Hi everyone, Fady, renbag,

I have been working on this bug on and off for a little while now, but I
am stuck because I can't reproduce what you are all seeing. Having a
reproducer will greatly speed up getting a fix created for this issue.

In my client gvfsd is always started via systemd --user, so I must be
configuring something differently. Can you try out my reproducer and let
me know what you are configuring differently?

Instructions to reproduce:

You will need a 20.04 server instance, and a 20.04 Desktop instance.

To set up the server:

1) Create a fresh 20.04 server instance
2) sudo apt update
3) sudo apt upgrade
4) sudo hostnamectl set-hostname samba-dc
5) sudo vim /etc/hosts
Add an entry with its IP address, e.g.:
192.168.122.199    samba-dc samba-dc.example.com
6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5
Note: skip config of kerberos KDC.
7) sudo rm /etc/krb5.conf
8) sudo rm /etc/samba/smb.conf
9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1
10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
11) sudo systemctl mask smbd nmbd winbind
12) sudo systemctl disable smbd nmbd winbind
13) sudo systemctl stop smbd nmbd winbind
14) sudo systemctl unmask samba-ad-dc
15) sudo systemctl start samba-ad-dc
16) sudo systemctl enable samba-ad-dc
17) sudo reboot
18) sudo systemctl stop systemd-resolved
19) sudo systemctl disable systemd-resolved
20) cat << EOF >> /etc/resolv.conf
nameserver 192.168.122.199
search SAMBA
EOF
21) sudo reboot
22) host -t SRV _ldap._tcp.samba-dc.example.com
_ldap._tcp.samba-dc.example.com has SRV record 0 100 389 samba-dc.samba-dc.example.com.
23) $ smbclient -L localhost -N
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        sysvol          Disk      
        netlogon        Disk      
        IPC$            IPC       IPC Service (Samba 4.13.17-Ubuntu)
SMB1 disabled -- no workgroup available
24) $ smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter SAMBA\Administrator's password: 
  .                                   D        0  Mon Feb 28 04:23:22 2022
  ..                                  D        0  Mon Feb 28 04:23:27 2022

                9983232 blocks of size 1024. 7995324 blocks available
25) kinit administrator
Password for administra...@samba-dc.example.com: 
Warning: Your password will expire in 41 days on Mon Apr 11 04:23:27 2022
26) klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administra...@samba-dc.example.com

Valid starting     Expires            Service principal
02/28/22 04:32:47  02/28/22 14:32:47  krbtgt/samba-dc.example....@samba-dc.example.com
        renew until 03/01/22 04:32:44
27)


Create a share:
28) sudo mkdir -p /srv/samba/Demo/
29) sudo vim /etc/samba/smb.conf
[Demo]
        path = /srv/samba/Demo/
        read only = no
30) sudo chmod 0770 /srv/samba/Demo/


Install a fresh 20.04.4 Desktop instance, and run the following:

31) sudo apt install realmd smbclient
32) sudo vim /etc/hosts
Add an entry with its IP address, e.g.:
192.168.122.199    samba-dc samba-dc.example.com
33) sudo realm join --user=Administrator SAMBA-DC.EXAMPLE.COM
$ smbclient -U Administrator //samba-dc.example.com/demo
Enter WORKGROUP\Administrator's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Mar  7 15:20:30 2022
  ..                                  D        0  Mon Mar  7 15:20:30 2022

                9983232 blocks of size 1024. 7686220 blocks available
$ smbclient //samba-dc.example.com/demo -k
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER

Now open Nautilus, add smb://samba-dc.example.com/demo as a share, and you will
be faced with a dialog box asking for username / password credentials. Close
Nautilus.

Let's get a kerberos ticket:

$ kinit administra...@samba-dc.example.com
Password for administra...@samba-dc.example.com: 
Warning: Your password will expire in 11 days on Mon 11 Apr 2022 16:23:27
$ smbclient //samba-dc.example.com/demo -k
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Mar  7 15:20:30 2022
  ..                                  D        0  Mon Mar  7 15:20:30 2022

                9983232 blocks of size 1024. 7616832 blocks available

34) Open Nautilus, add smb://samba-dc.example.com/demo as a share, and it will
open correctly using kerberos credentials.

When I look at my process list, gvfsd is where it is supposed to be, under the
systemd user session:

$ ps auxf
...
ubuntu      1207  0.5  0.2  19008 10128 ?        Ss   12:12   0:00 /lib/systemd/systemd --user
ubuntu      1208  0.0  0.0 179632  3544 ?        S    12:12   0:00  \_ (sd-pam)
ubuntu      1213  0.3  0.4 1220668 19360 ?       S<sl 12:12   0:00  \_ /usr/bin/pulseaudio --daemonize=n
ubuntu      1216  0.2  0.6 511384 24280 ?        SNsl 12:12   0:00  \_ /usr/libexec/tracker-miner-fs
ubuntu      1218  0.6  0.1  19344  6472 ?        Ss   12:12   0:00  \_ /usr/bin/dbus-daemon --session --
ubuntu      1222  0.0  0.1 239692  7640 ?        Ssl  12:12   0:00  \_ /usr/libexec/gvfsd
...

Looking at /proc/1222/environ:

$ cat /proc/1222/environ 
HOME=/home/ubuntuLANG=en_NZ.UTF-8LANGUAGE=en_NZ:enLOGNAME=ubuntuPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/snap/binSHELL=/bin/bashUSER=ubuntuXDG_RUNTIME_DIR=/run/user/1000GTK_MODULES=gail:atk-bridgeQT_ACCESSIBILITY=1XDG_DATA_DIRS=/usr/local/share/:/usr/share/:/var/lib/snapd/desktopDBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/busMANAGERPID=1207INVOCATION_ID=a9b1a819b2e9444ba10b97de7d446b8eJOURNAL_STREAM=8:35057

I don't seem to have KRB5CCNAME set, but yet, it works.

What am I doing that gvfsd starts later than it does in your
environments? Do I need to use sssd to get the ticket instead?

I configured /etc/sssd/sssd.conf with the below:

[sssd]
domains = samba-dc.example.com
config_file_version = 2
services = nss, pam

[domain/samba-dc.example.com]
default_shell = /bin/bash
ad_server = samba-dc.example.com
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = SAMBA-DC.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli 
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = samba-dc.example.com
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
simple_allow_users = administrator

and rebooted, but gvfsd is still started inside the systemd --user
session, and not before.

Any ideas would be appreciated.

Thanks,
Matthew
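
Added example (not part of the original message or of gvfs): the /proc/1222/environ check above done field by field, since the file is NUL-separated and cat runs the variables together. It reports whether gvfsd carries MANAGERPID (which systemd sets for processes its user instance spawns) and whether its KRB5CCNAME matches the login session's. The function names, the cut-down sample environ and the PAM-style cache name are constructed for illustration.

```bash
# Added diagnostic sketch; function names are hypothetical, sample data is constructed.

# Print the value of variable $2 from the NUL-separated environ file $1;
# return 1 if the variable is not present.
environ_get() {
    tr '\000' '\n' < "$1" | awk -v k="$2" '
        index($0, k "=") == 1 { print substr($0, length(k) + 2); found = 1; exit }
        END { exit !found }'
}

# Report how gvfsd was launched and which credential cache it will look in.
# $1 = gvfsd environ file, $2 = KRB5CCNAME of the login session (may be empty)
gvfsd_report() {
    local cc mgr session_cc="$2"
    cc=$(environ_get "$1" KRB5CCNAME) || cc=""
    mgr=$(environ_get "$1" MANAGERPID) || mgr=""
    if [ -n "$mgr" ]; then echo "launcher=systemd-user($mgr)"; else echo "launcher=other"; fi
    # "default" means libkrb5 falls back to its default cache name
    # (FILE:/tmp/krb5cc_<uid> unless default_ccache_name is set in krb5.conf).
    if [ "$cc" = "$session_cc" ]; then
        echo "ccache=${cc:-default} same-as-session"
    else
        echo "ccache=${cc:-default} session=${session_cc:-default} MISMATCH"
    fi
}

# Constructed sample: a cut-down copy of the environ shown above (no KRB5CCNAME).
sample_environ() {
    printf 'HOME=/home/ubuntu\000USER=ubuntu\000XDG_RUNTIME_DIR=/run/user/1000\000MANAGERPID=1207\000'
}

demo() {
    local f
    f=$(mktemp)
    sample_environ > "$f"
    echo "# session used plain kinit, KRB5CCNAME unset:"
    gvfsd_report "$f" ""
    echo "# session has KRB5CCNAME set, e.g. by a PAM module (constructed value):"
    gvfsd_report "$f" "FILE:/tmp/krb5cc_1000_AbCdEf"
    rm -f "$f"
}
demo

# Live use on the desktop:
#   gvfsd_report "/proc/$(pgrep -u "$USER" -x gvfsd | head -n 1)/environ" "$KRB5CCNAME"
```

A MISMATCH line means gvfsd and the login session are looking at different credential caches, which is the condition worth comparing between a machine that reproduces the prompt and one that does not.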

https://bugs.launchpad.net/bugs/1779890

Title:
  Nautilus does not use a valid Kerberos ticket when accessing Samba
  share

Status in gvfs:
  Unknown
Status in gvfs package in Ubuntu:
  Triaged

Bug description:
  Nautilus prompts for username and password when accessing a Samba
  share on a network drive, despite having a perfectly valid unexpired
  Kerberos ticket. The Kerberos ticket is obtained automatically at
  logon by authentication against a Samba Active Directory server (Samba
  AD-DC).

  Accessing the same Samba share with the same Kerberos ticket via
  "smbclient //host/sharename -k" works fine.

  One known workaround is: "nautilus -q", and then "killall gvfsd".
  After that, accessing the Samba share with Nautilus works normally as
  it should.

  I did not experience this issue in Ubuntu 16.04. It appears that a
  regression was introduced somewhere between 16.04 and 18.04.

  The issue is quite annoying and confusing for the users who are used
  to accessing Samba shares on the network drive without being prompted
  for their username and password.

  The issue appears to manifest itself usually not on the first access
  to a Samba share, but on subsequent accesses after a system reboot or
  upon user logout/login. Strangely, removing ~/.cache/ibus/bus/registry
  file before user login appears to fix the issue for the current user
  session, but then the problem reappears upon subsequent user logins or
  after a system reboot.

  Nemo appears to have the same problem as Nautilus.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: gvfs-daemons 1.36.1-0ubuntu1
  ProcVersionSignature: Ubuntu 4.15.0-24.26-generic 4.15.18
  Uname: Linux 4.15.0-24-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.20.9-0ubuntu7.2
  Architecture: amd64
  Date: Tue Jul  3 11:12:06 2018
  ExecutablePath: /usr/lib/gvfs/gvfsd
  InstallationDate: Installed on 2018-04-27 (66 days ago)
  InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
  ProcEnviron:
   LANG=en_CA.UTF-8
   PATH=(custom, no user)
   SHELL=/bin/bash
   XDG_RUNTIME_DIR=<set>
  SourcePackage: gvfs
  UpgradeStatus: No upgrade log present (probably fresh install)
