GVFS SMB Kerberos fix - Request for code freeze break



Hello release-team,

kindly asking for permission to break the Hard Code Freeze and commit
the attached patch to gvfs/branches/gnome-2-24.

Bug 524498 – display authentification dialog rather than just using
kerberos credentials
http://bugzilla.gnome.org/show_bug.cgi?id=524498

This patch fixes Kerberos authentication in the SMB backend, where a user
connecting to a Samba share and holding a valid Kerberos ticket was
repeatedly asked for credentials and the connection succeeded only when the
login dialog was cancelled.

Due to the generally bad shape of the GVFS SMB backend, I recommend including
this fix in the upcoming 2.24 release.

The maintainer of the GVFS library (Christian Kellner <gicmo gnome org>)
has reviewed the patch and agrees with the commit.

The patch has been tested on a pool of Samba servers with various
configurations, including Windows 2003 Server configured as an Active
Directory Domain Controller and Kerberos server.

This is a functional fix, affecting all Gnome modules using GIO. No
strings have been changed.

Thanks,
-- 
Tomas Bzatek <tbzatek redhat com>

Index: daemon/gvfsbackendsmb.c
===================================================================
--- daemon/gvfsbackendsmb.c	(revision 1992)
+++ daemon/gvfsbackendsmb.c	(revision 1993)
@@ -175,10 +175,7 @@
       backend->user == NULL &&
       backend->domain == NULL)
     {
-      /* Try anon login */
-      strncpy (username_out, "", unmaxlen);
-      strncpy (password_out, "", pwmaxlen);
-      /* Try again if anon login fails */
+      /* Try again if kerberos login + anonymous fallback fails */
       backend->mount_try_again = TRUE;
     }
   else
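Review bot: With the two strncpy calls removed, the user == NULL / domain == NULL branch no longer writes anything to username_out or password_out, so what libsmbclient sees after the callback returns depends on what the caller left in those buffers. Please confirm they are guaranteed to be empty strings on entry, or keep an explicit termination such as username_out[0] = '\0' and password_out[0] = '\0' so the anonymous attempt never runs with stale contents. The new comment could also say that the Kerberos and anonymous attempts are now driven by the context options rather than by this callback.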
@@ -495,9 +492,15 @@
   smb_context->flags = 0;
 #endif
   
+  /* Initial settings:
+   *   - use Kerberos (always)
+   *   - in case of no username specified, try anonymous login
+   */
   smbc_setOptionUseKerberos (smb_context, 1);
-  smbc_setOptionFallbackAfterKerberos (smb_context, 1);  
-  smbc_setOptionNoAutoAnonymousLogin (smb_context, 1);
+  smbc_setOptionFallbackAfterKerberos (smb_context,
+                                       op_backend->user != NULL);
+  smbc_setOptionNoAutoAnonymousLogin (smb_context,
+                                      op_backend->user != NULL);
 
   
 #if 0
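Review bot: The initial options are keyed on op_backend->user != NULL alone, while the auth callback's first-round branch in the previous hunk also requires backend->domain == NULL. A mount with a domain but no user therefore starts with anonymous login allowed and NTLMSSP fallback disabled, yet does not take the callback branch that expects that state. Consider computing the condition once (for example a local gboolean covering both user and domain) and using it in both places. The comment block should also state that fallback after Kerberos is deliberately off when no user is given, since "use Kerberos (always)" does not explain why the second argument is 0 in that case.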
@@ -540,6 +543,8 @@
 
   uri = create_smb_uri (op_backend->server, op_backend->share, NULL);
 
+
+  /*  Samba mount loop  */
   op_backend->mount_source = mount_source;
   op_backend->mount_try = 0;
   op_backend->password_save = G_PASSWORD_SAVE_NEVER;
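Review bot: Style only: the added lines leave two consecutive blank lines before the comment, and the comment has doubled spaces inside the delimiters. Suggest a single blank line and /* Samba mount loop */ to match the surrounding code.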
@@ -554,8 +559,17 @@
       if (res == 0 ||
 	  (errno != EACCES && errno != EPERM))
 	break;
-      
-      op_backend->mount_try ++;      
+
+      /* The first round is Kerberos-only.  Only if this fails do we enable
+       * NTLMSSP fallback (turning off anonymous fallback, which we've
+       * already tried and failed with).
+       */
+      if (op_backend->mount_try == 0)
+        {
+          smbc_setOptionFallbackAfterKerberos (op_backend->smb_context, 1);
+          smbc_setOptionNoAutoAnonymousLogin (op_backend->smb_context, 1);
+        }
+      op_backend->mount_try ++;
     }
   while (op_backend->mount_try_again);
   
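Review bot: The comment in the mount_try == 0 block does not match the initial settings made earlier in this patch. The first round is "Kerberos-only" only when a user was specified; with no user, anonymous login is also allowed in that round. Conversely, "which we've already tried and failed with" holds only for the no-user case, because with a user given anonymous login was never attempted. When a user is set, both options are already 1, so the two calls are no-ops on that path. Suggest rewording the comment to describe both cases, and noting that the option change only takes effect on the next iteration, which happens only if mount_try_again is still TRUE.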

