Automating usage of smbspool_krb5_wrapper

Andreas Schneider asn at samba.org
Fri Dec 6 06:56:32 UTC 2019


On Friday, 6 December 2019 07:36:50 CET Mikhail Novosyolov wrote:
> 06.12.2019 09:30, Andreas Schneider wrote:
> > On Thursday, 5 December 2019 22:27:59 CET Mikhail Novosyolov wrote:
> >> 26.11.2019 19:20, Andreas Schneider wrote:
> >>> On Tuesday, 26 November 2019 00:49:08 CET Mikhail Novosyolov via samba-
> >>> 
> >>>> I have tested those 4 patches (2 yours, Andreas, and 2 mine that I sent
> >>>> here previously). Behaviour of /usr/lib/cups/backend/smb symlinked to
> >>>> patched smbspool_krb5_wrapper seems to be correct: it passes printing
> >>>> tasks from printers without "AuthInfoRequired negotiate" directly to
> >>>> smbspool and correctly finds /tmp/krb5cc_$UID for printers with
> >>>> "AuthInfoRequired negotiate", where UID is a local ID of a domain user.
> >>>> I clearly see this in /var/log/cups/error_log when it is "LogLevel
> >>>> debug2" in /etc/cups/cupsd.conf.
> >>>> 
> >>>> So, these patches are ready to be merged, I think.
> >>> 
> >>> I'm not able to apply your patches. Could you please send patches
> >>> created with 'git format-patch' or point me to a git repo where I
> >>> could pick them?
> >> 
> >> Hello Andreas,
> >> I have recently read how it is recommended to send patches to Linux
> >> kernel and it is recommended to send them as plain text, not as
> >> attachments, so I'm resending them as plain text emails in the
> >> following emails.
> > 
> > For samba we prefer one attachment as a patchset or a merge request.
> 
> Ok, thanks.
> 
> > I opened one here:
> > 
> > https://gitlab.com/samba-team/samba/merge_requests/961
> 
> Why are you sure that the root user cannot print using Kerberos
> authorization? There should be no problem to get a kerberos ticket from
> root and sometimes it can be needed, for example if system-config-printer
> GTK+ GUI is run from root via consolekit or if a crappy proprietary
> application works from root and requires printing.

If we are root and have a valid kerberos ticket and we want to print a doc, 
there is no need to do any uid changing and trying to find the credential 
cache. We should just call smbspool directly.

Remember: smbspool_krb5_wrapper is there to switch to the uid of the user 
printing the document, so that we get access to the krb5 credential cache. If 
we're already root:

a) we already are the right user
b) we have access to the krb5 credential cache

-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
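
The decision described in this message, written out as an added example. It is not taken from Samba's smbspool_krb5_wrapper source or from the patches in this thread. The names decide, ccache_path, ccache_ok and drop_to are hypothetical, and the owner/mode check on the cache file is an assumed hardening step, not something the thread states.

```c
/* Added example: NOT Samba's smbspool_krb5_wrapper source. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum action { EXEC_SMBSPOOL_DIRECT, SWITCH_UID_THEN_EXEC };

/* auth_info: the printer's AuthInfoRequired value (NULL if unset).
 * job_uid:   local uid of the user who submitted the job. */
enum action decide(const char *auth_info, uid_t job_uid)
{
    if (auth_info == NULL || strcmp(auth_info, "negotiate") != 0)
        return EXEC_SMBSPOOL_DIRECT;  /* printer does not use Kerberos */
    if (job_uid == 0)
        return EXEC_SMBSPOOL_DIRECT;  /* root: right user, cache readable */
    return SWITCH_UID_THEN_EXEC;
}

/* Build the cache path the thread mentions: /tmp/krb5cc_$UID. */
int ccache_path(char *buf, size_t len, uid_t uid)
{
    int n = snprintf(buf, len, "/tmp/krb5cc_%lu", (unsigned long)uid);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Accept only a regular file owned by uid with no group/other access.
 * lstat() is used so a symlink placed in /tmp is rejected, not followed. */
int ccache_ok(const char *path, uid_t uid)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    return st.st_uid == uid && (st.st_mode & 077) == 0;
}

/* Drop from root to the job owner permanently: groups first, uid last,
 * then confirm that root cannot be regained. Returns 0 on success. */
int drop_to(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return (setuid(0) == 0) ? -1 : 0;
}
```
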
