Hi everyone, Fady, renbag,
I have been working on this bug on and off for a little while now, but I am stuck because I can't reproduce what you are all seeing. Having a reproducer will greatly speed up getting a fix created for this issue.
In my client gvfsd is always started via systemd --user, so I must be configuring something differently. Can you try out my reproducer and let me know what you are configuring differently?
Instructions to reproduce:
You will need a 20.04 server instance, and a 20.04 Desktop instance.
To set up the server:
1) Create a fresh 20.04 server instance
2) sudo apt update
3) sudo apt upgrade
4) sudo hostnamectl set-hostname samba-dc
5) sudo vim /etc/hosts
Add an entry with its IP address, e.g.:
192.168.122.199 samba-dc samba-dc.example.com
6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5
Note: skip config of kerberos KDC.
7) sudo rm /etc/krb5.conf
8) sudo rm /etc/samba/smb.conf
9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1
10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
11) sudo systemctl mask smbd nmbd winbind
12) sudo systemctl disable smbd nmbd winbind
13) sudo systemctl stop smbd nmbd winbind
14) sudo systemctl unmask samba-ad-dc
15) sudo systemctl start samba-ad-dc
16) sudo systemctl enable samba-ad-dc
17) sudo reboot
18) sudo systemctl stop systemd-resolved
19) sudo systemctl disable systemd-resolved
20) cat << EOF >> /etc/resolv.conf
nameserver 192.168.122.199
search SAMBA
EOF
21) sudo reboot
22) host -t SRV _ldap._tcp.samba-dc.example.com
_ldap._tcp.samba-dc.example.com has SRV record 0 100 389 samba-dc.samba-dc.example.com.
23) $ smbclient -L localhost -N
Anonymous login successful
Sharename Type Comment
--------- ---- -------
sysvol Disk
netlogon Disk
IPC$ IPC IPC Service (Samba 4.13.17-Ubuntu)
SMB1 disabled -- no workgroup available
24) $ smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter SAMBA\Administrator's password:
. D 0 Mon Feb 28 04:23:22 2022
.. D 0 Mon Feb 28 04:23:27 2022
9983232 blocks of size 1024. 7995324 blocks available
25) kinit administrator
Password for <email address hidden>:
Warning: Your password will expire in 41 days on Mon Apr 11 04:23:27 2022
26) klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: <email address hidden>
Valid starting Expires Service principal
02/28/22 04:32:47 02/28/22 14:32:47 <email address hidden>
renew until 03/01/22 04:32:44
27)
Create a share:
28) sudo mkdir -p /srv/samba/Demo/
29) sudo vim /etc/samba/smb.conf
[Demo]
path = /srv/samba/Demo/
read only = no
30) sudo chmod 0770 /srv/samba/Demo/
Install a fresh 20.04.4 Desktop instance, and run the following:
31) sudo apt install realmd smbclient
32) sudo vim /etc/hosts
Add an entry with its IP address, e.g.:
192.168.122.199 samba-dc samba-dc.example.com
33) sudo realm join --user=Administrator SAMBA-DC.EXAMPLE.COM
$ smbclient -U Administrator //samba-dc.example.com/demo
Enter WORKGROUP\Administrator's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Mar 7 15:20:30 2022
.. D 0 Mon Mar 7 15:20:30 2022
9983232 blocks of size 1024. 7686220 blocks available
$ smbclient //samba-dc.example.com/demo -k
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
Now open Nautilus, add smb://samba-dc.example.com/demo as a share, and you will
be faced with a dialog box asking for username / password credentials. Close
Nautilus.
Let's get a kerberos ticket:
$ kinit <email address hidden>
Password for <email address hidden>:
Warning: Your password will expire in 11 days on Mon 11 Apr 2022 16:23:27
$ smbclient //samba-dc.example.com/demo -k
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Mar 7 15:20:30 2022
.. D 0 Mon Mar 7 15:20:30 2022
9983232 blocks of size 1024. 7616832 blocks available
34) Open Nautilus, add smb://samba-dc.example.com/demo as a share, and it will
open correctly using kerberos credentials.
When I look at my process list, gvfsd is where it is supposed to be, under the
systemd user session:
$ ps auxf
...
ubuntu 1207 0.5 0.2 19008 10128 ? Ss 12:12 0:00 /lib/systemd/systemd --user
ubuntu 1208 0.0 0.0 179632 3544 ? S 12:12 0:00 \_ (sd-pam)
ubuntu 1213 0.3 0.4 1220668 19360 ? S<sl 12:12 0:00 \_ /usr/bin/pulseaudio --daemonize=n
ubuntu 1216 0.2 0.6 511384 24280 ? SNsl 12:12 0:00 \_ /usr/libexec/tracker-miner-fs
ubuntu 1218 0.6 0.1 19344 6472 ? Ss 12:12 0:00 \_ /usr/bin/dbus-daemon --session --
ubuntu 1222 0.0 0.1 239692 7640 ? Ssl 12:12 0:00 \_ /usr/libexec/gvfsd
...
Looking at /proc/1222/environ:
$ cat /proc/1222/environ
HOME=/home/ubuntuLANG=en_NZ.UTF-8LANGUAGE=en_NZ:enLOGNAME=ubuntuPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/snap/binSHELL=/bin/bashUSER=ubuntuXDG_RUNTIME_DIR=/run/user/1000GTK_MODULES=gail:atk-bridgeQT_ACCESSIBILITY=1XDG_DATA_DIRS=/usr/local/share/:/usr/share/:/var/lib/snapd/desktopDBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/busMANAGERPID=1207INVOCATION_ID=a9b1a819b2e9444ba10b97de7d446b8eJOURNAL_STREAM=8:35057
I don't seem to have KRB5CCNAME set, but yet, it works.
What am I doing that gvfsd starts later than it does in your environments? Do I need to use sssd to get the ticket instead?
I configured /etc/sssd/sssd.conf with the below:
[sssd]
domains = samba-dc.example.com
config_file_version = 2
services = nss, pam
[domain/samba-dc.example.com]
default_shell = /bin/bash
ad_server = samba-dc.example.com
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = SAMBA-DC.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = samba-dc.example.com
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
simple_allow_users = administrator
and rebooted, but gvfsd is still started inside the systemd --user session, and not before.
Any ideas would be appreciated.
Thanks,
Matthew
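
A small diagnostic for the comparison requested in the comment above: for every gvfsd* process it reports the chain of parent processes and whether KRB5CCNAME is present in that process's environment. It is an added example, not part of the original comment or of gvfs; the function names are illustrative, and it reads only the standard Linux /proc/PID/stat and /proc/PID/environ files.

```python
# Added example: list each gvfsd* process with its parent chain and KRB5CCNAME.
import os

def parse_environ(blob):
    """Split the NUL-separated KEY=VALUE records of /proc/PID/environ."""
    pairs = (rec.partition(b"=") for rec in blob.split(b"\0"))
    return {k.decode(errors="replace"): v.decode(errors="replace") for k, s, v in pairs if s}

def read_proc(pid, proc="/proc"):
    """Return (comm, ppid, env) for one PID."""
    with open(f"{proc}/{pid}/stat") as f:
        text = f.read()
    close = text.rindex(")")  # comm is parenthesised and may itself contain ')'
    comm, ppid = text[text.index("(") + 1:close], int(text[close + 1:].split()[1])
    try:
        with open(f"{proc}/{pid}/environ", "rb") as f:
            env = parse_environ(f.read())
    except OSError:  # environ of another user's process is not readable
        env = {}
    return comm, ppid, env

def ancestry(pid, proc="/proc"):
    """Walk parent PIDs upwards, e.g. ['gvfsd(1222)', 'systemd(1207)', 'systemd(1)']."""
    chain = []
    while pid > 0:
        try:
            comm, ppid, _ = read_proc(pid, proc)
        except (OSError, ValueError):
            break
        chain.append(f"{comm}({pid})")
        pid = ppid
    return chain

def report(proc="/proc"):
    """Return (pid, parent chain, KRB5CCNAME or None) for every gvfsd* process."""
    rows = []
    for pid in sorted(int(e) for e in os.listdir(proc) if e.isdigit()):
        try:
            comm, _, env = read_proc(pid, proc)
        except (OSError, ValueError):
            continue  # process exited while we were scanning
        if comm.startswith("gvfsd"):
            rows.append((pid, " <- ".join(ancestry(pid, proc)), env.get("KRB5CCNAME")))
    return rows

if __name__ == "__main__":
    for pid, chain, ccname in report():
        print(f"{pid}: {chain}\n    KRB5CCNAME={ccname or '(unset)'}")
```

Run it as the desktop user after logging in; a gvfsd whose chain does not pass through the `systemd --user` instance, or whose KRB5CCNAME differs from the cache `klist` reports, is the configuration difference being asked about.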