[Bug 1779890] [NEW] gvfsd process does not have the KRB5CCNAME environment set
Launchpad Bug Tracker
1779890 at bugs.launchpad.net
Wed Mar 29 16:21:30 UTC 2023
You have been subscribed to a public bug by Ubuntu Foundations Team Bug Bot (crichton):
[ Impact ]
The KRB5CCNAME environment variable points to the Kerberos ticket of the current machine and this ticket is used for authentication in Active Directory servers.
This variable is set by pam_sss when the user authenticates and can be
used by other processes, such as gio, to skip the credentials input when
accessing network shares, for example.
Some services rely on gvfs-daemon in order to properly function, such as
tracker-extract-3.service and tracker-miner-fs-3.service, which means
they will ask for the gvfs-daemon to be initialized when they are
executed by systemd. This creates problems if one service that relies on
gvfsd is started too early, as it would result in gvfsd being started
too early as well.
As of version 3.1 of tracker-miners, the install target of
tracker-miner-fs-3.service was set to gnome-session.target:
https://gitlab.gnome.org/GNOME/tracker-miners/-/merge_requests/283
However, the tracker-extract-3.service was not updated and its target is
still default.target, which is too early for the service to start.
Starting tracker-extract too early also starts gvfsd too early, before
the session environment is fully updated, which means that gvfsd does
not have the KRB5CCNAME variable and cannot do any operations with it.
Tracker-extract is supposed to be a helper service managed by
tracker-miner-fs-3.service. By using an [Install] section, we are
actually telling systemd that it should manage this service as well,
when it shouldn't.
So, by removing the [Install] section and having
tracker-miner-fs-3.service tied to gnome-session.target, we fix the
issue of gvfsd starting too early without the updated session
environment.
[ Test Plan ]
In order to test this issue, it's required to have an Active Directory server running.
1) Authenticate with an AD user (as this would set the KRB5CCNAME env);
2) Check gvfsd environment. This can be done by running:
cat /proc/$(pidof gvfsd)/environ | xargs --null -n1
You will be able to see that it does not have the variable listed.
3) Check that the information mentioned above about
tracker-miner-fs-3.service is true.
4) Disable tracker-extract-3.service. (This is a bit tricky, since its
target was default.target. The easiest way is to remove the symlink that
systemd created when enabling the unit, located under
/etc/systemd/user/default.target.wants/tracker-extract-3.service)
5) Reboot the machine;
6) Repeat steps 1 and 2.
This will show that gvfsd is now started with the proper environment.
It is not enough to look at ptree and the pids of the processes; instead
it's better to look into the session logs with:
journalctl --user -b
And check the order in which the services were started and when they
were triggered.
[ Where problems could occur ]
The tracker project is a search engine that speeds up search operations in GNOME. The tracker-miners is the indexing daemon that populates the database with information, so changing its start does not affect the system behavior.
This change fixes the startup of gvfs-daemon.service, which could delay
the start of services that rely on it running.
## Original description ##
Nautilus prompts for username and password when accessing a Samba share on a network drive, despite having a perfectly valid unexpired Kerberos ticket. The Kerberos ticket is obtained automatically at logon by authentication against a Samba Active Directory server (Samba AD-DC).
Accessing the same Samba share with the same Kerberos ticket via
"smbclient //host/sharename -k" works fine.
One known workaround is: "nautilus -q", and then "killall gvfsd". After
that, accessing the Samba share with Nautilus works normally as it
should.
I did not experience this issue in Ubuntu 16.04. It appears that a
regression was introduced somewhere between 16.04 and 18.04.
The issue is quite annoying and confusing for the users who are used to
accessing Samba shares on the network drive without being prompted for
their username and password.
The issue appears to manifest itself usually not on the first access to
a Samba share, but on subsequent accesses after a system reboot or upon
user logout/login. Strangely, removing ~/.cache/ibus/bus/registry file
before user login appears to fix the issue for the current user session,
but then the problem reappears upon subsequent user logins or after a
system reboot.
Nemo appears to have the same problem as Nautilus.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: gvfs-daemons 1.36.1-0ubuntu1
ProcVersionSignature: Ubuntu 4.15.0-24.26-generic 4.15.18
Uname: Linux 4.15.0-24-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.9-0ubuntu7.2
Architecture: amd64
Date: Tue Jul 3 11:12:06 2018
ExecutablePath: /usr/lib/gvfs/gvfsd
InstallationDate: Installed on 2018-04-27 (66 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
ProcEnviron:
LANG=en_CA.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
XDG_RUNTIME_DIR=<set>
SourcePackage: gvfs
UpgradeStatus: No upgrade log present (probably fresh install)
** Affects: gvfs (Ubuntu)
Importance: Unknown
Status: New
** Affects: tracker-miners (Ubuntu)
Importance: High
Assignee: Denison Barbosa (justdenis)
Status: Fix Released
** Affects: gvfs (Ubuntu Jammy)
Importance: Undecided
Status: New
** Affects: tracker-miners (Ubuntu Jammy)
Importance: Undecided
Status: New
** Affects: gvfs (Ubuntu Kinetic)
Importance: Undecided
Status: New
** Affects: tracker-miners (Ubuntu Kinetic)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug bionic desktop-lts-wishlist dt-798 focal patch
--
gvfsd process does not have the KRB5CCNAME environment set
https://bugs.launchpad.net/bugs/1779890
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.
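The checks from the Test Plan above (steps 2 and 3) as a small script. This is an added example, not part of the bug report or of the tracker-miners/gvfs projects; the function names are hypothetical and the sample environ and unit files are constructed.

```shell
#!/bin/sh
# Added example: Test Plan checks written as functions over files, so they
# can be run against /proc/<pid>/environ and unit files or against samples.

# Print the value of variable $2 from a NUL-separated environ file $1
# (the format of /proc/<pid>/environ); exit status 1 if it is absent.
# Assumes values contain no newlines.
environ_get() {
    tr '\000' '\n' < "$1" | awk -v name="$2" '
        index($0, name "=") == 1 { print substr($0, length(name) + 2); found = 1; exit }
        END { exit !found }'
}

# Print "ok" if the environ file $1 carries KRB5CCNAME, "missing" otherwise.
gvfsd_ccache_state() {
    if environ_get "$1" KRB5CCNAME >/dev/null; then echo ok; else echo missing; fi
}

# Print the WantedBy= targets from the [Install] section of unit file $1.
# No output means the unit has nothing for systemd to enable on its own.
unit_install_targets() {
    awk '/^\[/ { in_install = ($0 == "[Install]"); next }
         in_install && /^WantedBy[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print }' "$1"
}

# Constructed sample data (not captured from a real system).
demo() {
    d=$(mktemp -d)
    printf 'LANG=en_CA.UTF-8\0XDG_RUNTIME_DIR=/run/user/1000\0' > "$d/early.environ"
    printf 'LANG=en_CA.UTF-8\0KRB5CCNAME=FILE:/tmp/krb5cc_example\0' > "$d/late.environ"
    printf '[Unit]\nDescription=sample\n\n[Install]\nWantedBy=default.target\n' \
        > "$d/extract.service"
    echo "gvfsd started early: $(gvfsd_ccache_state "$d/early.environ")"
    echo "gvfsd started late:  $(gvfsd_ccache_state "$d/late.environ")"
    echo "extract unit WantedBy: $(unit_install_targets "$d/extract.service")"
    rm -rf "$d"
}

# On a live session: gvfsd_ccache_state "/proc/$(pidof gvfsd)/environ"
demo
```

A "missing" result for the running gvfsd together with `default.target` printed for tracker-extract-3.service matches the failing state described in the Impact section.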