share, they can all log in as nobody (no password). It appears that if you have other, private shares, Windows will require you to log into all of them using the same user name. In which case, you should use the usernames other than nobody.