gio mount smb share needs password when not required
Hi,
I am running Debian Buster (samba 4.9.5, libglib2.0 2.58.3, gvfs 1.38.1) with an empty /etc/samba/smb.conf: I know it is a bit outdated but I think my issue still applies. Also, I hope I report this issue in the right place (maybe it should be against glib I don't know).
I have a Windows 10 host that provides a share called "share", which has modification rights for group "Everyone" (share and NTFS ACLs). In the "network and sharing center" I have tick the "Turn Off password protect sharing" option (without that, it is not possible to mount the share without identifying has a local user). I believe this is a common setup, but I might be wrong.
I can mount the share with mount.cifs:
$ LANG=C sudo mount.cifs //192.168.122.201/share /mnt
Password for root@//192.168.122.201/share:
Note that I am still asked for a password: providing an empty password (hitting Enter) is however sufficient.
The issue is that when I try to mount using gio
or Nautilus, providing an empty password does not work:
$ gio mount smb://192.168.122.201/share
Password required for share share on 192.168.122.201
User [yvan]:
Domain [WORKGROUP]:
Password:
Password required for share share on 192.168.122.201
User [yvan]: ^C
Mounting works only if the provided password is not empty, whatever the user or workgroup provided. It is even more confusing for users when using Nautilus:
- hitting enter to validate default credentials does not work
- choose anonymous login does not work either
Could you make login with an empty password work in this setup, like mount.cifs does?
Thanks for your work, Yvan
In case it is helpful, here is the debug log corresponding to the "gio mount":
$ pkill gvfs; pkill nautilus; LANG=C GVFS_DEBUG=1 GVFS_SMB_DEBUG=10 $(find /usr/lib* -name gvfsd 2>/dev/null) --replace 2>&1 | tee gvfsd.log
smb: g_vfs_backend_smb_init: default workgroup = 'NULL'
smb: Added new job source 0x55e557cd1130 (GVfsBackendSmb)
smb: Queued new job 0x55e557cd2940 (GVfsJobMount)
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
smb2: 10
smb2_credits: 10
dsdb_audit: 10
dsdb_json_audit: 10
dsdb_password_audit: 10
dsdb_password_json_audit: 10
dsdb_transaction_audit: 10
dsdb_transaction_json_audit: 10
dsdb_group_audit: 10
dsdb_group_json_audit: 10
Using netbios name E7440.
Using workgroup WORKGROUP.
smb: do_mount - URI = smb://192.168.122.201/share
smb: do_mount - try #0
smbc_stat(smb://192.168.122.201/share)
smb: auth_callback - kerberos pass
smb: auth_callback - out: last_user = 'yvan', last_domain = 'WORKGROUP'
SMBC_server: server_n=[192.168.122.201] server=[192.168.122.201]
-> server_n=[192.168.122.201] server=[192.168.122.201]
Connecting to 192.168.122.201 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 87040
SO_RCVBUF = 372480
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.3.6.1.4.1.311.2.2.10
Kerberos auth with 'yvan@WORKGROUP' (WORKGROUP\yvan) to access '192.168.122.201' not possible
SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.
smb: do_mount - [smb://192.168.122.201/share; 0] res = -1, cancelled = 0, errno = [1] 'Operation not permitted'
smb: do_mount - after anon, enabling NTLMSSP fallback
smb: do_mount - try #1
smbc_stat(smb://192.168.122.201/share)
smb: auth_callback - normal pass
smb: auth_callback - asking for password...
smb: auth_callback - out: last_user = 'yvan', last_domain = 'WORKGROUP'
SMBC_server: server_n=[192.168.122.201] server=[192.168.122.201]
-> server_n=[192.168.122.201] server=[192.168.122.201]
Connecting to 192.168.122.201 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 87040
SO_RCVBUF = 372480
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
negotiate: struct NEGOTIATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmNegotiate (1)
NegotiateFlags : 0x62088215 (1644724757)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
1: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
DomainNameLen : 0x0000 (0)
DomainNameMaxLen : 0x0000 (0)
DomainName : *
DomainName : ''
WorkstationLen : 0x0000 (0)
WorkstationMaxLen : 0x0000 (0)
Workstation : *
Workstation : ''
Version: struct ntlmssp_VERSION
ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
ProductBuild : 0x0000 (0)
Reserved: ARRAY(3)
[0] : 0x00 (0)
[1] : 0x00 (0)
[2] : 0x00 (0)
NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
gensec_update_send: ntlmssp[0x7f7bf0027ce0]: subreq: 0x7f7bf0018350
gensec_update_send: spnego[0x7f7bf0019d00]: subreq: 0x7f7bf00274d0
gensec_update_done: ntlmssp[0x7f7bf0027ce0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x7f7bf0018350/../auth/ntlmssp/ntlmssp.c:181]: state[2] error[0 (0x0)] state[struct gensec_ntlmssp_update_state (0x7f7bf0018500)] timer[(nil)] finish[../auth/ntlmssp/ntlmssp.c:215]
gensec_update_done: spnego[0x7f7bf0019d00]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x7f7bf00274d0/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x7f7bf0027680)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_SERVER
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
gensec_update_send: ntlmssp[0x7f7bf0027ce0]: subreq: 0x7f7bf0018690
gensec_update_send: spnego[0x7f7bf0019d00]: subreq: 0x7f7bf0029f90
gensec_update_done: ntlmssp[0x7f7bf0027ce0]: NT_STATUS_WRONG_CREDENTIAL_HANDLE tevent_req[0x7f7bf0018690/../auth/ntlmssp/ntlmssp.c:181]: state[3] error[-7963671676338568462 (0x917B5ACDC00002F2)] state[struct gensec_ntlmssp_update_state (0x7f7bf0018840)] timer[(nil)] finish[../auth/ntlmssp/ntlmssp.c:218]
gensec_spnego_client_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_WRONG_CREDENTIAL_HANDLE
gensec_update_done: spnego[0x7f7bf0019d00]: NT_STATUS_WRONG_CREDENTIAL_HANDLE tevent_req[0x7f7bf0029f90/../auth/gensec/spnego.c:1601]: state[3] error[-7963671676338568462 (0x917B5ACDC00002F2)] state[struct gensec_spnego_update_state (0x7f7bf002a140)] timer[(nil)] finish[../auth/gensec/spnego.c:1993]
SPNEGO login failed: The supplied credential handle does not match the credential that is associated with the security context.
smb: do_mount - [smb://192.168.122.201/share; 1] res = -1, cancelled = 0, errno = [1] 'Operation not permitted'
smb: do_mount - try #2
smbc_stat(smb://192.168.122.201/share)
smb: auth_callback - normal pass
smb: auth_callback - asking for password...