Thread: Buzzkill

  1. #1

    Buzzkill

    2 months of testing. 8 DLNA servers. 2 platforms.
    The winner that should have been: Mezzmo, hands down
    And the winner is: TVersity

    Now, if you wonder what this is about, look no further than the "FAQ: Why is Mezzmo asking for my Windows user name and password?" sticky.

    I can't help but wonder how developers capable of writing such great software failed to figure out a way to deliver customized content from a service running under Local System Account.

    Furthermore, how can you seriously promote Network Media Single Source and per-user servers at the same time? "The family member would simply choose their own media server"... Why can't they connect to the single server (with NMSS!) and then simply choose their own library? All parental controls and privacy issues can be resolved by software, not by the way the software is installed.

    Even if you don't know how to do it yet, there is one thing that you can do right now. Install the service under Local System Account and explain to customers how to configure the service Log On in the control panel. But don't ask for user name/password. No sane user would use a program downloaded from the internet that does this. And I am not alone in this, seeing as the mentioned FAQ got sticky status and there are comments on the CNET download page expressing security concerns.

    So, in short, my question is this - are you going to do something about this issue? If yes I would be your most devoted customer.
    Last edited by wwwoholic; 01-14-2012 at 03:23 AM.

  2. #2

    Actually, I'd like to expand the question above. It might be that I was wrong to dismiss the approach too soon.

    A service running under a limited account is obviously more secure than one under the local system account. So the second question would be - is it possible to run Mezzmo under a limited account? My offhand guess is it is not, since the program needs permission to install a service, usually not available to limited accounts. It also tries to configure the firewall, another permission not available to limited user accounts.

    Is there a way to do all this without asking for credentials? I honestly don't know. What I do know is that I'd rather see single server on a network (with NMSS) hosting several personalized libraries than many servers hosting one library each. It would also be great if it runs as service under dedicated limited account, but only if name/password is not asked during setup.
    Last edited by wwwoholic; 01-14-2012 at 07:09 AM.

  3. #3

    ... still talking to myself, lol.

    Tried an experiment tonight. Logged as administrative account, started Mezzmo and when prompted for user name/password entered another, limited account. Server started OK and was recognized by my WD TV Live box. Hurray!

    Wait a second, where are my files? Apparently adding them to the library had nothing to do with the library served by the server on another account. Why do you allow editing the user name then? It is misleading and pointless.

    But the main goal of this experiment was to check if server can work under limited account. And apparently it can just fine! Unfortunately, the Mezzmo itself requires administrative account to be run (only to be able to register service and adjust firewall settings).

    So, the entire beautiful scenario (found all over the web and documentation) where each family member maintains his/her library simply does not work. Who will give a kid's account administrative privileges?

    It makes much more sense to run the installer program from an administrative account and set up the service (running under any account; limited is actually better) and firewall. Then Mezzmo would not need administrative privileges, because the service is already running. All that you need is to configure it, and this can be done per-user, with one service serving all libraries.

    By the way, IMPORTANT QUESTION:

    How to uninstall one or all services? While experimenting with Mezzmo I have created way too many instances which now load at startup under different accounts even though all but one are stopped.
    Last edited by wwwoholic; 01-15-2012 at 02:55 PM.

  4. #4
    Join Date
    Nov 2007
    Location
    Melbourne, Australia
    Posts
    11,642

    The main reason for the service to be user-based is to be able to access files with permissions set for that particular user. If a user has his files with specific permissions, then the service needs to be using that user's credentials or administrator's credentials. In the latter case, a non-admin user won't be able to start/stop the service.

    We will consider allowing the service to be run under a local service account as an option (it's on our to-do list for future development).

    To delete a service use the "sc delete" command (see this: http://technet.microsoft.com/en-us/l...=ws.10%29.aspx).

    Mezzmo Android: Install it on your tablet, smartphone, Android TV or Amazon Fire to browse and stream files from your Mezzmo library to all your devices. Full details at http://www.conceiva.com/products/mez...mo_android.asp
    Mezzmo for Kodi Add-on: Install it into Kodi to stream files from your Mezzmo library directly in Kodi. Full details at http://www.mezzmo.com/wiki/doku.php?...odi_user_guide
    Mezzmo for Roku App: Install it onto your Roku to stream files from your Mezzmo library. Full details at http://www.mezzmo.com/wiki/doku.php?...oku_user_guide
    Wiki: User Guides & Reference Manual at http://www.mezzmo.com/wiki
    Facebook: http://www.facebook.com/Mezzmo.DLNA.Server
    Twitter: https://twitter.com/conceiva_mezzmo
    Web: http://www.mezzmo.com
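
    An added example, not part of the original post and not Conceiva's tooling: a PowerShell script that lists the service instances matching a wildcard, shows which account each one logs on as, and optionally runs "sc delete" on the stopped ones. The -NamePattern value is an assumption you supply, since the thread does not give the actual service names.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# -NamePattern is a wildcard supplied by you; the real service names are not given in the thread.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$NamePattern,
    [switch]$DeleteStopped
)

# Built-in service identities. Anything else is a user account whose
# password was supplied when the service was configured.
$builtIn = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'

# Match on service name, display name or executable path.
$found = Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.Name -like $NamePattern -or
    $_.DisplayName -like $NamePattern -or
    $_.PathName -like $NamePattern
}

# Win32_Service exposes the log-on account as StartName.
$report = foreach ($svc in $found) {
    [pscustomobject]@{
        Name        = $svc.Name
        State       = $svc.State
        StartMode   = $svc.StartMode
        LogOnAs     = $svc.StartName
        UserAccount = [bool]($svc.StartName -and $svc.StartName -notmatch $builtIn)
    }
}
$report | Sort-Object LogOnAs, Name | Format-Table -AutoSize

if ($DeleteStopped) {
    foreach ($svc in $found | Where-Object { $_.State -eq 'Stopped' }) {
        if ($PSCmdlet.ShouldProcess($svc.Name, 'sc.exe delete')) {
            # Call sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content.
            & sc.exe delete $svc.Name
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "sc.exe delete $($svc.Name) failed with exit code $LASTEXITCODE"
            }
        }
    }
}
```

    Running it with -DeleteStopped -WhatIf first prints the services that would be deleted without removing anything.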

  5. #5

    Originally posted by Dennis:
        The main reason for the service to be user-based is to be able to access files with permissions set for that particular user. If a user has his files with specific permissions, then the service needs to be using that user's credentials or administrator's credentials. In the latter case, a non-admin user won't be able to start/stop the service.

        We will consider allowing the service to be run under a local service account as an option (it's on our to-do list for future development).

    I don't think local service account will be able to read protected user data. You need local system account for that. Anyway, far from presuming I can do better than you did, here is how I would design this application:

    1. Split Mezzmo GUI into 2 parts: Configuration and Maintenance.
    - Configuration GUI must be run under administrative account for the purpose of starting/stopping service, firewall configuration, changing settings for Media Server (including working and transcoding directories, device profiles etc.)
    - Maintenance GUI can be run under any account for the sole purpose of library content management for this particular user. The libraries become third kind of data nodes (in addition to folders and playlists) and used exactly to tie the library to the user. Maintenance GUI makes calls to Media Server service and notifies it about changes in library content. Since this call is always made from user account the service knows which user's library has to be updated.
    - this basically makes media management application safe for use by kids and easy to comprehend for non technically-savvy.

    2. Make the service run under local system account, one instance per PC serving all the libraries. Access control is done on per-library basis, as in "this device can see these libraries" and is set from Configuration GUI. So each device would only see the libraries it is entitled to.
    - this allows Media Server to use same transcoded media, thumbnails etc for all users, eliminating huge problem of polluting drives with identical files again and again.
    - significantly reduces processor/memory requirements in case of multiple users.

    3. Eliminate the need for restarting service. Basically the service is only a wrapper around Media Server. It responds to commands from Configuration and Maintenance GUI and shuts down the Server when it is necessary. But there is no need for starting/stopping the service itself all the time, so no need for Maintenance GUI to be run under administrative account.
    - prompt for user credentials that was the reason for this thread is no longer necessary.

    Edit: What's interesting, is that you already have all the pieces for what I am describing... I just shuffled them around a bit

    Oh, and I went ahead and bought it anyway... so you are stuck with me now
    Last edited by wwwoholic; 01-17-2012 at 08:46 AM.

  6. #6
    Thank you for the suggestions.

    We'll be looking at allowing Mezzmo to run as one of the system accounts and we'll take your notes into account. Some of the service accounts are limited in what they can do (e.g. cannot access the domain or the network, for example), so there needs to be some good research done (as well as testing).

    Also, mapped drives are user-based, so a service running under a system-wide account won't be able to access those properly either.


  7. #7

    Yes, mapped drives would be a problem, although UNC can help with that. Won't help with network resources secured with user account though, which is typical for home networks. Local system account has a right to impersonate but for that you probably would need user credentials again, besides I am not sure if it would work for the network.

    Well, it works for me at the moment as I am the only one who manages libraries anyway. There are some problems, like unnecessary transcoding, but they are not for this thread.
