Bug 334875

Summary: User should be prompted to enter a Samba password if necessary when that user first creates a share
Product: [Frameworks and Libraries] kdenetwork-filesharing Reporter: Ian Proudler <i.proudler>
Component: generalAssignee: Nate Graham <nate>
Status: RESOLVED FIXED    
Severity: grave CC: ae, alexkde, bugseforuns, dklais, frank78ac, hoperidesalone, jey.and.key, kdelibs-bugs, nate, postix, sitter, uzunov
Priority: VHI Keywords: usability
Version: unspecified   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
Latest Commit: Version Fixed In: 20.12
Sentry Crash Report:

Description Ian Proudler 2014-05-16 11:45:43 UTC
Clean install of Kubuntu. Try to share a folder: Right click on folder, properties, share: says samba needs to be installed. Click on button. Samba installed. Set up share properies. Folder visible over network. Try to open share from remonte machine, asks for user id and password but will not accept them. Fill out Sysyem Settings - > sharing with same user id and password as for share. Remote machine still cannot gain access. Issue command  'sudo smbpasswd -a <user>' in terminal. Share now works.


Reproducible: Didn't try

Steps to Reproduce:
1. Clean install
2. Try to share folder
3.
Actual Results:  
Remote machine asks for user id and password but will not accept them.

Expected Results:  
 user id and password accepted ans share made available.
Comment 1 Frank Reininghaus 2014-05-16 12:15:54 UTC
Thanks for the bug report. The Properties dialog is not provided by Dolphin itself, but by a library in kdelibs. I'll reassign your report there (even though I'm not sure if the problem is somewhere else in the stack, like some library that is used for the handling of smb shares).
Comment 2 Nate Graham 2018-06-15 01:45:09 UTC
*** Bug 381688 has been marked as a duplicate of this bug. ***
Comment 3 Nate Graham 2019-05-17 22:16:11 UTC
*** Bug 381301 has been marked as a duplicate of this bug. ***
Comment 4 Nate Graham 2019-05-17 22:16:22 UTC
*** Bug 339787 has been marked as a duplicate of this bug. ***
Comment 5 Nate Graham 2019-05-17 22:16:28 UTC
*** Bug 403385 has been marked as a duplicate of this bug. ***
Comment 6 Nate Graham 2019-05-20 17:47:26 UTC
For comparison: the way macOS handles this is by hiding the fact that the Samba serve's user account is completely independent of your own user account on the computer. It automatically creates a Samba server user with the same name as the currently logged-in user, then prompts the user to enter their own password, as though authenticating to something. In reality, the user is entering their current password as the password for the new Samba server user's account.

This is clever, but non-ideal for the following reasons:
- Sharing a password between your user account and Samba account is a security risk
- If you change your user account's password, the Samba sharing user's password doesn't get updated automatically (or maybe it does now?)

Either way we should probably prompt the user to enter a username/password combination when creating a share.
Comment 7 Nate Graham 2019-11-01 15:09:01 UTC
*** Bug 413679 has been marked as a duplicate of this bug. ***
Comment 8 Alexander Ewering 2019-11-01 15:26:15 UTC
Sorry to say, but I'm surprised that this issue has appearently been known for five years and despite being marked as "grave", being totally unsolvable for the average user, and the solution even being mentioned here and relatively trivial... should fixing this not have priority over any newly added features?
Comment 9 Nate Graham 2019-11-01 16:13:32 UTC
Indeed it is, and you might notice that the kdenetwork-filesharing module hasn't gotten any new features either. :)

KDE is just short-staffed for developers capable of fixing this issue, unfortunately. I've done some work on this module but my prior attempts to resolve this particular bug have not been successful yet. Patches are welcome if anyone passing by wants to take a crack at it.
Comment 10 Alexander Ewering 2019-11-01 16:24:36 UTC
Understood... would help if I had any solid footing in the whole Qt/KDE ecosystem, but I almost exclusively do iOS / Hybrid App development nowadays. Oh well! :) Sorry for the complaints.
Comment 11 Nate Graham 2020-01-28 16:52:52 UTC
*** Bug 178187 has been marked as a duplicate of this bug. ***
Comment 12 Harald Sitter 2020-02-27 11:32:06 UTC
Turns out this is rocket science. The only way to get a list of users known to samba and can be assumed to have a password set is to use pdbedit it seems. That tool has no separate access control so it needs running as a user with suitable access or won't work (i.e. needs an elevated kauth helper to query as root).

Possible design: testparm backend==tdbsam && elevate to check if pdbedit knows about the user. If a different auth backend from tdbsam is used we can't really do much. I am also not sure what exactly happens when the computer is a domain member, but I guess it's best to guard against with testparm security==AUTO|USER

That only gets us as far as knowing if a given user is in the password database. If it is not then further complications await!
smbdpasswd needs either running as the currently authenticated user but then it can only add that user, or as root in which case it can add arbitrary users. So, another kauth helper is needed there since we'll want to also allow other uses access. Trouble is we'd then send passwords over dbus, which I think we'd like to avoid very much :|
I suppose we could also ignore the problem of other users, working under the assumption that they'll have been set up properly already.
Comment 13 Harald Sitter 2020-03-17 14:33:49 UTC
proof of concept https://invent.kde.org/sitter/kdenetwork-filesharing/-/commits/work/smbpasswd

UX needs figuring out
Comment 14 Bug Janitor Service 2020-08-19 13:01:59 UTC
A possibly relevant merge request was started @ https://invent.kde.org/network/kdenetwork-filesharing/-/merge_requests/4
Comment 15 Harald Sitter 2020-08-21 19:14:19 UTC
Git commit d9692b4cd8109bbf459e4a532df93b0b90fabff2 by Harald Sitter.
Committed on 21/08/2020 at 11:43.
Pushed by sitter into branch 'master'.

add smb user management support

this rejiggers the model a bit and splits out user mapping logic into a
usermanager. the usermanager loads all users and models their samba
state. to do this it uses samba's pbedit tool. since this is a database
editor tool actually it needs a kauth helper to carry out the lookups.
this allows modelling of whether a user is enabled in samba or not (an
actual GUI for this is not part of this commit)

in addition to looking up the state this adds a new page for the page
stack for when the current user is not enabled in samba. this is to
prevent users from setting up shares but then not being able to access
them (assuming guest access is not possible - as is the case by default
without a smb.conf enabling support for it)

this new page sports a simple password setting UI that then again turns
to the auth helper for help. the auth helper runs smbpasswd, also a
samba CLI tool, to set a password for the user

all of this is conditional on samba actually having been configured to
use a local pdb instance as authentication database. other options would
be ldap or some such and will likely never be supported because they'd
only be used in corporate/managed environments where the user at hand
wouldn't be able to manage users anyway
FIXED-IN: 20.12

M  +15   -1    samba/filepropertiesplugin/CMakeLists.txt
A  +72   -0    samba/filepropertiesplugin/authhelper.cpp     [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
A  +21   -0    samba/filepropertiesplugin/authhelper.h     [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
M  +8    -47   samba/filepropertiesplugin/model.cpp
M  +4    -3    samba/filepropertiesplugin/model.h
A  +20   -0    samba/filepropertiesplugin/org.kde.filesharing.samba.actions
A  +131  -0    samba/filepropertiesplugin/qml/ChangePassword.qml     [License: LGPL(3+eV) LGPL(v3.0) LGPL(v2.1)]
A  +84   -0    samba/filepropertiesplugin/qml/UserPage.qml     [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
M  +4    -4    samba/filepropertiesplugin/qml/main.qml
M  +2    -0    samba/filepropertiesplugin/qml/qml.qrc
M  +31   -2    samba/filepropertiesplugin/sambausershareplugin.cpp
M  +13   -3    samba/filepropertiesplugin/sambausershareplugin.h
A  +184  -0    samba/filepropertiesplugin/usermanager.cpp     [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
A  +58   -0    samba/filepropertiesplugin/usermanager.h     [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]

https://invent.kde.org/network/kdenetwork-filesharing/commit/d9692b4cd8109bbf459e4a532df93b0b90fabff2
Comment 16 Nate Graham 2020-08-21 19:36:45 UTC
<3 <3