Ubuntu
gvfs package

gio mount asks for password despite valid kerberos ticket

Asked by Maxime Accadia

Hi,

I'd like to use nautilus to mount a SMB share with kerberos without password prompt, but gvfs / nautilus asks for password even if a valid kerberos ticket exists.

$ kinit username

$ smbclient //server/share -k # works

$ gio mount smb://DOMAIN;username@server/share
Authentification Required
Enter password for share "share" on "server":
Password:^C # here I press CTRL+C but `gio mount` proceeds with the mount using kerberos cached ticket

$ gio mount smb://DOMAIN;username@server/share
gio: smb://DOMAIN;username@server/share: Location is already mounted

Using nautilus, the password is asked but clicking "Unlock" without entering a password mounts the share using the Kerberos ticket.

I had a look to https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1779890 and https://gitlab.gnome.org/GNOME/gvfs/-/issues/481 but I'm not sure this is the same issue since the workaround[1] does not work.

Is there any way to disable the password prompt ? Do I have a misconfiguration somewhere (server side maybe ?) ? I tried adding `client use kerberos = required` to smb.conf without results. Should I file a bug ?

Best regards,

Maxime

System informations :
Ubuntu 22.04 - gvfs 1.48.2 - nautilus 42.2
I noted the same issue on Ubuntu 20.04
CIFS server is NetApp configured with Active Directory authentification.

[1] : https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1779890/comments/5

--
Below the log from gvfsd when `gio mount smb://DOMAIN;username@server/share` ask for the password despite the presence of a valid kerberos ticket and I press CTRL+C when asked for password.

$ pkill gvfs; pkill nautilus; LANG=C GVFS_DEBUG=1 GVFS_SMB_DEBUG=10 $(find /usr/lib* -name gvfsd 2>/dev/null) --replace 2>&1 | tee gvfsd.log
smb: g_vfs_backend_smb_init: default workgroup = 'NULL'
smb: Added new job source 0x5639ebefc080 (GVfsBackendSmb)
smb: Queued new job 0x5639ebefd960 (GVfsJobMount)
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
Using netbios name UBUNTU-JAMMY.
Using workgroup DOMAIN.
smb: do_mount - URI = smb://server.tld/username
smb: do_mount - try #0
smbc_stat(smb://server.tld/username)
smb: auth_callback - normal pass
smb: auth_callback - asking for password...
smb: auth_callback - out: last_user = 'username', last_domain = 'DOMAIN'
SMBC_server: server_n=[server.tld] server=[server.tld]
 -> server_n=[server.tld] server=[server.tld]
Opening cache file at /run/samba/gencache.tdb
tdb(/run/samba/gencache.tdb): tdb_open_ex: could not open file /run/samba/gencache.tdb: Permission denied
gencache_init: Opening user cache file /home/vagrant/.cache/samba/gencache.tdb.
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up server.tld#20 (sitename (null))
namecache_fetch: name server.tld#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 152.77.141.18 at port 445
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
cli_session_setup_spnego_send: Connect to server.tld as username@DOMAIN using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gensec_update_send: gse_krb5[0x7f6cc002ae00]: subreq: 0x7f6cc0005100
gensec_update_send: spnego[0x7f6cc00275a0]: subreq: 0x7f6cc002a9f0
gensec_update_done: gse_krb5[0x7f6cc002ae00]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x7f6cc0005100/../../source3/librpc/crypto/gse.c:848]: state[2] error[0 (0x0)] state[struct gensec_gse_update_state (0x7f6cc00052c0)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:859]
gensec_update_done: spnego[0x7f6cc00275a0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x7f6cc002a9f0/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x7f6cc002abb0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
gensec_update_send: gse_krb5[0x7f6cc002ae00]: subreq: 0x7f6cc00263f0
gensec_update_send: spnego[0x7f6cc00275a0]: subreq: 0x7f6cc0034180
gensec_update_done: gse_krb5[0x7f6cc002ae00]: NT_STATUS_OK tevent_req[0x7f6cc00263f0/../../source3/librpc/crypto/gse.c:848]: state[2] error[0 (0x0)] state[struct gensec_gse_update_state (0x7f6cc00265b0)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:866]
gensec_update_done: spnego[0x7f6cc00275a0]: NT_STATUS_OK tevent_req[0x7f6cc0034180/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x7f6cc0034340)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
 session setup ok
signed SMB2 message (sign_algo_id=1)
signed SMB2 message (sign_algo_id=1)
signed SMB2 message (sign_algo_id=1)
signed SMB2 message (sign_algo_id=1)
 tconx ok
signed SMB2 message (sign_algo_id=1)
signed SMB2 message (sign_algo_id=1)
signed SMB2 message (sign_algo_id=1)
Case sensitive: True
Server connect ok: //server.tld/username: 0x7f6cc0029e70
SMBC_getatr: sending qpathinfo
signed SMB2 message (sign_algo_id=1)
signed SMB2 message (sign_algo_id=1)
signed SMB2 message (sign_algo_id=1)
signed SMB2 message (sign_algo_id=1)
signed SMB2 message (sign_algo_id=1)
smb: do_mount - [smb://server.tld/username; 0] res = 0, cancelled = 0, errno = [0] 'Success'
smb: do_mount - login successful
smb: send_reply(0x5639ebefd960), failed=0 ()

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu gvfs Edit question
Assignee:
No assignee Edit question
Solved by:
Maxime Accadia
Solved:
Last query:
Last reply:
Revision history for this message
Maxime Accadia (maxacc) said : 		#1

It turns out, preventing password prompt is as simple as omitting user / domain from URI :

$ gio mount smb://server/share

See https://gitlab.gnome.org/GNOME/gvfs/-/blob/master/daemon/gvfsbackendsmb.c#L479

Revision history for this message
Hiroyuki Sakano (harukayuca) said : 		#2

This will increase further as the 2nm process is being studied in Japan, where there are many hallucinatory books like the scp foundation. What these trivial bugs are maggots for is to compile as much as possible and use chips with thicker wire widths.