[PATCH] Bug#1780 smbspool can't use kerberos authentication

Rodrigo Fernandez-Vizarra Rodrigo.Fernandez-Vizarra at Sun.COM
Mon May 9 15:23:06 GMT 2005


Gerald (Jerry) Carter wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rodrigo Fernandez-Vizarra wrote:
>
> | Attached you will find two patches.
> |
> | The first one, samba3-smbspool-krb.patch, allows
> | the smbspool cups backend to use the kerberos credentials
> | of the user who issued the print job.
> |
> | The second one does the same but also works on those
> | systems, such as SuSE SLES 9.0, where root processes are
> | not allowed to read the user's kerberos ticket
> | cache (don't know if this is a bug or a feature).
> |
> | Of course, for this patch to work you have to have
> | a kerberos ticket available (kinit, or pam_krb5 configured).
> |
> | It first tries to use the username:password (if any)
> | encoded in the DEVICE_URL; if that fails it tries to use
> | kerberos, and if that fails it tries an anonymous authentication.
> |
> | Any feedback will be welcomed.
>
> Rodrigo,
>
> I'm trying to remember the original discussions
> we had so I can check this patch in.  What was the
> drawback (if any) of using the second patch?

Hi Jerry,

There is not really a drawback (as far as I can tell) with that second
patch other than that sometimes (if kerberos is used) smbspool will
switch users at some time during the execution. Given that smbspool
is not a daemon, I don't see any problem with this, but of course I could
be wrong :-)

Switching users is a workaround for the following problem that I found
with SuSE and Heimdal: You can get a kerberos ticket for a given user,
let's say User1. Then as root you can define KRB5CCNAME to point to the
User1 ticket cache and then use that ticket; in that way root can
impersonate User1.

This last step (defining KRB5CCNAME as root and then using User1's
tickets) is not working in SuSE. I don't know if that's a bug or a
SuSE feature. It does work in Debian and Solaris. I would say it's a bug
but I'm not a security expert to say that. With the setuid this always
works, as the process is owned by the user who issued the print job and
so it's able to read his own ticket cache.

Hope I managed to explain myself.

Best regards,
Rodrigo

>
> - --- smbspool.c.krb5     2005-05-09 08:36:58.857396000 -0500
> +++ smbspool.c.setuid   2005-05-09 08:37:33.095806000 -0500
> @@ -408,6 +408,13 @@
> ~       return NULL;
> ~     }
> ~     free(cache_file);
> +
> +    /*
> +     * Change the UID of the process to be able to read the kerberos
> +     * ticket cache
> +     */
> +    setuid(passwd.pw_uid);
> +
> ~   }
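
Review bot: The added setuid(passwd.pw_uid) call ignores its return value, so if the switch fails the code falls through the closing brace and the backend carries on with its original identity while behaving as if it were the job owner. Check the result and take the same error exit as the block just above (return NULL) when it is non-zero. The hunk also changes only the UID: no setgid() or initgroups() call is visible before it, so the process would keep its original group memberships after the switch, and those can no longer be dropped once the UID has changed. The comment should also say that the change is permanent for the rest of the run, since any later code that expects the original privileges will no longer have them.
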
>
>
>
>
>
> cheers, jerry
> =====================================================================
> Alleviating the pain of Windows(tm)      ------- http://www.samba.org
> GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
> "I never saved anything for the swim back."     Ethan Hawk in Gattaca
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFCf3haIR7qMdg1EfYRAgibAKDTr6Me+fBO20G495igLmI77Zrd6wCfQpKN
> F6RrWJBnu1bof7xfmcxTnC0=
> =oPIX
> -----END PGP SIGNATURE-----
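
The workaround described in the reply above depends on the backend becoming the job owner before it opens the ticket cache. The following is an added example, not code from the patch or from Samba, showing one way to make that switch checked and permanent; the name drop_to_user is hypothetical, and it assumes the caller has already looked up the user's passwd entry.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical helper (not from smbspool.c): permanently become the user
 * described by pw. Returns 0 on success, -1 with errno set on failure.
 * The caller must treat -1 as fatal and never continue as root.
 */
int drop_to_user(const struct passwd *pw)
{
    /* Design choice for this example: never "drop" to root. */
    if (pw == NULL || pw->pw_name == NULL || pw->pw_uid == 0) {
        errno = EINVAL;
        return -1;
    }
    if (geteuid() == 0) {
        /* Groups first: once the UID is dropped they can no longer be changed. */
        if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
        if (setgid(pw->pw_gid) != 0) return -1;
        /* As root, setuid() sets real, effective and saved UID together. */
        if (setuid(pw->pw_uid) != 0) return -1;
    }
    /* Verify the result instead of trusting the calls above. */
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) {
        errno = EPERM;
        return -1;
    }
    if (setuid(0) == 0) {        /* root must not be recoverable */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    struct passwd *pw = (argc > 1) ? getpwnam(argv[1]) : getpwuid(getuid());
    if (drop_to_user(pw) != 0) {
        perror("drop_to_user");
        return 1;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```
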



