[SCM] Samba Shared Repository - branch master updated
Günther Deschner
gd at samba.org
Mon Dec 9 14:19:02 UTC 2019
The branch, master has been updated
via 67f455c3d57 s3:smbspool: Leave early if we print as root
via c95d32f685d s3:smbspool: print a hint about smbspool_krb5_wrapper
via 58a90358e2e s3:smbspool_krb5_wrapper: ignore unknown values of AUTH_INFO_REQUIRED
via 6201b30421f s3:smbspool_krb5_wrapper: Map AUTH_INFO_REQUIRED=none to anonymous
via 1b42ccfc23e s3:smbspool: Map AUTH_INFO_REQUIRED=none to anonymous connection
from 8987d7eef4f s3:selfest: Do not print the env twice
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 67f455c3d576a0bc3174fd10cf4f3244621b6b13
Author: Andreas Schneider <asn at samba.org>
Date: Fri Nov 29 08:28:28 2019 +0100
s3:smbspool: Leave early if we print as root
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Mon Dec 9 14:18:11 UTC 2019 on sn-devel-184
commit c95d32f685d989c91e62a734229d2bd241291315
Author: Mikhail Novosyolov <m.novosyolov at rosalinux.ru>
Date: Sun Nov 3 01:47:51 2019 +0300
s3:smbspool: print a hint about smbspool_krb5_wrapper
When I first ran into the situation where the Kerberos credentials cache of the
root user was looked up instead of that of the printing task's creator,
it took a long time to understand that smbspool_krb5_wrapper resolves this.
Signed-off-by: Mikhail Novosyolov <m.novosyolov at rosalinux.ru>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 58a90358e2e8ff70c65eb49a21d00c5ce775ba54
Author: Mikhail Novosyolov <m.novosyolov at rosalinux.ru>
Date: Sun Nov 3 01:28:13 2019 +0300
s3:smbspool_krb5_wrapper: ignore unknown values of AUTH_INFO_REQUIRED
To make smbspool_krb5_wrapper usable as a default destination for symlink
/usr/lib/cups/backend/smb in Linux distros, it has to be well-prepared
for any possible values of AUTH_INFO_REQUIRED set by cupsd and correctly
pass printing tasks to smbspool if it sees that Kerberos authentication
is not needed.
Discussed here: https://lists.samba.org/archive/samba-technical/2019-October/134470.html
Signed-off-by: Mikhail Novosyolov <m.novosyolov at rosalinux.ru>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 6201b30421f616ec3f118321fd2998435792a4cc
Author: Andreas Schneider <asn at samba.org>
Date: Mon Oct 28 09:38:08 2019 +0100
s3:smbspool_krb5_wrapper: Map AUTH_INFO_REQUIRED=none to anonymous
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 1b42ccfc23eaa8f5b007928bc8bb65b944359f36
Author: Andreas Schneider <asn at samba.org>
Date: Mon Oct 28 09:35:34 2019 +0100
s3:smbspool: Map AUTH_INFO_REQUIRED=none to anonymous connection
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
-----------------------------------------------------------------------
Summary of changes:
selftest/target/Samba4.pm | 3 ++
source3/client/smbspool.c | 13 ++++++---
source3/client/smbspool_krb5_wrapper.c | 53 +++++++++++++++++++++++++++-------
source3/script/tests/test_smbspool.sh | 37 ++++++++++++++++++++----
4 files changed, 85 insertions(+), 21 deletions(-)
Changeset truncated at 500 lines:
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 1310e2ff09f..23dafba1574 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1845,6 +1845,9 @@ sub provision_ad_dc($$$$$$)
copy = print1
[print3]
copy = print1
+[print4]
+ copy = print1
+ guest ok = yes
[lp]
copy = print1
";
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 36f7f67ca94..5e2d230ab8b 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -287,7 +287,7 @@ main(int argc, /* I - Number of command-line arguments */
auth_info_required = getenv("AUTH_INFO_REQUIRED");
if (auth_info_required == NULL) {
- auth_info_required = "none";
+ auth_info_required = "samba";
}
/*
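Review bot: The new default `"samba"` on the added line is not one of the CUPS auth-info-required values (the wrapper comment in this same push lists none, username,password and negotiate), so it reads as an internal marker for "variable not set" and deserves a comment saying so. Without one, a reader cannot tell that an explicit `none` from cupsd and an unset variable now take different paths in smb_connect. Something like `/* Internal value, not from CUPS: AUTH_INFO_REQUIRED was not set, keep the previous fallback behaviour */` above the assignment would do. main's body starts and ends outside the hunk.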
@@ -699,8 +699,8 @@ smb_connect(struct cli_state **output_cli,
if (strcmp(auth_info_required, "negotiate") == 0) {
if (!kerberos_ccache_is_valid()) {
fprintf(stderr,
- "ERROR: No valid Kerberos credential cache "
- "found!\n");
+ "ERROR: No valid Kerberos credential cache found! "
+ "Using smbspool_krb5_wrapper may help.\n");
return NT_STATUS_LOGON_FAILURE;
}
user = jobusername;
@@ -718,7 +718,9 @@ smb_connect(struct cli_state **output_cli,
fprintf(stderr,
"DEBUG: Try to connect using username/password ...\n");
- } else {
+ } else if (strcmp(auth_info_required, "none") == 0) {
+ goto anonymous;
+ } else if (strcmp(auth_info_required, "samba") == 0) {
if (username != NULL) {
flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
} else if (kerberos_ccache_is_valid()) {
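Review bot: Neither of the new branches writes anything to stderr: the `none` branch here jumps straight to `anonymous`, and the final `else` added in the next hunk returns NT_STATUS_ACCESS_DENIED with no message, while the neighbouring branches each print a DEBUG or ERROR line. The `none` branch also ignores a non-NULL `username` without saying so, and an unrecognised AUTH_INFO_REQUIRED is a configuration problem an administrator will want to see in the CUPS error log. I would add `fprintf(stderr, "DEBUG: AUTH_INFO_REQUIRED=none, connecting anonymously\n");` before the goto and `fprintf(stderr, "ERROR: Unsupported AUTH_INFO_REQUIRED value\n");` before the return. smb_connect starts and ends outside these hunks, so what runs after the `anonymous` label is only partly visible.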
@@ -731,6 +733,8 @@ smb_connect(struct cli_state **output_cli,
"DEBUG: This backend requires credentials!\n");
return NT_STATUS_ACCESS_DENIED;
}
+ } else {
+ return NT_STATUS_ACCESS_DENIED;
}
nt_status = smb_complete_connection(&cli,
@@ -780,6 +784,7 @@ smb_connect(struct cli_state **output_cli,
* last try. Use anonymous authentication
*/
+anonymous:
nt_status = smb_complete_connection(&cli,
myname,
server,
diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
index bff1df417e8..6a3e444f480 100644
--- a/source3/client/smbspool_krb5_wrapper.c
+++ b/source3/client/smbspool_krb5_wrapper.c
@@ -145,36 +145,62 @@ int main(int argc, char *argv[])
snprintf(device_uri, sizeof(device_uri), "%s", env);
}
- /* Check if AuthInfoRequired is set to negotiate */
+ /* We must handle the following values of AUTH_INFO_REQUIRED:
+ * none: Anonymous/guest printing
+ * username,password: A username (of the form "username" or "DOMAIN\username")
+ * and password are required
+ * negotiate: Kerberos authentication
+ * NULL (not set): will never happen when called from cupsd
+ * https://www.cups.org/doc/spec-ipp.html#auth-info-required
+ * https://github.com/apple/cups/issues/5674
+ */
env = getenv("AUTH_INFO_REQUIRED");
/* If not set, then just call smbspool. */
if (env == NULL || env[0] == 0) {
CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
- "execute smbspool");
+ "executing smbspool");
+ /* Pass this printing task to smbspool without Kerberos auth */
goto smbspool;
} else {
CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED=%s", env);
- snprintf(auth_info_required,
- sizeof(auth_info_required),
- "%s",
- env);
+ /* First test the value of AUTH_INFO_REQUIRED
+ * against known possible values
+ */
+ cmp = strcmp(env, "none");
+ if (cmp == 0) {
+ CUPS_SMB_DEBUG("Authenticate using none (anonymous) - "
+ "executing smbspool");
+ goto smbspool;
+ }
cmp = strcmp(env, "username,password");
if (cmp == 0) {
CUPS_SMB_DEBUG("Authenticate using username/password - "
- "execute smbspool");
+ "executing smbspool");
goto smbspool;
}
- /* if AUTH_INFO_REQUIRED=none */
+ /* Now, if 'goto smbspool' still has not happened,
+ * there are only two variants left:
+ * 1) AUTH_INFO_REQUIRED is "negotiate" and then
+ * we have to continue working
+ * 2) or it is something not known to us, then Kerberos
+ * authentication is not required, so just also pass
+ * this task to smbspool
+ */
cmp = strcmp(env, "negotiate");
if (cmp != 0) {
- CUPS_SMB_ERROR("Authentication unsupported");
- fprintf(stderr, "ATTR: auth-info-required=negotiate\n");
- return CUPS_BACKEND_AUTH_REQUIRED;
+ CUPS_SMB_DEBUG("Value of AUTH_INFO_REQUIRED is not known "
+ "to smbspool_krb5_wrapper, executing smbspool");
+ goto smbspool;
}
+
+ snprintf(auth_info_required,
+ sizeof(auth_info_required),
+ "%s",
+ env);
}
uid = getuid();
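Review bot: With the `negotiate` mismatch branch now doing `goto smbspool`, the wrapper no longer refuses any AUTH_INFO_REQUIRED value itself and relies on smbspool to reject unknown ones, but the new comment only says that Kerberos is not required. The smbspool.c change in this push adds that rejection (the final `else` returning NT_STATUS_ACCESS_DENIED), so the two files have to ship together; judging by the removed `} else {` there, a smbspool without that branch would take the credential fallback path for an unknown value. I would state the dependency in the comment, e.g. `* 2) or it is unknown to us; rejecting it is left to smbspool, which must refuse unsupported values`. The `smbspool` label and the code after `uid = getuid();` are outside the hunk, so the privileges the exec runs with cannot be checked from here.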
@@ -208,6 +234,11 @@ int main(int argc, char *argv[])
}
uid = (uid_t)tmp;
+ /* If we are printing as the root user, we're done here. */
+ if (uid == 0) {
+ goto smbspool;
+ }
+
pwd = getpwuid(uid);
if (pwd == NULL) {
CUPS_SMB_ERROR("Failed to find system user: %u - %s",
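Review bot: The `uid == 0` shortcut is the only `goto smbspool` visible in this diff that emits no CUPS_SMB_DEBUG line, and its comment does not say why root is "done here". This point appears to be reached only on the `negotiate` path, so it looks as if smbspool then runs without the per-user lookup that follows (`getpwuid`) and with whatever credential cache root has, which is worth stating. Suggest `CUPS_SMB_DEBUG("Printing as root (uid 0) - executing smbspool");` before the goto and a comment such as `/* root: no user switch needed, hand the job over to smbspool */`, after confirming that against the code below. Where `tmp` comes from and the rest of main are outside the hunk.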
diff --git a/source3/script/tests/test_smbspool.sh b/source3/script/tests/test_smbspool.sh
index 7ba03f01fc7..ae4ac989e55 100755
--- a/source3/script/tests/test_smbspool.sh
+++ b/source3/script/tests/test_smbspool.sh
@@ -48,7 +48,7 @@ test_smbspool_noargs()
test_smbspool_authinforequired_none()
{
- cmd='$samba_smbspool_krb5 smb://$SERVER_IP/print1 200 $USERNAME "Testprint" 1 "options" $SRCDIR/testdata/printing/example.ps 2>&1'
+ cmd='$samba_smbspool_krb5 smb://$SERVER_IP/print4 200 $USERNAME "Testprint" 1 "options" $SRCDIR/testdata/printing/example.ps 2>&1'
AUTH_INFO_REQUIRED="none"
export AUTH_INFO_REQUIRED
@@ -60,14 +60,35 @@ test_smbspool_authinforequired_none()
if [ $ret != 0 ]; then
echo "$out"
echo "failed to execute $smbspool_krb5"
+ return 1
fi
- echo "$out" | grep 'ATTR: auth-info-required=negotiate'
+ return 0
+}
+
+test_smbspool_authinforequired_unknown()
+{
+ cmd='$samba_smbspool_krb5 smb://$SERVER_IP/print4 200 $USERNAME "Testprint" 1 "options" $SRCDIR/testdata/printing/example.ps 2>&1'
+
+ # smbspool_krb5_wrapper must ignore AUTH_INFO_REQUIRED unknown to him and pass the task to smbspool
+ # smbspool must fail with NT_STATUS_ACCESS_DENIED (22)
+ # "jjf4wgmsbc0" is just a random string
+ AUTH_INFO_REQUIRED="jjf4wgmsbc0"
+ export AUTH_INFO_REQUIRED
+ eval echo "$cmd"
+ out=$(eval $cmd)
ret=$?
- if [ $ret != 0 ] ; then
- echo "$out"
- return 1
- fi
+ unset AUTH_INFO_REQUIRED
+
+ case "$ret" in
+ 2 ) return 0 ;;
+ * )
+ echo "ret=$ret"
+ echo "$out"
+ echo "failed to test $smbspool_krb5 against unknown value of AUTH_INFO_REQUIRED"
+ return 1
+ ;;
+ esac
}
#
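Review bot: The comment in test_smbspool_authinforequired_unknown says smbspool must fail with NT_STATUS_ACCESS_DENIED (22), but the `case` accepts exit status 2, so the number in the comment does not match what is tested. Presumably 2 is the backend exit code that smbspool maps the status to (the removed wrapper code returned CUPS_BACKEND_AUTH_REQUIRED); the comment should say that, e.g. `# smbspool maps NT_STATUS_ACCESS_DENIED to exit status 2`, once confirmed. The failure message also expands `$smbspool_krb5` while the command uses `$samba_smbspool_krb5`; unless the former is set outside this hunk it prints empty, so `echo "failed to test $samba_smbspool_krb5 against unknown value of AUTH_INFO_REQUIRED"` is the safer form. The `none` test now checks only the exit status and no longer inspects the output.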
@@ -191,6 +212,10 @@ testit "smbspool_krb5_wrapper AuthInfoRequired=none" \
test_smbspool_authinforequired_none || \
failed=$(expr $failed + 1)
+testit "smbspool_krb5_wrapper AuthInfoRequired=(sth unknown)" \
+ test_smbspool_authinforequired_unknown || \
+ failed=$(expr $failed + 1)
+
testit "smbspool print example.ps" \
$samba_smbspool smb://$USERNAME:$PASSWORD@$SERVER_IP/print1 200 $USERNAME "Testprint" 1 "options" $SRCDIR/testdata/printing/example.ps || \
failed=$(expr $failed + 1)
--
Samba Shared Repository