Automating usage of smbspool_krb5_wrapper

Rowland Penny rpenny at samba.org
Fri Nov 22 09:18:36 UTC 2019


On 22/11/2019 02:22, Mikhail Novosyolov via samba-technical wrote:
> 14.11.2019 12:51, Andreas Schneider wrote:
>> On Sunday, 3 November 2019 01:03:43 CET Mikhail Novosyolov wrote:
>>> 29.10.2019 10:29, Andreas Schneider wrote:
>>>> On Monday, 28 October 2019 20:38:08 CET Mikhail Novosyolov wrote:
>>>>> 28.10.2019 11:47, Andreas Schneider wrote:
>>>>>> On Monday, 28 October 2019 08:58:26 CET Mikhail Novosyolov via samba-technical wrote:
>>>>>>> 28.10.2019 10:44, Mikhail Novosyolov wrote:
>>>>>>>> <...>
>>>>>>>> There are 2 possible solutions:
>>>>>>>>
>>>>>>>> 1) either patch source3/client/smbspool_krb5_wrapper.c to "goto
>>>>>>>> smbspool;" if env does not contain "negotiate" instead of checking to
>>>>>>>> be either null or 0 - how correct will this be?
>>>>>>> I mean this:
>>>>>>>
>>>>>>> diff --git a/source3/client/smbspool_krb5_wrapper.c
>>>>>>> b/source3/client/smbspool_krb5_wrapper.c
>>>>>>> index bff1df417e8..000a613291e 100644
>>>>>>> --- a/source3/client/smbspool_krb5_wrapper.c
>>>>>>> +++ b/source3/client/smbspool_krb5_wrapper.c
>>>>>>> @@ -149,7 +149,7 @@ int main(int argc, char *argv[])
>>>>>>>
>>>>>>>             env = getenv("AUTH_INFO_REQUIRED");
>>>>>>>                          /* If not set, then just call smbspool. */
>>>>>>>
>>>>>>> -       if (env == NULL || env[0] == 0) {
>>>>>>> +       if (env == NULL || env == "none" || env[0] == 0) {
>>>>>>>
>>>>>>>                     CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not 
>>>>>>> set - "
>>>>>>> "execute smbspool");
>>>>>>>                                         goto smbspool;
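
Review bot: The added `env == "none"` test in the `if` condition compares the pointer returned by getenv() with the address of a string literal, so it does not compare the strings and will not match a value read from the environment. Compare the contents instead, for example `strcmp(env, "none") == 0`, kept after the `env == NULL` check as it is here. If "none" is meant to take this branch, the CUPS_SMB_DEBUG text "AUTH_INFO_REQUIRED is not set" should be updated as well, since it would then be logged for a value that is set.
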
>>>>>> This is obviously wrong :-)
>>>>>>
>>>>>> Did you see the code below? The question is if we should map
>>>>>>
>>>>>> AUTH_INFO_REQUIRED=none
>>>>>>
>>>>>> to anonymous. I've created a patchset you can find here:
>>>>>>
>>>>>> https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-smbspool
>>>>>>
>>>>>> However you need to try all combinations, username/password, kerberos
>>>>>> and none for anonymous.
>>>>> Thank you! I did not test these patches yet, first tried to understand
>>>>> how it works.
>>>>>
>>>>> Could you please explain a bit how it works?
>>>> That's a good question as documentation from CUPS side is missing. So we
>>>> need to find out what CUPS does and then try to write tests for it if
>>>> possible. This allows us to make sure we work correctly. The repo above
>>>> shows you where the test is in the samba source code. I've tried to add
>>>> more tests in the past to avoid regressions and verify we work correctly.
>>>> This needs to be extended as much as possible.
>>>>
>>>> The two patches were just a quick shot.
>>> CUPS developer has clarified documentation:
>>>
>>>    * https://github.com/apple/cups/issues/5674
>>>    * https://github.com/apple/cups/commit/025b8ce8f637009f0df7a5bb5fa0a460dbb32b10
>>>
>>> "'negotiate': Kerberos is required - this keyword can only appear by
>>> itself and causes cupsd to collect the UID of the printing user."
>>>
>>> I've switched smbspool_krb5_wrapper from failing if value of
>>> AUTH_INFO_REQUIRED is something not known to just ignoring that and
>>> passing the task to smbspool. smbspool will fail itself. Added a test
>>> for that. Patches on top of asn/samba.git/master-smbspool are attached.
>>>
>>> I've not tested those changes yet, just checked buildability. Testing
>>> will require making a complex set up, I will try.
>>
>> They look fine, let me know if it works!
>>
>>
>> Thanks.
>
> How to make Samba AD domain controller make all local printers 
> available only to domain members? I've made a local PDF printer which 
> writes to PDF files in CUPS and want to use it for testing and be sure 
> that Kerberos authorization is used to access the printer.
>
> [printers]
>     path = /var/spool/samba/
>     printable = yes
>     #guest ok=yes
>     security = domain
>
> Is it correct? I am not sure about "security = domain".
>
>
Sorry, but it isn't, the 'security' parameter is only valid in [global]
and if you read 'man smb.conf' it tells you this:

PARAMETERS

Parameters define the specific attributes of sections.

Some parameters are specific to the [global] section (e.g., security).

Not being a printing expert (Louis will know this), but is it possible
to deny access by Windows ACLs?

Rowland
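
A minimal lint for the mistake pointed out above, as an added example that is not part of the original message or of Samba: it parses smb.conf text and reports global-only parameters placed in a share section. The `GLOBAL_ONLY` set is an assumed, illustrative subset, the `[global]` block in the sample is constructed, and the function names are hypothetical; Samba's own `testparm` remains the authoritative checker.

```python
import re

# Assumption: a small illustrative subset of the parameters that
# smb.conf(5) marks as global-only; extend it from the man page.
GLOBAL_ONLY = {"security", "workgroup", "realm", "netbiosname"}

def normalize(name):
    """smb.conf ignores case and all whitespace in section/parameter names."""
    return re.sub(r"\s+", "", name).lower()

def misplaced_globals(text):
    """Return (line_no, section, parameter) for each global-only
    parameter that appears outside [global]."""
    findings = []
    section = "global"  # assumption: lines before any header count as global
    pending, start = "", 0  # buffer for backslash-continued lines
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line[0] in "#;":  # blank line or comment
                continue
            start = no
        if line.endswith("\\"):  # value continues on the next line
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = normalize(m.group(1))
            continue
        name, sep, _ = line.partition("=")  # only the first '=' is significant
        if sep and section != "global" and normalize(name) in GLOBAL_ONLY:
            findings.append((start, section, normalize(name)))
    return findings

# The share definition quoted in the message, preceded by a constructed [global].
SAMPLE = """\
[global]
    workgroup = EXAMPLE
[printers]
    path = /var/spool/samba/
    printable = yes
    #guest ok=yes
    security = domain
"""

if __name__ == "__main__":
    for no, section, name in misplaced_globals(SAMPLE):
        print(f"line {no}: '{name}' in [{section}] is only valid in [global]")
```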




