#553335 nautilus: Asks passwd for CIFS share when kerberos ticket available

Package:
gvfs-backends
Source:
gvfs
Description:
userspace virtual filesystem - backends
Submitter:
Vincent Zweije
Date:
2015-03-16 17:27:36 UTC
Severity:
minor
#553335#5
Date:
2009-10-30 12:00:28 UTC
From:
To:
When connecting to a (Windows) CIFS share, nautilus asks for a password,
even when an applicable kerberos ticket is available.

Clicking away the password dialog box (cancel) shows the share without
problems.

I'd expect nautilus to try using the kerberos ticket before asking for
a password, so I don't have to click away the password window.

Ciao.                                                        Vincent.

#553335#10
Date:
2009-11-02 11:26:03 UTC
From:
To:
reassign 553335 gvfs-backends 1.2.3-3
thanks

On Friday, 30 October 2009 at 13:00 +0100, Vincent Zweije wrote:

Does it still happen with gvfs-backends 1.4 from unstable?

Cheers,

#553335#21
Date:
2009-11-02 14:57:28 UTC
From:
To:
On Mon, Nov 02, 2009 at 12:26:03PM +0100, Josselin Mouette wrote:

||  reassign 553335 gvfs-backends 1.2.3-3
||  thanks
||
||  On Friday, 30 October 2009 at 13:00 +0100, Vincent Zweije wrote:
||  > When connecting to a (Windows) CIFS share, nautilus asks for a password,
||  > even when an applicable kerberos ticket is available.
||  >
||  > Clicking away the password dialog box (cancel) shows the share without
||  > problems.
||  >
||  > I'd expect nautilus to try using the kerberos ticket before asking for
||  > a password, so I don't have to click away the password window.
||
||  Does it still happen with gvfs-backends 1.4 from unstable?

Unfortunately, yes.

After apt-get -t unstable install gvfs-backends (pulling in gvfs as well),
passwords are still asked.

    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name           Version        Description
    +++-==============-==============-============================================
    ii  gvfs           1.4.1-2        userspace virtual filesystem - server
    ii  gvfs-backends  1.4.1-2        userspace virtual filesystem - backends

By the way, when closing the share browser and bringing it back up again,
no password dialog box is shown.

Ciao.                                                             Vincent.

#553335#28
Date:
2014-03-13 00:19:52 UTC
From:
To:
Hey,

Could you please still reproduce this issue with newer version
like 1.12.3-4 or 1.16.3-2 ?

thanks
regards
althaser

#553335#33
Date:
2014-03-13 08:48:53 UTC
From:
To:
On Thu, Mar 13, 2014 at 12:19:52AM +0000, althaser wrote:

||  Could you please still reproduce this issue with newer version
||  like 1.12.3-4 or 1.16.3-2 ?

Unfortunately, the problem persists.

    ~$ dpkg -l gvfs-backends
    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name                                 Version                 Architecture            Description
    +++-====================================-=======================-=======================-==============================================================================
    ii  gvfs-backends                        1.16.3-2                amd64                   userspace virtual filesystem - backends
    ~$ klist
    Ticket cache: FILE:/tmp/krb5cc_1000_FwHFwc
    Default principal: vzweije@<realm>

    Valid starting     Expires            Service principal
    03/13/14 09:03:15  03/13/14 19:03:15  krbtgt/<realm>@<realm>
	    renew until 03/14/14 02:03:15
    ~$

Starting nautilus through openbox menu, selecting a previously unused
CIFS share, asks for password. Clicking cancel shows the share without
problems. After that:

    ~$ klist
    Ticket cache: FILE:/tmp/krb5cc_1000_FwHFwc
    Default principal: vzweije@<realm>

    Valid starting     Expires            Service principal
    03/13/14 09:03:15  03/13/14 19:03:15  krbtgt/<realm>@<realm>
	    renew until 03/14/14 02:03:15
    03/13/14 09:31:21  03/13/14 19:03:15  cifs/file01.<domain>@<realm>
	    renew until 03/14/14 02:03:15
    03/13/14 09:31:30  03/13/14 19:03:15  cifs/file01@<realm>
	    renew until 03/14/14 02:03:15
    ~$

So two cifs tickets have been added in this interaction.

Starting nautilus from the command line makes no difference -- this
excludes environment variable problems.

After stopping and starting nautilus the problem is gone -- if the cifs
tickets are already there, the cifs backend will use them.

It appears that the cifs backend checks the presence of the ticket,
but does not try to request it from the kerberos server, before asking
the password. Then when the password box is canceled, it still requests
the ticket from the kerberos server.

If so, it should try to request the cifs ticket if it's not there before
asking for the password.

Don't think it matters, but the kerberos server in question is a windows
active directory server.

Vincent.
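
The ordering the last message asks for (use a cached cifs ticket, otherwise request one with the TGT, and only then prompt), as an added example that is not gvfs code and not part of the original thread. The realm `EXAMPLE.ORG`, the host `file01.example.org`, and the function names `next_step` and `prefetch_cifs_ticket` are assumptions; the sample caches are constructed from the `klist` output in the report.

```shell
#!/bin/sh
# Constructed klist output modelled on the report; EXAMPLE.ORG and
# file01.example.org are placeholders for the redacted realm and host.
TGT_ONLY='Ticket cache: FILE:/tmp/krb5cc_1000_example
Default principal: vzweije@EXAMPLE.ORG

Valid starting     Expires            Service principal
03/13/14 09:03:15  03/13/14 19:03:15  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 03/14/14 02:03:15'
WITH_CIFS="$TGT_ONLY
03/13/14 09:31:21  03/13/14 19:03:15  cifs/file01.example.org@EXAMPLE.ORG
        renew until 03/14/14 02:03:15"

# next_step HOST  (klist text on stdin; hypothetical helper)
# Prints what a client should do before showing a password dialog:
#   use-ticket       a cifs/HOST service ticket is already cached
#   request-ticket   only a TGT is cached: ask the KDC for cifs/HOST first
#   prompt-password  no Kerberos credentials at all
# Expiry times are not evaluated here; `klist -s` covers that for live caches.
next_step() {
    awk -v want="cifs/$1" '
        # Ticket lines have five fields and end in service/instance@REALM.
        NF >= 5 && index($NF, "/") > 1 && index($NF, "@") > index($NF, "/") {
            name = tolower($NF)
            sub(/@.*$/, "", name)            # drop the realm
            if (name == tolower(want)) svc = 1
            if (index(name, "krbtgt/") == 1) tgt = 1
        }
        END { print (svc ? "use-ticket" : (tgt ? "request-ticket" : "prompt-password")) }'
}

# prefetch_cifs_ticket HOST  (hypothetical wrapper for a live session)
# Returns 0 when a cifs/HOST ticket is cached afterwards, non-zero when the
# caller would have to fall back to a password prompt.
prefetch_cifs_ticket() {
    case $(klist 2>/dev/null | next_step "$1") in
        use-ticket)     return 0 ;;
        request-ticket) kvno "cifs/$1" >/dev/null 2>&1 ;;  # MIT Kerberos kvno
        *)              return 1 ;;
    esac
}
```

Running `prefetch_cifs_ticket file01.example.org` before opening the share puts the service ticket in the cache, which is the state in which the report says no password dialog appears.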