Hi everyone, Fady, renbag, I have been working on this bug on and off for a little while now, but I am stuck because I can't reproduce what you are all seeing. Having a reproducer will greatly speed up getting a fix created for this issue.
In my client gvfsd is always started via systemd --user, so I must be configuring something differently. Can you try out my reproducer and let me know what you are configuring differently?

Instructions to reproduce:

You will need a 20.04 server instance, and a 20.04 Desktop instance.

To set up the server:

1) Create a fresh 20.04 server instance
2) sudo apt update
3) sudo apt upgrade
4) sudo hostnamectl set-hostname samba-dc
5) sudo vim /etc/hosts
   Add an entry with its IP address, e.g.:
   192.168.122.199 samba-dc samba-dc.example.com
6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5
   Note: skip config of kerberos KDC.
7) sudo rm /etc/krb5.conf
8) sudo rm /etc/samba/smb.conf
9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1
10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
11) sudo systemctl mask smbd nmbd winbind
12) sudo systemctl disable smbd nmbd winbind
13) sudo systemctl stop smbd nmbd winbind
14) sudo systemctl unmask samba-ad-dc
15) sudo systemctl start samba-ad-dc
16) sudo systemctl enable samba-ad-dc
17) sudo reboot
18) sudo systemctl stop systemd-resolved
19) sudo systemctl disable systemd-resolved
20) cat << EOF >> /etc/resolv.conf
nameserver 192.168.122.199
search SAMBA
EOF
21) sudo reboot
22) host -t SRV _ldap._tcp.samba-dc.example.com
    _ldap._tcp.samba-dc.example.com has SRV record 0 100 389 samba-dc.samba-dc.example.com.
23) $ smbclient -L localhost -N
    Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        sysvol          Disk
        netlogon        Disk
        IPC$            IPC       IPC Service (Samba 4.13.17-Ubuntu)
    SMB1 disabled -- no workgroup available
24) $ smbclient //localhost/netlogon -UAdministrator -c 'ls'
    Enter SAMBA\Administrator's password:
      .     D    0  Mon Feb 28 04:23:22 2022
      ..    D    0  Mon Feb 28 04:23:27 2022

        9983232 blocks of size 1024. 7995324 blocks available
25) kinit administrator
    Password for administra...@samba-dc.example.com:
    Warning: Your password will expire in 41 days on Mon Apr 11 04:23:27 2022
26) klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: administra...@samba-dc.example.com

    Valid starting     Expires            Service principal
    02/28/22 04:32:47  02/28/22 14:32:47  krbtgt/samba-dc.example....@samba-dc.example.com
        renew until 03/01/22 04:32:44
27) Create a share:
28) sudo mkdir -p /srv/samba/Demo/
29) sudo vim /etc/samba/smb.conf
    [Demo]
        path = /srv/samba/Demo/
        read only = no
30) sudo chmod 0770 /srv/samba/Demo/

Install a fresh 20.04.4 Desktop instance, and run the following:

31) sudo apt install realmd smbclient
32) sudo vim /etc/hosts
    Add an entry with its IP address, e.g.:
    192.168.122.199 samba-dc samba-dc.example.com
33) sudo realm join --user=Administrator SAMBA-DC.EXAMPLE.COM

    $ smbclient -U Administrator //samba-dc.example.com/demo
    Enter WORKGROUP\Administrator's password:
    Try "help" to get a list of possible commands.
    smb: \> ls
      .     D    0  Mon Mar  7 15:20:30 2022
      ..    D    0  Mon Mar  7 15:20:30 2022

        9983232 blocks of size 1024. 7686220 blocks available

    $ smbclient //samba-dc.example.com/demo -k
    gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
    session setup failed: NT_STATUS_INVALID_PARAMETER

Now open Nautilus, add smb://samba-dc.example.com/demo as a share, and you will be faced with a dialog box asking for username / password credentials.

Close Nautilus.

Let's get a kerberos ticket:

    $ kinit administra...@samba-dc.example.com
    Password for administra...@samba-dc.example.com:
    Warning: Your password will expire in 11 days on Mon 11 Apr 2022 16:23:27

    $ smbclient //samba-dc.example.com/demo -k
    Try "help" to get a list of possible commands.
    smb: \> ls
      .     D    0  Mon Mar  7 15:20:30 2022
      ..    D    0  Mon Mar  7 15:20:30 2022

        9983232 blocks of size 1024. 7616832 blocks available

34) Open Nautilus, add smb://samba-dc.example.com/demo as a share, and it will open correctly using kerberos credentials.

When I look at my process list, gvfsd is where it is supposed to be, under the systemd user session:

    $ ps auxf
    ...
    ubuntu  1207  0.5  0.2   19008 10128 ?  Ss    12:12  0:00 /lib/systemd/systemd --user
    ubuntu  1208  0.0  0.0  179632  3544 ?  S     12:12  0:00  \_ (sd-pam)
    ubuntu  1213  0.3  0.4 1220668 19360 ?  S<sl  12:12  0:00  \_ /usr/bin/pulseaudio --daemonize=n
    ubuntu  1216  0.2  0.6  511384 24280 ?  SNsl  12:12  0:00  \_ /usr/libexec/tracker-miner-fs
    ubuntu  1218  0.6  0.1   19344  6472 ?  Ss    12:12  0:00  \_ /usr/bin/dbus-daemon --session --
    ubuntu  1222  0.0  0.1  239692  7640 ?  Ssl   12:12  0:00  \_ /usr/libexec/gvfsd
    ...

Looking at /proc/1222/environ:

    $ cat /proc/1222/environ
    HOME=/home/ubuntuLANG=en_NZ.UTF-8LANGUAGE=en_NZ:enLOGNAME=ubuntuPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/snap/binSHELL=/bin/bashUSER=ubuntuXDG_RUNTIME_DIR=/run/user/1000GTK_MODULES=gail:atk-bridgeQT_ACCESSIBILITY=1XDG_DATA_DIRS=/usr/local/share/:/usr/share/:/var/lib/snapd/desktopDBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/busMANAGERPID=1207INVOCATION_ID=a9b1a819b2e9444ba10b97de7d446b8eJOURNAL_STREAM=8:35057

I don't seem to have KRB5CCNAME set, but yet, it works.

What am I doing that gvfsd starts later than it does in your environments? Do I need to use sssd to get the ticket instead?
I configured /etc/sssd/sssd.conf with the below:

    [sssd]
    domains = samba-dc.example.com
    config_file_version = 2
    services = nss, pam

    [domain/samba-dc.example.com]
    default_shell = /bin/bash
    ad_server = samba-dc.example.com
    krb5_store_password_if_offline = True
    cache_credentials = True
    krb5_realm = SAMBA-DC.EXAMPLE.COM
    realmd_tags = manages-system joined-with-adcli
    id_provider = ad
    fallback_homedir = /home/%u@%d
    ad_domain = samba-dc.example.com
    use_fully_qualified_names = True
    ldap_id_mapping = True
    access_provider = ad
    simple_allow_users = administrator

and rebooted, but gvfsd is still started inside the systemd --user session, and not before.

Any ideas would be appreciated.

Thanks,
Matthew

--
You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gvfs in Ubuntu.
https://bugs.launchpad.net/bugs/1779890

Title:
  Nautilus does not use a valid Kerberos ticket when accessing Samba share
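
Added example (not part of the original message and not gvfs code): a shell helper for the check done above with `cat /proc/1222/environ`. It splits the NUL-separated environment, looks for KRB5CCNAME, and reports which credential cache each gvfsd would use and which process started it. The fallback to FILE:/tmp/krb5cc_<uid> assumes krb5.conf sets no default_ccache_name; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# /proc/<pid>/environ is NUL-separated, so plain `cat` runs the variables together.

# env_var FILE NAME: print NAME's value from a NUL-separated environ file;
# returns 1 if NAME is not set there.
env_var() {
    tr '\000' '\n' < "$1" | awk -v n="$2" '
        index($0, n "=") == 1 { print substr($0, length(n) + 2); found = 1; exit }
        END { exit !found }'
}

# effective_ccache FILE UID: the credential cache the process would use.
# Assumption: krb5.conf sets no default_ccache_name, so MIT krb5 falls back
# to FILE:/tmp/krb5cc_<uid> when KRB5CCNAME is absent from the environment.
effective_ccache() {
    env_var "$1" KRB5CCNAME || printf 'FILE:/tmp/krb5cc_%s\n' "$2"
}

# report_gvfsd: for each running gvfsd, show its parent command and the
# cache it would use. Run as the desktop user so environ is readable.
report_gvfsd() {
    for pid in $(pgrep -x gvfsd); do
        ppid=$(ps -o ppid= -p "$pid" | tr -d ' ')
        uid=$(ps -o uid= -p "$pid" | tr -d ' ')
        printf 'gvfsd pid=%s parent="%s" ccache=%s\n' "$pid" \
            "$(ps -o args= -p "$ppid")" \
            "$(effective_ccache "/proc/$pid/environ" "$uid")"
    done
}

# make_sample_environ FILE: constructed sample shaped like the environ dump
# in the message (no KRB5CCNAME), so the helpers can be tried offline.
make_sample_environ() {
    printf 'HOME=/home/ubuntu\000USER=ubuntu\000XDG_RUNTIME_DIR=/run/user/1000\000' > "$1"
}

# Usage on a desktop session: sh this-script.sh --report
if [ "${1:-}" = "--report" ]; then
    report_gvfsd
fi
```

Comparing the reported ccache with the "Ticket cache:" line from klist in the same session shows whether gvfsd and the shell are looking at the same cache.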