Automating usage of smbspool_krb5_wrapper

Mikhail Novosyolov m.novosyolov at rosalinux.ru
Fri Nov 22 02:22:29 UTC 2019


14.11.2019 12:51, Andreas Schneider wrote:
> On Sunday, 3 November 2019 01:03:43 CET Mikhail Novosyolov wrote:
>> 29.10.2019 10:29, Andreas Schneider wrote:
>>> On Monday, 28 October 2019 20:38:08 CET Mikhail Novosyolov wrote:
>>>> 28.10.2019 11:47, Andreas Schneider wrote:
>>>>> On Monday, 28 October 2019 08:58:26 CET Mikhail Novosyolov via
>>>>> samba-technical wrote:
>>>>>> 28.10.2019 10:44, Mikhail Novosyolov wrote:
>>>>>>> <...>
>>>>>>> There are 2 possible solutions:
>>>>>>>
>>>>>>> 1) either patch source3/client/smbspool_krb5_wrapper.c to "goto
>>>>>>> smbspool;" if env does not contain "negotiate" instead of checking to
>>>>>>> be either null or 0 - how correct will this be?
>>>>>> I mean this:
>>>>>>
>>>>>> diff --git a/source3/client/smbspool_krb5_wrapper.c
>>>>>> b/source3/client/smbspool_krb5_wrapper.c
>>>>>> index bff1df417e8..000a613291e 100644
>>>>>> --- a/source3/client/smbspool_krb5_wrapper.c
>>>>>> +++ b/source3/client/smbspool_krb5_wrapper.c
>>>>>> @@ -149,7 +149,7 @@ int main(int argc, char *argv[])
>>>>>>
>>>>>>             env = getenv("AUTH_INFO_REQUIRED");
>>>>>>             
>>>>>>              /* If not set, then just call smbspool. */
>>>>>>
>>>>>> -       if (env == NULL || env[0] == 0) {
>>>>>> +       if (env == NULL || env == "none" || env[0] == 0) {
>>>>>>
>>>>>>                     CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
>>>>>>                     
>>>>>>                                    "execute smbspool");
>>>>>>                     
>>>>>>                     goto smbspool;
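Review bot: In the changed condition, env == "none" compares the pointer returned by getenv() with the address of a string literal, so it never examines the variable's contents; use strcmp(env, "none") == 0, placed after the env == NULL check. The debug message in the unchanged context still reads "AUTH_INFO_REQUIRED is not set", which would be misleading when the value is "none", so that case deserves its own message or branch.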
>>>>> This is obviously wrong :-)
>>>>>
>>>>> Did you see the code below? The question is if we should map
>>>>>
>>>>> AUTH_INFO_REQUIRED=none
>>>>>
>>>>> to anonymous. I've created a patchset you can find here:
>>>>>
>>>>> https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-smbspool
>>>>>
>>>>>
>>>>> However you need to try all combinations, username/password, kerberos and
>>>>> none for anonymous.
>>>> Thank you! I did not test these patches yet, first tried to understand
>>>> how it works.
>>>>
>>>> Could you please explain a bit how it works?
>>> That's a good question as documentation from CUPS side is missing. So we
>>> need to find out what CUPS does and then try to write tests for it if
>>> possible. This allows us to make sure we work correctly. The repo above
>>> shows you where the test is in the samba source code. I've tried to add
>>> more tests in the past to avoid regressions and verify we work correctly.
>>> This needs to be extended as much as possible.
>>>
>>>
>>> The two patches were just a quick shot.
>> CUPS developer has clarified documentation:
>>
>>    * https://github.com/apple/cups/issues/5674
>>    * https://github.com/apple/cups/commit/025b8ce8f637009f0df7a5bb5fa0a460dbb32b10
>>
>> "'negotiate': Kerberos is required - this keyword can only appear by
>> itself and causes cupsd to collect the UID of the printing user."
>>
>> I've switched smbspool_krb5_wrapper from failing if value of
>> AUTH_INFO_REQUIRED is something not known to just ignoring that and
>> passing the task to smbspool. smbspool will fail itself. Added a test
>> for that. Patches on top of asn/samba.git/master-smbspool are attached.
>>
>> I've not tested those changes yet, just checked buildability. Testing
>> will require making a complex set up, I will try.
>
> They look fine, let me know if it works!
>
>
> Thanks.

How to make Samba AD domain controller make all local printers available 
only to domain members? I've made a local PDF printer which writes to 
PDF files in CUPS and want to use it for testing and be sure that 
Kerberos authorization is used to access the printer.

[printers]
     path = /var/spool/samba/
     printable = yes
     #guest ok=yes
     security = domain

Is it correct? I am not sure about "security = domain".
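
The AUTH_INFO_REQUIRED dispatch discussed in the quoted thread, as an added example that is not part of the original message and is not Samba's code. The enum and function names are hypothetical, "username,password" is the CUPS keyword form of what the thread calls username/password, and handing every value other than a lone "negotiate" to smbspool is an assumption taken from the description above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for illustration; not from smbspool_krb5_wrapper.c. */
enum auth_mode {
	AUTH_UNSET,    /* variable missing or empty */
	AUTH_NONE,     /* "none" */
	AUTH_USERPASS, /* "username,password" */
	AUTH_KERBEROS, /* "negotiate" on its own */
	AUTH_UNKNOWN   /* anything else, e.g. "negotiate" mixed with other keywords */
};

/* Classify AUTH_INFO_REQUIRED by string content; env == "none" would only
 * compare two addresses and never look at the characters. */
enum auth_mode classify_auth_info(const char *env)
{
	if (env == NULL || env[0] == '\0')
		return AUTH_UNSET;
	if (strcmp(env, "none") == 0)
		return AUTH_NONE;
	if (strcmp(env, "negotiate") == 0)
		return AUTH_KERBEROS;
	if (strcmp(env, "username,password") == 0)
		return AUTH_USERPASS;
	return AUTH_UNKNOWN;
}

/* Assumed policy, following the thread: only a lone "negotiate" takes the
 * Kerberos path; every other value is passed on to smbspool. */
int takes_kerberos_path(const char *env)
{
	return classify_auth_info(env) == AUTH_KERBEROS;
}

int main(void)
{
	/* Constructed sample values. */
	const char *samples[] = { NULL, "", "none", "negotiate",
				  "username,password", "negotiate,domain", "bogus" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		printf("%-20s -> %s\n", samples[i] ? samples[i] : "(unset)",
		       takes_kerberos_path(samples[i]) ? "kerberos" : "smbspool");
	}
	return 0;
}
```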



