Automating usage of smbspool_krb5_wrapper

L. van Belle belle at samba.org
Fri Nov 22 10:31:42 UTC 2019



> -----Original Message-----
> From: samba-technical [mailto:samba-technical-bounces at lists.samba.org] On Behalf Of Rowland penny via samba-technical
> Sent: Friday, 22 November 2019 10:19
> To: samba-technical at lists.samba.org
> Subject: Re: Automating usage of smbspool_krb5_wrapper
> 
> On 22/11/2019 02:22, Mikhail Novosyolov via samba-technical wrote:
> > 14.11.2019 12:51, Andreas Schneider wrote:
> >> On Sunday, 3 November 2019 01:03:43 CET Mikhail Novosyolov wrote:
> >>> 29.10.2019 10:29, Andreas Schneider wrote:
> >>>> On Monday, 28 October 2019 20:38:08 CET Mikhail Novosyolov wrote:
> >>>>> 28.10.2019 11:47, Andreas Schneider wrote:
> >>>>>> On Monday, 28 October 2019 08:58:26 CET Mikhail Novosyolov via
> >>>>>> samba-technical wrote:
> >>>>>>> 28.10.2019 10:44, Mikhail Novosyolov wrote:
> >>>>>>>> <...>
> >>>>>>>> There are 2 possible solutions:
> >>>>>>>>
> >>>>>>>> 1) either patch source3/client/smbspool_krb5_wrapper.c to "goto
> >>>>>>>> smbspool;" if env does not contain "negotiate" instead of checking to
> >>>>>>>> be either null or 0 - how correct will this be?
> >>>>>>> I mean this:
> >>>>>>>
> >>>>>>> diff --git a/source3/client/smbspool_krb5_wrapper.c
> >>>>>>> b/source3/client/smbspool_krb5_wrapper.c
> >>>>>>> index bff1df417e8..000a613291e 100644
> >>>>>>> --- a/source3/client/smbspool_krb5_wrapper.c
> >>>>>>> +++ b/source3/client/smbspool_krb5_wrapper.c
> >>>>>>> @@ -149,7 +149,7 @@ int main(int argc, char *argv[])
> >>>>>>>
> >>>>>>>             env = getenv("AUTH_INFO_REQUIRED");
> >>>>>>>                          /* If not set, then just 
> call smbspool. */
> >>>>>>>
> >>>>>>> -       if (env == NULL || env[0] == 0) {
> >>>>>>> +       if (env == NULL || env == "none" || env[0] == 0) {
> >>>>>>>
> >>>>>>>                     CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not 
> >>>>>>> set - "
> >>>>>>> "execute smbspool");
> >>>>>>>                                         goto smbspool;
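Review bot: the added `env == "none"` term in the `if` condition compares the pointer returned by getenv() with the address of a string literal, not the string contents, so it will not match a value read from the environment. Use `strcmp(env, "none") == 0`, placed after the `env == NULL` check so it is never called on a NULL pointer. The CUPS_SMB_DEBUG text in this branch still says "AUTH_INFO_REQUIRED is not set", which would be misleading when the branch is taken for "none"; the message should report the actual value.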
> >>>>>> This is obviously wrong :-)
> >>>>>>
> >>>>>> Did you see the code below? The question is if we should map
> >>>>>>
> >>>>>> AUTH_INFO_REQUIRED=none
> >>>>>>
> >>>>>> to anonymous. I've created a patchset you can find here:
> >>>>>>
> >>>>>> https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-smbspool
> >>>>>>
> >>>>>>
> >>>>>> However you need to try all combinations, username/password, kerberos
> >>>>>> and none for anonymous.
> >>>>> Thank you! I did not test these patches yet, first tried to understand
> >>>>> how it works.
> >>>>>
> >>>>> Could you please explain a bit how it works?
> >>>> That's a good question as documentation from CUPS side is missing. So we
> >>>> need to find out what CUPS does and then try to write tests for it if
> >>>> possible. This allows us to make sure we work correctly. The repo above
> >>>> shows you where the test is in the samba source code. I've tried to add
> >>>> more tests in the past to avoid regressions and verify we work correctly.
> >>>> This needs to be extended as much as possible.
> >>>>
> >>>>
> >>>> The two patches were just a quick shot.
> >>> CUPS developer has clarified documentation:
> >>>
> >>>    * https://github.com/apple/cups/issues/5674
> >>>    * https://github.com/apple/cups/commit/025b8ce8f637009f0df7a5bb5fa0a460dbb32b10
> >>>
> >>> "'negotiate': Kerberos is required - this keyword can only appear by
> >>> itself and causes cupsd to collect the UID of the printing user."
> >>>
> >>> I've switched smbspool_krb5_wrapper from failing if value of
> >>> AUTH_INFO_REQUIRED is something not known to just ignoring that and
> >>> passing the task to smbspool. smbspool will fail itself. Added a test
> >>> for that. Patches on top of asn/samba.git/master-smbspool are attached.
> >>>
> >>> I've not tested those changes yet, just checked buildability. Testing
> >>> will require making a complex set up, I will try.
> >>
> >> They look fine, let me know if it works!
> >>
> >>
> >> Thanks.
> >
> > How to make Samba AD domain controller make all local printers
> > available only to domain members? I've made a local PDF printer which
> > writes to PDF files in CUPS and want to use it for testing and be sure
> > that Kerberos authorization is used to access the printer.
> >
> > [printers]
> >     path = /var/spool/samba/
> >     printable = yes
> >     #guest ok=yes
> >     security = domain
> >
> > Is it correct? I am not sure about "security = domain".
> >
> >
> Sorry, but it isn't, the 'security' parameter is only valid in [global]
> and if you read 'man smb.conf' it tells you this:
> 
> PARAMETERS
> 
> Parameters define the specific attributes of sections.
> 
> Some parameters are specific to the [global] section (e.g., security).
> 
> Not being a printing expert (Louis will know this), but is it possible
> to deny access by Windows ACLs?

Yes, and Deny takes preference over Allow, always.


Is this not related to:
https://github.com/samba-team/samba/blob/8c833470fc52332c62220ec9cc38c8a4fd7721f1/source3/client/smbspool.c#L120

Where Andreas fixed things in 4.8.0
(https://bugzilla.redhat.com/show_bug.cgi?id=1574177)
The other I noticed: https://bugzilla.redhat.com/show_bug.cgi?id=1772450

And I did notice something in the CUPS protocol parts
(seen on Arch Linux: https://bugs.archlinux.org/task/58247).
There is currently a bug in CUPS that gives problems with logins.
I can confirm this is also on Debian 10.

This fix works, so before a lot of code is changed, it might be handy if CUPS
fixes this first.

Edit "/etc/cups/cupsd.conf"

Change:
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>

To:
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
AuthType None
# AuthType Default
# Require user @SYSTEM
Order deny,allow
</Limit>

I hope the above helps you guys.
A lot is going on in the CUPS/Kerberos/SMB areas, it is hard for me to track
them all.


Greetz, 

Louis
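
The cupsd.conf change above replaces "AuthType Default" with "AuthType None" on the printer and class administration operations. The following is an added example, not part of the original post and not code from CUPS or Samba: a check that reads cupsd.conf text and reports `<Limit>` blocks serving those operations with "AuthType None", so the workaround can be found and reverted once CUPS is fixed. The names `parse_limits` and `audit` are hypothetical, and the two sample configurations are constructed from the "Change:" and "To:" blocks in the post.

```python
import re

# Operations named on the <Limit> line in the post: printer/class administration.
ADMIN_OPS = {"CUPS-Add-Modify-Printer", "CUPS-Delete-Printer", "CUPS-Add-Modify-Class",
             "CUPS-Delete-Class", "CUPS-Set-Default", "CUPS-Get-Devices"}
LIMIT_LINE = "<Limit " + " ".join(sorted(ADMIN_OPS)) + ">"

# Constructed samples: the "Change:" and "To:" blocks from the post, Limit line unwrapped.
BEFORE = LIMIT_LINE + "\nAuthType Default\nRequire user @SYSTEM\nOrder deny,allow\n</Limit>\n"
AFTER = (LIMIT_LINE + "\nAuthType None\n# AuthType Default\n# Require user @SYSTEM\n"
         "Order deny,allow\n</Limit>\n")

def parse_limits(text):
    """Yield (operations, directives) for each <Limit ...> block in cupsd.conf text."""
    ops, directives = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and commented-out directives
            continue
        m = re.match(r"<Limit\s+([^>]+)>$", line, re.I)
        if m:
            ops, directives = set(m.group(1).split()), {}
        elif line.lower() == "</limit>":
            if ops is not None:
                yield ops, directives
            ops = None
        elif ops is not None:
            parts = line.split(None, 1)        # this sketch keeps the last occurrence of a key
            directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""

def audit(text):
    """Return (operations, reason) for admin operations served with AuthType None."""
    findings = []
    for ops, d in parse_limits(text):
        admin = sorted(ADMIN_OPS if "All" in ops else ops & ADMIN_OPS)
        if admin and d.get("authtype", "").lower() == "none":
            findings.append((admin, "AuthType None"))
    return findings

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(conf) or "no AuthType None on admin operations")
```
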







 



