[patch] CUPS auth-info-required support in smbspool
James Peach
jpeach at apple.com
Wed Jun 11 19:01:10 GMT 2008
On Jun 11, 2008, at 2:21 AM, Tim Waugh wrote:
> On Mon, 2008-04-21 at 11:26 -0700, James Peach wrote:
>> ok, it's these commits:
>>
>> <http://git.samba.org/?p=samba.git;a=commit;h=8c12c5cea01d9b801fe80c2a87b8139c488a62a5
>>>
>> <http://git.samba.org/?p=samba.git;a=commit;h=8eff35bc4acc13807c895af43b52db79ee195cb5
>>>
>
> Hi James,
>
> Thanks for letting me know. I've tested it out and found that it does
> not work correctly with (at least) Windows Vista when a password is
> set
> and Kerberos is not in use. What happens is that the CUPS backend
> sets
> auth-info-required to 'negotiate' (for Kerberos) even though
> Kerberos is
> not in use.
>
> This patch fixes it for me, although I have not been able to test it
> with a Kerberos environment.
>
> Tim.
> */
>
> <0001-Fix-smbspool-not-to-assume-kerberos.patch>
Thanks Tim. It seems that we have run into the same problem :)
However, the CAP_EXTENDED_SECURITY bit just means that you have a
security blob in the negotiate response. Inside the security blob
there is a list of server supported mechanisms, usually Kerberos and
NTLMSSP.
Now, libsmbclient will only do Kerberos if use_kerberos is set and the
Kerberos mech was supported by the server. At the point where we exit
with an auth error, use_kerberos only means that our last connection
attempt tried to use Kerberos and failed.
So I think the condition should be:
if (cli->use_kerberos && cli->got_kerberos_mechanism)
So if we requested kerberos, and the server supported kerberos, and
our connection failed, then we should emit the "auth-info-
required=negotiate" to tell CUPS that there was a problem with our
Kerberos credentials.
We would have to update libsmbclient to somehow propagate the
got_kerberos_mechanism somehow.
James
More information about the samba-technical
mailing list