[patch] CUPS auth-info-required support in smbspool

James Peach jpeach at apple.com
Wed Jun 11 19:01:10 GMT 2008


On Jun 11, 2008, at 2:21 AM, Tim Waugh wrote:

> On Mon, 2008-04-21 at 11:26 -0700, James Peach wrote:
>> ok, it's these commits:
>>
>> <http://git.samba.org/?p=samba.git;a=commit;h=8c12c5cea01d9b801fe80c2a87b8139c488a62a5>
>> <http://git.samba.org/?p=samba.git;a=commit;h=8eff35bc4acc13807c895af43b52db79ee195cb5>
>
> Hi James,
>
> Thanks for letting me know.  I've tested it out and found that it does
> not work correctly with (at least) Windows Vista when a password is set
> and Kerberos is not in use.  What happens is that the CUPS backend sets
> auth-info-required to 'negotiate' (for Kerberos) even though Kerberos is
> not in use.
>
> This patch fixes it for me, although I have not been able to test it
> with a Kerberos environment.
>
> Tim.
> */
>
> <0001-Fix-smbspool-not-to-assume-kerberos.patch>

Thanks Tim. It seems that we have run into the same problem :)

However, the CAP_EXTENDED_SECURITY bit just means that you have a  
security blob in the negotiate response. Inside the security blob  
there is a list of server supported mechanisms, usually Kerberos and  
NTLMSSP.

Now, libsmbclient will only do Kerberos if use_kerberos is set and the  
Kerberos mech was supported by the server. At the point where we exit  
with an auth error, use_kerberos only means that our last connection  
attempt tried to use Kerberos and failed.

So I think the condition should be:

	if (cli->use_kerberos && cli->got_kerberos_mechanism)

So if we requested kerberos, and the server supported kerberos, and
our connection failed, then we should emit the
"auth-info-required=negotiate" to tell CUPS that there was a problem
with our Kerberos credentials.

We would have to update libsmbclient to somehow propagate the
got_kerberos_mechanism.

James
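
The condition proposed in the message above, as an added example that is not part of the original post and is not Samba or libsmbclient code: it walks the mechanism list inside a SPNEGO security blob and reports "negotiate" only when Kerberos was requested and the server actually listed a Kerberos mechanism. The names `der_enter`, `server_offers_kerberos` and `should_emit_negotiate` are hypothetical, the two blobs are constructed, and the blob is assumed to be an RFC 4178 NegTokenInit inside a GSS-API token.

```c
#include <stdint.h>
#include <string.h>
#define SPNEGO_OID  0x2b,0x06,0x01,0x05,0x05,0x02                 /* 1.3.6.1.5.5.2 */
#define KRB5_OID    0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02  /* 1.2.840.113554.1.2.2 */
#define MS_KRB5_OID 0x2a,0x86,0x48,0x82,0xf7,0x12,0x01,0x02,0x02  /* 1.2.840.48018.1.2.2 */
#define NTLMSSP_OID 0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a
static const uint8_t SPNEGO[] = {SPNEGO_OID}, KRB5[] = {KRB5_OID}, MS_KRB5[] = {MS_KRB5_OID};
/* Constructed NegTokenInit blobs (sample data, not captured from a real server). */
const uint8_t BLOB_KRB_NTLM[] = {0x60,0x27, 0x06,0x06,SPNEGO_OID, 0xa0,0x1d, 0x30,0x1b,
    0xa0,0x19, 0x30,0x17, 0x06,0x09,KRB5_OID, 0x06,0x0a,NTLMSSP_OID};
const uint8_t BLOB_NTLM_ONLY[] = {0x60,0x1c, 0x06,0x06,SPNEGO_OID, 0xa0,0x12, 0x30,0x10,
    0xa0,0x0e, 0x30,0x0c, 0x06,0x0a,NTLMSSP_OID};
/* Hypothetical helper. Enter one DER element: returns its content, narrows *end to it. */
static const uint8_t *der_enter(const uint8_t *p, const uint8_t **end, uint8_t tag)
{
    size_t len, n;
    if (*end - p < 2 || *p++ != tag) return NULL;
    if ((len = *p++) & 0x80) {                   /* long form: n length bytes follow */
        if ((n = len & 0x7f) == 0 || n > 2 || (size_t)(*end - p) < n) return NULL;
        for (len = 0; n > 0; n--) len = (len << 8) | *p++;
    }
    if ((size_t)(*end - p) < len) return NULL;   /* content must fit in the parent */
    *end = p + len;
    return p;
}

/* Hypothetical helper: 1 if the blob's mechTypes list contains a Kerberos OID, else 0. */
int server_offers_kerberos(const uint8_t *p, size_t blob_len)
{
    const uint8_t *end = p + blob_len, *oid_end;
    if (!(p = der_enter(p, &end, 0x60))) return 0;              /* GSS-API token */
    oid_end = end;
    if (!(p = der_enter(p, &oid_end, 0x06)) || (size_t)(oid_end - p) != sizeof(SPNEGO) ||
        memcmp(p, SPNEGO, sizeof(SPNEGO)) != 0) return 0;       /* must be SPNEGO */
    p = oid_end;                /* [0] NegTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE */
    if (!(p = der_enter(p, &end, 0xa0)) || !(p = der_enter(p, &end, 0x30)) ||
        !(p = der_enter(p, &end, 0xa0)) || !(p = der_enter(p, &end, 0x30))) return 0;
    while (p < end) {                                           /* one OID per mech */
        oid_end = end;
        if (!(p = der_enter(p, &oid_end, 0x06))) return 0;
        if (oid_end - p == 9 && (!memcmp(p, KRB5, 9) || !memcmp(p, MS_KRB5, 9))) return 1;
        p = oid_end;
    }
    return 0;
}

/* Condition from the reply; the parse stands in for got_kerberos_mechanism. */
int should_emit_negotiate(int use_kerberos, const uint8_t *blob, size_t len)
{
    return use_kerberos && server_offers_kerberos(blob, len);
}
```

A malformed or truncated blob makes the parse return 0, so the check fails toward not reporting a Kerberos credential problem.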

