[Investigating] RoonOS 3.0 (272) anonymous SMB access still possible

Roland_von_Unruh · May 7, 2026, 5:13pm

Just installed RoonOS 3.0 (272) EA to try out the new SMB security features.

Aparrantly, anonymous access still works. I can log in (Client OS: MacOS 26.4.1):

as guest (anonymously, without user/pw)
as registered user “guest” without password
as registered user “guest” with a random password
as registered user “guest” with password “guest”

According to the release notes, only the last option should be possible.

smbutil statshares -a via terminal gives the follwoing results:

                              SMB_NEGOTIATE                 SMBV_NEG_SMB1_ENABLED
                              SMB_NEGOTIATE                 SMBV_NEG_SMB2_ENABLED
                              SMB_NEGOTIATE                 SMBV_NEG_SMB3_ENABLED
                              SMB_VERSION                   SMB_3.1.1
                              SMB_CURR_ENCRYPT_ALGORITHM    OFF
                              SMB_CURR_SIGN_ALGORITHM       AES_128_GMAC

This means a SMBv3 connection has been enabled, connection is not encrypted but signed.

BUT: SMB v1, which is considered insecure, is still allowed. Shouldn’t at least SMB v2 be forced as minimum SMB version for security reasons?

Also: There doesn’t seem to be any option to manually set the login credentials through the ROCK web GUI. “guest” / “guest” is quite simple and no big step uo from anonymous access IMHO. It would be nice, if users could set an individual password to enhance security.

Roland_von_Unruh · May 20, 2026, 5:30pm

I just installed the new Early Access build 274 and can confirm that the issue pointed out above still is present.

This was to be expected because the release notes don’t mention this bug having been fixed yet.

Suedkiez · May 21, 2026, 9:21pm

I have this, too. I just reinstalled ROCK with UEFI / OS 3.0, and when I connected from my MacBook (macOS 26.5) > Finder > Network to ROCK/Data, I was never asked to supply the guest/guest credentials.

It does say “Connected as: Guest”, though:

According to Apple, this only occurs when “guest” connections are allowed:

Select how you want to connect to the Mac:

Guest: You can connect as a Guest user if the shared computer permits guest access.

Registered User: Connect to the other Mac using a valid login name and password. If “Only these users” is selected on the other Mac, make sure the login name you’re using is on the list of allowed users.