GNOME Bugzilla – Bug 524485
nautilus does not display samba shares for machines inside an ADS network.
Last modified: 2014-05-29 06:24:58 UTC
The bug has been opened on https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/207072

"Using hardy beta, when I browse with nautilus other machines in an Active Directory (ADS) network, some of them do not show their shared folders. The ADS integration of the hardy box was done using winbind, kerberos and PAM libraries, essentially as described here: https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

The network contains mostly windows clients, but also several linux boxes, which were joined to the ADS domain with the command: 'net ads join'.

Machines running windows XP, windows 2003 and samba show '0 objects' in nautilus, but after inserting the complete path (eg.: smb://server/share) the folders can be accessed after the password prompt. Machines running windows 2000 show their folders regularly.

Here is a detailed description of what happens:

Case 1
---------------------------------------------------------------------------------
Browsing from hardy-beta a machine running ubuntu-gutsy server.

In a terminal window:

renbag@vm-hardy:~$ smbclient -L gutsy-server
Password: (password inserted here)
Domain=[LAB] OS=[Unix] Server=[Samba 3.0.26a]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (gutsy-server (Samba 3.0.26a, Ubuntu))
        share           Disk      gutsy-server_share
Domain=[LAB] OS=[Unix] Server=[Samba 3.0.26a]

In Nautilus:
Open Network --> Double-click on the 'LAB' icon (Domain) --> All machines are displayed;
Double-click on the 'gutsy-server' icon --> after a while, Nautilus returns '0 objects', without asking for a password;
Insert the full address (smb://gutsy-server/share) --> a password is requested and the share content is displayed.

Case 2
---------------------------------------------------------------------------------
Browsing from hardy-beta a machine running Windows XP

In a terminal window:

renbag@vm-hardy:~$ smbclient -L XP-ACQ
Password: (password inserted here)
Domain=[LAB] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       Remote IPC
        Data            Disk
Domain=[LAB] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

In Nautilus:
Same behaviour as in case 1.
smb://XP-ACQ --> '0 objects';
smb://XP-ACQ/Data --> content displayed after password.

Case 3
---------------------------------------------------------------------------------
Browsing from hardy-beta a machine running Windows 2000

In a terminal window:

renbag@vm-hardy:~$ smbclient -L TF-2000
Password: (password inserted here)
Domain=[LAB] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       Remote IPC
        Data            Disk
Domain=[LAB] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

In Nautilus:
Open Network --> Double-click on the 'LAB' icon (Domain) --> All machines are displayed;
Double-click on the 'TF-2000' icon --> All the shared folders are displayed, without asking for a password;
Double-click on the 'Data' folder icon --> a password is requested and the content is displayed.
(This is the correct and the expected behaviour).

Using ubuntu-gutsy boxes, with exactly the same samba configuration (smb.conf), to browse the same machines I never observed Nautilus return '0 objects' as in case 1 and 2. Such a behaviour in hardy will make a normal user think that browsing an ADS network does not work at all.

http://launchpadlibrarian.net/12893752/smb.conf
smb.conf (892 bytes, text/plain)"
When using an old nautilus version (2.20.0, in ubuntu gutsy) a password is requested for browsing the machines in cases 1 and 2, but not in case 3. So the problem in new nautilus, which uses gvfs, is that it does not ask for a password. In case 3 it shows the shares because they are browseable without password.
A patch for this bug has been reported here: https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/207072/comments/7
I can confirm that this bug exists using Nautilus 2.22.2 on Ubuntu Hardy Heron for any smb server that requires authentication to retrieve the list of shares (in my case it is not ADS, but is a simple Windows Home Server (WHS)). I can also confirm that building gvfs from trunk (as of today ~10:00A EDT) with the patch (above) from Renzo Bagnati successfully solves this issue by prompting the user for credentials when needed to show shares. If anyone wants to see all of my troubleshooting steps, look here: https://answers.launchpad.net/ubuntu/+source/nautilus/+question/31217
The patch was not made by me, but by 'darkrain42'. See the link in comment 2.
Ping, what's the status on this bug? A user asked us to add that patch to our gentoo package, but I'd rather see it blessed by gvfs devs first. Thanks
Please upload the patch here for review.
Created attachment 111629 [details] [review] patch from lp-user:darkrain42 This is the patch in question from Launchpad, however there was some discussion of it on IRC... I need to find the log, but I think it was decided it needs some work before it is totally blessed. The person who made this patch is interested in working on this though, so if we give him some feedback I'm sure he'd be willing to update it.
I can also confirm this bug with nautilus 2.22.2 on a Fedora 9 machine. Browsing the domain works. Browsing a server doesn't work.
bug #522494 and this one seem like duplicates. Maybe we should close one of these.
An updated patch has been published in Launchpad: http://launchpadlibrarian.net/15336233/91_samba_authenticated_browsing.patch See also the discussion in the relative bug comment: https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/207072/comments/68
Where can I find information about applying this patch?
To apply the patch see the bug report in launchpad: https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/207072/ in particular comment 54 and following.
Created attachment 113050 [details] [review]
gvfs-smbbrowse-auth.patch

OK, few notes on the patch by darkrain42 (plus the latter update) and in general:
- gvfs trunk had some changes in mount_spec attributes setting recently (setting after successful smbc_stat()). Would be great to incorporate the changes since most of the code is duplicated and to keep consistency. Note that applies to trunk only, stable branch doesn't have these changes. Needs testing though! Not sure if the mountspec changes are right since we modify the URI and end-user apps might be confused then (i.e. duplicate mounts and getting Not available errors).
- code duplication is an issue but as temporary solution I'm fine with this. There are more design changes underway and users can't wait anymore. Later I plan to rip out some code and clean the code for both backends.
- the patch as is is bad due to recent kerberos change - yes, libsmbclient expects *some* username, otherwise it refuses to do kerberos tries. However removing anonymous auth attempt is preventing me to get list of workgroups and machines at all.
- sharing active login credentials with the smbbrowse and the smb backend can be partially handled by gnome-keyring, in case when user saves password to keyring. This needs more work still.

I'm attaching updated patch, doing authentication tries in three stages:
1. kerberos (current username, no password)
2. anonymous
3. ask for password and loop until success or cancelled

However I'm little afraid here due to number of tries we do before asking user for credentials. This can cause account or machine being locked out or banned for some time. Partial solution might be to look at krb5 api and somehow detect active ticket for the particular machine we're trying to connect to.

Browsing samba network is slow due to number of attempts we do (each attempt can take 5-10 seconds or more).

Please test this updated patch, I will backport some changes made here to smb backend then.
One more note: if kerberos auth fails and anonymous succeeds, we still don't present user a chance to log in under different user. List of shares might be different when authenticated. See my comments on http://mail.gnome.org/archives/gvfs-list/2008-May/msg00005.html I would like to hear opinion on the UI from users (please reply to the list).
Tomas, your patch ( http://bugzilla.gnome.org/attachment.cgi?id=113050&action=view ) was accepted unchanged in Ubuntu's hardy-proposed repository (that's a testing repo). It causes a regression there that's probably not limited to Ubuntu: Bookmarks to unreachable smb shares freeze gnome. Please see http://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/207072 , comment 78 and below.
new ubuntu comment " The patch to gvfs causes an automatic retry if kerberos authentication or anonymous connections fail - without looking at why the connection failed. That means that in the event of a network timeout, the user has to wait through three separate network timeouts! So we need to be checking the value of errno here, to make sure it's set to EPERM and not to some other value before retrying. Attached is a revised patch that fixes this particular problem. I've tested it with a simple nautilus smb://non-existent-server/ command, but I'm not a nautilus power user - could you describe to me exactly how you set up your shortcuts, so that I can test with that scenario as well? I am also seeing an issue where I'm being prompted for a password when connecting to servers that do allow anonymous share lists, so evidently there's another bug here that still needs to be tracked down"
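The retry rule discussed in the comments above (kerberos, then anonymous, then a password prompt, moving to the next method only when the failure is an authentication error) can be sketched as follows. This is an added example, not gvfs code and not taken from any of the posted patches; `try_connect`, `ask_password`, the `max_password_tries` cap and the mock server are hypothetical, and treating EACCES like EPERM is an assumption.

```c
#include <errno.h>
#include <stdio.h>

enum auth_stage { AUTH_KERBEROS, AUTH_ANONYMOUS, AUTH_PASSWORD };

/* Hypothetical hooks: one connection attempt (returns 0, or -1 with errno
 * set) and the credentials dialog (returns 1 if answered, 0 if cancelled). */
typedef int (*connect_fn)(enum auth_stage stage, void *ctx);
typedef int (*prompt_fn)(void *ctx);

struct browse_result {
    int status;            /* 0 on success, else errno of the last failure */
    enum auth_stage stage; /* last stage that was tried */
    int attempts;          /* connection attempts sent to the server */
};

/* Only a rejected login justifies trying the next method. The thread names
 * EPERM; treating EACCES the same way is an assumption of this sketch. */
static int is_auth_failure(int err)
{
    return err == EPERM || err == EACCES;
}

/* max_password_tries bounds the prompt loop so that repeated bad passwords
 * cannot run up failed logins without limit (an added safeguard). */
struct browse_result browse_with_fallback(connect_fn try_connect,
                                          prompt_fn ask_password,
                                          int max_password_tries, void *ctx)
{
    struct browse_result r = { EPERM, AUTH_KERBEROS, 0 };
    enum auth_stage stage = AUTH_KERBEROS;
    int prompts = 0;

    for (;;) {
        if (stage == AUTH_PASSWORD) {
            if (prompts >= max_password_tries)
                return r;                 /* cap reached: keep last auth error */
            if (!ask_password(ctx)) {
                r.status = ECANCELED;     /* user dismissed the dialog */
                return r;
            }
            prompts++;
        }
        r.stage = stage;
        r.attempts++;
        errno = 0;
        if (try_connect(stage, ctx) == 0) {
            r.status = 0;
            return r;
        }
        r.status = errno ? errno : EIO;
        if (!is_auth_failure(r.status))
            return r;                     /* timeout etc.: retrying cannot help */
        if (stage != AUTH_PASSWORD)
            stage = (enum auth_stage)(stage + 1);
    }
}

/* Constructed test double standing in for a server and a user. */
struct mock {
    int err[3];        /* errno each stage fails with, 0 = stage succeeds */
    int answers_left;  /* how many times the user fills in the dialog */
};

static int mock_connect(enum auth_stage stage, void *ctx)
{
    struct mock *m = ctx;
    if (m->err[stage] == 0)
        return 0;
    errno = m->err[stage];
    return -1;
}

static int mock_prompt(void *ctx)
{
    struct mock *m = ctx;
    return m->answers_left-- > 0;
}

/* Runs one constructed scenario and returns what the fallback loop did. */
struct browse_result run_scenario(int krb_err, int anon_err, int pw_err,
                                  int answers, int max_password_tries)
{
    struct mock m = { { krb_err, anon_err, pw_err }, answers };
    return browse_with_fallback(mock_connect, mock_prompt,
                                max_password_tries, &m);
}

int main(void)
{
    struct browse_result r = run_scenario(ETIMEDOUT, ETIMEDOUT, ETIMEDOUT, 3, 3);
    printf("unreachable host: %d attempt(s), errno %d\n", r.attempts, r.status);
    r = run_scenario(EPERM, EPERM, 0, 3, 3);
    printf("auth required: %d attempt(s), status %d\n", r.attempts, r.status);
    return 0;
}
```

With an unreachable host the loop stops after a single timeout instead of three, and a server that keeps rejecting the password sees at most `max_password_tries` prompted attempts on top of the two automatic ones.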
Created attachment 113246 [details] [review] updated patch version that Steve Langasek attach to the ubuntu bug the corresponding comment " Yet another updated patch; the counter in the auth callback assumed that the callback would only be called once for each smbc_opendir() attempt, which means that each authentication method (kerberos, anonymous, password) was being tried twice for no reason. In traces, I still see a problem that the first time do_mount is called, it loops through without ever prompting the user for a username and password, so it still takes us twice as long to get to a password prompt as it should (i.e., 4 connections to the server instead of 2). I'm not sure if this is a problem with the patch or a pre-existing problem with gvfs-smb-browse; will investigate further. WRT my earlier comment about being prompted for a password when connecting to servers that do allow anonymous share lists - I'm not now able to reproduce this problem, so I guess we should consider that part "resolved"."
This patch looks fine to me, good catch. Passes my tests incl. kerberos. Freezes/lags are probably caused by blocking calls to g_file_query_info() and affected applications should be fixed to use async calls. There are no guarantees how long the operations would take.
The affected application is gnome-panel! Either this patch has to be altered or gnome-panel fixed, this patch as it is makes gnome as a whole unusable for many people. Why doesn't gnome-panel hang on unreachable shares before the patch?
Jakob: You refer to the patch in comment #17? You applied it in Ubuntu 8.04? And why do you think that gnome-panel is the problem? More information and background would be really helpful, the last comment is quite vague.
Adre: I applied the patch from comment #13 in ubuntu 8.04. I didn't test the improved version from Steve Langasek (comment #17) yet, but from what he said (see ubuntu tracker http://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/207072 ) it doesn't fix the hangs (yet, he is working on it). This patch causes gnome-panel to hang when you have an unreachable smb server in your bookmarks. This has been reproduced by several people. "Freezes/lags are probably caused by blocking calls to g_file_query_info() and affected applications should be fixed to use async calls." (comment #18) => gnome-panel should be fixed.
new launchpad comments

"- my earlier attempt at reducing the number of authentication attempts was a red herring. The authentication callback is called twice for each connection attempt, for some reason, so my suggested patch could actually cause problems for kerberos auth.
- the auth callback is called regardless of whether Kerberos tickets are currently available. This is, arguably, a bug in libsmbclient; since the callback deals only in domain/username/password, the current method of "forcing" kerberos authentication results in a spurious username-based authentication attempt. We can work around this by playing with smbc_setOptionFallbackAfterKerberos() before and after the first connection attempt.
- after far too much time looking at this code, I now have a handle on how to try to move the connection out of the mount operation. Patch to follow shortly (I think).

http://launchpadlibrarian.net/15554213/80_samba_browsing_authentification.patch
updated patch to more efficiently iterate through auth options (7.4 KiB, text/plain)

So that patch was a failure; it successfully postpones the authentication, but a) nautilus will open an empty window and spin if you try to connect to a server, before the authentication is completed and therefore leaves a blank window behind, and b) it will never give you a password prompt so the only authentication methods available are kerberos and anonymous - putting us back where we were at the beginning anyway. The lack of password prompt may be the dbus ID issue mentioned earlier, which prevents the password request from being passed up correctly.

I'm going to hang on to this patch in case someone wants it, but I'm not going to pursue that approach any further myself; I don't even know where to begin on the dbus ID question (though that seems like it's also an important bug to fix), and I think the empty-nautilus-window-on-failure issue is probably inherent to this solution, which is undesirable.
Sebastien, you mentioned that the mounting is being done in order to query the display name. Is there somewhere I could read up on exactly what's happening here when querying the display name, that might suggest another solution? From what I see, the do_mount call is setting the display name, but I guess gnome-panel isn't satisfied with that because the mount job as a whole fails. At any rate, attached is a replacement version of the 80_samba_browsing_authentification.patch, which incrementally improves on the previous versions by reducing the number of TCP connections needed to complete password authentication. It doesn't improve things enough to be worth pushing to -proposed on its own, though, without some resolution of the gnome-panel issue."
Created attachment 113328 [details] [review] updated patch version
so, 2.22.3 on monday. is it realistic to see some improvement committed here? :-/
2.22.3 still has this bug! Any target version for a solution? Also, to be most accurate, this does not happen only in ADS but also in share mode.
(In reply to comment #25)
> 2.22.3 still has this bug!

Yes, obviously correct, otherwise this report would have been closed already. No need to add another comment.

> any target version for solution?

No. Hopefully 2.24.0.
*ping* Hardcode Freeze on next Monday.
This is really urgent for me. At work I'm stuck with Fedora 8 because I need to browse SMB shares on daily basis. If this is fixed I will be able to upgrade to Fedora 10.
Same for all Mandriva Gnome users... We'd like this bug to be fixed for Mandriva 2009.0. Thanks.
Everybody wants this fixed, so such comments are not that helpful.
Just testing the patch and it seems that libsmbclient doesn't call auth_callback anymore in case of expired kerberos ticket. It should fall back to asking but only does for the first attempt (anonymous + kerberos). It seems that libsmbclient caches credentials somehow (also when add_cached_server() and other callbacks were temporarily disabled of course) - a bug in samba? The solution might be to recreate smb_context and set all parameters in each iteration of the login loop. That's of course taking more time and causing lags. With the current state I don't recommend including the patch for upcoming release.
Applications "hanging/freezing" on smb browse uris is partially due to the smb-browsing backend set to automount. Only backends that are "quick" are supposed to be marked as such (i.e. they don't need authentication and don't generally block for a long time, such as trash:, computer:, etc). Smb browsing is currently set to automount, but if we change it to authenticate we must disable this and let apps handle ENOTMOUNTED.
After upgrading to Nautilus 2.24 (Ubuntu 8.10 beta) the bug still exists :-(
Joerg: Sure. Otherwise this report would be in RESOLVED state. No need to comment at all.
Created attachment 121144 [details] [review] gvfs-smb-browse-auth.patch Updated version of the patch, fixing login loop when having expired kerberos ticket. Also contains minor modifications in preparation for non-automounted backend. The patch passes my testing on several Windows machines including domain authentication. Tested on samba 3.0.28 and 3.2.0pre2 clients. Browsing is very slow however, setting GVFS_SMB_DEBUG env. variable to something higher than 2 will give you idea what's going on on smbclient side. Most time consuming part is name resolving through broadcasts on all interfaces. Also noticed that reliability of workgroup discovery is quite low, I blame samba for the design of master browser election and multiple subnets (incl. virtuals networks) here. This is the last update wrt samba issues, before we start making deeper changes and turn automount off.
Tomas, I tested your latest gvfs-smb-browse-auth.patch in a virtual machine running Ubuntu intrepid inside an AD network. The samba configuration of the machine is reported in a comment of the launchpad bug report: https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/207072/comments/67

I tried with a domain user with kerberos ticket and the patched gvfs behaves normally, as the non patched version (1.02-0ubuntu1). When I destroy the kerberos ticket (or login as a local user) and try to browse in nautilus a domain machine, a user/password prompt is presented. After entering the credentials, the user/password window disappears, but nautilus does not open the chosen machine to display the shares (it stays with the original listing of all the domain machines). To actually open the machine I have to double click again on the icon. After that I can immediately browse also the other machines I am allowed.

However I also tried to add in nautilus an unreachable smb bookmark, as described by Jakob Unterwurzacher here: https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/207072/comments/78 and this still causes much trouble to the gnome desktop. Browsing of machines is much slower and if I try to open the main menu in the gnome panel this causes a complete freeze of the desktop. These problems disappear as soon as I remove the unreachable bookmark or restore the non-patched gvfs.
That's correct. This updated patch fixes only the authentication process itself, both your issues are well known and will be addressed during transformation to non-automounted backend.
I built and installed your latest patch against my Ubuntu 8.10 Beta (Nautilus 2.24.1), and tested against my Windows Server 2003 configuration - WHS (Authenticated Browse), and my samba 3.0 configuration (Unauthenticated Browse), and my XP SP3 configuration (Unauthenticated Browse). This patch {from comment #35} works for me as well (within the scope of what it is supposed to fix). Keyring integration also seems to be working fine for me.
Bug confirmed, no patches tried, but from the launchpad bug; removing the comment before a certain smb.conf line did not help.
Created attachment 122511 [details] [review] nautilus_new_windows_after_mount.patch Mandatory Nautilus patch to make it working correctly with non-automounted smb-browse backend. Should also fix an old phenomenon new windows not appearing after successful mount in certain cases (when a mount operation takes long time). The only major piece left is the optimization of network backend (#555439) combined with required smb-browse changes.
Does this mean that the update is in the repos now? Thank you Tomas for this patch, but the question is is this patch now added to the repos and therefore available for installations via update-manager? Thanks again. Glad people are working on this! Thanks Tomas.
That's an Ubuntu question. Those are not answered here.
Another question, distro agnostic: against which Gnome releases can this patch be applied?
We're working on 2.24 and 2.25.
Another piece of work for full integration: bug 561494 (this is optional, only affects GtkFileChooser)
Created attachment 123737 [details] [review]
gvfs-smb-browse-auth.patch

near-final patch, smb-browse is not automounted anymore. With previously posted patches, both Nautilus and GtkFileChooser work fine.

About the internals:
- [smb-browse] cache is filled during mount, reusing active connection. Connection initiation here takes a lot of time, enumeration itself is fast. Cache expires after 10 seconds, can be changed by the DEFAULT_CACHE_EXPIRATION_TIME constant. Because of this design, it's hard to speedup the network backend (by enumerating later and be able to authenticate).
- smb-browse backend now utilizes second mutex, used to wait until cache refresh is complete and to avoid extra network traffic caused by several enumeration requests at the same time.
- the network backend lacks support for authentication from smb-browse at the moment, I've encountered some deadlocks in gvfs daemon code. This feature is generally never used (no use case found)

Please test the patch, code review is welcomed as well.
Tomas, I have tested the latest patch on ubuntu intrepid 32-bit, recompiling from gvfs source 1.0.2. It looks good to me: now nautilus asks for a password when no kerberos tickets are present and I do not see the problems with unreachable bookmarks. The only problem I see is that the chosen share is actually opened at the second try, as I already reported in comment 36. This is true also when a kerberos ticket has been acquired (and there is not the necessity to ask for a password), so, when double clicking a share the first time, nothing happens and I have to double click again to open the share. In such a situation this may be considered a regression, but once this problem has been addressed the patch looks very good to me.
Renzo, thanks for testing the patch. Your issue is addressed by the nautilus patch posted in comment 40. For full smb browsing support, you'll have to patch gvfs, nautilus and gtk. That's the reason I want to push the fixes to unstable branches only.
(In reply to comment #48)
> For full smb browsing support, you'll have to patch gvfs, nautilus and gtk.
> That's the reason I want to push the fixes to unstable branches only.

Uh... how intrusive are these changes? Where is the gtk part? This could receive some testing in trunk and *maybe* get also in for 2.24.3 on Jan 12, 2009. :-/
About intrusiveness:
- gvfs part: depending on how well are the GIO applications written. So far haven't found any issues with some of the backends being not automounted anymore.
- Nautilus part (comment 40): if not applied, browsing smb will look like a regression, just like described above
- GtkFileChooser part (bug 561494): not working at all in previous releases, commit will improve things, not required to have other patches applied. But it's a quite large patch changing filechooser internals.
> - smb-browse backend now utilizes second mutex, used to wait until cache
> refresh is complete and to avoid extra network traffic caused by several
> enumeration requests at the same time.

If those several enumeration requests are for the same directory, wouldn't it be better to just drop them all but one ? Or maybe maintain a queue of directories to enumerate and drop duplicates ? Not sure I understand the design here sufficiently...
Retest of smb-browse and nautilus patches (from comment #40 and comment #46) successful against Ubuntu 8.10 (x64) and my personal failcase.
- Tested: authenticated browse against Windows Server 2003/WHS
- Tested: unauthenticated browse against Samba 3.0
- Tested: with and without keychain credentials saved

Everything is working as expected. Looks Good. Thanks!
Tested again the gvfs-smb-browse-auth.patch with the additional nautilus_new_windows_after_mount.patch, in ubuntu 8.10. I confirm that everything is working very well inside an AD network, with and without kerberos tickets. Thank you very much Tomas for your work. Did not test the gtk+2.0 patch, because it is not essential for my needs. (Actually I tried to apply all the patches, but some of the hunks failed against the gtk+2.0-2.14.4 sources in ubuntu intrepid).
(In reply to comment #51)
> > - smb-browse backend now utilizes second mutex, used to wait until cache
> > refresh is complete and to avoid extra network traffic caused by several
> > enumeration requests at the same time.
>
> If those several enumeration requests are for the same directory, wouldn't it
> be better to just drop them all but one ? Or maybe maintain a queue of
> directories to enumerate and drop duplicates ?
> Not sure I understand the design here sufficiently...
>

Sorry if my description wasn't clear on first sight. The smb-browse backend has a directory cache (with default expiration time 10 sec.) which is automatically refreshed on any access when expired. Cache is locked during that time and other calls accessing it are blocked. Once the cache refresh is done, all blocked calls can immediately retrieve the data.

Usually several QueryInfo or enumeration requests are spawned async at the same time and without the mutex, each call would spawn separate cache refresh request (potentially leading to race condition at the global cache fill), thus generating an extra network traffic.
So can anyone come up with a .deb for this... just for testing. I am not comfortable compiling this software (b/c it is relatively essential).
I tested applying these patches to our openSUSE RPMs: gvfs-smb-browse-auth.patch, nautilus-new_windows_after_mount.patch, and the two GTK+ patches. I had two identical VMWare VMs where one got the new packages and the other the old ones, and tried to access a Samba server on the LAN from both. This is a fairly plain setup without AD and Kerberos. Using Nautilus in the updated VM, I was unable to browse to smb:/// or smb://hostname/. smb://10.0.0.2/ (the host's IP) worked, however. The VM with the unpatched packages worked as expected in all three cases. The message I'm getting is "Error: Failed to retrieve share list from server\nPlease select another viewer and try again."
I have built from scratch a virtual machine running ubuntu 8.04.1 (with hardy-updates) to test the gvfs and nautilus patches. The patches can be applied to gvfs-0.2.5 and nautilus-2.22.5.1 and work as in ubuntu 8.10. However, having started to test them before joining the machine to our AD domain I found some problem here. This is schematically what I found.

1) machine not joined to AD domain and patches not applied (login as local user):
   - opening the Network Servers icon puts me in network:///, showing the "Windows Network" icon
   - clicking on "Windows Network" I enter smb:/// where I can see several domains or workgroups, including the AD one ("LAB")
   - clicking on the LAB icon puts me in smb://LAB/, where I can see the list of the machines (without password)
   - there are here the known problems for share browsing

2) machine not joined to AD domain and patches applied, (login as local user):
   - opening the Network Servers icon puts me in network:///, showing the "Windows Network" icon
   - clicking on "Windows Network" I enter smb:/// where I can see a few domains or workgroups, but not the AD one ("LAB")
   - inserting manually smb://LAB/ in the location bar I am asked for a password and after inserting the credentials of a domain user I can access the list of the machines
   - share browsing can be done without problems

3) machine joined to AD domain ("LAB") and patches not applied (login as local user or as a domain user, with kerberos ticket):
   - opening the Network Servers icon puts me directly in smb://LAB
   - there are then the known problems for share browsing

4a) machine joined to AD domain ("LAB") and patches applied (login as local user):
   - opening the Network Servers icon puts me in network:///, showing the "Windows Network" icon
   - the situation then is as in point 2)

4b) machine joined to AD domain ("LAB") and patches applied (login as domain user, with kerberos ticket):
   - opening the Network Servers icon puts me directly in smb://LAB
   - all is working well here for share browsing

It seems that after applying the patches there are problems in browsing the Windows Network (smb:///) with machines not joined to an AD domain or in the absence of kerberos tickets. Some of the smb:// domains or workgroups are not shown and are accessible only after entering domain credentials, which should not be necessary, I think.

Our AD network is controlled by a Windows 2003 server. The previous tests I made with ubuntu 8.10 were always with a real machine already joined to the LAB domain.
Nice! Thanks for this extensive test.

(In reply to comment #57)
> - clicking on "Windows Network" I enter smb:/// where I can see a few
> domains or workgroups, but not the AD one ("LAB")
> - inserting manually smb://LAB/ in the location bar I am asked for a
> password and after inserting the credentials of a domain user I can access the
> list of the machines

Is LAB a domain name or a name of the computer? I'm looking for cases when authentication is required in order to get list of machines in the domain. Can you please post a little bit more details here?

> It seems that after applying the patches there are problems in browsing the
> Windows Network (smb:///) with machines not joined to an AD domain or in the
> absence of kerberos tickets. Some of the smb:// domains or workgroups are not
> shown and are accessible only after entering domain credentials, which should
> not be necessary, I think.

What do you have in gconf, key /system/smb/workgroup ? (can be viewed with gconf-editor)
Is your system (client machine) joined to a domain when you don't see computers outside the domain?
(In reply to comment #58)
> Is LAB a domain name or a name of the computer? I'm looking for cases when
> authentication is required in order to get list of machines in the domain. Can
> you please post a little bit more details here?

LAB is the name of the domain. I don't think that getting the list of its machines requires authentication, because in case 1) I was able to get it before joining the domain and as a local user. The details of my smb.conf are reported here: https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/207072/comments/67

The krb5.conf is like this:

[logging]
    default = FILE:/var/log/krb5.log

[libdefaults]
    default_realm = MYDOMAIN.COM
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true

[realms]
    MYDOMAIN.COM = {
        kdc = dhcpias1.mydomain.com
        kdc = dhcpias2.mydomain.com
        admin_server = dhcpias1.mydomain.com
    }

[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM

I can post other additional configuration files, if necessary (PAM, etc.).

> What do you have in gconf, key /system/smb/workgroup ? (can be viewed with
> gconf-editor)

I'm not in the AD network now, I will be able to tell next week. I think it should be: LAB, though.

> Is your system (client machine) joined to a domain when you don't see computers
> outside the domain?

I didn't see the domain icon and other workgroups/computers either when joined to the domain (case 2) and when not joined (case 4a). In both cases only when the patches were applied.
(In reply to comment #58)
> What do you have in gconf, key /system/smb/workgroup ? (can be viewed with
> gconf-editor)

Actually the key is always empty, both before and after joining the machine to the LAB domain.
Created attachment 124810 [details] [review]
gvfs-smb-browse-auth-debug.patch

Posting updated patch. No changes, I've just turned libsmbclient debug printouts on (value 4) but since those are often useless not containing the information I need, I've also put some silly debug printfs inside the gvfs code which should help me to understand what's going on.

Thanks everybody for testing, I've received mostly positive feedback with only few fail cases (hpj and Renzo) which I hope will be revealed by this patch.

If you experience a regression, please check the following:
- to avoid issues in the network backend, try to reproduce it in smb:///. It should give you the same results without dns-sd browser results mixed in.
- try to describe your network in detail, especially:
  - Kerberos usage? (should be working at all conditions)
  - is client included in the ADS domain?
  - `smbclient -V`
  - domain server settings (any paranoid specialties?)
Hi Tomas, I would like to try this patch, but I do not know how to install it. Could be of assistance please, I know nothing about linux but I would like to fix the problem between my linux machine and my vista shares. Thanks Dwane
If you know nothing about Linux then I definitely don't recommend this. Instead, wait for your distribution to provide packages for you.
I tested the latest patch in ubuntu 8.10, in all the cases described in comment #57. All is working very well here and I found no problems. In ubuntu 8.04.1 I'm now able to see the LAB domain in cases 2) and 4a). So, although there is some unreproducible behaviour, I can say that the patch is fairly working in this case also.

Ubuntu 8.04.1:
  gvfs 0.2.5
  nautilus 2.22.5.1
  samba 3.0.28a

Ubuntu 8.10:
  gvfs 1.0.2
  nautilus 2.24.1
  samba 3.2.3

(I think I have already posted all my relevant configuration files). Thanks again Tomas for your work, I have now the patches applied in my personal workstation.
I am just wondering; has the patch been let out mainstream yet? Or is it still in the works? Regardless of this, I would like to try to use the patch. I saw on the Ubuntu bug to use 'patch' to get it to work, but what would the exact command be? Thanks for everyone's hard work.
Patch in comment 61 currently has "needs-work" status and not "committed" status, hence it is not in any GNOME gvfs release. Don't know about Ubuntu distro - though I expect that they don't ship it yet (implied by comment 64) as the patch is not even included in an unstable GNOME release. Same answer to you: Read comment 63 - if you want to compile packages (like gvfs) yourself (e.g. in order to test a patch), please ask in a forum instead. Thanks.
I've decided to commit the patch to trunk (rev. 2158) since there were no serious issues after few weeks in testing. Patch is included in gvfs-1.1.3

2009-01-06  Tomas Bzatek  <tbzatek {at} redhat.com>

    * daemon/gvfsbackendnetwork.c:
    * daemon/gvfsbackendsmbbrowse.c:
    * daemon/smb-browse.mount.in:
    SMB browsing authentication support (#524485)
    Make smb-browse backend not automounted
    Mount smb root on network backend automount

I know there are some minor unsolved issues left, please test the new release and open separate bugs to me if it's not working.
bug #568851 is a new issue due to this change
Thanks to everyone involved for the great work on this. Does anyone happen to have found a patch which also works for gvfs 0.2.5, i. e. for 2.22, which avoids the regressions pointed out in comment 57?
*** Bug 545885 has been marked as a duplicate of this bug. ***