gvfs-smb-browse can't browse samba/smb tree
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
gvfs | Unknown | Unknown | | |
samba | Unknown | Unknown | | |
gvfs (Ubuntu) | Fix Released | High | Sebastien Bacher | |
Bionic | Fix Released | High | Sebastien Bacher | |
Cosmic | Fix Released | High | Sebastien Bacher | |
samba (Ubuntu) | Fix Released | High | Andreas Hasenack | |
Bionic | Fix Released | High | Unassigned | |
Cosmic | Fix Released | High | Unassigned | |
Bug Description
[Impact]
The so-called "browsing a windows network" made use of an SMB1 protocol version feature. Recent versions of samba, including the one released with bionic, default to higher versions of the protocol, which lack this feature. As a result, the "other locations -> windows network" tab in Nautilus is empty even when there are windows or samba machines in the network.
Accessing such machines directly, via smb://<name-or-ip>/ type urls, continues to work.
The fix is two-fold:
- introduce a new samba API call that can be used to set the protocol version to use
- change applications to make use of this API call to set the protocol version to SMB1/NT1 just for the network browsing
gvfs was updated to make use of this api call, if detected at build time. To complete this SRU, gvfs needs a no-change rebuild *after* samba was accepted into proposed.
[Test case]
* Launch a bionic desktop vm. You can start with a server one, and then install the "ubuntu-desktop" package. In the same command, also install the packages we need for this test:
$ sudo apt update
$ sudo apt install ubuntu-desktop samba smbclient
* set a password for the ubuntu user, so you can login at the graphical console
$ sudo passwd ubuntu
* set the same password for the ubuntu samba user:
$ sudo smbpasswd -a ubuntu
* add a simple [pub] share to samba:
$ printf "[pub]\
* reboot
$ sudo reboot
* login at the graphical console as the ubuntu user. Go through the first-user-setup motions as you want.
* try to browse the windows network via "other locations -> windows network". You will get an empty folder.
* update the samba and gvfs packages
* logout and login again on the gui, browse the windows network again. This time it will show the "WORKGROUP" folder, and if you click through, you will see yourself (your VM) and the [pub] share, among others.
* click on the "pub" share, select registered user and login with the ubuntu credentials you created earlier with smbpasswd.
* in another terminal, run this command to confirm that the SMB protocol version that was used to connect to [pub] was not just NT1/SMB1, but higher:
$ sudo smbstatus
...
8779 ubuntu ubuntu 192.168.122.94 (ipv4:192.
Note "SMB3_11" above.
[Regression potential]
The samba update itself just introduces and exposes a new API call. It's up to other applications to make use of that. gvfs was patched to detect this call at build time and use it if it's detected.
Packages that are not rebuilt will not see the change, and packages that *are* rebuilt will only see the change if they make use of it.
[Other Info]
This update introduces a specific runtime dependency between gvfs and libsmbclient due to the new API call added to the latter. Any package that is rebuilt with libsmbclient and makes use of that API call will get this specific dependency. This is handled automatically by dh_mkshlibs.
To complete this SRU, gvfs will need a no-change rebuild after samba was accepted into proposed.
Disco's gvfs is already using the new call, as can be seen in this build log https:/
...
Dependency smbclient found: YES 0.5.0
Checking for function "smbc_setOption
The smbc_setOptionP
I updated the test to actually click on the machine that shows up in the network browsing, and then check with "smbstatus" which version of the protocol was used when connecting to an actual share.
---
Nautilus should show smbtree and host on the smb network.
When entering this command:
killall gvfsd-smb-browse && GVFS_DEBUG=1 /usr/lib/
You can see the error:
smb-network: Queued new job 0x55b19a2c9f40 (GVfsJobCreateM
smb-network: send_reply(
smb-network: backend_
smb-network: Queued new job 0x55b19a2e7820 (GVfsJobQueryFs
smb-network: send_reply(
smb-network: backend_
smb-network: Queued new job 0x55b19a2c30c0 (GVfsJobEnumerate)
smb-network: send_reply(
Proposed solution:
Add gvfsbackendbrow
[link]https:/
which implements "change to NT1" in gvfs-smb-browse to browse the smbtree, to avoid adding "max client protocol = NT1" to smb.conf, which switches all of samba to the unsafe NT1 and which most users are doing to correct this bug.
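A check for the workaround described above, as an added example that is not part of the bug report or of the samba/gvfs code: it scans an smb.conf for a [global] `client max protocol` (the real parameter name; the report writes it as "max client protocol") pinned to NT1 or an older dialect, the global downgrade this fix makes unnecessary. The function name and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: find a global SMB1 pin in smb.conf (file argument or stdin).
# Prints "line N: client max protocol = VALUE" per hit; returns 0 if any hit,
# 1 if the [global] section is clean.
find_smb1_downgrade() {
    awk '
    # smb.conf ignores case and whitespace in section and parameter names.
    function norm(s) { gsub(/[ \t\r]+/, "", s); return tolower(s) }
    /^[ \t]*[#;]/ { next }                      # comment line
    /^[ \t]*\[/ {                               # section header
        sec = $0
        sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        in_global = (norm(sec) == "global")
        next
    }
    in_global && index($0, "=") > 0 {
        eq  = index($0, "=")
        key = norm(substr($0, 1, eq - 1))
        val = toupper(norm(substr($0, eq + 1)))
        # NT1 is SMB1; the other names are the older dialects below it.
        if (key == "clientmaxprotocol" &&
            val ~ /^(CORE|COREPLUS|LANMAN1|LANMAN2|NT1)$/) {
            printf "line %d: client max protocol = %s\n", NR, val
            found = 1
        }
    }
    END { exit(found ? 0 : 1) }
    ' "${1:--}"
}

# Constructed sample config carrying the workaround.
if find_smb1_downgrade <<'EOF'
[global]
   workgroup = WORKGROUP
   Client Max Protocol = NT1
[pub]
   path = /srv/pub
EOF
then
    echo "global SMB1 downgrade present: every client connection is limited to NT1"
fi
```

Run it against /etc/samba/smb.conf on desktops that received the updated samba and gvfs packages; a hit means the global pin is still in place even though browsing no longer needs it.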
Related branches
- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- Diff: 105 lines (+72/-0), 4 files modified
  - debian/changelog (+9/-0)
  - debian/libsmbclient.symbols (+1/-0)
  - debian/patches/add-smbc_setOptionProtocols.patch (+61/-0)
  - debian/patches/series (+1/-0)
Changed in nautilus (Ubuntu):
status: Confirmed → Invalid
Changed in gvfs (Ubuntu Bionic):
importance: Undecided → High
Changed in gvfs (Ubuntu Cosmic):
importance: Undecided → High
Changed in gvfs (Ubuntu):
assignee: nobody → Sebastien Bacher (seb128)
Changed in gvfs (Ubuntu Cosmic):
assignee: nobody → Sebastien Bacher (seb128)
Changed in gvfs (Ubuntu Bionic):
assignee: nobody → Sebastien Bacher (seb128)
description: updated
description: updated
description: updated
no longer affects: nautilus (Ubuntu)
Changed in samba (Ubuntu Bionic):
importance: Undecided → High
tags: removed: browse browsing verification-needed
A patch for gvfs-smb-browse to switch to NT1