gvfs-smb-browse can't browse samba/smb tree

Bug #1778322 reported by Sebastian Byczkowski on 2018-06-23
28
This bug affects 4 people
Affects Status Importance Assigned to Milestone
gvfs (Ubuntu)
High
Sebastien Bacher
Bionic
High
Sebastien Bacher
Cosmic
High
Sebastien Bacher
nautilus (Ubuntu)
Undecided
Unassigned
samba (Ubuntu)
High
Andreas Hasenack
Bionic
Undecided
Unassigned
Cosmic
High
Unassigned

Bug Description

[Impact]
The so called "browsing a windows network" made use of an SMB1 protocol version feature. Recent versions of samba, including the one released with bionic, default to a higher versions of the protocol which lacks this feature. As a result, the "other locations -> windows network" tab in Nautilus is empty even when there are windows or samba machines in the network.
Accessing such machines directly, via smb://<name-or-ip>/ type urls, continues to work.

The fix is two-fold:
- introduce a new samba API call that can be used to set the protocol version to use
- change applications to make use of this API call to set the protocol versio to SMB1/NT1 just for the network browsing

gvfs was updated to make use of this api call, if detected at build time. To complete this SRU, gvfs needs a no-change rebuild *after* samba was accepted into proposed.

[Test case]
* Launch a bionic desktop vm. You can start with a server one, and then install the "ubuntu-desktop" package. In the same command, also install the packages we need for this test:
$ sudo apt update
$ sudo apt install ubuntu-desktop samba smbclient

* set a password for the ubuntu user, so you can login at the graphical console
$ sudo passwd ubuntu

* set the same password for the ubuntu samba user:
sudo smbpasswd -a ubuntu

* add a simple [pub] share to samba:
$ printf "[pub]\n\tpath=/tmp\n\tguest ok = no\n" | sudo tee -a /etc/samba/smb.conf

* reboot
$ sudo reboot

* login at the graphical console as the ubuntu user. Go through the first-user-setup motions as you want.

* try to browse the windows network via "other locations -> windows network". You will get an empty folder.

* update the samba and gvfs packages
* logout and login again on the gui, browse the windows network again. This time it will show the "WORKGROUP" folder, and if you click through, you will see yourself (your VM) and the [pub] share, among others.

* click on the "pub" share, select registered user and login with the ubuntu credentials you created earlier with smbpasswd.

* in another terminal, run this command to confirm that the SMB protocol version that was used to connect to [pub] was not just NT1/SMB1, but higher:
$ sudo smbstatus
...
8779 ubuntu ubuntu 192.168.122.94 (ipv4:192.168.122.94:60818) SMB3_11 - partial(AES-128-CMAC)

Note "SMB3_11" above.

[Regression potential]
The samba update itself just introduces and exposes a new API call. It's up to other applications to make use of that. gvfs was patched to detect this call at build time and use it if it's detected.
Packages that are not rebuilt will not see the change, and packages that *are* rebuilt will only see the change if they make use of it.

[Other Info]
This update introduces a specific runtime dependency between gvfs and libsmbclient due to the new API call added to the latter. Any package that is rebuilt with libsmbclient and makes use of that API call will get this specific dependency. This is handled automatically by dh_mkshlibs.

To complete this SRU, gvfs will need a no-change rebuild after samba was accepted into proposed.

Disco's gvfs is already using the new call, as can be seen in this build log https://launchpadlibrarian.net/415424052/buildlog_ubuntu-disco-amd64.gvfs_1.40.0-1_BUILDING.txt.gz:
...
Dependency smbclient found: YES 0.5.0
Checking for function "smbc_setOptionProtocols" with dependency smbclient: YES

The smbc_setOptionProtocols() call is only used when the url is like "smb:///", or the server cannot be resolved. The downgrade overrides the setting in smb.conf, and is used just for this case: browsing the network. When connecting to a machine, the url is like "smb://<name>/", and then this function we are adding is not called.

I updated the test to actually click on the machine that shows up in the network browsing, and then check with "smbstatus" which version of the protocol was used when connecting to an actual share.

---

Nautilus should show smbtree and host on the smb network.

When inputing this command:
killall gvfsd-smb-browse && GVFS_DEBUG=1 /usr/lib/gvfs/gvfsd-smb-browse

You can see the error:
smb-network: Queued new job 0x55b19a2c9f40 (GVfsJobCreateMonitor)
smb-network: send_reply(0x55b19a2c9f40), failed=1 (Action not supported by the processing engine)
smb-network: backend_dbus_handler org.gtk.vfs.Mount:QueryFilesystemInfo (pid=5708)
smb-network: Queued new job 0x55b19a2e7820 (GVfsJobQueryFsInfo)
smb-network: send_reply(0x55b19a2e7820), failed=0 ()
smb-network: backend_dbus_handler org.gtk.vfs.Mount:Enumerate (pid=5708)
smb-network: Queued new job 0x55b19a2c30c0 (GVfsJobEnumerate)
smb-network: send_reply(0x55b19a2c30c0), failed=0 ()

Proposed solution:
Add gvfsbackendbrowse-switch-to-NT1.patch disscused on RedHat Bugzilla
[link]https://bugzilla.redhat.com/show_bug.cgi?id=1513394
which implements "change to NT1" in gvfs-smb-browse to browse smbtree to aviod adding "max client protocol" = NT1" to smb.conf to switch all samba to unsafe NT1 which most users are doing to correct this bug.

Related branches

CVE References

A patch for gvfs-smb-browse to switch to NT1

Simpler form of before posted patch.Ehh

The attachment "gvfs-smb-browse change to NT1 from RedHat Bugzilla" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gvfs (Ubuntu):
status: New → Confirmed
Changed in nautilus (Ubuntu):
status: New → Confirmed
Changed in nautilus (Ubuntu):
status: Confirmed → Invalid
Sebastien Bacher (seb128) wrote :

The fix is in https://launchpad.net/ubuntu/+source/gvfs/1.38.1-1ubuntu1

And being backported to cosmic and bionic

Changed in gvfs (Ubuntu):
importance: Undecided → Low
status: Confirmed → Fix Released
description: updated

Hello Sebastian, or anyone else affected,

Accepted gvfs into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gvfs/1.38.1-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in gvfs (Ubuntu Cosmic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Brian Murray (brian-murray) wrote :

Hello Sebastian, or anyone else affected,

Accepted gvfs into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gvfs/1.36.1-0ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in gvfs (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Brian Murray (brian-murray) wrote :

Hello Sebastian, or anyone else affected,

Accepted gvfs into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gvfs/1.38.1-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

I have checked bionic-proposed repo and listed packages have installed:
gvfs-backends/bionic-proposed,now 1.36.1-0ubuntu1.2 amd64 [installed]
gvfs-bin/bionic-proposed,now 1.36.1-0ubuntu1.2 amd64 [installed]
gvfs-common/bionic-proposed,now 1.36.1-0ubuntu1.2 all [installed]
gvfs-daemons/bionic-proposed,now 1.36.1-0ubuntu1.2 amd64 [installed]
gvfs-fuse/bionic-proposed,now 1.36.1-0ubuntu1.2 amd64 [installed]
gvfs-libs/bionic-proposed,now 1.36.1-0ubuntu1.2 amd64 [installed]
gvfs-libs/bionic-proposed,now 1.36.1-0ubuntu1.2 amd64 [installed]

But if I disable with # in smb.conf
max client protocol = NT1
or chane it to:
max client protocol = SMB3
Nautilus still shows me Empty Dir if I enter Windows Network and gvfs can't browse smbtree still.
So I assume the patch does not work as expected.

I'm sending Gvfs log.
Interesting part starts at line 173:

Starting GENSEC mechanism spnego
Server claims it's principal name is NONE
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
SPNEGO login failed: An invalid parameter was passed to a service or function.

And line 270 in Gvfs log:
Server connect ok: //TOMATO/IPC$: 0x7f72b4020fd0
smb-network: do_mount - [smb://DOMOWA; 0] dir = (nil), cancelled = 0, errno = [0] 'Succes'
smb-network: do_mount - (errno != EPERM && errno != EACCES), cancelled = 0, breaking
smb-network: send_reply(0x556b8fdb32b0), failed=1 (Downloading resources list from server failed: Succes)
Performing aggressive shutdown.
smb-network: purging server cache
Context 0x7f72b4010b60 successfully freed
Freeing parametrics:
network: Couldn't create directory monitor on smb://x-gnome-default-workgroup/. Error: given location is not mounted

Sebastien Bacher (seb128) wrote :

Thanks for the testing. Indeed there is a problem, from the build log

"Native dependency smbclient found: YES 0.3.1
Checking for function "smbc_setOptionProtocols" : NO"

The API needed is too new for our current libsmbclient version, we need to backport that one as well.
The other changes from the SRU are fine though and that one is just a no-change without the API so it probably makes sense to validate the current SRU anyway and do another round for libsmbclient/rebuild gvfs later

Changed in samba (Ubuntu):
importance: Undecided → High
Changed in gvfs (Ubuntu):
status: Fix Released → Triaged
importance: Low → High
Sebastien Bacher (seb128) wrote :
Changed in samba (Ubuntu):
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gvfs - 1.38.1-0ubuntu1.1

---------------
gvfs (1.38.1-0ubuntu1.1) cosmic; urgency=medium

  * debian/patches/series:
    - include git_invalid_autorun.patch which was mentioned in
      the previous upload but not added to the serie

gvfs (1.38.1-0ubuntu1) cosmic; urgency=medium

  * New upstream version (lp: #1803186)
   - smbbrowse: Force NT1 protocol version for workgroup support
     (lp: #1778322)
  * debian/patches/git_invalid_autorun.patch:
    - common: Prevent crashes on invalid autorun file (lp: #1798725)

 -- Sebastien Bacher <email address hidden> Wed, 21 Nov 2018 15:03:01 +0100

Changed in gvfs (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gvfs - 1.36.1-0ubuntu1.2

---------------
gvfs (1.36.1-0ubuntu1.2) bionic; urgency=medium

  * debian/patches/git_smb_writing.patch:
    - Use O_RDWR to fix fstat when writing (lp: #1803158)
  * debian/patches/git_invalid_autorun.patch:
    - common: Prevent crashes on invalid autorun file (lp: #1798725)
  * debian/patches/git_channel_lock.patch:
    - daemon: Prevent deadlock and invalid read when closing channels
      (lp: #1630905)
  * debian/patches/git_dav_lockups.patch:
    - workaround libsoup limitation to prevent dav lockups (lp: #1792878)
  * debian/patches/git_smb_nt1.patch:
    - smbbrowse: Force NT1 protocol version for workgroup support
      (lp: #1778322)
  * debian/patches/git_smb_directory.patch:
    - smb: Add workaround to fix removal of non-empty dir (lp: #1803190)

 -- Sebastien Bacher <email address hidden> Tue, 13 Nov 2018 17:09:03 +0100

Changed in gvfs (Ubuntu Bionic):
status: Fix Committed → Fix Released
Sebastien Bacher (seb128) wrote :

Reopening, the fix isn't working until we get the samba change

Changed in gvfs (Ubuntu Bionic):
status: Fix Released → Triaged
Changed in gvfs (Ubuntu Cosmic):
status: Fix Released → Triaged
Changed in gvfs (Ubuntu Bionic):
importance: Undecided → High
Changed in gvfs (Ubuntu Cosmic):
importance: Undecided → High
Will Cooke (willcooke) on 2019-01-29
Changed in gvfs (Ubuntu):
assignee: nobody → Sebastien Bacher (seb128)
Changed in gvfs (Ubuntu Cosmic):
assignee: nobody → Sebastien Bacher (seb128)
Changed in gvfs (Ubuntu Bionic):
assignee: nobody → Sebastien Bacher (seb128)
Andreas Hasenack (ahasenack) wrote :

Looking at this next.

Changed in samba (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: Triaged → In Progress
Andreas Hasenack (ahasenack) wrote :

Builds in a ppa look good:
...
Native dependency smbclient found: YES 0.2.3
Checking for function "smbc_setOptionProtocols": YES
...

Checking for real with a bionic desktop now.

Andreas Hasenack (ahasenack) wrote :

I just tried with my build from the ppa, but it's not working. When enabling debugging in gvfsd, I can see it setting the protocol to NT1:

network: Added new job source 0x559ce1b3e070 (GVfsBackendNetwork)
network: Queued new job 0x559ce1b4cab0 (GVfsJobMount)
smb-network: g_vfs_backend_smb_browse_init: default workgroup = 'NULL'
smb-network: Added new job source 0x564f06543070 (GVfsBackendSmbBrowse)
smb-network: Queued new job 0x564f06549ac0 (GVfsJobMount)
smb-network: Error resolving “EXAMPLE”: Name or service not known
smb-network: Forcing NT1 protocol version
smb-network: do_mount - URI = smb://EXAMPLE

That message, "Forcing NT1 protocol version", comes from the gvfs patch and confirms that it is using the new smbc_setOptionProtocols() call.

If somebody else wants to try in the meantime, the packages for bionic are at https://launchpad.net/~ahasenack/+archive/ubuntu/samba-browse-nt1-1778322/

Andreas Hasenack (ahasenack) wrote :

The original samba patch had a typo/error, this is the fix for that:

https://github.com/samba-team/samba/commit/885435e8a4dc561749b880f8be7a32041fa954ec

Andreas Hasenack (ahasenack) wrote :

It worked with the updated patch. Packages rebuilt in the PPA. I'll prepare a merge proposal and SRU this into bionic. We will have to rebuild gvfs there, though, after samba lands in proposed.

description: updated
description: updated
Brian Murray (brian-murray) wrote :

Does the samba task need fixing in disco at all?

Changed in samba (Ubuntu):
status: In Progress → Incomplete
description: updated
Brian Murray (brian-murray) wrote :

Hello Sebastian, or anyone else affected,

Accepted samba into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.8.4+dfsg-2ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in samba (Ubuntu Cosmic):
status: New → Fix Committed
Changed in samba (Ubuntu):
status: Incomplete → Fix Released
Changed in samba (Ubuntu Cosmic):
importance: Undecided → High
Brian Murray (brian-murray) wrote :

Hello Sebastian, or anyone else affected,

Accepted samba into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.7.6+dfsg~ubuntu-0ubuntu2.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in samba (Ubuntu Bionic):
status: New → Fix Committed
Andreas Hasenack (ahasenack) wrote :

For anyone wanting to test this bug, please note you will also have to wait for a gvfs rebuild with this new samba package.

Andreas Hasenack (ahasenack) wrote :

Bionic verification

Bug reproduced with the following packages:
ubuntu@ubuntu:~$ apt-cache policy samba gvfs-backends
samba:
...
 *** 2:4.7.6+dfsg~ubuntu-0ubuntu2.7 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
...
gvfs-backends:
...
 *** 1.36.1-0ubuntu1.3 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://br.archive.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
...

(see attached screenshot)

Andreas Hasenack (ahasenack) wrote :

Bionic verification (continued)

Now installing the new samba packages. Since I need a gvfs rebuild with the new samba packages, I'm doing that locally.

So in the end I now have:
samba from proposed:
 *** 2:4.7.6+dfsg~ubuntu-0ubuntu2.8 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages

gvfs built locally:
ubuntu@ubuntu:~/deb/gvfs/gvfs-1.36.1$ grep smbc_setOptionProtocol ../build.log
Checking for function "smbc_setOptionProtocols": YES
gvfs-backends:
  Installed: 1.36.1-0ubuntu1.4~andreas1
  Candidate: 1.36.1-0ubuntu1.4~andreas1
  Version table:
 *** 1.36.1-0ubuntu1.4~andreas1 100
        100 /var/lib/dpkg/status

I then reboot, login, and the windows network is populated with the workgroup and the host.

I then connect to the host, and the pub share, authenticate, and smbstatus confirms the connection and that SMB3_11 was used:
root@ubuntu:~# smbstatus

Samba version 4.7.6-Ubuntu
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
1828 nobody nogroup ubuntu (ipv4:192.168.122.28:35678) NT1 - -
2084 nobody nogroup ubuntu (ipv4:192.168.122.28:35694) NT1 - -
2093 ubuntu ubuntu 192.168.122.28 (ipv4:192.168.122.28:41040) SMB3_11 - partial(AES-128-CMAC)

Bionic verification succeeded.

Andreas Hasenack (ahasenack) wrote :

Bionic:

full smbstatus output, showing the connection to the pub share as well:
root@ubuntu:~# smbstatus

Samba version 4.7.6-Ubuntu
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
1828 nobody nogroup ubuntu (ipv4:192.168.122.28:35678) NT1 - -
2084 nobody nogroup ubuntu (ipv4:192.168.122.28:35694) NT1 - -
2093 ubuntu ubuntu 192.168.122.28 (ipv4:192.168.122.28:41040) SMB3_11 - partial(AES-128-CMAC)

Service pid Machine Connected at Encryption Signing
---------------------------------------------------------------------------------------------
IPC$ 2084 ubuntu Fri Apr 5 15:33:26 2019 UTC - -
IPC$ 1828 ubuntu Fri Apr 5 15:31:23 2019 UTC - -
pub 2093 192.168.122.28 Fri Apr 5 15:33:32 2019 UTC - -

No locked files

tags: added: verification-done-cosmic
removed: verification-needed-cosmic
Andreas Hasenack (ahasenack) wrote :

Cosmic verification

Confirming the bug:
ubuntu@ubuntu:~$ apt-cache policy samba gvfs-backends
samba:
  Installed: 2:4.8.4+dfsg-2ubuntu2.1
  Candidate: 2:4.8.4+dfsg-2ubuntu2.1
  Version table:
 *** 2:4.8.4+dfsg-2ubuntu2.1 500
        500 http://br.archive.ubuntu.com/ubuntu cosmic-updates/main amd64 Packages
...
gvfs-backends:
  Installed: 1.38.1-0ubuntu1.2
  Candidate: 1.38.1-0ubuntu1.2
  Version table:
 *** 1.38.1-0ubuntu1.2 500
        500 http://br.archive.ubuntu.com/ubuntu cosmic-updates/main amd64 Packages
...

Bug reproduced, see attached screenshot. Windows network browsing is empty.

(continued)

Andreas Hasenack (ahasenack) wrote :

Cosmic verification (continued)

Now installing the updated samba packages, and rebuilding gvfs locally:

samba:
  Installed: 2:4.8.4+dfsg-2ubuntu2.2
  Candidate: 2:4.8.4+dfsg-2ubuntu2.2
  Version table:
 *** 2:4.8.4+dfsg-2ubuntu2.2 500
        500 http://br.archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 Packages

gvfs:
ubuntu@ubuntu:~/deb/gvfs/gvfs-1.38.1$ grep smbc_setOptionProtocol ../build.log
Checking for function "smbc_setOptionProtocols" : YES

$ apt-cache policy gvfs-backends
gvfs-backends:
  Installed: 1.38.1-0ubuntu1.3~andreas1
  Candidate: 1.38.1-0ubuntu1.3
  Version table:
     1.38.1-0ubuntu1.3 500
        500 http://br.archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 Packages
 *** 1.38.1-0ubuntu1.3~andreas1 100
        100 /var/lib/dpkg/status

Note: there is an old gvfs in proposed already, but it was NOT rebuilt with this samba version.

Reboot, login, access windows network, and the workgroup and computer are displayed (see attached screenshot).

Accessing the "pub" share works after authenticating, and in that case smbstatus shows SMB3.11 was used:
root@ubuntu:~# smbstatus

Samba version 4.8.4-Ubuntu
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
2033 nobody nogroup ubuntu (ipv4:192.168.122.79:51830) NT1 - -
2044 nobody nogroup ubuntu (ipv4:192.168.122.79:51834) NT1 - -
2240 nobody nogroup ubuntu (ipv4:192.168.122.79:51844) NT1 - -
2420 ubuntu ubuntu 192.168.122.79 (ipv4:192.168.122.79:48332) SMB3_11 - partial(AES-128-CMAC)

Service pid Machine Connected at Encryption Signing
---------------------------------------------------------------------------------------------
IPC$ 2044 ubuntu Fri Apr 5 16:07:06 2019 UTC - -
IPC$ 2033 ubuntu Fri Apr 5 16:07:04 2019 UTC - -
pub 2420 192.168.122.79 Fri Apr 5 16:08:54 2019 UTC - -
IPC$ 2240 ubuntu Fri Apr 5 16:08:07 2019 UTC -

Cosmic verification succeeded.

tags: added: verification-done-bionic
removed: verification-needed-bionic
Andreas Hasenack (ahasenack) wrote :

I think I mixed the verification-done tags, but both are done now.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.8.4+dfsg-2ubuntu2.3

---------------
samba (2:4.8.4+dfsg-2ubuntu2.3) cosmic-security; urgency=medium

  * SECURITY UPDATE: save registry file outside share as unprivileged user
    - debian/patches/CVE-2019-3880.patch: remove implementations of
      SaveKey/RestoreKey in source3/rpc_server/winreg/srv_winreg_nt.c.
    - CVE-2019-3880

 -- Marc Deslauriers <email address hidden> Thu, 04 Apr 2019 14:05:09 -0400

Changed in samba (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.7.6+dfsg~ubuntu-0ubuntu2.9

---------------
samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.9) bionic-security; urgency=medium

  * SECURITY UPDATE: save registry file outside share as unprivileged user
    - debian/patches/CVE-2019-3880.patch: remove implementations of
      SaveKey/RestoreKey in source3/rpc_server/winreg/srv_winreg_nt.c.
    - CVE-2019-3880

 -- Marc Deslauriers <email address hidden> Thu, 04 Apr 2019 14:05:56 -0400

Changed in samba (Ubuntu Bionic):
status: Fix Committed → Fix Released
BloodyIron (bloodyiron) wrote :

I'm seeing this issue with Disco Dingo 19.04

Using samba/disco,now 2:4.10.0+dfsg-0ubuntu2 amd64 [installed]

Upgrade didn't install samba by default, and nautilus is still having issues with network share being SMB2 minimum

Solved by:
1. Killing PID of gvfsd-smb-browse
2. Running "GVFS_SMB_DEBUG=1 /usr/lib/gvfs/gvfsd-smb-browse"

Issue returns after reboot.

So, looks like was solved in 4.8, but since Disco Dingo 19.04 uses 4.10, looks like it didn't get the fix, not sure.

BloodyIron (bloodyiron) wrote :

Also, since samba package isn't installed by default (at least in my 18.10 to 19.04 upgrade), how do we fix this without the samba package installed?

To post a comment you must log in.