gvfs-smb-browse can't browse samba/smb tree

Bug #1778322 reported by Sebastian Byczkowski on 2018-06-23
64
This bug affects 19 people
Affects Status Importance Assigned to Milestone
gvfs
Unknown
Unknown
samba
Unknown
Unknown
gvfs (Ubuntu)
High
Sebastien Bacher
Bionic
High
Sebastien Bacher
Cosmic
High
Sebastien Bacher
samba (Ubuntu)
High
Andreas Hasenack
Bionic
High
Unassigned
Cosmic
High
Unassigned

Bug Description

[Impact]
The so called "browsing a windows network" made use of an SMB1 protocol version feature. Recent versions of samba, including the one released with bionic, default to a higher versions of the protocol which lacks this feature. As a result, the "other locations -> windows network" tab in Nautilus is empty even when there are windows or samba machines in the network.
Accessing such machines directly, via smb://<name-or-ip>/ type urls, continues to work.

The fix is two-fold:
- introduce a new samba API call that can be used to set the protocol version to use
- change applications to make use of this API call to set the protocol versio to SMB1/NT1 just for the network browsing

gvfs was updated to make use of this api call, if detected at build time. To complete this SRU, gvfs needs a no-change rebuild *after* samba was accepted into proposed.

[Test case]
* Launch a bionic desktop vm. You can start with a server one, and then install the "ubuntu-desktop" package. In the same command, also install the packages we need for this test:
$ sudo apt update
$ sudo apt install ubuntu-desktop samba smbclient

* set a password for the ubuntu user, so you can login at the graphical console
$ sudo passwd ubuntu

* set the same password for the ubuntu samba user:
sudo smbpasswd -a ubuntu

* add a simple [pub] share to samba:
$ printf "[pub]\n\tpath=/tmp\n\tguest ok = no\n" | sudo tee -a /etc/samba/smb.conf

* reboot
$ sudo reboot

* login at the graphical console as the ubuntu user. Go through the first-user-setup motions as you want.

* try to browse the windows network via "other locations -> windows network". You will get an empty folder.

* update the samba and gvfs packages
* logout and login again on the gui, browse the windows network again. This time it will show the "WORKGROUP" folder, and if you click through, you will see yourself (your VM) and the [pub] share, among others.

* click on the "pub" share, select registered user and login with the ubuntu credentials you created earlier with smbpasswd.

* in another terminal, run this command to confirm that the SMB protocol version that was used to connect to [pub] was not just NT1/SMB1, but higher:
$ sudo smbstatus
...
8779 ubuntu ubuntu 192.168.122.94 (ipv4:192.168.122.94:60818) SMB3_11 - partial(AES-128-CMAC)

Note "SMB3_11" above.

[Regression potential]
The samba update itself just introduces and exposes a new API call. It's up to other applications to make use of that. gvfs was patched to detect this call at build time and use it if it's detected.
Packages that are not rebuilt will not see the change, and packages that *are* rebuilt will only see the change if they make use of it.

[Other Info]
This update introduces a specific runtime dependency between gvfs and libsmbclient due to the new API call added to the latter. Any package that is rebuilt with libsmbclient and makes use of that API call will get this specific dependency. This is handled automatically by dh_mkshlibs.

To complete this SRU, gvfs will need a no-change rebuild after samba was accepted into proposed.

Disco's gvfs is already using the new call, as can be seen in this build log https://launchpadlibrarian.net/415424052/buildlog_ubuntu-disco-amd64.gvfs_1.40.0-1_BUILDING.txt.gz:
...
Dependency smbclient found: YES 0.5.0
Checking for function "smbc_setOptionProtocols" with dependency smbclient: YES

The smbc_setOptionProtocols() call is only used when the url is like "smb:///", or the server cannot be resolved. The downgrade overrides the setting in smb.conf, and is used just for this case: browsing the network. When connecting to a machine, the url is like "smb://<name>/", and then this function we are adding is not called.

I updated the test to actually click on the machine that shows up in the network browsing, and then check with "smbstatus" which version of the protocol was used when connecting to an actual share.

---

Nautilus should show smbtree and host on the smb network.

When inputing this command:
killall gvfsd-smb-browse && GVFS_DEBUG=1 /usr/lib/gvfs/gvfsd-smb-browse

You can see the error:
smb-network: Queued new job 0x55b19a2c9f40 (GVfsJobCreateMonitor)
smb-network: send_reply(0x55b19a2c9f40), failed=1 (Action not supported by the processing engine)
smb-network: backend_dbus_handler org.gtk.vfs.Mount:QueryFilesystemInfo (pid=5708)
smb-network: Queued new job 0x55b19a2e7820 (GVfsJobQueryFsInfo)
smb-network: send_reply(0x55b19a2e7820), failed=0 ()
smb-network: backend_dbus_handler org.gtk.vfs.Mount:Enumerate (pid=5708)
smb-network: Queued new job 0x55b19a2c30c0 (GVfsJobEnumerate)
smb-network: send_reply(0x55b19a2c30c0), failed=0 ()

Proposed solution:
Add gvfsbackendbrowse-switch-to-NT1.patch disscused on RedHat Bugzilla
[link]https://bugzilla.redhat.com/show_bug.cgi?id=1513394
which implements "change to NT1" in gvfs-smb-browse to browse smbtree to aviod adding "max client protocol" = NT1" to smb.conf to switch all samba to unsafe NT1 which most users are doing to correct this bug.

Related branches

CVE References

A patch for gvfs-smb-browse to switch to NT1

Simpler form of before posted patch.Ehh

The attachment "gvfs-smb-browse change to NT1 from RedHat Bugzilla" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gvfs (Ubuntu):
status: New → Confirmed
Changed in nautilus (Ubuntu):
status: New → Confirmed
Changed in nautilus (Ubuntu):
status: Confirmed → Invalid
Sebastien Bacher (seb128) wrote :

The fix is in https://launchpad.net/ubuntu/+source/gvfs/1.38.1-1ubuntu1

And being backported to cosmic and bionic

Changed in gvfs (Ubuntu):
importance: Undecided → Low
status: Confirmed → Fix Released
description: updated

Hello Sebastian, or anyone else affected,

Accepted gvfs into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gvfs/1.38.1-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in gvfs (Ubuntu Cosmic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Brian Murray (brian-murray) wrote :

Hello Sebastian, or anyone else affected,

Accepted gvfs into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gvfs/1.36.1-0ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in gvfs (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Brian Murray (brian-murray) wrote :

Hello Sebastian, or anyone else affected,

Accepted gvfs into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gvfs/1.38.1-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

I have checked bionic-proposed repo and listed packages have installed:
gvfs-backends/bionic-proposed,now 1.36.1-0ubuntu1.2 amd64 [installed]
gvfs-bin/bionic-proposed,now 1.36.1-0ubuntu1.2 amd64 [installed]
gvfs-common/bionic-proposed,now 1.36.1-0ubuntu1.2 all [installed]
gvfs-daemons/bionic-proposed,now 1.36.1-0ubuntu1.2 amd64 [installed]
gvfs-fuse/bionic-proposed,now 1.36.1-0ubuntu1.2 amd64 [installed]
gvfs-libs/bionic-proposed,now 1.36.1-0ubuntu1.2 amd64 [installed]
gvfs-libs/bionic-proposed,now 1.36.1-0ubuntu1.2 amd64 [installed]

But if I disable with # in smb.conf
max client protocol = NT1
or chane it to:
max client protocol = SMB3
Nautilus still shows me Empty Dir if I enter Windows Network and gvfs can't browse smbtree still.
So I assume the patch does not work as expected.

I'm sending Gvfs log.
Interesting part starts at line 173:

Starting GENSEC mechanism spnego
Server claims it's principal name is NONE
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
SPNEGO login failed: An invalid parameter was passed to a service or function.

And line 270 in Gvfs log:
Server connect ok: //TOMATO/IPC$: 0x7f72b4020fd0
smb-network: do_mount - [smb://DOMOWA; 0] dir = (nil), cancelled = 0, errno = [0] 'Succes'
smb-network: do_mount - (errno != EPERM && errno != EACCES), cancelled = 0, breaking
smb-network: send_reply(0x556b8fdb32b0), failed=1 (Downloading resources list from server failed: Succes)
Performing aggressive shutdown.
smb-network: purging server cache
Context 0x7f72b4010b60 successfully freed
Freeing parametrics:
network: Couldn't create directory monitor on smb://x-gnome-default-workgroup/. Error: given location is not mounted

Sebastien Bacher (seb128) wrote :

Thanks for the testing. Indeed there is a problem, from the build log

"Native dependency smbclient found: YES 0.3.1
Checking for function "smbc_setOptionProtocols" : NO"

The API needed is too new for our current libsmbclient version, we need to backport that one as well.
The other changes from the SRU are fine though and that one is just a no-change without the API so it probably makes sense to validate the current SRU anyway and do another round for libsmbclient/rebuild gvfs later

Changed in samba (Ubuntu):
importance: Undecided → High
Changed in gvfs (Ubuntu):
status: Fix Released → Triaged
importance: Low → High
Sebastien Bacher (seb128) wrote :
Changed in samba (Ubuntu):
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gvfs - 1.38.1-0ubuntu1.1

---------------
gvfs (1.38.1-0ubuntu1.1) cosmic; urgency=medium

  * debian/patches/series:
    - include git_invalid_autorun.patch which was mentioned in
      the previous upload but not added to the serie

gvfs (1.38.1-0ubuntu1) cosmic; urgency=medium

  * New upstream version (lp: #1803186)
   - smbbrowse: Force NT1 protocol version for workgroup support
     (lp: #1778322)
  * debian/patches/git_invalid_autorun.patch:
    - common: Prevent crashes on invalid autorun file (lp: #1798725)

 -- Sebastien Bacher <email address hidden> Wed, 21 Nov 2018 15:03:01 +0100

Changed in gvfs (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gvfs - 1.36.1-0ubuntu1.2

---------------
gvfs (1.36.1-0ubuntu1.2) bionic; urgency=medium

  * debian/patches/git_smb_writing.patch:
    - Use O_RDWR to fix fstat when writing (lp: #1803158)
  * debian/patches/git_invalid_autorun.patch:
    - common: Prevent crashes on invalid autorun file (lp: #1798725)
  * debian/patches/git_channel_lock.patch:
    - daemon: Prevent deadlock and invalid read when closing channels
      (lp: #1630905)
  * debian/patches/git_dav_lockups.patch:
    - workaround libsoup limitation to prevent dav lockups (lp: #1792878)
  * debian/patches/git_smb_nt1.patch:
    - smbbrowse: Force NT1 protocol version for workgroup support
      (lp: #1778322)
  * debian/patches/git_smb_directory.patch:
    - smb: Add workaround to fix removal of non-empty dir (lp: #1803190)

 -- Sebastien Bacher <email address hidden> Tue, 13 Nov 2018 17:09:03 +0100

Changed in gvfs (Ubuntu Bionic):
status: Fix Committed → Fix Released
Sebastien Bacher (seb128) wrote :

Reopening, the fix isn't working until we get the samba change

Changed in gvfs (Ubuntu Bionic):
status: Fix Released → Triaged
Changed in gvfs (Ubuntu Cosmic):
status: Fix Released → Triaged
Changed in gvfs (Ubuntu Bionic):
importance: Undecided → High
Changed in gvfs (Ubuntu Cosmic):
importance: Undecided → High
Will Cooke (willcooke) on 2019-01-29
Changed in gvfs (Ubuntu):
assignee: nobody → Sebastien Bacher (seb128)
Changed in gvfs (Ubuntu Cosmic):
assignee: nobody → Sebastien Bacher (seb128)
Changed in gvfs (Ubuntu Bionic):
assignee: nobody → Sebastien Bacher (seb128)
Andreas Hasenack (ahasenack) wrote :

Looking at this next.

Changed in samba (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: Triaged → In Progress
Andreas Hasenack (ahasenack) wrote :

Builds in a ppa look good:
...
Native dependency smbclient found: YES 0.2.3
Checking for function "smbc_setOptionProtocols": YES
...

Checking for real with a bionic desktop now.

Andreas Hasenack (ahasenack) wrote :

I just tried with my build from the ppa, but it's not working. When enabling debugging in gvfsd, I can see it setting the protocol to NT1:

network: Added new job source 0x559ce1b3e070 (GVfsBackendNetwork)
network: Queued new job 0x559ce1b4cab0 (GVfsJobMount)
smb-network: g_vfs_backend_smb_browse_init: default workgroup = 'NULL'
smb-network: Added new job source 0x564f06543070 (GVfsBackendSmbBrowse)
smb-network: Queued new job 0x564f06549ac0 (GVfsJobMount)
smb-network: Error resolving “EXAMPLE”: Name or service not known
smb-network: Forcing NT1 protocol version
smb-network: do_mount - URI = smb://EXAMPLE

That message, "Forcing NT1 protocol version", comes from the gvfs patch and confirms that it is using the new smbc_setOptionProtocols() call.

If somebody else wants to try in the meantime, the packages for bionic are at https://launchpad.net/~ahasenack/+archive/ubuntu/samba-browse-nt1-1778322/

Andreas Hasenack (ahasenack) wrote :

The original samba patch had a typo/error, this is the fix for that:

https://github.com/samba-team/samba/commit/885435e8a4dc561749b880f8be7a32041fa954ec

Andreas Hasenack (ahasenack) wrote :

It worked with the updated patch. Packages rebuilt in the PPA. I'll prepare a merge proposal and SRU this into bionic. We will have to rebuild gvfs there, though, after samba lands in proposed.

description: updated
description: updated
Brian Murray (brian-murray) wrote :

Does the samba task need fixing in disco at all?

Changed in samba (Ubuntu):
status: In Progress → Incomplete
description: updated
Brian Murray (brian-murray) wrote :

Hello Sebastian, or anyone else affected,

Accepted samba into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.8.4+dfsg-2ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in samba (Ubuntu Cosmic):
status: New → Fix Committed
Changed in samba (Ubuntu):
status: Incomplete → Fix Released
Changed in samba (Ubuntu Cosmic):
importance: Undecided → High
Brian Murray (brian-murray) wrote :

Hello Sebastian, or anyone else affected,

Accepted samba into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.7.6+dfsg~ubuntu-0ubuntu2.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in samba (Ubuntu Bionic):
status: New → Fix Committed
Andreas Hasenack (ahasenack) wrote :

For anyone wanting to test this bug, please note you will also have to wait for a gvfs rebuild with this new samba package.

Andreas Hasenack (ahasenack) wrote :

Bionic verification

Bug reproduced with the following packages:
ubuntu@ubuntu:~$ apt-cache policy samba gvfs-backends
samba:
...
 *** 2:4.7.6+dfsg~ubuntu-0ubuntu2.7 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
...
gvfs-backends:
...
 *** 1.36.1-0ubuntu1.3 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://br.archive.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
...

(see attached screenshot)

Andreas Hasenack (ahasenack) wrote :

Bionic verification (continued)

Now installing the new samba packages. Since I need a gvfs rebuild with the new samba packages, I'm doing that locally.

So in the end I now have:
samba from proposed:
 *** 2:4.7.6+dfsg~ubuntu-0ubuntu2.8 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages

gvfs built locally:
ubuntu@ubuntu:~/deb/gvfs/gvfs-1.36.1$ grep smbc_setOptionProtocol ../build.log
Checking for function "smbc_setOptionProtocols": YES
gvfs-backends:
  Installed: 1.36.1-0ubuntu1.4~andreas1
  Candidate: 1.36.1-0ubuntu1.4~andreas1
  Version table:
 *** 1.36.1-0ubuntu1.4~andreas1 100
        100 /var/lib/dpkg/status

I then reboot, login, and the windows network is populated with the workgroup and the host.

I then connect to the host, and the pub share, authenticate, and smbstatus confirms the connection and that SMB3_11 was used:
root@ubuntu:~# smbstatus

Samba version 4.7.6-Ubuntu
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
1828 nobody nogroup ubuntu (ipv4:192.168.122.28:35678) NT1 - -
2084 nobody nogroup ubuntu (ipv4:192.168.122.28:35694) NT1 - -
2093 ubuntu ubuntu 192.168.122.28 (ipv4:192.168.122.28:41040) SMB3_11 - partial(AES-128-CMAC)

Bionic verification succeeded.

Andreas Hasenack (ahasenack) wrote :

Bionic:

full smbstatus output, showing the connection to the pub share as well:
root@ubuntu:~# smbstatus

Samba version 4.7.6-Ubuntu
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
1828 nobody nogroup ubuntu (ipv4:192.168.122.28:35678) NT1 - -
2084 nobody nogroup ubuntu (ipv4:192.168.122.28:35694) NT1 - -
2093 ubuntu ubuntu 192.168.122.28 (ipv4:192.168.122.28:41040) SMB3_11 - partial(AES-128-CMAC)

Service pid Machine Connected at Encryption Signing
---------------------------------------------------------------------------------------------
IPC$ 2084 ubuntu Fri Apr 5 15:33:26 2019 UTC - -
IPC$ 1828 ubuntu Fri Apr 5 15:31:23 2019 UTC - -
pub 2093 192.168.122.28 Fri Apr 5 15:33:32 2019 UTC - -

No locked files

tags: added: verification-done-cosmic
removed: verification-needed-cosmic
Andreas Hasenack (ahasenack) wrote :

Cosmic verification

Confirming the bug:
ubuntu@ubuntu:~$ apt-cache policy samba gvfs-backends
samba:
  Installed: 2:4.8.4+dfsg-2ubuntu2.1
  Candidate: 2:4.8.4+dfsg-2ubuntu2.1
  Version table:
 *** 2:4.8.4+dfsg-2ubuntu2.1 500
        500 http://br.archive.ubuntu.com/ubuntu cosmic-updates/main amd64 Packages
...
gvfs-backends:
  Installed: 1.38.1-0ubuntu1.2
  Candidate: 1.38.1-0ubuntu1.2
  Version table:
 *** 1.38.1-0ubuntu1.2 500
        500 http://br.archive.ubuntu.com/ubuntu cosmic-updates/main amd64 Packages
...

Bug reproduced, see attached screenshot. Windows network browsing is empty.

(continued)

Andreas Hasenack (ahasenack) wrote :

Cosmic verification (continued)

Now installing the updated samba packages, and rebuilding gvfs locally:

samba:
  Installed: 2:4.8.4+dfsg-2ubuntu2.2
  Candidate: 2:4.8.4+dfsg-2ubuntu2.2
  Version table:
 *** 2:4.8.4+dfsg-2ubuntu2.2 500
        500 http://br.archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 Packages

gvfs:
ubuntu@ubuntu:~/deb/gvfs/gvfs-1.38.1$ grep smbc_setOptionProtocol ../build.log
Checking for function "smbc_setOptionProtocols" : YES

$ apt-cache policy gvfs-backends
gvfs-backends:
  Installed: 1.38.1-0ubuntu1.3~andreas1
  Candidate: 1.38.1-0ubuntu1.3
  Version table:
     1.38.1-0ubuntu1.3 500
        500 http://br.archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 Packages
 *** 1.38.1-0ubuntu1.3~andreas1 100
        100 /var/lib/dpkg/status

Note: there is an old gvfs in proposed already, but it was NOT rebuilt with this samba version.

Reboot, login, access windows network, and the workgroup and computer are displayed (see attached screenshot).

Accessing the "pub" share works after authenticating, and in that case smbstatus shows SMB3.11 was used:
root@ubuntu:~# smbstatus

Samba version 4.8.4-Ubuntu
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
2033 nobody nogroup ubuntu (ipv4:192.168.122.79:51830) NT1 - -
2044 nobody nogroup ubuntu (ipv4:192.168.122.79:51834) NT1 - -
2240 nobody nogroup ubuntu (ipv4:192.168.122.79:51844) NT1 - -
2420 ubuntu ubuntu 192.168.122.79 (ipv4:192.168.122.79:48332) SMB3_11 - partial(AES-128-CMAC)

Service pid Machine Connected at Encryption Signing
---------------------------------------------------------------------------------------------
IPC$ 2044 ubuntu Fri Apr 5 16:07:06 2019 UTC - -
IPC$ 2033 ubuntu Fri Apr 5 16:07:04 2019 UTC - -
pub 2420 192.168.122.79 Fri Apr 5 16:08:54 2019 UTC - -
IPC$ 2240 ubuntu Fri Apr 5 16:08:07 2019 UTC -

Cosmic verification succeeded.

tags: added: verification-done-bionic
removed: verification-needed-bionic
Andreas Hasenack (ahasenack) wrote :

I think I mixed the verification-done tags, but both are done now.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.8.4+dfsg-2ubuntu2.3

---------------
samba (2:4.8.4+dfsg-2ubuntu2.3) cosmic-security; urgency=medium

  * SECURITY UPDATE: save registry file outside share as unprivileged user
    - debian/patches/CVE-2019-3880.patch: remove implementations of
      SaveKey/RestoreKey in source3/rpc_server/winreg/srv_winreg_nt.c.
    - CVE-2019-3880

 -- Marc Deslauriers <email address hidden> Thu, 04 Apr 2019 14:05:09 -0400

Changed in samba (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.7.6+dfsg~ubuntu-0ubuntu2.9

---------------
samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.9) bionic-security; urgency=medium

  * SECURITY UPDATE: save registry file outside share as unprivileged user
    - debian/patches/CVE-2019-3880.patch: remove implementations of
      SaveKey/RestoreKey in source3/rpc_server/winreg/srv_winreg_nt.c.
    - CVE-2019-3880

 -- Marc Deslauriers <email address hidden> Thu, 04 Apr 2019 14:05:56 -0400

Changed in samba (Ubuntu Bionic):
status: Fix Committed → Fix Released
BloodyIron (bloodyiron) wrote :

I'm seeing this issue with Disco Dingo 19.04

Using samba/disco,now 2:4.10.0+dfsg-0ubuntu2 amd64 [installed]

Upgrade didn't install samba by default, and nautilus is still having issues with network share being SMB2 minimum

Solved by:
1. Killing PID of gvfsd-smb-browse
2. Running "GVFS_SMB_DEBUG=1 /usr/lib/gvfs/gvfsd-smb-browse"

Issue returns after reboot.

So, looks like was solved in 4.8, but since Disco Dingo 19.04 uses 4.10, looks like it didn't get the fix, not sure.

BloodyIron (bloodyiron) wrote :

Also, since samba package isn't installed by default (at least in my 18.10 to 19.04 upgrade), how do we fix this without the samba package installed?

Andreas Hasenack (ahasenack) wrote :

I checked disco when I prepared these updates for bionic and cosmic, and it was allright. Let me re-check with a default install using the CD this time, now that it is released.

Andreas Hasenack (ahasenack) wrote :

It worked just fine on a disco desktop default install.

I brought up a bionic vm, which has samba running and set to a workgroup called "workgroup" and has a /pub share. On disco, I click on "other locations", then "windows network", and I see "WORKGROUP". I can click on "WORKGROUP", which then shows me the other server. If I click on that, I see the "pub" share.

The only samba packages you need for this network browsing are installed: libsmbclient, libwbclient0, samba-libs. I have these with version 4.10.0 as expected.

BloodyIron (bloodyiron) wrote :

@Andreas , I already have those installed. Still seeing the same effect each reboot.

Not sure why my result is different. I do have two workgroups in play though, so I wonder if that's it...

Andreas Hasenack (ahasenack) wrote :

Check your smb.conf, maybe you have some overriding setting in there. The default disco install I tested had no config file.

With gvfsd running in debug mode, there is also a specific message you can look for which will tell you if your gvfsd was rebuilt with the right samba version: "Forcing NT1 protocol version"

I followed steps 1 and 2 last time I checked this: https://wiki.gnome.org/Projects/gvfs/debugging

BloodyIron (bloodyiron) wrote :

Checked smb.conf so far only seeing "client min protocol = SMB2" which should not be causing this problem...

Morbius1 (morbius1) wrote :

There is an issue with this fix that makes it impossible to access a Windows 10 machine that has disabled SMB1 ( NT1 ):

smb-network: g_vfs_backend_smb_browse_init: default workgroup = 'NULL'
smb-network: Added new job source 0x55ebe2dd53d0 (GVfsBackendSmbBrowse)
smb-network: Queued new job 0x55ebe2ddf700 (GVfsJobMount)
smb-network: Error resolving “vwin10”: Temporary failure in name resolution
smb-network: Forcing NT1 protocol version
smb-network: do_mount - URI = smb://vwin10
smb-network: do_mount - try #0
smb-network: looking up cached server 'vwin10'\'IPC$', user 'WORKGROUP';'tester'
smb-network: returning (nil)
smb-network: auth_callback - anonymous pass
smb-network: auth_callback - out: last_user = 'tester', last_domain = 'WORKGROUP'
smb-network: looking up cached server 'vwin10'\'IPC$', user 'WORKGROUP';'tester'
smb-network: returning (nil)
smb-network: looking up cached server 'vwin10'\'IPC$', user 'WORKGROUP';'tester'
smb-network: returning (nil)
smb-network: auth_callback - anonymous pass
smb-network: auth_callback - out: last_user = 'tester', last_domain = 'WORKGROUP'
smb-network: looking up cached server 'vwin10'\'IPC$', user 'WORKGROUP';'tester'
smb-network: returning (nil)
smb-network: do_mount - [smb://vwin10; 0] dir = (nil), cancelled = 0, errno = [102] 'Network dropped connection on reset'
smb-network: do_mount - (errno != EPERM && errno != EACCES), cancelled = 0, breaking
smb-network: send_reply(0x55ebe2ddf700), failed=1 (Failed to retrieve share list from server: Network dropped connection on reset)

My interpretation of the results:

** Despite SMBv1 being disabled on the server end of Win10 it will still broadcast its NetBIOS name to the rest if the network.

** With this fix the Linux client will correctly discover the Win10 box.

** But it is now in the NT1 ( SMBv1 ) state when it tries to access Win10 and Win10 no longer understands SMBv1.

Win10 does not prompt for credentials and no negotiation of which smb protocol to use takes place so access is denied.

I have two choices at this point if I still want to use a gvfs ( gio ) mount:

[1] I can circumvent gvfsd-smb-browse and use Connect to Server to connect to the Win10 machine explicitly.

[2] I can enable SMBv1 on the server end of Win10 and then everything works.

Andreas Hasenack (ahasenack) wrote :

Does this also happen with Ubuntu Disco? I checked upstream and there were no other changes following this one in that file:

commit 6c8bc39f570ea82cf14e83ce7d1dbdbe569d09d1
Author: Ondrej Holy <email address hidden>
Date: Wed Sep 12 15:28:51 2018 +0200

    smbbrowse: Force NT1 protocol version for workgroup support

    "Windows Network" doesn't work with recent samba versions, because
    "client max protocol" has been changed from NT1 to SMB3 recently.
    NT1 is mandatory for workgroup support. Let's force NT1 using the
    newly added smbc_setOptionProtocols API if available. But force this
    only when neither hostname, nor IP address is used. This among others
    prevents complete breakage if NT1 is disabled on server. Use GResolver
    to implement this heuristic.

    https://bugzilla.gnome.org/show_bug.cgi?id=780958

In the SRU test, smbstatus does show some NT1 connections, but in the end the share connection is using SMB3.11, which is what we want.

Since the machine now shows up, and it wasn't before, this may warrant a new separate bug.

Morbius1 (morbius1) wrote :

My post concerns Ubuntu Disco. I'm guessing Win10 sees the SMBv1 connection, rejects it outright, and never gets to the protocol negotiation phase.

As I said this only involves the gvfsd-smb-browse process: Nautilus > Other Locations > Windows Network > Workgroup ....

If I use Connect to Server I can access the Win10 box without changing anything on the WIn10 side.

Morbius1 (morbius1) wrote :

Your reference to the Linux Samba Server command: smbstatus got me thinking what would happen if I disabled NT1 on a Linux Samba server by stipulating "server min protocol = SMB2" and using Windows Network > ... to connect.

The exact same thing happens as when trying to connect to a Win10 machine that's disabled SMBv1.

It a different error message: Invalid Argument ( Linux Server ) vs Network dropped connection on reset ( Windows Server ) but the affect is the same. Connection to the host isn't possible through gvfsd-smb-browse. If I reset the Linux server by removing server min protocol = SMB2 it all works because now NT1 was restored.

Maybe I'm reading too much into your quote:
"Let's force NT1 using the
newly added smbc_setOptionProtocols API if available. But force this
only when neither hostname, nor IP address is used. This among others
prevents complete breakage if NT1 is disabled on server."

Is it possible they knew this would happen?

Linux doesn't disable SMB1 by default in its server but Windows 10 does on new builds.

Andreas Hasenack (ahasenack) wrote :

I indeed think interacting with a server that has disabled SMB1 entirely is a related, but different problem. Can you get smbclient -L to work with such a server, using the netbios hostname, or does it fail when listing the shares?

Morbius1 (morbius1) wrote :

smbclient -L, "gio mount smb://server/share ', even just specifying smb://server/share in the location bar in Nautilus works just like you would expect.

It's only the gvfsd-smb-browse process that's messed up.

As far as it being a related but different problem .... Well I reckon it all depends on what you mean by fixed.

The original issue was you couldn't get a listing of samba hosts in Nautilus so yes that issue is fixed.

But why did we want to get the list in the first place? I would argue so that you could gain access to those hosts from the same process and here it only applies to hosts that still allow NT1 / SMB1.

Morbius1 (morbius1) wrote :

Here's a different perspective. Accessing the Win10 machine again:

tester@vub1904:~$ smbclient -L vwin10 -U smbuser
Unable to initialize messaging context
Enter WORKGROUP\smbuser's password:

 Sharename Type Comment
 --------- ---- -------
 ADMIN$ Disk Remote Admin
 C$ Disk Default share
 Documents Disk
 IPC$ IPC Remote IPC
 print$ Disk Printer Drivers
 Shared Disk
 Users Disk
Reconnecting with SMB1 for workgroup listing.
protocol negotiation failed: NT_STATUS_CONNECTION_RESET
Unable to connect with SMB1 -- no workgroup available

tester@vub1904:~$ smbclient //vwin10/Shared -U smbuser
Unable to initialize messaging context
Enter WORKGROUP\smbuser's password:
Try "help" to get a list of possible commands.
smb: \>

And the equivalent of smbstatus on Windows:
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\WINDOWS\system32> Get-SmbSession | Select Dialect,ClientComputerName

Dialect ClientComputerName
------- ------------------
3.1.1 192.168.1.177

smbclient -L automatically goes to SMB1 to get the share listing then tells me it cannot connect to these which makes sense in that state.

Yet I can use smbclient itself to access the share if I specify it. This is what gvfsd-smb-browse needs to do. Drop down to NT1 to get the share list which it's doing now then release it and allow the normal smb negotiation to take place.

Andreas Hasenack (ahasenack) wrote :

I think it's exactly getting the share list using NT1 that is failing. I will look at this tomorrow, see what smbclient -L is doing wrt NT1 temporary downgrade.

I don't know if it's related, it probably isn't, but I'll mention it just in case.. I noticed a regression in smbclient and I'm wondering if that's affecting gvfs as well.

After setting up an open share (RW access to everyone, no password) on the Windows 10 box, I can access it with Ubuntu 16.04 (samba 4.3.11):

$ smbclient -L 192.168.0.104 -N
WARNING: The "syslog" option is deprecated
OS=[Windows 10 Home 17134] Server=[Windows 10 Home 6.3]

 Sharename Type Comment
 --------- ---- -------
 ADMIN$ Disk Remote Admin
 C$ Disk Default share
 IPC$ IPC Remote IPC
 MySharedFolder Disk
 print$ Disk Printer Drivers
 Users Disk
Connection to 192.168.0.104 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
NetBIOS over TCP disabled -- no workgroup available

I get that successful result also if I set the min protocol to NT1, SMB2 or SMB3 using the -m argument.

But if I try to access it in Ubuntu 18.04 (samba 4.7.6), I get an ACCESS_DENIED error:

$ smbclient -L 192.168.0.104 -N
WARNING: The "syslog" option is deprecated
session setup failed: NT_STATUS_ACCESS_DENIED

Specifying the protocol to SMB2 or SMB3 doesn't change anything:

$ smbclient -L 192.168.0.104 -N -m SMB2
WARNING: The "syslog" option is deprecated
session setup failed: NT_STATUS_ACCESS_DENIED

Interestingly enough, changing it to NT1 doesn't solve the issue but note how smbclient reports a successful anonymous login:

$ smbclient -L 192.168.0.104 -N -m NT1
WARNING: The "syslog" option is deprecated
Anonymous login successful

 Sharename Type Comment
 --------- ---- -------
Error returning browse list: NT_STATUS_ACCESS_DENIED
Reconnecting with SMB1 for workgroup listing.
Connection to 192.168.0.104 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available

And finally, what solves the issue is to set a username to something, anything. In the example below I use the string "dummy", which doesn't correspond to any username in the Windows or in the Linux box:

smbclient -L 192.168.0.104 -N -U dummy
WARNING: The "syslog" option is deprecated

 Sharename Type Comment
 --------- ---- -------
 ADMIN$ Disk Remote Admin
 C$ Disk Default share
 IPC$ IPC Remote IPC
 MySharedFolder Disk
 print$ Disk Printer Drivers
 Users Disk
Reconnecting with SMB1 for workgroup listing.
Connection to 192.168.0.104 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available

If you think this regression is specific to smbclient, please ignore this, we can open a new bug report. The reason I mention it is that I'm wondering if gvfs isn't failing in a similar manner.

Andreas Hasenack (ahasenack) wrote :

Yes, please open a separate bug report, and attach your smb.conf there please.

Thanks Andreas and sorry for posting it here. I was hoping it could be related. Here's the new bug report: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1827041.

Do we need a new rebuild of gvfs in bionic or did the 1.36.1-0ubuntu1.3 update pick up the samba change when it was built?

Using samba 4.7.6+dfsg~ubuntu-0ubuntu2.9, I rebuilt gvfs 1.36.1-0ubuntu1.3 locally.

I then restarted gvfsd-smb-browse without success..

killall gvfsd-smb-browse && GVFS_DEBUG=1 /usr/lib/gvfs/gvfsd-smb-browse

still nothing in Network neighbourhood.. and no sign of "smb-network: Forcing NT1 protocol version" in the output.

I then killed the file manager and gvfsd-smb-browse, and typed:

pkill gvfs
GVFS_DEBUG=1 /usr/lib/gvfs/gvfsd-smb-browse

I restarted the file manager and this time, I could see "smb-network: Forcing NT1 protocol version" and Workgroup when browsing network:///.

What I don't understand though, is that after each new reboot, with this locally built gvfs installed, I end up not seeing workgroup within network:///, nor "smb-network: Forcing NT1 protocol version" in the gvfsd-smb-browse output until after I pkill gvfs.

Going back to the repository version of gvfs, and I can't see workgroup, nor "smb-network: Forcing NT1 protocol version" anymore, even after "pkill gvfs".

Andreas Hasenack (ahasenack) wrote :

A new rebuild is needed. To verify in another way, check the Depends line of the gvfs-backends package:

$ dpkg -s gvfs-backends|grep Depends|grep smbclient
Depends: libarchive13 (>= 3.0.4), ...., libsmbclient (>= 2:4.0.3+dfsg1)

versus

$ dpkg -s gvfs-backends|grep Depends|grep smbclient
Depends: libarchive13 (>= 3.0.4), ...., libsmbclient (>= 2:4.7.6+dfsg~ubuntu-0ubuntu2.8~)

It must require a newer libsmbclient like in the second case above.

The old windows network is a bit brittle. Elections need to take place, a master browser has to be elected, etc. Even getting a name can take a while, as the network needs to be checked for collisions. Usually it's a matter of time until the computers show up.

Andreas Hasenack (ahasenack) wrote :

> The original issue was you couldn't get a listing of samba hosts in Nautilus so
> yes that issue is fixed.

The original problem also affected linux samba boxes, which do allow smb1 by default still. You couldn't even see them in nautilus. Now you can, and you can browse their shares and connect to them.

> But why did we want to get the list in the first place? I would argue so that
> you could gain access to those hosts from the same process and here it only
> applies to hosts that still allow NT1 / SMB1.

I agree, and the fix we have here is a step in that direction. But the whole premise of being able to seamlessly connect to boxes that have SMB1 disabled is not where this started, and might require more troubleshooting. Depending on how complicated that is, I just wouldn't want to prevent users from getting this particular fix while the other part is being looked at.

That being said, I'll do some experiments with boxes that have SMB1 disabled and perhaps file a new upstream bug with gvfsd. But I think this very particular bug here in launchpad is fixed with the changes to samba and gvfsd that exist today.

Morbius1 (morbius1) wrote :

I understand.

I would however like to make a final note about Linux to Linux samba use - at least in a home network.

If the server is running Ubuntu 17.10 or later ( with avahi-daemon installed ) this bug is not relevant because the samba client isn't using gvfsd-smb-browse. The sever automatically publishes its presence with the default "multicast dns register = yes" parameter in samba. All Linux machines as well as any MacOS box will see the host automatically using Avahi / Bonjour under "Other Locations" directly without having to go through Windows Network.

Under these conditions the client can use SMB3 to connect not SMB1 because gvfsd-smb-browse isn't getting in the way.

Andreas Hasenack (ahasenack) wrote :

Nice, that's good to know, thanks for pointing it out.

Sebastien Bacher (seb128) wrote :

@Morbius1, the testcase from Andreas showed empty nautilus views though

@Andreas, what sort of shares did you use for your testcase?

Andreas Hasenack (ahasenack) wrote :

@seb128, the test case uses a localhost samba server, with a non-guest pub share pointing at /tmp. Not even that was visible in gnome before this fix.

Morbius1 (morbius1) wrote :

@seb128, If the samba share was created on Ubuntu Server and not on Ubuntu Desktop then without the fix you will not see the samba server through Nautilus.

That's because Ubuntu Server does not install avahi-daemon by default. Once installed it's visible outside of "Windows Network" because of avahi:

I can see it when I run "avahi-browse -at" and when I select it in Nautilus it resolves to vubsrv1804.local:

tester@vub1804:~$ ls -al /run/user/1000/gvfs | grep vubsrv
drwx------ 1 tester tester 0 Mar 21 07:37 smb-share:server=vubsrv1804.local,share=public

Andreas Hasenack (ahasenack) wrote :

@morbius1, how did you disable smb1 on your test samba server? "server min protocol = SMB2"?

Andreas Hasenack (ahasenack) wrote :

Ah, you said so, sorry

Is a rebuild/version-bump planned for gvfs Bionic?

Sebastien Bacher (seb128) wrote :

> Is a rebuild/version-bump planned for gvfs Bionic?

Yes, that was blocked by another SRU which was accepted but turned out to be problematic (building the nfs backend which requires libnfs promoted). The other SRU has been deleted for now so we are going to move forward with this rebuild

Andreas Hasenack (ahasenack) wrote :

It is, that's all that's needed now. I heard another, unrelated, gvfs SRU was in the works and was hitting problems, though.

I have a no-change rebuild in this PPA for bionic: https://launchpad.net/~ahasenack/+archive/ubuntu/gvfs-rebuild-1778322/

BloodyIron (bloodyiron) wrote :

Um, what about Disco Dingo? 19.04, still having the bug.

Andreas Hasenack (ahasenack) wrote :

Disco shouldn't have this bug. It (gvfs) will have issues connecting to smb servers that have disabled SMB1, just like bionic and everything in between.

Andreas Hasenack (ahasenack) wrote :

I found an upstream issue about not being able to get a share list from a machine that has SMB1 disabled: https://gitlab.gnome.org/GNOME/gvfs/issues/307

Andreas Hasenack (ahasenack) wrote :

I filed https://bugs.launchpad.net/gvfs/+bug/1828107 for the remaining issue of connecting to machines in the windows network tab that have disabled SMB1. Note that a connection made specifically to the machine/ip still works (smb://<ip|name>/)

BloodyIron (bloodyiron) wrote :

I have the issue in Disco... and have since I upgraded to it, as I mentioned https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1778322/comments/35.

Sebastien Bacher (seb128) wrote :

(bionic rebuild SRU in the queue now)

Changed in gvfs (Ubuntu Bionic):
status: Triaged → Fix Committed
Sebastien Bacher (seb128) wrote :

Cosmic uploaded as well

Changed in gvfs (Ubuntu Cosmic):
status: Triaged → Fix Committed
Changed in gvfs (Ubuntu):
status: Triaged → Fix Committed
Sebastien Bacher (seb128) wrote :

The bug should be fixed in Disco, samba 2.4.10 includes the function and gvfs there has the patch and was rebuilt with it

Changed in gvfs (Ubuntu):
status: Fix Committed → Fix Released
Andreas Hasenack (ahasenack) wrote :

The "windows network" tab depends on an election to happen between the smb servers, and a master browser being elected. It's the master browser that is contacted for the list of machines in the network. If that machine has smb1 disabled, for example, then this won't work, because it will hit #1828107 (that's my understanding).

I suggest to focus on the test case presented in the bug description. If there are still cases where it doesn't work, then it's a separate bug, because disco has the same fix in place as we are applying here.

BloodyIron (bloodyiron) wrote :

Okay but it isn't fixed in Dingo. I still get it. What more do you want me to do, not say it's happening for me in Disco Dingo? Because it is...

Andreas Hasenack (ahasenack) wrote :

Try the test case in a disco vm

Brian Murray (brian-murray) wrote :

Hello Sebastian, or anyone else affected,

Accepted gvfs into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gvfs/1.38.1-0ubuntu1.3.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed-cosmic
removed: verification-done-cosmic
tags: added: verification-needed-bionic
removed: verification-done-bionic
Brian Murray (brian-murray) wrote :

Hello Sebastian, or anyone else affected,

Accepted gvfs into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gvfs/1.36.1-0ubuntu1.3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

BloodyIron (bloodyiron) wrote :

I'm using Disco as my daily driver and I still have this issue every time I reboot. I also update nearly daily from the main repos, so any fixes that may have rolled out, thus-far, aren't fixing it.

no longer affects: nautilus (Ubuntu)
Changed in samba (Ubuntu Bionic):
importance: Undecided → High
Andreas Hasenack (ahasenack) wrote :

@Bloodyiron, please run "nmblookup -M <yourworkgroupname>" and check if the machine that is listed has SMB1 disabled or not. If it has SMB1 disabled, then it's https://bugs.launchpad.net/gvfs/+bug/1828107

BloodyIron (bloodyiron) wrote :

Well I know for a fact it has SMB1 disabled, as I disabled it myself. Ran the test you asked, didn't output any info that seemed to conclusively say which protocols were visible. I'm intentionally disabling SMB1 for the very public security concerns. In this case, the "server" has a minimum protocol set to SMB2.

Andreas Hasenack (ahasenack) wrote :

Bionic desktop verification

With gvfs-backends from the release pocket:
ubuntu@bionic-desktop:~$ apt-cache policy gvfs-backends
gvfs-backends:
  Installed: 1.36.1-0ubuntu1.3
  Candidate: 1.36.1-0ubuntu1.3
  Version table:
 *** 1.36.1-0ubuntu1.3 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages

I get an empty "windows network" tab in the desktop (see attached screenshot empty-windows-network-before-test.png).

After updating to this package from proposed:
  Version table:
 *** 1.36.1-0ubuntu1.3.2 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages

And logging out and back in, I get a populated windows network tab (see screenshot populated-windows-network-after-test.png).

I can then connect to the pub share on localhost (see screenshot connecting-to-pub-after-test.png) and, once that is done, smbstatus shows this output:
ubuntu@bionic-desktop:~$ sudo smbstatus

Samba version 4.7.6-Ubuntu
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
3771 nobody nogroup bionic-desktop (ipv4:192.168.122.213:56026) NT1 - -
3874 ubuntu ubuntu 192.168.122.213 (ipv4:192.168.122.213:32800) SMB3_11 - partial(AES-128-CMAC)
3807 nobody nogroup bionic-desktop (ipv4:192.168.122.213:56028) NT1 - -
3762 nobody nogroup bionic-desktop (ipv4:192.168.122.213:56022) NT1 - -

Service pid Machine Connected at Encryption Signing
---------------------------------------------------------------------------------------------
IPC$ 3762 bionic-desktop Fri Jun 21 21:07:33 2019 UTC - -
IPC$ 3807 bionic-desktop Fri Jun 21 21:08:09 2019 UTC - -
IPC$ 3771 bionic-desktop Fri Jun 21 21:07:37 2019 UTC - -
pub 3874 192.168.122.213 Fri Jun 21 21:08:30 2019 UTC - -

No locked files

The connection to the pub share is using SMB3_11.

The connections using NT1 show why https://bugs.launchpad.net/gvfs/+bug/1828107 is still relevant, but it's a separate bug. See comment #55 for my reasoning. I think releasing this update is a step in the right direction.

Bionic verification succeeded.

Andreas Hasenack (ahasenack) wrote :
tags: added: verification-done-bionic
removed: verification-needed-bionic
Andreas Hasenack (ahasenack) wrote :

Cosmic verification

First reproducing the bug with these packages:
  Version table:
 *** 1.38.1-0ubuntu1.2 500
        500 http://br.archive.ubuntu.com/ubuntu cosmic-updates/main amd64 Packages

windows network tab is empty (see screenshot cosmic-empty-windows-network-before-test.png)

Now with these packages:
 *** 1.38.1-0ubuntu1.3.1 500
        500 http://br.archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 Packages

After a logout and new login, the windows network tab is populated (see cosmic-populated-windows-network-after-test.png) and I can connect to the displayed pub share (see cosmic-connecting-to-pub-after-test.png).

After I'm connected, smbstatus shows that smb3.11 was used for the connection to pub:
ubuntu@cosmic-desktop:~$ sudo smbstatus

Samba version 4.8.4-Ubuntu
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
5812 nobody nogroup cosmic-desktop (ipv4:192.168.122.27:57330) NT1 - -
5821 nobody nogroup cosmic-desktop (ipv4:192.168.122.27:57334) NT1 - -
5880 ubuntu ubuntu 192.168.122.27 (ipv4:192.168.122.27:47898) SMB3_11 - partial(AES-128-CMAC)
5828 nobody nogroup cosmic-desktop (ipv4:192.168.122.27:57336) NT1 - -

Service pid Machine Connected at Encryption Signing
---------------------------------------------------------------------------------------------
IPC$ 5828 cosmic-desktop Fri Jun 21 21:36:38 2019 UTC - -
IPC$ 5812 cosmic-desktop Fri Jun 21 21:36:18 2019 UTC - -
pub 5880 192.168.122.27 Fri Jun 21 21:37:00 2019 UTC - -
IPC$ 5821 cosmic-desktop Fri Jun 21 21:36:21 2019 UTC - -

No locked files

As stated in the bionic verification, a fix for https://bugs.launchpad.net/gvfs/+bug/1828107 is still relevant.

cosmic verification succeeded.

Andreas Hasenack (ahasenack) wrote :
tags: added: verification-done-cosmic
removed: verification-needed-cosmic
BloodyIron (bloodyiron) wrote :

Can we also get this bug marked as Disco to? Not just Bionic and Cosmic? I'm _still_ getting the issue with a fully updated Disco (19.04).

tags: removed: browse browsing verification-needed

The verification of the Stable Release Update for gvfs has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gvfs - 1.38.1-0ubuntu1.3.1

---------------
gvfs (1.38.1-0ubuntu1.3.1) cosmic; urgency=medium

  * No change rebuild to pick up the current samba version.
    The patch git_smb_nt1.patch added to fix smb browsing requires a new
    libsmb api to work and that's checked for at build time (lp: #1778322)

 -- Sebastien Bacher <email address hidden> Wed, 08 May 2019 11:17:32 +0200

Changed in gvfs (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gvfs - 1.36.1-0ubuntu1.3.2

---------------
gvfs (1.36.1-0ubuntu1.3.2) bionic; urgency=medium

  * No change rebuild to pick up the current samba version.
    The patch git_smb_nt1.patch added to fix smb browsing requires a new
    libsmb api to work and that's checked for at build time (lp: #1778322)

 -- Sebastien Bacher <email address hidden> Wed, 08 May 2019 10:48:17 +0200

Changed in gvfs (Ubuntu Bionic):
status: Fix Committed → Fix Released
Andreas Hasenack (ahasenack) wrote :

Disco works out of the box wrt this bug specifically. Which is expected since it has the same fix.

windows network tab is populated (see disco-windows-network-populated.png)

Connecting to the pub share (see disco-connect-to-pub.png).

smbstatus shows smb3.11 in the pub connection, and NT1 for IPC$:
ubuntu@disco-desktop:~$ sudo smbstatus

Samba version 4.10.0-Ubuntu
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
3969 ubuntu ubuntu 127.0.0.1 (ipv4:127.0.0.1:43370) SMB3_11 - partial(AES-128-CMAC)
3752 nobody nogroup disco-desktop (ipv4:192.168.122.70:53276) NT1 - -
3721 nobody nogroup disco-desktop (ipv4:127.0.0.1:40552) NT1 - -
3805 nobody nogroup disco-desktop (ipv4:127.0.0.1:40562) NT1 - -
3731 nobody nogroup disco-desktop (ipv4:192.168.122.70:53270) NT1 - -

Service pid Machine Connected at Encryption Signing
---------------------------------------------------------------------------------------------
IPC$ 3721 disco-desktop seg jun 24 10:35:20 2019 -03 - -
pub 3969 127.0.0.1 seg jun 24 10:36:16 2019 -03 - -
IPC$ 3752 disco-desktop seg jun 24 10:35:31 2019 -03 - -
IPC$ 3805 disco-desktop seg jun 24 10:35:54 2019 -03 - -
IPC$ 3731 disco-desktop seg jun 24 10:35:23 2019 -03 - -

No locked files

If you have NT1 disabled in your network, then the windows network tab will be empty, and that's https://bugs.launchpad.net/gvfs/+bug/1828107 and it affects all releases still.

Andreas Hasenack (ahasenack) wrote :
BloodyIron (bloodyiron) wrote :

The bug still exists for me on Disco, so I don't see how you arrive at the position that it "works" out of the box. It does not "work" for me, the bug exists on Disco for me. And I've regularly kept my system up to date. I've reported this multiple times in this thread and seem to be ignored.

BloodyIron (bloodyiron) wrote :

In fact I literally just tried it again, and get the same issue, where it does not prompt for login, and the related gvfs process needs to be killed.

Andreas Hasenack (ahasenack) wrote :

@bloodyiron, you said in https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1778322/comments/81 that you had SMB1 disabled in your network, and I confirmed that with SMB1 disabled there is still a bug, and that bug is https://bugs.launchpad.net/gvfs/+bug/1828107, and it affects all ubuntu releases. I don't know what else to tell you, sorry, it sounds like you are ignoring that open bug.

BloodyIron (bloodyiron) wrote :

@andreas oops I think I got muddled up, sorry about that! I'm going to unsub from this bug (which I should have done earlier).

Andreas Hasenack (ahasenack) wrote :

No worries, thanks for following up

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.