Kerberos support for smbspool

Rodrigo Fernandez-Vizarra Rodrigo.Fernandez-Vizarra at Sun.COM
Tue Apr 5 15:33:58 GMT 2005

Hi Jerry,

I'm using a setenv call to set the value of KRB5CCNAME and now smbspool 
reads the appropriate user kerberos cache, but for some yet unknown 
reason a call to spnego_gen_negTokenTarg fails :-(

#0  spnego_gen_negTokenTarg (principal=0x81782c8 
    time_offset=0, targ=0xbfffd700, session_key_krb5=0xbfffd6f0)
    at clispnego.c:332
#1  0x0806aca6 in cli_session_setup_kerberos (cli=0x8156fe0,
    principal=0x81782c8 "apocad1$@APOC.NODOMAIN.ORG",
    workgroup=0x81145c0 "APOC") at cliconnect.c:536
#2  0x0806b6de in cli_session_setup_spnego (cli=0x8156fe0,
    user=0x80dd233 "rf96881", pass=0x80dd074 "", domain=0x81145c0 "APOC")
    at cliconnect.c:766
#3  0x0806ba9c in cli_session_setup (cli=0x8156fe0, user=0x80dd233 
    pass=0x80dd074 "", passlen=0, ntpass=0x80dd074 "", ntpasslen=0,
    workgroup=0x81145c0 "APOC") at cliconnect.c:859
#4  0x0805db65 in smb_connect (workgroup=0x81145c0 "APOC",
    server=0xbfffdec6 "", port=0,
    share=0xbfffdee0 "LexmarkO", username=0x80dd233 "rf96881",
    password=0x80dd074 "") at smbspool.c:371
#5  0x0805d8e1 in main (argc=6, argv=0xbfffe364) at smbspool.c:216

I think I'm missing something about kerberos, it seems that to point to 
the right cache is not enough because if I run the same code under the 
user who is issuing the print job it works, but If I run it as root it 

The problem can also be reproduced with the following steps
# id -u
# export KRB5CCNAME=/tmp/krb5cc_97881
cdetest24:~ # klist
klist: krb5_cc_get_principal: open(/tmp/krb5cc_97881): Permission denied

of course I have done a kinit with the user rf96881 (uid=97881) before.

Any kerberos expert around?

As a workaround to this problem I'm thinking in switching the efective 
userid during the connection setup to see if in that way everything 
works ok.


Gerald (Jerry) Carter wrote:

> Hash: SHA1
> Rodrigo Fernandez-Vizarra wrote:
> | 1.- If the $DEVICE_URI contains user credentials, they will be used to
> | deliver the print job ( nothing new here)
> | 2.- Else if the kerberos cache for the user contains valid credentials
> | for the REALM they will be used to deliver the print job
> You might want to use a wrapper script to set the KRB5_CCNAME
> environment variable for the user's ticket cache.  Maybe jra
> has a better idea though.
> | 3.- Else the backend will try to deliver the job without credentials
> | (anonymous?) and will probably fail. (nothing new here)
> |
> | So what should be added is the code to get the user credentials and the
> | code to use those credentials to establish the connection with the 
> print
> | server.
> cheers, jerry
> Version: GnuPG v1.2.5 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird -
> iD8DBQFCUWKqIR7qMdg1EfYRAsK7AJ9y29dxbDzZF8ZAD3KHPjrT2WfsswCg1+Fv
> s/BO7hU5RsUr8VJXNNCNmN0=
> =5LeQ

More information about the samba-technical mailing list