gvfs-smb-browse can't browse samba/smb tree

Bug #1778322 reported by Sebastian Byczkowski
This bug affects 20 people
Affects | Status | Importance | Assigned to | Milestone
gvfs | Unknown | Unknown | |
samba | Unknown | Unknown | |
gvfs (Ubuntu) | Fix Released | High | Sebastien Bacher |
  Bionic | Fix Released | High | Sebastien Bacher |
  Cosmic | Fix Released | High | Sebastien Bacher |
samba (Ubuntu) | Fix Released | High | Andreas Hasenack |
  Bionic | Fix Released | High | Unassigned |
  Cosmic | Fix Released | High | Unassigned |

Bug Description

[Impact]
The so-called "browsing a windows network" made use of an SMB1 protocol version feature. Recent versions of samba, including the one released with bionic, default to a higher version of the protocol which lacks this feature. As a result, the "other locations -> windows network" tab in Nautilus is empty even when there are windows or samba machines in the network.
Accessing such machines directly, via smb://<name-or-ip>/ type urls, continues to work.

The fix is two-fold:
- introduce a new samba API call that can be used to set the protocol version to use
- change applications to make use of this API call to set the protocol version to SMB1/NT1 just for the network browsing

gvfs was updated to make use of this api call, if detected at build time. To complete this SRU, gvfs needs a no-change rebuild *after* samba was accepted into proposed.

[Test case]
* Launch a bionic desktop vm. You can start with a server one, and then install the "ubuntu-desktop" package. In the same command, also install the packages we need for this test:
$ sudo apt update
$ sudo apt install ubuntu-desktop samba smbclient

* set a password for the ubuntu user, so you can login at the graphical console
$ sudo passwd ubuntu

* set the same password for the ubuntu samba user:
$ sudo smbpasswd -a ubuntu

* add a simple [pub] share to samba:
$ printf "[pub]\n\tpath=/tmp\n\tguest ok = no\n" | sudo tee -a /etc/samba/smb.conf

* reboot
$ sudo reboot

* login at the graphical console as the ubuntu user. Go through the first-user-setup motions as you want.

* try to browse the windows network via "other locations -> windows network". You will get an empty folder.

* update the samba and gvfs packages
* logout and login again on the gui, browse the windows network again. This time it will show the "WORKGROUP" folder, and if you click through, you will see yourself (your VM) and the [pub] share, among others.

* click on the "pub" share, select registered user and login with the ubuntu credentials you created earlier with smbpasswd.

* in another terminal, run this command to confirm that the SMB protocol version that was used to connect to [pub] was not just NT1/SMB1, but higher:
$ sudo smbstatus
...
8779 ubuntu ubuntu 192.168.122.94 (ipv4:192.168.122.94:60818) SMB3_11 - partial(AES-128-CMAC)

Note "SMB3_11" above.

[Regression potential]
The samba update itself just introduces and exposes a new API call. It's up to other applications to make use of that. gvfs was patched to detect this call at build time and use it if it's detected.
Packages that are not rebuilt will not see the change, and packages that *are* rebuilt will only see the change if they make use of it.

[Other Info]
This update introduces a specific runtime dependency between gvfs and libsmbclient due to the new API call added to the latter. Any package that is rebuilt with libsmbclient and makes use of that API call will get this specific dependency. This is handled automatically by dh_mkshlibs.

To complete this SRU, gvfs will need a no-change rebuild after samba was accepted into proposed.

Disco's gvfs is already using the new call, as can be seen in this build log https://launchpadlibrarian.net/415424052/buildlog_ubuntu-disco-amd64.gvfs_1.40.0-1_BUILDING.txt.gz:
...
Dependency smbclient found: YES 0.5.0
Checking for function "smbc_setOptionProtocols" with dependency smbclient: YES

The smbc_setOptionProtocols() call is only used when the url is like "smb:///", or the server cannot be resolved. The downgrade overrides the setting in smb.conf, and is used just for this case: browsing the network. When connecting to a machine, the url is like "smb://<name>/", and then this function we are adding is not called.

I updated the test to actually click on the machine that shows up in the network browsing, and then check with "smbstatus" which version of the protocol was used when connecting to an actual share.

---

Nautilus should show smbtree and host on the smb network.

When inputting this command:
killall gvfsd-smb-browse && GVFS_DEBUG=1 /usr/lib/gvfs/gvfsd-smb-browse

You can see the error:
smb-network: Queued new job 0x55b19a2c9f40 (GVfsJobCreateMonitor)
smb-network: send_reply(0x55b19a2c9f40), failed=1 (Action not supported by the processing engine)
smb-network: backend_dbus_handler org.gtk.vfs.Mount:QueryFilesystemInfo (pid=5708)
smb-network: Queued new job 0x55b19a2e7820 (GVfsJobQueryFsInfo)
smb-network: send_reply(0x55b19a2e7820), failed=0 ()
smb-network: backend_dbus_handler org.gtk.vfs.Mount:Enumerate (pid=5708)
smb-network: Queued new job 0x55b19a2c30c0 (GVfsJobEnumerate)
smb-network: send_reply(0x55b19a2c30c0), failed=0 ()

Proposed solution:
Add gvfsbackendbrowse-switch-to-NT1.patch discussed on RedHat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1513394
which implements "change to NT1" in gvfs-smb-browse to browse smbtree, to avoid adding "max client protocol = NT1" to smb.conf, which switches all of samba to unsafe NT1 and which most users are doing to correct this bug.

Sebastian Byczkowski (s-byczkowski) wrote :

A patch for gvfs-smb-browse to switch to NT1

Sebastian Byczkowski (s-byczkowski) wrote :

Simpler form of the previously posted patch. Ehh

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "gvfs-smb-browse change to NT1 from RedHat Bugzilla" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gvfs (Ubuntu):
status: New → Confirmed
Changed in nautilus (Ubuntu):
status: New → Confirmed
Changed in nautilus (Ubuntu):
status: Confirmed → Invalid
Sebastien Bacher (seb128) wrote :

The fix is in https://launchpad.net/ubuntu/+source/gvfs/1.38.1-1ubuntu1

And being backported to cosmic and bionic

Changed in gvfs (Ubuntu):
importance: Undecided → Low
status: Confirmed → Fix Released
description: updated
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Sebastian, or anyone else affected,

Accepted gvfs into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gvfs/1.38.1-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in gvfs (Ubuntu Cosmic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Brian Murray (brian-murray) wrote :

Hello Sebastian, or anyone else affected,

Accepted gvfs into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gvfs/1.36.1-0ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in gvfs (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Brian Murray (brian-murray) wrote :

Hello Sebastian, or anyone else affected,

Accepted gvfs into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gvfs/1.38.1-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Sebastian Byczkowski (s-byczkowski) wrote :

I have checked the bionic-proposed repo and the listed packages are installed:
gvfs-backends/bionic-proposed,now 1.36.1-0ubuntu1.2 amd64 [installed]
gvfs-bin/bionic-proposed,now 1.36.1-0ubuntu1.2 amd64 [installed]
gvfs-common/bionic-proposed,now 1.36.1-0ubuntu1.2 all [installed]
gvfs-daemons/bionic-proposed,now 1.36.1-0ubuntu1.2 amd64 [installed]
gvfs-fuse/bionic-proposed,now 1.36.1-0ubuntu1.2 amd64 [installed]
gvfs-libs/bionic-proposed,now 1.36.1-0ubuntu1.2 amd64 [installed]
gvfs-libs/bionic-proposed,now 1.36.1-0ubuntu1.2 amd64 [installed]

But if I disable with # in smb.conf
max client protocol = NT1
or change it to:
max client protocol = SMB3
Nautilus still shows me Empty Dir if I enter Windows Network and gvfs can't browse smbtree still.
So I assume the patch does not work as expected.

Sebastian Byczkowski (s-byczkowski) wrote :

I'm sending Gvfs log.
Interesting part starts at line 173:

Starting GENSEC mechanism spnego
Server claims it's principal name is NONE
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
SPNEGO login failed: An invalid parameter was passed to a service or function.

Sebastian Byczkowski (s-byczkowski) wrote :

And line 270 in Gvfs log:
Server connect ok: //TOMATO/IPC$: 0x7f72b4020fd0
smb-network: do_mount - [smb://DOMOWA; 0] dir = (nil), cancelled = 0, errno = [0] 'Succes'
smb-network: do_mount - (errno != EPERM && errno != EACCES), cancelled = 0, breaking
smb-network: send_reply(0x556b8fdb32b0), failed=1 (Downloading resources list from server failed: Succes)
Performing aggressive shutdown.
smb-network: purging server cache
Context 0x7f72b4010b60 successfully freed
Freeing parametrics:
network: Couldn't create directory monitor on smb://x-gnome-default-workgroup/. Error: given location is not mounted

Sebastien Bacher (seb128) wrote :

Thanks for the testing. Indeed there is a problem, from the build log

"Native dependency smbclient found: YES 0.3.1
Checking for function "smbc_setOptionProtocols" : NO"

The API needed is too new for our current libsmbclient version, we need to backport that one as well.
The other changes from the SRU are fine though and that one is just a no-change without the API so it probably makes sense to validate the current SRU anyway and do another round for libsmbclient/rebuild gvfs later

Changed in samba (Ubuntu):
importance: Undecided → High
Changed in gvfs (Ubuntu):
status: Fix Released → Triaged
importance: Low → High
Sebastien Bacher (seb128) wrote :
Changed in samba (Ubuntu):
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gvfs - 1.38.1-0ubuntu1.1

---------------
gvfs (1.38.1-0ubuntu1.1) cosmic; urgency=medium

  * debian/patches/series:
    - include git_invalid_autorun.patch which was mentioned in
      the previous upload but not added to the serie

gvfs (1.38.1-0ubuntu1) cosmic; urgency=medium

  * New upstream version (lp: #1803186)
   - smbbrowse: Force NT1 protocol version for workgroup support
     (lp: #1778322)
  * debian/patches/git_invalid_autorun.patch:
    - common: Prevent crashes on invalid autorun file (lp: #1798725)

 -- Sebastien Bacher <email address hidden> Wed, 21 Nov 2018 15:03:01 +0100

Changed in gvfs (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gvfs - 1.36.1-0ubuntu1.2

---------------
gvfs (1.36.1-0ubuntu1.2) bionic; urgency=medium

  * debian/patches/git_smb_writing.patch:
    - Use O_RDWR to fix fstat when writing (lp: #1803158)
  * debian/patches/git_invalid_autorun.patch:
    - common: Prevent crashes on invalid autorun file (lp: #1798725)
  * debian/patches/git_channel_lock.patch:
    - daemon: Prevent deadlock and invalid read when closing channels
      (lp: #1630905)
  * debian/patches/git_dav_lockups.patch:
    - workaround libsoup limitation to prevent dav lockups (lp: #1792878)
  * debian/patches/git_smb_nt1.patch:
    - smbbrowse: Force NT1 protocol version for workgroup support
      (lp: #1778322)
  * debian/patches/git_smb_directory.patch:
    - smb: Add workaround to fix removal of non-empty dir (lp: #1803190)

 -- Sebastien Bacher <email address hidden> Tue, 13 Nov 2018 17:09:03 +0100

Changed in gvfs (Ubuntu Bionic):
status: Fix Committed → Fix Released
Sebastien Bacher (seb128) wrote :

Reopening, the fix isn't working until we get the samba change

Changed in gvfs (Ubuntu Bionic):
status: Fix Released → Triaged
Changed in gvfs (Ubuntu Cosmic):
status: Fix Released → Triaged
Changed in gvfs (Ubuntu Bionic):
importance: Undecided → High
Changed in gvfs (Ubuntu Cosmic):
importance: Undecided → High
Will Cooke (willcooke)
Changed in gvfs (Ubuntu):
assignee: nobody → Sebastien Bacher (seb128)
Changed in gvfs (Ubuntu Cosmic):
assignee: nobody → Sebastien Bacher (seb128)
Changed in gvfs (Ubuntu Bionic):
assignee: nobody → Sebastien Bacher (seb128)
Andreas Hasenack (ahasenack) wrote :

Looking at this next.

Changed in samba (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: Triaged → In Progress
Andreas Hasenack (ahasenack) wrote :

Builds in a ppa look good:
...
Native dependency smbclient found: YES 0.2.3
Checking for function "smbc_setOptionProtocols": YES
...

Checking for real with a bionic desktop now.

Andreas Hasenack (ahasenack) wrote :

I just tried with my build from the ppa, but it's not working. When enabling debugging in gvfsd, I can see it setting the protocol to NT1:

network: Added new job source 0x559ce1b3e070 (GVfsBackendNetwork)
network: Queued new job 0x559ce1b4cab0 (GVfsJobMount)
smb-network: g_vfs_backend_smb_browse_init: default workgroup = 'NULL'
smb-network: Added new job source 0x564f06543070 (GVfsBackendSmbBrowse)
smb-network: Queued new job 0x564f06549ac0 (GVfsJobMount)
smb-network: Error resolving “EXAMPLE”: Name or service not known
smb-network: Forcing NT1 protocol version
smb-network: do_mount - URI = smb://EXAMPLE

That message, "Forcing NT1 protocol version", comes from the gvfs patch and confirms that it is using the new smbc_setOptionProtocols() call.

If somebody else wants to try in the meantime, the packages for bionic are at https://launchpad.net/~ahasenack/+archive/ubuntu/samba-browse-nt1-1778322/

Andreas Hasenack (ahasenack) wrote :

The original samba patch had a typo/error, this is the fix for that:

https://github.com/samba-team/samba/commit/885435e8a4dc561749b880f8be7a32041fa954ec

Andreas Hasenack (ahasenack) wrote :

It worked with the updated patch. Packages rebuilt in the PPA. I'll prepare a merge proposal and SRU this into bionic. We will have to rebuild gvfs there, though, after samba lands in proposed.

description: updated
description: updated
Brian Murray (brian-murray) wrote :

Does the samba task need fixing in disco at all?

Changed in samba (Ubuntu):
status: In Progress → Incomplete
description: updated
Brian Murray (brian-murray) wrote :

Hello Sebastian, or anyone else affected,

Accepted samba into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.8.4+dfsg-2ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in samba (Ubuntu Cosmic):
status: New → Fix Committed
Changed in samba (Ubuntu):
status: Incomplete → Fix Released
Changed in samba (Ubuntu Cosmic):
importance: Undecided → High
Brian Murray (brian-murray) wrote :

Hello Sebastian, or anyone else affected,

Accepted samba into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.7.6+dfsg~ubuntu-0ubuntu2.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in samba (Ubuntu Bionic):
status: New → Fix Committed
Andreas Hasenack (ahasenack) wrote :

For anyone wanting to test this bug, please note you will also have to wait for a gvfs rebuild with this new samba package.

Andreas Hasenack (ahasenack) wrote :

Bionic verification

Bug reproduced with the following packages:
ubuntu@ubuntu:~$ apt-cache policy samba gvfs-backends
samba:
...
 *** 2:4.7.6+dfsg~ubuntu-0ubuntu2.7 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
...
gvfs-backends:
...
 *** 1.36.1-0ubuntu1.3 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://br.archive.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
...

(see attached screenshot)

Andreas Hasenack (ahasenack) wrote :

Bionic verification (continued)

Now installing the new samba packages. Since I need a gvfs rebuild with the new samba packages, I'm doing that locally.

So in the end I now have:
samba from proposed:
 *** 2:4.7.6+dfsg~ubuntu-0ubuntu2.8 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages

gvfs built locally:
ubuntu@ubuntu:~/deb/gvfs/gvfs-1.36.1$ grep smbc_setOptionProtocol ../build.log
Checking for function "smbc_setOptionProtocols": YES
gvfs-backends:
  Installed: 1.36.1-0ubuntu1.4~andreas1
  Candidate: 1.36.1-0ubuntu1.4~andreas1
  Version table:
 *** 1.36.1-0ubuntu1.4~andreas1 100
        100 /var/lib/dpkg/status

I then reboot, login, and the windows network is populated with the workgroup and the host.

I then connect to the host, and the pub share, authenticate, and smbstatus confirms the connection and that SMB3_11 was used:
root@ubuntu:~# smbstatus

Samba version 4.7.6-Ubuntu
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
1828 nobody nogroup ubuntu (ipv4:192.168.122.28:35678) NT1 - -
2084 nobody nogroup ubuntu (ipv4:192.168.122.28:35694) NT1 - -
2093 ubuntu ubuntu 192.168.122.28 (ipv4:192.168.122.28:41040) SMB3_11 - partial(AES-128-CMAC)

Bionic verification succeeded.

Andreas Hasenack (ahasenack) wrote :

Bionic:

full smbstatus output, showing the connection to the pub share as well:
root@ubuntu:~# smbstatus

Samba version 4.7.6-Ubuntu
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
1828 nobody nogroup ubuntu (ipv4:192.168.122.28:35678) NT1 - -
2084 nobody nogroup ubuntu (ipv4:192.168.122.28:35694) NT1 - -
2093 ubuntu ubuntu 192.168.122.28 (ipv4:192.168.122.28:41040) SMB3_11 - partial(AES-128-CMAC)

Service pid Machine Connected at Encryption Signing
---------------------------------------------------------------------------------------------
IPC$ 2084 ubuntu Fri Apr 5 15:33:26 2019 UTC - -
IPC$ 1828 ubuntu Fri Apr 5 15:31:23 2019 UTC - -
pub 2093 192.168.122.28 Fri Apr 5 15:33:32 2019 UTC - -

No locked files

tags: added: verification-done-cosmic
removed: verification-needed-cosmic
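
The smbstatus check done by hand in the verification comments above, as an added example (not code from gvfs, samba or any commenter): it joins the session and service tables by PID and separates anonymous IPC$-only NT1 sessions, which is what network browsing produces after the fix, from NT1 sessions that reach a data share or an authenticated user. The sample output is constructed; the guest account name `nobody`, user names without spaces, and the function names are assumptions.

```python
# Constructed sample modelled on the smbstatus output quoted in this thread.
# Addresses, PIDs and the "alice" session are illustrative only.
SAMPLE = """\
Samba version 4.7.6-Ubuntu
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------
1828 nobody nogroup ubuntu (ipv4:192.0.2.28:35678) NT1 - -
2084 nobody nogroup ubuntu (ipv4:192.0.2.28:35694) NT1 - -
2093 ubuntu ubuntu 192.0.2.28 (ipv4:192.0.2.28:41040) SMB3_11 - partial(AES-128-CMAC)
2101 alice alice 192.0.2.40 (ipv4:192.0.2.40:50112) NT1 - -

Service pid Machine Connected at Encryption Signing
----------------------------------------------------------------
IPC$ 2084 ubuntu Fri Apr 5 15:33:26 2019 UTC - -
IPC$ 1828 ubuntu Fri Apr 5 15:31:23 2019 UTC - -
pub 2093 192.0.2.28 Fri Apr 5 15:33:32 2019 UTC - -
pub 2101 192.0.2.40 Fri Apr 5 15:40:02 2019 UTC - -

No locked files
"""

GUEST_USER = "nobody"  # assumption: default samba guest account


def parse_smbstatus(text):
    """Return (sessions, services) parsed from smbstatus text output.

    sessions: {pid: {"user", "group", "machine", "protocol", ...}}
    services: {pid: [share names connected by that smbd process]}
    """
    sessions, services = {}, {}
    section = None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or set(line.strip()) == {"-"}:
            continue  # blank line or table rule
        if tokens[:2] == ["PID", "Username"]:
            section = "sessions"
            continue
        if tokens[:2] == ["Service", "pid"]:
            section = "services"
            continue
        if section == "sessions" and tokens[0].isdigit() and len(tokens) >= 7:
            # The last three columns are protocol, encryption, signing;
            # the machine column may itself contain a space.
            sessions[int(tokens[0])] = {
                "user": tokens[1],
                "group": tokens[2],
                "machine": " ".join(tokens[3:-3]),
                "protocol": tokens[-3],
                "encryption": tokens[-2],
                "signing": tokens[-1],
            }
        elif section == "services" and len(tokens) >= 2 and tokens[1].isdigit():
            services.setdefault(int(tokens[1]), []).append(tokens[0])
    return sessions, services


def classify_legacy_sessions(sessions, services):
    """List sessions negotiated below SMB2 and say whether they need review.

    Any dialect not named SMB2_* or SMB3_* is treated as SMB1-era
    (assumption). An anonymous session that only touched IPC$ matches the
    network-browse case; anything else is flagged.
    """
    findings = []
    for pid, sess in sorted(sessions.items()):
        if sess["protocol"].startswith(("SMB2", "SMB3")):
            continue
        shares = services.get(pid, [])
        data_shares = [name for name in shares if name != "IPC$"]
        if data_shares or sess["user"] != GUEST_USER:
            verdict = "REVIEW"
        else:
            verdict = "browse"
        findings.append(
            (pid, sess["user"], sess["protocol"], ",".join(shares) or "-", verdict)
        )
    return findings


if __name__ == "__main__":
    parsed_sessions, parsed_services = parse_smbstatus(SAMPLE)
    for row in classify_legacy_sessions(parsed_sessions, parsed_services):
        print("pid=%d user=%s proto=%s shares=%s -> %s" % row)
```

On a live server the same functions can be fed the text of `sudo smbstatus`; a REVIEW row means a client reached a share or authenticated over SMB1, for example because of a global NT1 override in smb.conf.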
Andreas Hasenack (ahasenack) wrote :

Cosmic verification

Confirming the bug:
ubuntu@ubuntu:~$ apt-cache policy samba gvfs-backends
samba:
  Installed: 2:4.8.4+dfsg-2ubuntu2.1
  Candidate: 2:4.8.4+dfsg-2ubuntu2.1
  Version table:
 *** 2:4.8.4+dfsg-2ubuntu2.1 500
        500 http://br.archive.ubuntu.com/ubuntu cosmic-updates/main amd64 Packages
...
gvfs-backends:
  Installed: 1.38.1-0ubuntu1.2
  Candidate: 1.38.1-0ubuntu1.2
  Version table:
 *** 1.38.1-0ubuntu1.2 500
        500 http://br.archive.ubuntu.com/ubuntu cosmic-updates/main amd64 Packages
...

Bug reproduced, see attached screenshot. Windows network browsing is empty.

(continued)

Andreas Hasenack (ahasenack) wrote :

Cosmic verification (continued)

Now installing the updated samba packages, and rebuilding gvfs locally:

samba:
  Installed: 2:4.8.4+dfsg-2ubuntu2.2
  Candidate: 2:4.8.4+dfsg-2ubuntu2.2
  Version table:
 *** 2:4.8.4+dfsg-2ubuntu2.2 500
        500 http://br.archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 Packages

gvfs:
ubuntu@ubuntu:~/deb/gvfs/gvfs-1.38.1$ grep smbc_setOptionProtocol ../build.log
Checking for function "smbc_setOptionProtocols" : YES

$ apt-cache policy gvfs-backends
gvfs-backends:
  Installed: 1.38.1-0ubuntu1.3~andreas1
  Candidate: 1.38.1-0ubuntu1.3
  Version table:
     1.38.1-0ubuntu1.3 500
        500 http://br.archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 Packages
 *** 1.38.1-0ubuntu1.3~andreas1 100
        100 /var/lib/dpkg/status

Note: there is an old gvfs in proposed already, but it was NOT rebuilt with this samba version.

Reboot, login, access windows network, and the workgroup and computer are displayed (see attached screenshot).

Accessing the "pub" share works after authenticating, and in that case smbstatus shows SMB3.11 was used:
root@ubuntu:~# smbstatus

Samba version 4.8.4-Ubuntu
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
2033 nobody nogroup ubuntu (ipv4:192.168.122.79:51830) NT1 - -
2044 nobody nogroup ubuntu (ipv4:192.168.122.79:51834) NT1 - -
2240 nobody nogroup ubuntu (ipv4:192.168.122.79:51844) NT1 - -
2420 ubuntu ubuntu 192.168.122.79 (ipv4:192.168.122.79:48332) SMB3_11 - partial(AES-128-CMAC)

Service pid Machine Connected at Encryption Signing
---------------------------------------------------------------------------------------------
IPC$ 2044 ubuntu Fri Apr 5 16:07:06 2019 UTC - -
IPC$ 2033 ubuntu Fri Apr 5 16:07:04 2019 UTC - -
pub 2420 192.168.122.79 Fri Apr 5 16:08:54 2019 UTC - -
IPC$ 2240 ubuntu Fri Apr 5 16:08:07 2019 UTC -

Cosmic verification succeeded.

tags: added: verification-done-bionic
removed: verification-needed-bionic
Andreas Hasenack (ahasenack) wrote :

I think I mixed the verification-done tags, but both are done now.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.8.4+dfsg-2ubuntu2.3

---------------
samba (2:4.8.4+dfsg-2ubuntu2.3) cosmic-security; urgency=medium

  * SECURITY UPDATE: save registry file outside share as unprivileged user
    - debian/patches/CVE-2019-3880.patch: remove implementations of
      SaveKey/RestoreKey in source3/rpc_server/winreg/srv_winreg_nt.c.
    - CVE-2019-3880

 -- Marc Deslauriers <email address hidden> Thu, 04 Apr 2019 14:05:09 -0400

Changed in samba (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.7.6+dfsg~ubuntu-0ubuntu2.9

---------------
samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.9) bionic-security; urgency=medium

  * SECURITY UPDATE: save registry file outside share as unprivileged user
    - debian/patches/CVE-2019-3880.patch: remove implementations of
      SaveKey/RestoreKey in source3/rpc_server/winreg/srv_winreg_nt.c.
    - CVE-2019-3880

 -- Marc Deslauriers <email address hidden> Thu, 04 Apr 2019 14:05:56 -0400

Changed in samba (Ubuntu Bionic):
status: Fix Committed → Fix Released
BloodyIron (bloodyiron) wrote :

I'm seeing this issue with Disco Dingo 19.04

Using samba/disco,now 2:4.10.0+dfsg-0ubuntu2 amd64 [installed]

Upgrade didn't install samba by default, and nautilus is still having issues with network share being SMB2 minimum

Solved by:
1. Killing PID of gvfsd-smb-browse
2. Running "GVFS_SMB_DEBUG=1 /usr/lib/gvfs/gvfsd-smb-browse"

Issue returns after reboot.

So, looks like was solved in 4.8, but since Disco Dingo 19.04 uses 4.10, looks like it didn't get the fix, not sure.

BloodyIron (bloodyiron) wrote :

Also, since samba package isn't installed by default (at least in my 18.10 to 19.04 upgrade), how do we fix this without the samba package installed?

Andreas Hasenack (ahasenack) wrote :

I checked disco when I prepared these updates for bionic and cosmic, and it was all right. Let me re-check with a default install using the CD this time, now that it is released.

Andreas Hasenack (ahasenack) wrote :

It worked just fine on a disco desktop default install.

I brought up a bionic vm, which has samba running and set to a workgroup called "workgroup" and has a /pub share. On disco, I click on "other locations", then "windows network", and I see "WORKGROUP". I can click on "WORKGROUP", which then shows me the other server. If I click on that, I see the "pub" share.

The only samba packages you need for this network browsing are installed: libsmbclient, libwbclient0, samba-libs. I have these with version 4.10.0 as expected.

BloodyIron (bloodyiron) wrote :

@Andreas , I already have those installed. Still seeing the same effect each reboot.

Not sure why my result is different. I do have two workgroups in play though, so I wonder if that's it...

Andreas Hasenack (ahasenack) wrote :

Check your smb.conf, maybe you have some overriding setting in there. The default disco install I tested had no config file.

With gvfsd running in debug mode, there is also a specific message you can look for which will tell you if your gvfsd was rebuilt with the right samba version: "Forcing NT1 protocol version"

I followed steps 1 and 2 last time I checked this: https://wiki.gnome.org/Projects/gvfs/debugging

Andreas Hasenack (ahasenack) wrote :

Ah, you said so, sorry

Clement Lefebvre (clementlefebvre) wrote :

Is a rebuild/version-bump planned for gvfs Bionic?

Sebastien Bacher (seb128) wrote :

> Is a rebuild/version-bump planned for gvfs Bionic?

Yes, that was blocked by another SRU which was accepted but turned out to be problematic (building the nfs backend which requires libnfs promoted). The other SRU has been deleted for now so we are going to move forward with this rebuild

Andreas Hasenack (ahasenack) wrote :

It is, that's all that's needed now. I heard another, unrelated, gvfs SRU was in the works and was hitting problems, though.

I have a no-change rebuild in this PPA for bionic: https://launchpad.net/~ahasenack/+archive/ubuntu/gvfs-rebuild-1778322/

BloodyIron (bloodyiron) wrote :

Um, what about Disco Dingo? 19.04, still having the bug.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Disco shouldn't have this bug. It (gvfs) will have issues connecting to smb servers that have disabled SMB1, just like bionic and everything in between.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I found an upstream issue about not being able to get a share list from a machine that has SMB1 disabled: https://gitlab.gnome.org/GNOME/gvfs/issues/307

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I filed https://bugs.launchpad.net/gvfs/+bug/1828107 for the remaining issue of connecting to machines in the windows network tab that have disabled SMB1. Note that a connection made specifically to the machine/ip still works (smb://<ip|name>/)

Revision history for this message
BloodyIron (bloodyiron) wrote :

I have the issue in Disco... and have since I upgraded to it, as I mentioned https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1778322/comments/35.

Revision history for this message
Sebastien Bacher (seb128) wrote :

(bionic rebuild SRU in the queue now)

Changed in gvfs (Ubuntu Bionic):
status: Triaged → Fix Committed
Revision history for this message
Sebastien Bacher (seb128) wrote :

Cosmic uploaded as well

Changed in gvfs (Ubuntu Cosmic):
status: Triaged → Fix Committed
Changed in gvfs (Ubuntu):
status: Triaged → Fix Committed
Revision history for this message
Sebastien Bacher (seb128) wrote :

The bug should be fixed in Disco, samba 2.4.10 includes the function and gvfs there has the patch and was rebuilt with it

Changed in gvfs (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

The "windows network" tab depends on an election to happen between the smb servers, and a master browser being elected. It's the master browser that is contacted for the list of machines in the network. If that machine has smb1 disabled, for example, then this won't work, because it will hit #1828107 (that's my understanding).

I suggest focusing on the test case presented in the bug description. If there are still cases where it doesn't work, then it's a separate bug, because disco has the same fix in place as we are applying here.

Revision history for this message
BloodyIron (bloodyiron) wrote :

Okay but it isn't fixed in Dingo. I still get it. What more do you want me to do, not say it's happening for me in Disco Dingo? Because it is...

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Try the test case in a disco vm

Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Sebastian, or anyone else affected,

Accepted gvfs into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gvfs/1.38.1-0ubuntu1.3.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed-cosmic
removed: verification-done-cosmic
tags: added: verification-needed-bionic
removed: verification-done-bionic
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Sebastian, or anyone else affected,

Accepted gvfs into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gvfs/1.36.1-0ubuntu1.3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
BloodyIron (bloodyiron) wrote :

I'm using Disco as my daily driver and I still have this issue every time I reboot. I also update nearly daily from the main repos, so any fixes that may have rolled out thus far aren't fixing it.

Mathew Hodson (mhodson)
no longer affects: nautilus (Ubuntu)
Changed in samba (Ubuntu Bionic):
importance: Undecided → High
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

@Bloodyiron, please run "nmblookup -M <yourworkgroupname>" and check if the machine that is listed has SMB1 disabled or not. If it has SMB1 disabled, then it's https://bugs.launchpad.net/gvfs/+bug/1828107

Revision history for this message
BloodyIron (bloodyiron) wrote :

Well I know for a fact it has SMB1 disabled, as I disabled it myself. Ran the test you asked, didn't output any info that seemed to conclusively say which protocols were visible. I'm intentionally disabling SMB1 for the very public security concerns. In this case, the "server" has a minimum protocol set to SMB2.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Bionic desktop verification

With gvfs-backends from the release pocket:
ubuntu@bionic-desktop:~$ apt-cache policy gvfs-backends
gvfs-backends:
  Installed: 1.36.1-0ubuntu1.3
  Candidate: 1.36.1-0ubuntu1.3
  Version table:
 *** 1.36.1-0ubuntu1.3 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages

I get an empty "windows network" tab in the desktop (see attached screenshot empty-windows-network-before-test.png).

After updating to this package from proposed:
  Version table:
 *** 1.36.1-0ubuntu1.3.2 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages

And logging out and back in, I get a populated windows network tab (see screenshot populated-windows-network-after-test.png).

I can then connect to the pub share on localhost (see screenshot connecting-to-pub-after-test.png) and, once that is done, smbstatus shows this output:
ubuntu@bionic-desktop:~$ sudo smbstatus

Samba version 4.7.6-Ubuntu
PID     Username  Group     Machine                                      Protocol Version  Encryption  Signing
----------------------------------------------------------------------------------------------------------------------------------------
3771    nobody    nogroup   bionic-desktop (ipv4:192.168.122.213:56026)  NT1               -           -
3874    ubuntu    ubuntu    192.168.122.213 (ipv4:192.168.122.213:32800) SMB3_11           -           partial(AES-128-CMAC)
3807    nobody    nogroup   bionic-desktop (ipv4:192.168.122.213:56028)  NT1               -           -
3762    nobody    nogroup   bionic-desktop (ipv4:192.168.122.213:56022)  NT1               -           -

Service   pid     Machine           Connected at                  Encryption  Signing
---------------------------------------------------------------------------------------------
IPC$      3762    bionic-desktop    Fri Jun 21 21:07:33 2019 UTC  -           -
IPC$      3807    bionic-desktop    Fri Jun 21 21:08:09 2019 UTC  -           -
IPC$      3771    bionic-desktop    Fri Jun 21 21:07:37 2019 UTC  -           -
pub       3874    192.168.122.213   Fri Jun 21 21:08:30 2019 UTC  -           -

No locked files

The connection to the pub share is using SMB3_11.

The connections using NT1 show why https://bugs.launchpad.net/gvfs/+bug/1828107 is still relevant, but it's a separate bug. See comment #55 for my reasoning. I think releasing this update is a step in the right direction.

Bionic verification succeeded.

tags: added: verification-done-bionic
removed: verification-needed-bionic
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Cosmic verification

First reproducing the bug with these packages:
  Version table:
 *** 1.38.1-0ubuntu1.2 500
        500 http://br.archive.ubuntu.com/ubuntu cosmic-updates/main amd64 Packages

windows network tab is empty (see screenshot cosmic-empty-windows-network-before-test.png)

Now with these packages:
 *** 1.38.1-0ubuntu1.3.1 500
        500 http://br.archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 Packages

After a logout and new login, the windows network tab is populated (see cosmic-populated-windows-network-after-test.png) and I can connect to the displayed pub share (see cosmic-connecting-to-pub-after-test.png).

After I'm connected, smbstatus shows that smb3.11 was used for the connection to pub:
ubuntu@cosmic-desktop:~$ sudo smbstatus

Samba version 4.8.4-Ubuntu
PID     Username  Group     Machine                                      Protocol Version  Encryption  Signing
----------------------------------------------------------------------------------------------------------------------------------------
5812    nobody    nogroup   cosmic-desktop (ipv4:192.168.122.27:57330)   NT1               -           -
5821    nobody    nogroup   cosmic-desktop (ipv4:192.168.122.27:57334)   NT1               -           -
5880    ubuntu    ubuntu    192.168.122.27 (ipv4:192.168.122.27:47898)   SMB3_11           -           partial(AES-128-CMAC)
5828    nobody    nogroup   cosmic-desktop (ipv4:192.168.122.27:57336)   NT1               -           -

Service   pid     Machine           Connected at                  Encryption  Signing
---------------------------------------------------------------------------------------------
IPC$      5828    cosmic-desktop    Fri Jun 21 21:36:38 2019 UTC  -           -
IPC$      5812    cosmic-desktop    Fri Jun 21 21:36:18 2019 UTC  -           -
pub       5880    192.168.122.27    Fri Jun 21 21:37:00 2019 UTC  -           -
IPC$      5821    cosmic-desktop    Fri Jun 21 21:36:21 2019 UTC  -           -

No locked files

As stated in the bionic verification, a fix for https://bugs.launchpad.net/gvfs/+bug/1828107 is still relevant.

cosmic verification succeeded.

tags: added: verification-done-cosmic
removed: verification-needed-cosmic
Revision history for this message
BloodyIron (bloodyiron) wrote :

Can we also get this bug marked as Disco too? Not just Bionic and Cosmic? I'm _still_ getting the issue with a fully updated Disco (19.04).

Mathew Hodson (mhodson)
tags: removed: browse browsing verification-needed
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for gvfs has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gvfs - 1.38.1-0ubuntu1.3.1

---------------
gvfs (1.38.1-0ubuntu1.3.1) cosmic; urgency=medium

  * No change rebuild to pick up the current samba version.
    The patch git_smb_nt1.patch added to fix smb browsing requires a new
    libsmb api to work and that's checked for at build time (lp: #1778322)

 -- Sebastien Bacher <email address hidden> Wed, 08 May 2019 11:17:32 +0200

Changed in gvfs (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gvfs - 1.36.1-0ubuntu1.3.2

---------------
gvfs (1.36.1-0ubuntu1.3.2) bionic; urgency=medium

  * No change rebuild to pick up the current samba version.
    The patch git_smb_nt1.patch added to fix smb browsing requires a new
    libsmb api to work and that's checked for at build time (lp: #1778322)

 -- Sebastien Bacher <email address hidden> Wed, 08 May 2019 10:48:17 +0200

Changed in gvfs (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Disco works out of the box wrt this bug specifically. Which is expected since it has the same fix.

windows network tab is populated (see disco-windows-network-populated.png)

Connecting to the pub share (see disco-connect-to-pub.png).

smbstatus shows smb3.11 in the pub connection, and NT1 for IPC$:
ubuntu@disco-desktop:~$ sudo smbstatus

Samba version 4.10.0-Ubuntu
PID     Username  Group     Machine                                      Protocol Version  Encryption  Signing
----------------------------------------------------------------------------------------------------------------------------------------
3969    ubuntu    ubuntu    127.0.0.1 (ipv4:127.0.0.1:43370)             SMB3_11           -           partial(AES-128-CMAC)
3752    nobody    nogroup   disco-desktop (ipv4:192.168.122.70:53276)    NT1               -           -
3721    nobody    nogroup   disco-desktop (ipv4:127.0.0.1:40552)         NT1               -           -
3805    nobody    nogroup   disco-desktop (ipv4:127.0.0.1:40562)         NT1               -           -
3731    nobody    nogroup   disco-desktop (ipv4:192.168.122.70:53270)    NT1               -           -

Service   pid     Machine           Connected at                  Encryption  Signing
---------------------------------------------------------------------------------------------
IPC$      3721    disco-desktop     seg jun 24 10:35:20 2019 -03  -           -
pub       3969    127.0.0.1         seg jun 24 10:36:16 2019 -03  -           -
IPC$      3752    disco-desktop     seg jun 24 10:35:31 2019 -03  -           -
IPC$      3805    disco-desktop     seg jun 24 10:35:54 2019 -03  -           -
IPC$      3731    disco-desktop     seg jun 24 10:35:23 2019 -03  -           -

No locked files

If you have NT1 disabled in your network, then the windows network tab will be empty, and that's https://bugs.launchpad.net/gvfs/+bug/1828107 and it affects all releases still.
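
Added example, not part of the thread or of any participant's comment: the smbstatus output pasted in the verification comments can be checked mechanically for sessions that negotiated an SMB1-family dialect, along with the services those sessions touched. The input is the bionic session and service tables copied from this thread; the function names and the SMB1_FAMILY set (Samba's pre-SMB2 dialect names) are assumptions of this example.

```python
import re

# Sample input: session and service tables copied from the bionic
# verification comment in this thread (dash rules dropped).
SAMPLE = """\
Samba version 4.7.6-Ubuntu
PID Username Group Machine Protocol Version Encryption Signing
3771 nobody nogroup bionic-desktop (ipv4:192.168.122.213:56026) NT1 - -
3874 ubuntu ubuntu 192.168.122.213 (ipv4:192.168.122.213:32800) SMB3_11 - partial(AES-128-CMAC)
3807 nobody nogroup bionic-desktop (ipv4:192.168.122.213:56028) NT1 - -
3762 nobody nogroup bionic-desktop (ipv4:192.168.122.213:56022) NT1 - -

Service pid Machine Connected at Encryption Signing
IPC$ 3762 bionic-desktop Fri Jun 21 21:07:33 2019 UTC - -
IPC$ 3807 bionic-desktop Fri Jun 21 21:08:09 2019 UTC - -
IPC$ 3771 bionic-desktop Fri Jun 21 21:07:37 2019 UTC - -
pub 3874 192.168.122.213 Fri Jun 21 21:08:30 2019 UTC - -

No locked files
"""

# Assumption: dialect names Samba uses for everything older than SMB2.
SMB1_FAMILY = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

# Session row: PID user group machine (transport:addr:port) protocol enc sign
SESSION = re.compile(
    r"^(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<group>\S+)\s+(?P<machine>\S+)\s+"
    r"\((?P<addr>[^)]+)\)\s+(?P<proto>\S+)\s+(?P<enc>\S+)\s+(?P<sign>\S+)\s*$")
# Service row: share pid machine <timestamp, locale dependent> enc sign
SERVICE = re.compile(
    r"^(?P<service>\S+)\s+(?P<pid>\d+)\s+(?P<machine>\S+)\s+.+?\s+"
    r"(?P<enc>\S+)\s+(?P<sign>\S+)\s*$")

def parse_smbstatus(text):
    """Return (sessions by pid, list of services by pid) from smbstatus text."""
    sessions, services = {}, {}
    for line in text.splitlines():
        m = SESSION.match(line)
        if m:
            sessions[m["pid"]] = m.groupdict()
            continue
        m = SERVICE.match(line)  # headers and rules match neither pattern
        if m:
            services.setdefault(m["pid"], []).append(m["service"])
    return sessions, services

def smb1_sessions(text):
    """One finding per session that negotiated an SMB1-family dialect."""
    sessions, services = parse_smbstatus(text)
    return [{"pid": int(pid), "user": s["user"], "client": s["addr"],
             "protocol": s["proto"], "signed": s["sign"] != "-",
             "services": sorted(set(services.get(pid, [])))}
            for pid, s in sessions.items() if s["proto"].upper() in SMB1_FAMILY]

if __name__ == "__main__":
    for finding in smb1_sessions(SAMPLE):
        print(finding)
```

On the thread's data this reports only the unsigned guest IPC$ sessions used for browsing, while the authenticated connection to pub stays on SMB3_11.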

Revision history for this message
BloodyIron (bloodyiron) wrote :

The bug still exists for me on Disco, so I don't see how you arrive at the position that it "works" out of the box. It does not "work" for me, the bug exists on Disco for me. And I've regularly kept my system up to date. I've reported this multiple times in this thread and seem to be ignored.

Revision history for this message
BloodyIron (bloodyiron) wrote :

In fact I literally just tried it again, and get the same issue, where it does not prompt for login, and the related gvfs process needs to be killed.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

@bloodyiron, you said in https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1778322/comments/81 that you had SMB1 disabled in your network, and I confirmed that with SMB1 disabled there is still a bug, and that bug is https://bugs.launchpad.net/gvfs/+bug/1828107, and it affects all ubuntu releases. I don't know what else to tell you, sorry, it sounds like you are ignoring that open bug.

Revision history for this message
BloodyIron (bloodyiron) wrote :

@andreas oops I think I got muddled up, sorry about that! I'm going to unsub from this bug (which I should have done earlier).

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

No worries, thanks for following up

Revision history for this message
BloodyIron (bloodyiron) wrote :

Still having to kill gvfsd-smb-browse each time I reboot just so I can browse network shares. Clearly the fix didn't actually fix this. This is going on 4-ish years now.

Additional thread: https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1828107
