** Description changed: [Impact] The so called "browsing a windows network" made use of an SMB1 protocol version feature. Recent versions of samba, including the one released with bionic, default to a higher versions of the protocol which lacks this feature. As a result, the "other locations -> windows network" tab in Nautilus is empty even when there are windows or samba machines in the network. Accessing such machines directly, via smb://<name-or-ip>/ type urls, continues to work. The fix is two-fold: - introduce a new samba API call that can be used to set the protocol version to use - change applications to make use of this API call to set the protocol versio to SMB1/NT1 just for the network browsing gvfs was updated to make use of this api call, if detected at build time. To complete this SRU, gvfs needs a no-change rebuild *after* samba was accepted into proposed. [Test case] * Launch a bionic desktop vm. You can start with a server one, and then install the "ubuntu-desktop" package. In the same command, also install the packages we need for this test: $ sudo apt update $ sudo apt install ubuntu-desktop samba smbclient * set a password for the ubuntu user, so you can login at the graphical console $ sudo passwd ubuntu + * set the same password for the ubuntu samba user: + sudo smbpasswd -a ubuntu + + * add a simple [pub] share to samba: + $ printf "[pub]\n\tpath=/tmp\n\tguest ok = no\n" | sudo tee -a /etc/samba/smb.conf + * reboot $ sudo reboot * login at the graphical console as the ubuntu user. Go through the first-user-setup motions as you want. * try to browse the windows network via "other locations -> windows network". You will get an empty folder. * update the samba and gvfs packages - * logout and login again on the gui, browse the windows network again. This time it will show the "WORKGROUP" folder, and if you click through, you will see yourself (your VM). + * logout and login again on the gui, browse the windows network again. This time it will show the "WORKGROUP" folder, and if you click through, you will see yourself (your VM) and the [pub] share, among others. + + * click on the "pub" share, select registered user and login with the + ubuntu credentials you created earlier with smbpasswd. + + * in another terminal, run this command to confirm that the SMB protocol version that was used to connect to [pub] was not just NT1/SMB1, but higher: + $ sudo smbstatus + ... + 8779 ubuntu ubuntu 192.168.122.94 (ipv4:192.168.122.94:60818) SMB3_11 - partial(AES-128-CMAC) + + Note "SMB3_11" above. + [Regression potential] The samba update itself just introduces and exposes a new API call. It's up to other applications to make use of that. gvfs was patched to detect this call at build time and use it if it's detected. Packages that are not rebuilt will not see the change, and packages that *are* rebuilt will only see the change if they make use of it. [Other Info] This update introduces a specific runtime dependency between gvfs and libsmbclient due to the new API call added to the latter. Any package that is rebuilt with libsmbclient and makes use of that API call will get this specific dependency. This is handled automatically by dh_mkshlibs. To complete this SRU, gvfs will need a no-change rebuild after samba was accepted into proposed. + Disco's gvfs is already using the new call, as can be seen in this build log https://launchpadlibrarian.net/415424052/buildlog_ubuntu-disco-amd64.gvfs_1.40.0-1_BUILDING.txt.gz: + ... + Dependency smbclient found: YES 0.5.0 + Checking for function "smbc_setOptionProtocols" with dependency smbclient: YES + + The smbc_setOptionProtocols() call is only used when the url is like + "smb:///", or the server cannot be resolved. The downgrade overrides the + setting in smb.conf, and is used just for this case: browsing the + network. When connecting to a machine, the url is like "smb://<name>/", + and then this function we are adding is not called. + + I updated the test to actually click on the machine that shows up in the + network browsing, and then check with "smbstatus" which version of the + protocol was used when connecting to an actual share. --- - Nautilus should show smbtree and host on the smb network. When inputing this command: killall gvfsd-smb-browse && GVFS_DEBUG=1 /usr/lib/gvfs/gvfsd-smb-browse You can see the error: smb-network: Queued new job 0x55b19a2c9f40 (GVfsJobCreateMonitor) smb-network: send_reply(0x55b19a2c9f40), failed=1 (Action not supported by the processing engine) smb-network: backend_dbus_handler org.gtk.vfs.Mount:QueryFilesystemInfo (pid=5708) smb-network: Queued new job 0x55b19a2e7820 (GVfsJobQueryFsInfo) smb-network: send_reply(0x55b19a2e7820), failed=0 () smb-network: backend_dbus_handler org.gtk.vfs.Mount:Enumerate (pid=5708) smb-network: Queued new job 0x55b19a2c30c0 (GVfsJobEnumerate) smb-network: send_reply(0x55b19a2c30c0), failed=0 () Proposed solution: Add gvfsbackendbrowse-switch-to-NT1.patch disscused on RedHat Bugzilla [link]https://bugzilla.redhat.com/show_bug.cgi?id=1513394 which implements "change to NT1" in gvfs-smb-browse to browse smbtree to aviod adding "max client protocol" = NT1" to smb.conf to switch all samba to unsafe NT1 which most users are doing to correct this bug.
-- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gvfs in Ubuntu. https://bugs.launchpad.net/bugs/1778322 Title: gvfs-smb-browse can't browse samba/smb tree To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1778322/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
