Asked for password on a Kerberos-accessible DFS share when mounting with the smb backend of gvfs
Hi!
I've seen bugs similar to this one, and all seem resolved. The problem I face here is that I'm accessing a Microsoft DFS. This is typically done using Kerberos tokens without any problem if you access the server directly, but if you use the DFSN or Namespaces, gvfs will fail to access it with Kerberos tokens.
The problem is that DFSN involves aliases. When you access smb://domain/prettyname to end up on smb://server1/othername, you have to access one of the domain controllers asking for prettyname so that it tells you that prettyname is served by server1 as othername. That is done OK, except that when we access with Kerberos we are accessing the domain controller, let's say controller1, but with the name domain, which is the one smbfs is trying to use, so the Kerberos token is not OK for that.
What happens in this scenario is that when we access smb://domain/prettyname in Nautilus or using gio mount, we are asked for a password. If instead we try to access smb://controller1/prettyname, everything works as expected: we end up accessing smb://server1/othername without any password being asked.
I have logged debug output from gvfsd, first when gio tries to mount //controller1/prettyname, which works, and then when it tries to mount //domain/prettyname, which asks for a password.
$ LANG=C GVFS_DEBUG=1 GVFS_SMB_DEBUG=3 /usr/lib/gvfs/gvfsd -r
smb: g_vfs_backend_smb_init: default workgroup = 'NULL'
smb: Added new job source 0x55a5416ca100 (GVfsBackendSmb)
smb: Queued new job 0x55a5416cc190 (GVfsJobMount)
Using netbios name CLIENT.
Using workgroup DOMAIN.
smb: do_mount - URI = smb://controller1/prettyname
smb: do_mount - try #0
smb: auth_callback - kerberos pass
smb: auth_callback - out: last_user = 'username', last_domain = 'DOMAIN'
tdb(/var/cache/samba/gencache.tdb): tdb_open_ex: could not open file /var/cache/samba/gencache.tdb: Permission denied
resolve_lmhosts: Attempting lmhosts lookup for name controller1<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name controller<0x20>
Connecting to 192.168.1.5 at port 445
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Server connect ok: //controller1/prettyname: 0x7f2854024740
smb: do_mount - [smb://controller1/prettyname; 0] res = 0, cancelled = 0, errno = [17] 'File exists'
smb: do_mount - login successful
smb: send_reply(0x55a5416cc190), failed=0 ()
smb: backend_dbus_handler org.gtk.vfs.Mount:QueryInfo (pid=1892)
smb: Queued new job 0x55a5416b6370 (GVfsJobQueryInfo)
smb: backend_dbus_handler org.gtk.vfs.Mount:QueryInfo (pid=1892)
smb: Queued new job 0x55a5416b6410 (GVfsJobQueryInfo)
smb: send_reply(0x55a5416b6370), failed=0 ()
smb: backend_dbus_handler org.gtk.vfs.Mount:QueryFilesystemInfo (pid=1892)
smb: Queued new job 0x7f2854013d00 (GVfsJobQueryFsInfo)
smb: send_reply(0x55a5416b6410), failed=0 ()
smb: backend_dbus_handler org.gtk.vfs.Mount:QueryFilesystemInfo (pid=1892)
smb: Queued new job 0x7f2854013d90 (GVfsJobQueryFsInfo)
smb: send_reply(0x7f2854013d00), failed=0 ()
smb: backend_dbus_handler org.gtk.vfs.Mount:QuerySettableAttributes (pid=1892)
smb: Queued new job 0x7f2854013e20 (GVfsJobQueryAttributes)
smb: send_reply(0x7f2854013e20), failed=0 ()
smb: send_reply(0x7f2854013d90), failed=0 ()
smb: backend_dbus_handler org.gtk.vfs.Mount:QuerySettableAttributes (pid=1892)
smb: Queued new job 0x7f2854013eb0 (GVfsJobQueryAttributes)
smb: send_reply(0x7f2854013eb0), failed=0 ()
smb: backend_dbus_handler org.gtk.vfs.Mount:Unmount (pid=1892)
smb: g_vfs_job_unmount_new request: 0x7f286400adf0
smb: Queued new job 0x55a5416eb0d0 (GVfsJobUnmount)
smb: gvfsjobunmount progress timeout start
Performing aggressive shutdown.
smbc_remove_usused_server: 0x7f2854024740 removed.
Context 0x7f2854011b70 successfully freed
smb: unregister_mount_callback
smb: send_reply(0x55a5416eb0d0), failed=0 ()
smb: g_vfs_backend_smb_init: default workgroup = 'NULL'
smb: Added new job source 0x55ef0275d100 (GVfsBackendSmb)
smb: Queued new job 0x55ef0275f190 (GVfsJobMount)
Using netbios name CLIENT.
Using workgroup DOMAIN.
smb: do_mount - URI = smb://domain/prettyname
smb: do_mount - try #0
smb: auth_callback - kerberos pass
smb: auth_callback - out: last_user = 'username', last_domain = 'DOMAIN'
tdb(/var/cache/samba/gencache.tdb): tdb_open_ex: could not open file /var/cache/samba/gencache.tdb: Permission denied
resolve_lmhosts: Attempting lmhosts lookup for name domain<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name domain<0x20>
Connecting to 192.168.1.6 at port 445
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
gse_get_client_auth_token: Server principal not found
gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/domain failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
SPNEGO login failed: An invalid parameter was passed to a service or function.
smb: do_mount - [smb://domain/prettyname; 0] res = -1, cancelled = 0, errno = [1] 'Operation not permitted'
smb: do_mount - after anon, enabling NTLMSSP fallback
smb: do_mount - try #1
smb: auth_callback - normal pass
** (process:2494): WARNING **: 14:26:26.613: Global default SecretService instance out of sync with the watch for its DBus name
smb: auth_callback - asking for password...
This was done on a Debian Buster machine with version 1.38.1-5 of gvfs. If any other info or testing is needed, I can try to provide it without any problem.
Regards.
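
The two traces in the report diverge where the second mount asks for a ticket for cifs/domain, fails, and enables NTLMSSP fallback. The following is an added example (not part of the original report and not gvfs code) that parses gvfsd SMB debug output and flags mounts that tried Kerberos and then fell back; the sample lines are trimmed from the traces above, and the names analyze, downgraded and MARKERS are hypothetical.

```python
import re

# Constructed sample: lines trimmed from the two gvfsd debug traces in the report.
SAMPLE_LOG = """\
smb: do_mount - URI = smb://controller1/prettyname
smb: auth_callback - kerberos pass
smb: do_mount - login successful
smb: do_mount - URI = smb://domain/prettyname
smb: auth_callback - kerberos pass
gse_get_client_auth_token: Server principal not found
gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/domain failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
smb: do_mount - after anon, enabling NTLMSSP fallback
smb: auth_callback - asking for password...
"""

URI_RE = re.compile(r"do_mount - URI = (smb://\S+)")
SPN_RE = re.compile(r"creating NEG_TOKEN_INIT for (\S+) failed")
# Log substrings (as seen in the traces) mapped to flags on each mount attempt.
MARKERS = {
    "auth_callback - kerberos pass": "kerberos_tried",
    "enabling NTLMSSP fallback": "ntlm_fallback",
    "asking for password": "password_prompt",
    "login successful": "login_ok",
}

def analyze(log_text):
    """Split a gvfsd SMB debug log into mount attempts and classify each one."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        m = URI_RE.search(line)
        if m:  # a new mount job starts here
            cur = {"uri": m.group(1), "failed_spn": None, **dict.fromkeys(MARKERS.values(), False)}
            attempts.append(cur)
        elif cur is not None:
            spn = SPN_RE.search(line)
            if spn:  # service principal the client could not get a ticket for
                cur["failed_spn"] = spn.group(1)
            for text, key in MARKERS.items():
                if text in line:
                    cur[key] = True
    return attempts

def downgraded(attempts):
    """Mounts where Kerberos was tried but the session fell back to NTLMSSP."""
    return [a for a in attempts if a["kerberos_tried"] and a["ntlm_fallback"]]

if __name__ == "__main__":
    for a in downgraded(analyze(SAMPLE_LOG)):
        print(f"{a['uri']}: no ticket for {a['failed_spn']}, fell back to NTLMSSP")
```

Run against a full capture taken with GVFS_DEBUG=1 GVFS_SMB_DEBUG=3, it lists each mount URI whose Kerberos attempt did not complete, together with the service principal that was requested.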