"Files" does not correctly handle DNS REFUSED messages
Affected version
- Nightly flatpak: Yes
- Other: Qubes OS / Fedora 33, Files 3.38.2-stable
Steps to reproduce
- Connect to an SMB share in Files which requires user authentication.
- Enter username and password, keep the "Domain" default value (SAMBA) untouched.
- Wait for the share connection to be established.
Current behavior
Files starts to issue DNS queries to search for a Kerberos server (_kerberos._udp.SAMBA, _kerberos._tcp.SAMBA, _kerberos-master._[udp|tcp].SAMBA). In our network we use pfSense to limit DNS to internal domain names for our Intranet (technically, this is based on BIND DNS server and its ACL feature). This results in non-local DNS requests being answered with "Refused (5)".
Apparently, Files (or whatever part in the GNOME libraries is responsible for handling DNS) does not interpret this correctly and just tries the same DNS query after five seconds. This goes on for two minutes and then Files aborts the connection attempt.
Expected behavior
Without DNS restrictions, or if the "domain" field is filled with a correct internal DNS name, the DNS queries for Kerberos are answered with "No such name" in an environment which does not use Kerberos. This is interpreted correctly and Files immediately switches to NTLM authentication, resulting in a successful connection.
This should also be possible with restricted DNS. I guess the best approach would be to interpret a DNS "Refused" response the same way as a "traditional" negative response. One could also ask if it is useful to check for Kerberos at all if no domain (apart from the dummy value "SAMBA") is provided.
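The handling proposed in the report, as an added example that is not part of the original report and is not code from Files or any GNOME library: it reads the RCODE from a DNS response header and treats "Refused (5)" like "No such name (3)" instead of retrying. The function names, the `srv_action` enum and the sample bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RCODE values from RFC 1035, section 4.1.1 */
enum { RCODE_NOERROR = 0, RCODE_SERVFAIL = 2, RCODE_NXDOMAIN = 3, RCODE_REFUSED = 5 };

/* Hypothetical client decisions, named for this example only */
typedef enum { USE_ANSWER, FALL_BACK_TO_NTLM, RETRY_QUERY } srv_action;

/* Return the RCODE of a DNS response, or -1 if the buffer is not a
 * response to the query with transaction ID `want_id`. */
int dns_rcode(const uint8_t *msg, size_t len, uint16_t want_id)
{
    if (msg == NULL || len < 12)              /* DNS header is 12 bytes */
        return -1;
    if ((uint16_t)((msg[0] << 8) | msg[1]) != want_id)
        return -1;                            /* not the reply to our query */
    if ((msg[2] & 0x80) == 0)                 /* QR bit clear: this is a query */
        return -1;
    return msg[3] & 0x0F;                     /* RCODE is the low nibble */
}

/* Map the RCODE of a _kerberos SRV lookup to the next step. */
srv_action srv_lookup_action(int rcode)
{
    switch (rcode) {
    case RCODE_NOERROR:  return USE_ANSWER;        /* parse the SRV records */
    case RCODE_NXDOMAIN: return FALL_BACK_TO_NTLM; /* "No such name" */
    case RCODE_REFUSED:  return FALL_BACK_TO_NTLM; /* policy refusal, handled as
                                                      negative as the report proposes */
    default:             return RETRY_QUERY;       /* SERVFAIL, malformed, unmatched */
    }
}

/* Constructed sample: header of a REFUSED response, ID 0x1a2b, one question */
static const uint8_t sample_refused[12] = {0x1a, 0x2b, 0x81, 0x05, 0, 1, 0, 0, 0, 0, 0, 0};

int main(void)
{
    int rc = dns_rcode(sample_refused, sizeof sample_refused, 0x1a2b);
    printf("rcode=%d action=%d\n", rc, srv_lookup_action(rc));
    return 0;
}
```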