[kio-extras] [Bug 494981] New: Kerberos auth doesn't work since libsmbclient 4.21

Fri, 18 Oct 2024 03:43:57 -0700 

https://bugs.kde.org/show_bug.cgi?id=494981

            Bug ID: 494981
           Summary: Kerberos auth doesn't work since libsmbclient 4.21
    Classification: Frameworks and Libraries
           Product: kio-extras
           Version: 24.08.2
          Platform: Arch Linux
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: Samba
          Assignee: plasma-b...@kde.org
          Reporter: pie...@neviem.eu
                CC: sit...@kde.org
  Target Milestone: ---

SUMMARY


STEPS TO REPRODUCE
1. Get Kerberos TGT (i.e. run kinit)
2. Connect to a smb:// uri in KDE Dolphin, where the server supports Kerberos
authentication

OBSERVED RESULT

The system asks for credentials (username, domain, password).

EXPECTED RESULT

Kerberos is used for authentication and no password is asked from the user.

SOFTWARE/OS VERSIONS
Linux: 6.11.3-arch1-1
KDE Plasma Version: 6.2.1
KDE Frameworks Version: 6.7.0
Qt Version: 6.8.0, 5.15.15

ADDITIONAL INFORMATION

Kerberos in KIO works when smbclient 4.20.4-1 is installed, but it doesn't work
in anything newer (smbclient-2:4.21.*).

smbclient command in terminal correctly authenticates without password using
Kerberos in all versions of smbclient. The problem seems to lie in the
integration between kio smb worker and libsmbclient.

I tried to read through samba changelog+commit log since samba 4.20. No
mentions of relevant changes in changelogs, but there are multiple commits
touching Kerberos authentication for clients. Unfortunately, I'm not competent
enough to understand the impact on kio smb worker.

I made a packet trace using Wireshark. The Samba server offers both Kerberos
and NTLM in it's Negotiate protocol response:

mechTypes: 3 items
    MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
    MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
    MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support
Provider)

The client then selects NTLMSSP immediately.

I've been used to mount a samba share with a headless script. Please see the
output of kio smb worker debug log + pacman installation log:

okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb:
auth_initialize_smbc
okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb: Setting debug
level to: 0
okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb: Using
libsmbclient library version QVersionNumber(4.21.1)
okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb:
QUrl("smb://sambaserver.example.org/")
okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb: checkURL 
QUrl("smb://sambaserver.example.org/")
okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb: checkURL return3 
QUrl("smb://sambaserver.example.org/")
okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb: updateCache  "/"
okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb:
QUrl("smb://sambaserver.example.org/")
okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb: checkURL 
QUrl("smb://sambaserver.example.org/")
okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb: checkURL return3 
QUrl("smb://sambaserver.example.org/")
okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb: updateCache  "/"
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb:
QUrl("smb://sambaserver.example.org/")
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: checkURL 
QUrl("smb://sambaserver.example.org/")
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: checkURL return3 
QUrl("smb://sambaserver.example.org/")
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: updateCache  "/"
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: Starting
discovery.
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb:
auth_smbc_get_dat: set user= mysername , workgroup= WORKGROUP  server=
sambaserver.example.org , share= IPC$
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: updateCache 
"/IPC$"
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb:
libsmb-auth-callback URL: QUrl("smb://sambaserver.example.org/IPC$")
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb:
auth_smbc_get_dat: set user= mysername , workgroup= WORKGROUP  server=
sambaserver.example.org , share= IPC$
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: updateCache 
"/IPC$"
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb:
libsmb-auth-callback URL: QUrl("smb://sambaserver.example.org/IPC$")
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: open
"smb://sambaserver.example.org/" url-type: 2 dirfd: -1 errNum: 22
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: Discovery
finished.
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: trying
checkPassword
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: checkPassword for
 QUrl("smb://sambaserver.example.org/")
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: call
openPasswordDialog for  QUrl("smb://sambaserver.example.org/")
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: no value from
openPasswordDialog; error: 1
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: user cancelled
password request
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: errNum 22
okt 18 09:06:15 mylaptop pacman[5240]: Running 'pacman -U
https://archive.archlinux.org/packages/s/smbclient/smbclient-4.20.4-1-x86_64.pkg.tar.zst'
okt 18 09:06:16 mylaptop pacman[5240]: transaction started
okt 18 09:06:16 mylaptop pacman[5240]: downgraded smbclient (2:4.21.1-1 ->
4.20.4-1)
okt 18 09:06:16 mylaptop pacman[5240]: transaction completed
okt 18 09:06:16 mylaptop pacman[5240]: running '30-systemd-update.hook'...
okt 18 09:06:16 mylaptop pacman[5240]: running '90-packagekit-refresh.hook'...
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb:
auth_initialize_smbc
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: Setting debug
level to: 0
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: Using
libsmbclient library version QVersionNumber(4.20.4)
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb:
QUrl("smb://sambaserver.example.org/")
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: checkURL 
QUrl("smb://sambaserver.example.org/")
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: checkURL return3 
QUrl("smb://sambaserver.example.org/")
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: updateCache  "/"
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: Starting
discovery.
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb:
auth_smbc_get_dat: set user= mysername , workgroup= WORKGROUP  server=
sambaserver.example.org , share= IPC$
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: updateCache 
"/IPC$"
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb:
libsmb-auth-callback URL: QUrl("smb://sambaserver.example.org/IPC$")
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb:
auth_smbc_get_dat: set user= mysername , workgroup= WORKGROUP  server=
sambaserver.example.org , share= IPC$
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: updateCache 
"/IPC$"
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb:
libsmb-auth-callback URL: QUrl("smb://sambaserver.example.org/IPC$")
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: open
"smb://sambaserver.example.org/" url-type: 2 dirfd: 10000 errNum: 0
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: smbc_readdir
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: dirent  name:
"ebooks" comment: "share1" type: 3
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: smbc_readdir
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: dirent  name:
"software" comment: "share2" type: 3
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: smbc_readdir
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: dirent  name:
"prevadzka" comment: "share3" type: 3
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: smbc_readdir
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: dirent  name:
"projekty" comment: "share4" type: 3
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: smbc_readdir
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: dirent  name:
"temporary" comment: "share5" type: 3
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: smbc_readdir
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: dirent  name:
"archiv" comment: "share6" type: 3
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: smbc_readdir
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: dirent  name:
"IPC$" comment: "IPC Service (sambaserver server)" type: 6
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: SMBC_UNKNOWN :
"IPC$"
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: smbc_readdir
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: dirent  name:
"mysername" comment: "Home Directories" type: 3
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: smbc_readdir
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: done with smbc
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: Discovery
finished.




The command generating the logs above:

    dbus-send --session --print-reply --type=method_call --dest=org.kde.KIOFuse
/org/kde/KIOFuse org.kde.KIOFuse.VFS.mountUrl
"string:smb://sambaserver.example.org/"

-- 
You are receiving this mail because:
You are watching all bug changes.

Reply via email to