[PATCH] Bug#1780 smbspool can't use kerberos authentication
Rodrigo Fernandez-Vizarra
Rodrigo.Fernandez-Vizarra at Sun.COM
Mon May 9 15:23:06 GMT 2005
Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rodrigo Fernandez-Vizarra wrote:
>
> | Attached you will find two patches.
> |
> | The first one samba3-smbspool-krb.patch allows
> | the smbspool cups backend to use the kerberos credentials
> | of the user who issued the print job.
> |
> | The second one does the same but also works in those
> | systems, as SuSE SLES 9.0 where root processes are
> | not allowed to read user kerberos ticket
> | cache (don't know if this is a bug or a feature).
> |
> | Of course, for this patch to work you have to have
> | a kerberos ticket available ( kinit, or pam_krb5 configured).
> |
> | It first try to use the username:password (if any )
> | encoded in the DEVICE_URL, if it fails it tries to use
> | kerberos, if that fails tries an anonymous authentication.
> |
> | Any feedback will be welcomed.
>
> Rodrigo,
>
> I'm trying to remember the original discussions
> we had so I can check this patch in. What was the
> drawback (if any) of using the second patch?
Hi Jerry,
There is not really a drawback (as far as I can tell) with that second
patch other that sometimes (if kerberos is used) the smbspool will
switch the users at some time during the execution. Given that smspool
is not a daemon I don't see any problem with this, but of course I could
be wrong :-)
Switching users is a workaround for the following problem that I found
with SuSE and Heimdal: You can get a kerberos ticket for a given user,
let say User1. Then as root you can define KRB5CCNAME to point to the
User1 ticket cache and then use that ticket, in that way root can
impersonate user1.
This last step (defining KRB5CCNAME as root and then using User1
tickets) is not working in SuSE. That I don't know if it's a bug or a
SuSE feature. It does work in Debian an Solaris. I would say it's a bug
but I'm not a security expert to say that. With the setuid this always
works as the process is owned by the user who issued the print job and
so it's able to read his own ticket cache.
Hope I managed to explain myself
Best regards,
Rodrigo
>
> - --- smbspool.c.krb5 2005-05-09 08:36:58.857396000 -0500
> +++ smbspool.c.setuid 2005-05-09 08:37:33.095806000 -0500
> @@ -408,6 +408,13 @@
> ~ return NULL;
> ~ }
> ~ free(cache_file);
> +
> + /*
> + * Change the UID of the process to be able to read the kerberos
> + * ticket cache
> + */
> + setuid(passwd.pw_uid);
> +
> ~ }
>
>
>
>
>
> cheers, jerry
> =====================================================================
> Alleviating the pain of Windows(tm) ------- http://www.samba.org
> GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
> "I never saved anything for the swim back." Ethan Hawk in Gattaca
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFCf3haIR7qMdg1EfYRAgibAKDTr6Me+fBO20G495igLmI77Zrd6wCfQpKN
> F6RrWJBnu1bof7xfmcxTnC0=
> =oPIX
> -----END PGP SIGNATURE-----
More information about the samba-technical
mailing list