Bug 494981

Summary: Kerberos auth doesn't work since libsmbclient 4.21
Product: [Frameworks and Libraries] kio-extras Reporter: Fedor Piecka <piecka>
Component: SambaAssignee: Plasma Bugs List <plasma-bugs>
Status: REPORTED ---    
Severity: normal CC: adnan.akbas, luca.cavana, rpenny, sam, schmidicom, sergiu, sitter
Priority: NOR    
Version First Reported In: 24.08.2   
Target Milestone: ---   
Platform: Arch Linux   
OS: Linux   
See Also: https://bugs.kde.org/show_bug.cgi?id=453090
https://bugzilla.samba.org/show_bug.cgi?id=15789
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Fedor Piecka 2024-10-18 09:26:34 UTC 
SUMMARY


STEPS TO REPRODUCE
1. Get Kerberos TGT (i.e. run kinit)
2. Connect to a smb:// uri in KDE Dolphin, where the server supports Kerberos authentication

OBSERVED RESULT
 
The system asks for credentials (username, domain, password).

EXPECTED RESULT

Kerberos is used for authentication and no password is asked from the user.

SOFTWARE/OS VERSIONS
Linux: 6.11.3-arch1-1
KDE Plasma Version: 6.2.1
KDE Frameworks Version: 6.7.0
Qt Version: 6.8.0, 5.15.15

ADDITIONAL INFORMATION

Kerberos in KIO works when smbclient 4.20.4-1 is installed, but it doesn't work in anything newer (smbclient-2:4.21.*).

smbclient command in terminal correctly authenticates without password using Kerberos in all versions of smbclient. The problem seems to lie in the integration between kio smb worker and libsmbclient.

I tried to read through samba changelog+commit log since samba 4.20. No mentions of relevant changes in changelogs, but there are multiple commits touching Kerberos authentication for clients. Unfortunately, I'm not competent enough to understand the impact on kio smb worker.

I made a packet trace using Wireshark. The Samba server offers both Kerberos and NTLM in it's Negotiate protocol response:

mechTypes: 3 items
    MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
    MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
    MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)

The client then selects NTLMSSP immediately.

I've been used to mount a samba share with a headless script. Please see the output of kio smb worker debug log + pacman installation log:

okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb: auth_initialize_smbc
okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb: Setting debug level to: 0
okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb: Using libsmbclient library version QVersionNumber(4.21.1)
okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb: QUrl("smb://sambaserver.example.org/")
okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb: checkURL  QUrl("smb://sambaserver.example.org/")
okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb: checkURL return3  QUrl("smb://sambaserver.example.org/")
okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb: updateCache  "/"
okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb: QUrl("smb://sambaserver.example.org/")
okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb: checkURL  QUrl("smb://sambaserver.example.org/")
okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb: checkURL return3  QUrl("smb://sambaserver.example.org/")
okt 18 08:52:18 mylaptop kioworker[3795]: kf.kio.workers.smb: updateCache  "/"
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: QUrl("smb://sambaserver.example.org/")
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: checkURL  QUrl("smb://sambaserver.example.org/")
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: checkURL return3  QUrl("smb://sambaserver.example.org/")
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: updateCache  "/"
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: Starting discovery.
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: auth_smbc_get_dat: set user= mysername , workgroup= WORKGROUP  server= sambaserver.example.org , share= IPC$
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: updateCache  "/IPC$"
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: libsmb-auth-callback URL: QUrl("smb://sambaserver.example.org/IPC$")
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: auth_smbc_get_dat: set user= mysername , workgroup= WORKGROUP  server= sambaserver.example.org , share= IPC$
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: updateCache  "/IPC$"
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: libsmb-auth-callback URL: QUrl("smb://sambaserver.example.org/IPC$")
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: open "smb://sambaserver.example.org/" url-type: 2 dirfd: -1 errNum: 22
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: Discovery finished.
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: trying checkPassword
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: checkPassword for  QUrl("smb://sambaserver.example.org/")
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: call openPasswordDialog for  QUrl("smb://sambaserver.example.org/")
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: no value from openPasswordDialog; error: 1
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: user cancelled password request
okt 18 08:52:36 mylaptop kioworker[3795]: kf.kio.workers.smb: errNum 22
okt 18 09:06:15 mylaptop pacman[5240]: Running 'pacman -U https://archive.archlinux.org/packages/s/smbclient/smbclient-4.20.4-1-x86_64.pkg.tar.zst'
okt 18 09:06:16 mylaptop pacman[5240]: transaction started
okt 18 09:06:16 mylaptop pacman[5240]: downgraded smbclient (2:4.21.1-1 -> 4.20.4-1)
okt 18 09:06:16 mylaptop pacman[5240]: transaction completed
okt 18 09:06:16 mylaptop pacman[5240]: running '30-systemd-update.hook'...
okt 18 09:06:16 mylaptop pacman[5240]: running '90-packagekit-refresh.hook'...
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: auth_initialize_smbc
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: Setting debug level to: 0
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: Using libsmbclient library version QVersionNumber(4.20.4)
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: QUrl("smb://sambaserver.example.org/")
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: checkURL  QUrl("smb://sambaserver.example.org/")
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: checkURL return3  QUrl("smb://sambaserver.example.org/")
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: updateCache  "/"
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: Starting discovery.
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: auth_smbc_get_dat: set user= mysername , workgroup= WORKGROUP  server= sambaserver.example.org , share= IPC$
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: updateCache  "/IPC$"
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: libsmb-auth-callback URL: QUrl("smb://sambaserver.example.org/IPC$")
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: auth_smbc_get_dat: set user= mysername , workgroup= WORKGROUP  server= sambaserver.example.org , share= IPC$
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: updateCache  "/IPC$"
okt 18 09:06:26 mylaptop kioworker[5287]: kf.kio.workers.smb: libsmb-auth-callback URL: QUrl("smb://sambaserver.example.org/IPC$")
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: open "smb://sambaserver.example.org/" url-type: 2 dirfd: 10000 errNum: 0
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: smbc_readdir
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: dirent  name: "ebooks" comment: "share1" type: 3
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: smbc_readdir
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: dirent  name: "software" comment: "share2" type: 3
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: smbc_readdir
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: dirent  name: "prevadzka" comment: "share3" type: 3
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: smbc_readdir
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: dirent  name: "projekty" comment: "share4" type: 3
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: smbc_readdir
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: dirent  name: "temporary" comment: "share5" type: 3
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: smbc_readdir
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: dirent  name: "archiv" comment: "share6" type: 3
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: smbc_readdir
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: dirent  name: "IPC$" comment: "IPC Service (sambaserver server)" type: 6
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: SMBC_UNKNOWN : "IPC$"
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: smbc_readdir
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: dirent  name: "mysername" comment: "Home Directories" type: 3
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: smbc_readdir
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: done with smbc
okt 18 09:06:27 mylaptop kioworker[5287]: kf.kio.workers.smb: Discovery finished.




The command generating the logs above:

    dbus-send --session --print-reply --type=method_call --dest=org.kde.KIOFuse /org/kde/KIOFuse org.kde.KIOFuse.VFS.mountUrl "string:smb://sambaserver.example.org/"
Comment 1 Harald Sitter 2024-10-18 12:06:09 UTC 
https://community.kde.org/Guidelines_and_HOWTOs/Debugging/Debugging_IOSlaves/Debugging_kio_smb#Reporting_Bugs

> 1. Get Kerberos TGT (i.e. run kinit)
> 2. Connect to a smb:// uri in KDE Dolphin, where the server supports Kerberos authentication

You seem to be skipping a bunch of steps there ;) notably how to setup the kerberos environment
Comment 2 Fedor Piecka 2024-10-23 12:05:00 UTC 
Please see the debug output as requested:

INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
  ldapsrv: 10
pm_process() returned Yes
lp_servicenumber: couldn't find homes
lp_load_ex: refreshing parameters
Freeing parametrics:
pm_process() returned No
lp_servicenumber: couldn't find homes
Could not append config file: /home/myusername/.smb/smb.conf.append
added interface br0 ip=10.76.2.1 bcast=10.76.2.255 netmask=255.255.255.0
added interface eth0 ip=192.168.205.151 bcast=192.168.205.255 netmask=255.255.255.0
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
  ldapsrv: 10
[     0.000](2847)/(kf.kio.workers.smb) unknown: auth_initialize_smbc
[     0.000](2847)/(kf.kio.workers.smb) unknown: Setting debug level to: 0
[     0.000](2847)/(kf.kio.workers.smb) unknown: Using libsmbclient library version QVersionNumber(4.21.1)
[     0.000](2847)/(kf.kio.workers.smb) unknown: QUrl("smb://sambaserver.example.org/share1")
[     0.000](2847)/(kf.kio.workers.smb) unknown: checkURL  QUrl("smb://sambaserver.example.org/share1")
[     0.000](2847)/(kf.kio.workers.smb) unknown: checkURL return3  QUrl("smb://sambaserver.example.org/share1")
[     0.000](2847)/(kf.kio.workers.smb) unknown: updateCache  "/share1"
[     0.000](2847)/(kf.kio.workers.smb) unknown: Starting discovery.
[     0.000](2847)/(kf.kio.workers.smb) unknown: auth_smbc_get_dat: set user= myusername , workgroup= WORKGROUP  server= sambaserver.example.org , share= share1
[     0.000](2847)/(kf.kio.workers.smb) unknown: updateCache  "/share1"
[     0.000](2847)/(kf.kio.workers.smb) unknown: libsmb-auth-callback URL: QUrl("smb://sambaserver.example.org/share1")
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
  ldapsrv: 10
pm_process() returned Yes
lp_servicenumber: couldn't find homes
lp_load_ex: refreshing parameters
Freeing parametrics:
pm_process() returned No
lp_servicenumber: couldn't find homes
Could not append config file: /home/myusername/.smb/smb.conf.append
added interface br0 ip=10.76.2.1 bcast=10.76.2.255 netmask=255.255.255.0
added interface eth0 ip=192.168.205.151 bcast=192.168.205.255 netmask=255.255.255.0
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
  ldapsrv: 10
[     0.000](2852)/(kf.kio.workers.smb) unknown: auth_initialize_smbc
[     0.000](2852)/(kf.kio.workers.smb) unknown: Setting debug level to: 0
[     0.000](2852)/(kf.kio.workers.smb) unknown: Using libsmbclient library version QVersionNumber(4.21.1)
[     0.001](2852)/(kf.kio.workers.smb) unknown: QUrl("smb://sambaserver.example.org/share1/")
[     0.001](2852)/(kf.kio.workers.smb) unknown: updateCache  "/share1"
[     0.001](2852)/(kf.kio.workers.smb) unknown: auth_smbc_get_dat: set user= myusername , workgroup= WORKGROUP  server= sambaserver.example.org , share= share1
[     0.001](2852)/(kf.kio.workers.smb) unknown: updateCache  "/share1"
[     0.001](2852)/(kf.kio.workers.smb) unknown: libsmb-auth-callback URL: QUrl("smb://sambaserver.example.org/share1")
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
  ldapsrv: 10
pm_process() returned Yes
lp_servicenumber: couldn't find homes
lp_load_ex: refreshing parameters
Freeing parametrics:
pm_process() returned No
lp_servicenumber: couldn't find homes
Could not append config file: /home/myusername/.smb/smb.conf.append
added interface br0 ip=10.76.2.1 bcast=10.76.2.255 netmask=255.255.255.0
added interface eth0 ip=192.168.205.151 bcast=192.168.205.255 netmask=255.255.255.0
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
  ldapsrv: 10
[     0.000](2856)/(kf.kio.workers.smb) unknown: auth_initialize_smbc
[     0.000](2856)/(kf.kio.workers.smb) unknown: Setting debug level to: 0
[     0.000](2856)/(kf.kio.workers.smb) unknown: Using libsmbclient library version QVersionNumber(4.21.1)
[     0.000](2856)/(kf.kio.workers.smb) unknown: QUrl("smb://sambaserver.example.org/share1/")
[     0.000](2856)/(kf.kio.workers.smb) unknown: checkURL  QUrl("smb://sambaserver.example.org/share1/")
[     0.000](2856)/(kf.kio.workers.smb) unknown: checkURL return3  QUrl("smb://sambaserver.example.org/share1/")
[     0.000](2856)/(kf.kio.workers.smb) unknown: updateCache  "/share1"
[     0.000](2856)/(kf.kio.workers.smb) unknown: auth_smbc_get_dat: set user= myusername , workgroup= WORKGROUP  server= sambaserver.example.org , share= share1
[     0.000](2856)/(kf.kio.workers.smb) unknown: updateCache  "/share1"
[     0.000](2856)/(kf.kio.workers.smb) unknown: libsmb-auth-callback URL: QUrl("smb://sambaserver.example.org/share1")
[     0.184](2847)/(kf.kio.workers.smb) unknown: open "smb://sambaserver.example.org/share1" url-type: 3 dirfd: -1 errNum: 22
[     0.184](2847)/(kf.kio.workers.smb) unknown: Discovery finished.
[     0.184](2847)/(kf.kio.workers.smb) unknown: trying checkPassword
[     0.184](2847)/(kf.kio.workers.smb) unknown: checkPassword for  QUrl("smb://sambaserver.example.org/share1")
[     0.186](2847)/(kf.kio.workers.smb) unknown: call openPasswordDialog for  QUrl("smb://sambaserver.example.org/share1")
[     0.122](2856)/(kf.kio.workers.smb) unknown: size  0
[     0.122](2856)/(kf.kio.workers.smb) unknown: stat() error 22 QUrl("smb://sambaserver.example.org/share1/")
[     0.122](2856)/(kf.kio.workers.smb) unknown: updateCache  "/share1"
[     0.122](2856)/(kf.kio.workers.smb) unknown: errNum 22
[     3.710](2847)/(kf.kio.workers.smb) unknown: no value from openPasswordDialog; error: 1
[     3.710](2847)/(kf.kio.workers.smb) unknown: user cancelled password request
[     3.710](2847)/(kf.kio.workers.smb) unknown: errNum 22



File server is Sernet Samba 4.18.11. Active Directory servers are Sernet Samba 4.19.9. Both on Debian 12.7.
Comment 3 Fedor Piecka 2024-10-23 12:08:46 UTC 
Client's /etc/krb5.conf:

[libdefaults]
        default_realm = AD.EXAMPLE.ORG
        dns_lookup_realm = false
        dns_lookup_kdc = false
        rdns=false
[realms]
AD.EXAMPLE.ORG = {
        default_domain = ad.example.org
        admin_server = 192.168.xxxxx
        kdc = 192.168.xxxxx
        kdc = 192.168.yyyyy
}

OTHERDOMAIN = {
        default_domain = otherdomain
        admin_server = 10.xxxxx
        kdc = 10.xxxxx
        kdc = 10.xxxxx
}

[domain_realm]
        .example.org = AD.EXAMPLE.ORG
        .otherdomain = OTHERDOMAIN

[logging]
        kdc = CONSOLE



The client is NOT joined to the domain, only krb5.conf is configured.
Comment 4 Fedor Piecka 2024-10-23 12:12:56 UTC 
smb.conf on client follows. It was shorter at the beginning. I added client use kerberos etc. in hope to workaround the reported kio problem. It hasn't helped.

$ cat /etc/samba/smb.conf 
[global]
client protection = encrypt
client min protocol = SMB3
client smb encrypt = desired
client use kerberos = required
client use spnego = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
show add printer wizard = no
deadtime = 30
use sendfile = yes
min receivefile size = 16384
socket options = IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT SO_RCVBUF=131072 SO_SNDBUF=131072
log level = 10




It doesn't work with the following smb.conf either:

[global]
client protection = encrypt
Comment 5 Harald Sitter 2024-10-23 13:23:23 UTC 
Still missing instructions on how to setup the server side.

I've looked at our code and I really don't see where we would be going wrong. I am rather thinking there's a regression in libsmbclient
Comment 6 Fedor Piecka 2024-10-23 13:48:44 UTC 
(In reply to Harald Sitter from comment #5)
> Still missing instructions on how to setup the server side.
> 
> I've looked at our code and I really don't see where we would be going
> wrong. I am rather thinking there's a regression in libsmbclient

I agree this is possibly a regression in libsmbclient. However, smbclient command works properly. I suspect some change is required in how to use libsmbclient in this case. Unfortunately, I haven't been able to identify any change required.

BTW another Bugzilla user contacted me about this bug report. That means its not only our specific environment's problem.

Our file server's configuration:

[global]
    restrict anonymous = 2
    disable netbios = yes
    smb ports = 445
    smb encrypt = required

    security = ADS
    workgroup = EXAMPLE
    realm = AD.EXAMPLE.ORG

    server string = %h server

    log level = 1 auth_audit:3 auth_json_audit:3
    logging = syslog file

    allow hosts = 127. 10.0.0.0/255.0.0.0
    os level = 60

    create mask = 0774
    directory mask = 0775

    idmap config * : backend = tdb
    idmap config * : range = 1200-2999

    idmap config EXAMPLE:backend = ad
    idmap config EXAMPLE:schema_mode = rfc2307
    idmap config EXAMPLE:range = 3000-9999
    idmap config EXAMPLE:unix_nss_info = yes
    idmap config EXAMPLE:unix_primary_group = yes

    winbind use default domain = yes
    winbind cache time = 30
    winbind expand groups = 10
    winbind enum users = yes
    winbind enum groups = yes

[share1]
   comment = share1
   path = /srv/share1
   read only = no
   public = yes
   writable = yes
   store dos attributes = yes
   map archive = no
   map system = no
   map hidden = no
   map readonly = no
   wide links = no
   map acl inherit = yes
   veto files = /._*/.DS_Store/Thumbs.db/
   delete veto files = yes
   vfs objects = audit


The file server is joined to a domain provided by a different set of Samba servers. I don't think it's important on how those are configured. The file server advertises Kerberos support, but the client doesn't initiate Kerberos auth. It doesn't contact Kerberos KDC at all.
Comment 7 Harald Sitter 2024-10-23 14:08:18 UTC 
Note that smbclient doesn't actually use libsmbclient.
Comment 8 Stefan Schmid 2024-11-04 10:46:47 UTC 
We have exactly the same problem.
Since the update to version 4.21, authentication with Kerberos no longer works on all servers in Dolphin. And no, it's not the servers' fault, because it works with other file managers like Nautilus.

The whole issue reminds me of bug 453090, where everything else was initially blamed before it was admitted that KIO did not handle the return values ​​of libsmbclient correctly.
Comment 9 Harald Sitter 2024-11-04 11:20:38 UTC 
That other issue libsmbclient literally broke compatibility.
Comment 10 Stefan Schmid 2024-11-04 11:31:12 UTC 
(In reply to Harald Sitter from comment #9)
> That other issue libsmbclient literally broke compatibility.

I won't discuss whether it was a bug fix or a compatibility break. It's just very noticeable that once again only Dolphin/KIO has a problem while all other programs work as expected.

If you don't want SMB support, that's OK, then remove it. If not, please do it right.
Comment 11 Harald Sitter 2024-11-04 11:32:12 UTC 
(In reply to Stefan Schmid from comment #10)
> If you don't want SMB support, that's OK, then remove it. If not, please do
> it right.

Feel free to do it better
Comment 12 Luca Cavana 2025-03-09 19:44:35 UTC 
Hello,
I'm experiencing the exact same issue, but on Fedora KDE 41 (which uses libsmbclient 4.21); on Fedora 40 (which uses libsmbclient 4.20) it was running correctly.

Our setup is a Windows AD domain and the file servers being accessed are a mix of Windows Server (2022) and Samba (4.21) machines, all using Kerberos authentication correctly either on the Windows clients (10/11) and on Linux clients (Fedora KDE 40, 41) that are not upgraded to libsmbclient 4.21.
Comment 13 Rowland Penny 2025-03-12 10:56:14 UTC 
I know what is going on here and it isn't a bug.

From Samba 4.21.0 security was increased, requiring that the kerberos ticket is owned by the Principal, this probably means that the computer must be domain joined and a domain user logged in.

What is happening now:

In the following scenario, the Samba server (what dolphin is connecting to) is called 'workstation' and is joined to an AD domain which has the workgroup name 'SAMDOM'.
There is a domain user called 'fred' who has a shared home directory on 'workstation'.

The client is a non domain joined computer with the default workgroup of 'WORKGROUP'.
The local user is called 'george' (it could also be called 'fred', but it will never be the same user as the domain user 'fred').

if you install krb5-user on the client and configure /etc/krb5.conf correctly, you can run 'kinit fred' and get a kerberos ticket in /tmp. The problem is that while the Principal in the ticket will be the domain 'SAMDOM' user 'fred' but the ticket will belong to the local user 'george', who is in the workgroup 'WORKGROUP'.

If you set up debugging correctly, amid the output you will find these two lines.

cli_session_setup_spnego_send: Connect to workstation as george@WORKGROUP using SPNEGO

gensec_gse_client_start: Not using kerberos to cifs/workstation as WORKGROUP\george: NT_STATUS_INVALID_PARAMETER

It is trying to use what appears to be a valid kerberos ticket, but is announcing itself as 'george' from 'WORKGROUP', Samba will now not allow this, for one thing, there will never be a  'cifs/workstation' SPN.

Because kerberos fails, it drops to NTLM and you get prompted for a username & password.

If you correctly domain join the computer and log in as 'SAMDOM\fred', it will work again

If you examine the kerberos ticket 

Ticket cache: FILE:/tmp/krb5cc_11104
Default principal: fred@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
11/03/25 14:48:37  12/03/25 00:48:37  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
	renew until 12/03/25 14:48:37
11/03/25 14:48:37  12/03/25 00:48:37  WORKSTATION$@SAMDOM.EXAMPLE.COM
	renew until 12/03/25 14:48:37

You can see that the Principal is 'fred', the ticket name ends with the Unix ID for 'fred' and if you run 'ls -l /tmp/krb5cc_11104', you will find that the owner is 'fred' and only 'fred' can read and write to the ticket.

Hopes this helps
Comment 14 adnan.akbas 2025-03-12 12:19:06 UTC 
After the 4.21 update, "use-kerberos=desired" stopped working and NTLM is now forced. Since kioclient is affected by this bug and there is no way to change the default settings, it fails.

    # FAILS:
    smbclient -d10 --use-kerberos=desired -c 'dir' //SERVER/SHARE

    # WORKS:
    smbclient -d10 --use-kerberos=required -c 'dir' //SERVER/SHARE

Here is a good explanation of what is going on and  the attached patch fixes the problem:

https://bugzilla.samba.org/show_bug.cgi?id=15789
Comment 15 Sergiu Bivol 2025-08-30 00:15:41 UTC 
(In reply to adnan.akbas from comment #14)
> Here is a good explanation of what is going on and  the attached patch fixes
> the problem:
> https://bugzilla.samba.org/show_bug.cgi?id=15789

I have rebuilt Samba with that patch on Kubuntu 25.04 and it has indeed fixed the issue, now Dolphin opens Samba shares on domain joined computers without asking for a password.

(In reply to Harald Sitter from comment #5)
> Still missing instructions on how to setup the server side.

Would providing these instructions still be useful? If so, I can provide them.
 
> I've looked at our code and I really don't see where we would be going
> wrong. I am rather thinking there's a regression in libsmbclient

While the regression seems to be in Samba, other file managers are authenticating just fine on the same machine even without applying the patch above.
Works: Thunar, PCManFM, PCManFM-Qt
Asks for credentials: Dolphin, Krusader (anything using KIO)