Hi everyone, Fady, renbag,

I have been working on this bug on and off for a little while now, but I
am stuck because I can't reproduce what you are all seeing. Having a
reproducer will greatly speed up getting a fix created for this issue.

On my client, gvfsd is always started via systemd --user, so I must be
configuring something differently. Can you try out my reproducer and let
me know what you are configuring differently?

Instructions to reproduce:

You will need a 20.04 server instance, and a 20.04 Desktop instance.

To set up the server:

1) Create a fresh 20.04 server instance
2) sudo apt update
3) sudo apt upgrade
4) sudo hostnamectl set-hostname samba-dc
5) sudo vim /etc/hosts
Add an entry with its IP address, e.g.:
192.168.122.199    samba-dc samba-dc.example.com
6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5
Note: skip config of kerberos KDC.
7) sudo rm /etc/krb5.conf
8) sudo rm /etc/samba/smb.conf
9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1
10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
11) sudo systemctl mask smbd nmbd winbind
12) sudo systemctl disable smbd nmbd winbind
13) sudo systemctl stop smbd nmbd winbind
14) sudo systemctl unmask samba-ad-dc
15) sudo systemctl start samba-ad-dc
16) sudo systemctl enable samba-ad-dc
17) sudo reboot
18) sudo systemctl stop systemd-resolved
19) sudo systemctl disable systemd-resolved
20) sudo tee -a /etc/resolv.conf << EOF
nameserver 192.168.122.199
search SAMBA
EOF
21) sudo reboot
22) host -t SRV _ldap._tcp.samba-dc.example.com
_ldap._tcp.samba-dc.example.com has SRV record 0 100 389 samba-dc.samba-dc.example.com.
23) $ smbclient -L localhost -N
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        sysvol          Disk      
        netlogon        Disk      
        IPC$            IPC       IPC Service (Samba 4.13.17-Ubuntu)
SMB1 disabled -- no workgroup available
24) $ smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter SAMBA\Administrator's password: 
  .                                   D        0  Mon Feb 28 04:23:22 2022
  ..                                  D        0  Mon Feb 28 04:23:27 2022

                9983232 blocks of size 1024. 7995324 blocks available
25) kinit administrator
Password for administra...@samba-dc.example.com: 
Warning: Your password will expire in 41 days on Mon Apr 11 04:23:27 2022
26) klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administra...@samba-dc.example.com

Valid starting     Expires            Service principal
02/28/22 04:32:47  02/28/22 14:32:47  krbtgt/samba-dc.example....@samba-dc.example.com
        renew until 03/01/22 04:32:44
27)


Create a share:
28) sudo mkdir -p /srv/samba/Demo/
29) sudo vim /etc/samba/smb.conf
[Demo]
        path = /srv/samba/Demo/
        read only = no
30) sudo chmod 0770 /srv/samba/Demo/


Install a fresh 20.04.4 Desktop instance, and run the following:

31) sudo apt install realmd smbclient
32) sudo vim /etc/hosts
Add an entry with its IP address, e.g.:
192.168.122.199    samba-dc samba-dc.example.com
33) sudo realm join --user=Administrator SAMBA-DC.EXAMPLE.COM
$ smbclient -U Administrator //samba-dc.example.com/demo
Enter WORKGROUP\Administrator's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Mar  7 15:20:30 2022
  ..                                  D        0  Mon Mar  7 15:20:30 2022

                9983232 blocks of size 1024. 7686220 blocks available
$ smbclient //samba-dc.example.com/demo -k
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER

Now open Nautilus, add smb://samba-dc.example.com/demo as a share, and you will
be faced with a dialog box asking for username / password credentials. Close
Nautilus.

Let's get a kerberos ticket:

$ kinit administra...@samba-dc.example.com
Password for administra...@samba-dc.example.com: 
Warning: Your password will expire in 11 days on Mon 11 Apr 2022 16:23:27
$ smbclient //samba-dc.example.com/demo -k
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Mar  7 15:20:30 2022
  ..                                  D        0  Mon Mar  7 15:20:30 2022

                9983232 blocks of size 1024. 7616832 blocks available

34) Open Nautilus, add smb://samba-dc.example.com/demo as a share, and it will
open correctly using kerberos credentials.

When I look at my process list, gvfsd is where it is supposed to be, under the
systemd user session:

$ ps auxf
...
ubuntu      1207  0.5  0.2  19008 10128 ?        Ss   12:12   0:00 /lib/systemd/systemd --user
ubuntu      1208  0.0  0.0 179632  3544 ?        S    12:12   0:00  \_ (sd-pam)
ubuntu      1213  0.3  0.4 1220668 19360 ?       S<sl 12:12   0:00  \_ /usr/bin/pulseaudio --daemonize=n
ubuntu      1216  0.2  0.6 511384 24280 ?        SNsl 12:12   0:00  \_ /usr/libexec/tracker-miner-fs
ubuntu      1218  0.6  0.1  19344  6472 ?        Ss   12:12   0:00  \_ /usr/bin/dbus-daemon --session --
ubuntu      1222  0.0  0.1 239692  7640 ?        Ssl  12:12   0:00  \_ /usr/libexec/gvfsd
...

Looking at /proc/1222/environ:

$ cat /proc/1222/environ 
HOME=/home/ubuntu
LANG=en_NZ.UTF-8
LANGUAGE=en_NZ:en
LOGNAME=ubuntu
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/snap/bin
SHELL=/bin/bash
USER=ubuntu
XDG_RUNTIME_DIR=/run/user/1000
GTK_MODULES=gail:atk-bridge
QT_ACCESSIBILITY=1
XDG_DATA_DIRS=/usr/local/share/:/usr/share/:/var/lib/snapd/desktop
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
MANAGERPID=1207
INVOCATION_ID=a9b1a819b2e9444ba10b97de7d446b8e
JOURNAL_STREAM=8:35057

I don't seem to have KRB5CCNAME set, yet it works.

What am I doing that gvfsd starts later than it does in your
environments? Do I need to use sssd to get the ticket instead?

I configured /etc/sssd/sssd.conf with the below:

[sssd]
domains = samba-dc.example.com
config_file_version = 2
services = nss, pam

[domain/samba-dc.example.com]
default_shell = /bin/bash
ad_server = samba-dc.example.com
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = SAMBA-DC.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli 
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = samba-dc.example.com
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
simple_allow_users = administrator

and rebooted, but gvfsd is still started inside the systemd --user
session, and not before.

Any ideas would be appreciated.

Thanks,
Matthew
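The check the message above is doing by hand, reading /proc/<pid>/environ of gvfsd and asking whether it can see the Kerberos ticket the login shell obtained, as an added diagnostic script. It is not part of the bug report, of gvfs, or of sssd. It assumes MIT libkrb5's built-in default cache name FILE:/tmp/krb5cc_<uid> applies when KRB5CCNAME is unset and default_ccache_name is not overridden in krb5.conf (consistent with the klist output above, which shows FILE:/tmp/krb5cc_1000); the environ blobs used for testing are constructed, not captured from a real system, and report_gvfsd_ccache is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the bug report: check whether a running gvfsd
# resolves the same Kerberos credential cache as the login shell that ran
# kinit. /proc/<pid>/environ is NUL-separated, which is why the cat output
# above runs together into one line.

# Print the value of variable $2 from the environ file $1 (empty if unset).
environ_get() {
    tr '\0' '\n' < "$1" | sed -n "s/^$2=//p"
}

# Credential cache a process with environ file $1 and uid $2 would open:
# KRB5CCNAME when exported, otherwise libkrb5's built-in default
# FILE:/tmp/krb5cc_<uid>. Assumption: default_ccache_name is not overridden
# in krb5.conf (the klist output above, FILE:/tmp/krb5cc_1000, matches this).
effective_ccache() {
    cc=$(environ_get "$1" KRB5CCNAME)
    if [ -n "$cc" ]; then
        printf '%s\n' "$cc"
    else
        printf 'FILE:/tmp/krb5cc_%s\n' "$2"
    fi
}

# Exit 0 when the shell (environ $1) and gvfsd (environ $2) resolve to the
# same cache for uid $3, so a ticket obtained in the shell is visible to
# gvfsd; exit 1 otherwise.
ccache_matches() {
    [ "$(effective_ccache "$1" "$3")" = "$(effective_ccache "$2" "$3")" ]
}

# Hypothetical helper for interactive use; needs a running desktop session.
# Compares this script's own environment against the user's gvfsd process.
report_gvfsd_ccache() {
    uid=$(id -u)
    pid=$(pgrep -u "$uid" -x gvfsd | head -n 1)
    [ -n "$pid" ] || { echo "gvfsd is not running for uid $uid"; return 2; }
    echo "shell ccache: $(effective_ccache /proc/$$/environ "$uid")"
    echo "gvfsd ccache: $(effective_ccache /proc/"$pid"/environ "$uid")"
    if ccache_matches /proc/$$/environ /proc/"$pid"/environ "$uid"; then
        echo "same cache: gvfsd can use the ticket from this shell"
    else
        echo "different cache: gvfsd will not see this shell's ticket"
        return 1
    fi
}
```

Run `report_gvfsd_ccache` from a terminal in the desktop session after `kinit`. In the environment shown above both sides fall back to the same default file, which is why the share opens with Kerberos despite KRB5CCNAME being unset. The interesting case is a PAM stack (sssd's pam_sss, or pam_krb5) that exports a per-session KRB5CCNAME to the login shell: systemd --user was started before that variable existed, so gvfsd inherits nothing and falls back to the default path, and the two values differ. As a general systemd mechanism, not a fix proposed in this thread, `systemctl --user import-environment KRB5CCNAME` followed by restarting the gvfsd unit pushes the shell's value into the user manager's environment so that later-started gvfsd instances see it.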

-- 
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to gvfs in Ubuntu.
https://bugs.launchpad.net/bugs/1779890

Title:
  Nautilus does not use a valid Kerberos ticket when accessing Samba
  share

To manage notifications about this bug go to:
https://bugs.launchpad.net/gvfs/+bug/1779890/+subscriptions


-- 
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs