Kerberos support for smbspool on Mac OS X 10.4

Terry Brady terrybrady at gmail.com
Tue Jun 14 03:59:37 GMT 2005


Hi all,

it's been reported publicly [1] that Mac OS X 10.4 ("Tiger") has
issues printing to an authenticated SMB print queue. The printing path
is via CUPS and smbspool, and the user just gets
"NT_STATUS_ACCESS_DENIED" displayed in the graphical print monitoring
tools. I've seen this problem myself, and it is especially aggravating
in an Active Directory environment where not only do we get single
sign-on to file and web services, but now Tiger's Printer Setup
Utility will display a complete list of the print queues defined in AD
and even correctly auto-configure the PPD for them.

The only workaround I know of at present is to embed a username and
password into the URI of the queue in printers.conf. Not likely to be
a viable option in most cases.

I had a chat with the Apple printing team and Michael Sweet at WWDC
last week. They suggested I should have a look at the recent work
which has been done on adding Kerberos support to smbspool. So I have,
and it's cool to see it's being worked on, but I have a bad feeling
that it's going to be useless for Mac OS X.

The basic reason is that instead of using file-based ticket caches,
Mac OS X keeps Kerberos credentials in memory [2]. And because of the
way that Mach (on which the Mac OS X kernel is based) partitions
memory, I suspect that standard CUPS backends which run as root cannot
access those tickets. Changing your effective UID is not a sufficient
workaround: you actually have to be launched in the user's context to
get the data.

I was hoping to develop a workaround a bit like the following:
    1. Write a replacement 'smb' backend for CUPS which dumped the
spool file and relevant metadata into a user-specific directory,
possibly inside the user's home or in some subdirectory of /tmp or
/var/spool/.
    2. Set up a LaunchAgent [3] to watch that path.
    3. Use the LaunchAgent to invoke a Kerberized 'smbspool' in the
user's context which would have access to the in-memory ticket cache.
    
Unfortunately the recent patches to smbspool.c seem to be heading in a
rather different direction by explicitly relying on file-based ticket
caches.

Now it may be that somebody more familiar with Kerberos than I will
know a way to dump tickets from the in-memory cache to files which
smbspool can use. But I just wanted to put the situation in front of
the people currently working on the code in the hope that a more
general solution to the Kerberized printing problem might be possible.

Thanks for your time,
Terry


[1] e.g., <http://www.macwindows.com/tiger.html>
[2] <http://www.informit.com/guides/content.asp?g=security&seqNum=38&rl=1>
[3] <http://www.macosxhints.com/comment.php?mode=display&sid=20050517210406483&title=RE%3A+launchd&type=article&order=&pid=58225>
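As an added illustration of step 1 of the workaround sketched above (not code from the post, Samba or CUPS): a minimal replacement CUPS backend, written as a POSIX shell script, that stages the spool file and the job metadata into a per-user directory instead of talking to the print server itself. CUPS calls a backend as `backend job-id user title copies options [file]` with the queue's device URI in `$DEVICE_URI`; everything else here (the `/var/spool/cups-user` root, the `ready` marker, the `meta` file format) is an assumption of this example.

```sh
#!/bin/sh
# Hypothetical staging backend for CUPS (added example, not the post's code).
# CUPS invokes a backend as:
#     backend job-id user title copies options [file]
# and passes the queue's device URI in $DEVICE_URI. When no file argument is
# given, the job data arrives on stdin. (The zero-argument device-discovery
# call CUPS also makes is not handled here.)

# Assumed staging root: one subdirectory per user, which a LaunchAgent running
# in that user's session can watch and drain with a Kerberized smbspool.
STAGE_ROOT="${STAGE_ROOT:-/var/spool/cups-user}"

# stage_job JOBID USER TITLE COPIES OPTIONS [FILE]
# Copies the job into $STAGE_ROOT/USER/JOBID/ next to a metadata file,
# prints the directory written and returns 0; returns 1 on bad input.
stage_job() {
    job_id=$1; user=$2; title=$3; copies=$4; options=$5; file=$6
    # Reject a non-numeric job id or a user name that could escape the root.
    case "$job_id" in ''|*[!0-9]*) return 1 ;; esac
    case "$user" in ''|*/*|.|..) return 1 ;; esac
    dir="$STAGE_ROOT/$user/$job_id"
    mkdir -p "$dir" || return 1
    if [ -n "$file" ]; then
        cp "$file" "$dir/data" || return 1
    else
        cat > "$dir/data" || return 1
    fi
    # Everything the user-context smbspool needs to reissue the job.
    {
        printf 'device_uri=%s\n' "$DEVICE_URI"
        printf 'job_id=%s\n' "$job_id"
        printf 'title=%s\n' "$title"
        printf 'copies=%s\n' "$copies"
        printf 'options=%s\n' "$options"
    } > "$dir/meta" || return 1
    # Create the marker last so a path watcher never sees a half-written job.
    : > "$dir/ready" || return 1
    printf '%s\n' "$dir"
}

# Entry point when CUPS runs this file with backend arguments; when sourced
# with no arguments it only defines stage_job.
if [ $# -ge 5 ]; then
    if stage_job "$@" >/dev/null; then
        exit 0
    fi
    echo "ERROR: could not stage job for user $2" >&2
    exit 1
fi
```

Installed under the CUPS backend directory and named in the queue's device URI, this script only needs root to write into the per-user directory; the part that must hold the user's Kerberos tickets (step 3) would be a separate LaunchAgent whose `WatchPaths` entry points at `$STAGE_ROOT/<user>` and which runs `smbspool` with the values from `meta` inside the user's login session. The `ready` marker exists because a watcher fires on any change in the directory, and should not start spooling a job whose `data` file is still being copied.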