Kerberos support for smbspool
Rodrigo Fernandez-Vizarra
Rodrigo.Fernandez-Vizarra at Sun.COM
Tue Apr 5 15:33:58 GMT 2005
Hi Jerry,

I'm using a setenv call to set the value of KRB5CCNAME, and now smbspool
reads the appropriate user's Kerberos cache, but for some as yet unknown
reason a call to spnego_gen_negTokenTarg fails :-(

#0 spnego_gen_negTokenTarg (principal=0x81782c8
"apocad1$@APOC.NODOMAIN.ORG",
time_offset=0, targ=0xbfffd700, session_key_krb5=0xbfffd6f0)
at clispnego.c:332
#1 0x0806aca6 in cli_session_setup_kerberos (cli=0x8156fe0,
principal=0x81782c8 "apocad1$@APOC.NODOMAIN.ORG",
workgroup=0x81145c0 "APOC") at cliconnect.c:536
#2 0x0806b6de in cli_session_setup_spnego (cli=0x8156fe0,
user=0x80dd233 "rf96881", pass=0x80dd074 "", domain=0x81145c0 "APOC")
at cliconnect.c:766
#3 0x0806ba9c in cli_session_setup (cli=0x8156fe0, user=0x80dd233
"rf96881",
pass=0x80dd074 "", passlen=0, ntpass=0x80dd074 "", ntpasslen=0,
workgroup=0x81145c0 "APOC") at cliconnect.c:859
#4 0x0805db65 in smb_connect (workgroup=0x81145c0 "APOC",
server=0xbfffdec6 "apocad1.apoc.nodomain.org", port=0,
share=0xbfffdee0 "LexmarkO", username=0x80dd233 "rf96881",
password=0x80dd074 "") at smbspool.c:371
#5 0x0805d8e1 in main (argc=6, argv=0xbfffe364) at smbspool.c:216

I think I'm missing something about Kerberos: it seems that pointing to
the right cache is not enough, because if I run the same code under the
user who is issuing the print job it works, but if I run it as root it
fails.

The problem can also be reproduced with the following steps:

# id -u
0
# export KRB5CCNAME=/tmp/krb5cc_97881
cdetest24:~ # klist
klist: krb5_cc_get_principal: open(/tmp/krb5cc_97881): Permission denied

Of course I have done a kinit with the user rf96881 (uid=97881) before.
Any Kerberos expert around?

As a workaround to this problem I'm thinking of switching the effective
user ID during the connection setup to see if in that way everything
works OK.

Regards,
Rodrigo

Gerald (Jerry) Carter wrote:
> Rodrigo Fernandez-Vizarra wrote:
>
> | 1.- If the $DEVICE_URI contains user credentials, they will be used to
> | deliver the print job ( nothing new here)
> | 2.- Else if the kerberos cache for the user contains valid credentials
> | for the REALM they will be used to deliver the print job
>
> You might want to use a wrapper script to set the KRB5_CCNAME
> environment variable for the user's ticket cache. Maybe jra
> has a better idea though.
>
> | 3.- Else the backend will try to deliver the job without credentials
> | (anonymous?) and will probably fail. (nothing new here)
> |
> | So what should be added is the code to get the user credentials and the
> | code to use those credentials to establish the connection with the
> | print server.
>
> cheers, jerry
More information about the samba-technical
mailing list
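
The workaround mentioned in the message above (switching the effective user ID only for the connection setup) could look like the following. This is an added example, not part of the original message and not Samba code: `with_user_ccache` and `probe_cb` are hypothetical names, and the callback stands in for the session setup call.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example, not Samba code: with_user_ccache() and probe_cb() are
 * hypothetical names. Supplementary groups are left unchanged here. */
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*connect_fn)(void *arg);

/* Run fn() with the job owner's effective uid/gid and KRB5CCNAME set to
 * that user's cache, then restore the caller's identity and environment.
 * Returns fn()'s result, or -1 if the switch could not be made. */
int with_user_ccache(uid_t uid, gid_t gid, const char *ccache,
                     connect_fn fn, void *arg)
{
    uid_t old_uid = geteuid();
    gid_t old_gid = getegid();
    const char *prev = getenv("KRB5CCNAME");
    char *saved = prev ? strdup(prev) : NULL;
    int rc = -1;
    if (prev && !saved)
        return -1;
    /* Group first: once euid is non-root, setegid() to another group fails. */
    if (setegid(gid) != 0)
        goto out;
    if (seteuid(uid) != 0)
        goto restore_gid;
    if (setenv("KRB5CCNAME", ccache, 1) == 0)
        rc = fn(arg);           /* the cache file is opened as the user */
    /* Restore in reverse order; abort rather than run half-switched. */
    if (seteuid(old_uid) != 0)
        abort();
restore_gid:
    if (setegid(old_gid) != 0)
        abort();
out:
    if (saved)
        setenv("KRB5CCNAME", saved, 1);
    else
        unsetenv("KRB5CCNAME");
    free(saved);
    return rc;
}

/* Stand-in for the SMB session setup: returns 1 if it sees the expected cache. */
int probe_cb(void *arg)
{
    const char *cc = getenv("KRB5CCNAME");
    return cc != NULL && strcmp(cc, (const char *)arg) == 0;
}
```

Because `seteuid()` leaves the saved set-user-ID untouched, a backend started as root can return to root after the callback; the cache path and uid would come from the print job's owner.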