Automating usage of smbspool_krb5_wrapper
Andreas Schneider
asn at samba.org
Fri Nov 22 14:33:16 UTC 2019
On Friday, 22 November 2019 03:22:29 CET Mikhail Novosyolov via
samba-technical wrote:
> 14.11.2019 12:51, Andreas Schneider wrote:
> > On Sunday, 3 November 2019 01:03:43 CET Mikhail Novosyolov wrote:
> >> 29.10.2019 10:29, Andreas Schneider wrote:
> >>> On Monday, 28 October 2019 20:38:08 CET Mikhail Novosyolov wrote:
> >>>> 28.10.2019 11:47, Andreas Schneider wrote:
> >>>>> On Monday, 28 October 2019 08:58:26 CET Mikhail Novosyolov via
> >>>>> samba-technical wrote:
> >>>>>> 28.10.2019 10:44, Mikhail Novosyolov wrote:
> >>>>>>> <...>
> >>>>>>> There are 2 possible solutions:
> >>>>>>>
> >>>>>>> 1) either patch source3/client/smbspool_krb5_wrapper.c to "goto
> >>>>>>> smbspool;" if env does not contain "negotiate" instead of checking
> >>>>>>> to be either null or 0 - how correct will this be?
> >>>>>>
> >>>>>> I mean this:
> >>>>>>
> >>>>>> diff --git a/source3/client/smbspool_krb5_wrapper.c
> >>>>>> b/source3/client/smbspool_krb5_wrapper.c
> >>>>>> index bff1df417e8..000a613291e 100644
> >>>>>> --- a/source3/client/smbspool_krb5_wrapper.c
> >>>>>> +++ b/source3/client/smbspool_krb5_wrapper.c
> >>>>>> @@ -149,7 +149,7 @@ int main(int argc, char *argv[])
> >>>>>>
> >>>>>> env = getenv("AUTH_INFO_REQUIRED");
> >>>>>>
> >>>>>> /* If not set, then just call smbspool. */
> >>>>>>
> >>>>>> - if (env == NULL || env[0] == 0) {
> >>>>>> + if (env == NULL || env == "none" || env[0] == 0) {
> >>>>>>
> >>>>>> CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
> >>>>>>
> >>>>>> "execute smbspool");
> >>>>>>
> >>>>>> goto smbspool;
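
Review bot: In the changed condition, `env == "none"` compares the pointer returned by getenv() with the address of a string literal, not the string contents, so it will not match a value read from the environment and AUTH_INFO_REQUIRED=none still falls through to the code below. Use `strcmp(env, "none") == 0` after the NULL check. The debug message in this branch still says "AUTH_INFO_REQUIRED is not set", which would be misleading once the branch also covers the none case.
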
> >>>>>
> >>>>> This is obviously wrong :-)
> >>>>>
> >>>>> Did you see the code below? The question is if we should map
> >>>>>
> >>>>> AUTH_INFO_REQUIRED=none
> >>>>>
> >>>>> to anonymous. I've created a patchset you can find here:
> >>>>>
> >>>>> https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-smbspool
> >>>>>
> >>>>>
> >>>>> However you need to try all combinations, username/password, kerberos
> >>>>> and
> >>>>> none for anonymous.
> >>>>
> >>>> Thank you! I did not test these patches yet, first tried to understand
> >>>> how it works.
> >>>>
> >>>> Could you please explain a bit how it works?
> >>>
> >>> That's a good question as documentation from CUPS side is missing. So we
> >>> need to find out what CUPS does and then try to write tests for it if
> >>> possible. This allows us to make sure we work correctly. The repo above
> >>> shows you where the test is in the samba source code. I've tried to add
> >>> more tests in the past to avoid regressions and verify we work
> >>> correctly.
> >>> This needs to be extended as much as possible.
> >>>
> >>>
> >>> The two patches were just a quick shot.
> >>
> >> CUPS developer has clarified documentation:
> >> * https://github.com/apple/cups/issues/5674
> >> * https://github.com/apple/cups/commit/025b8ce8f637009f0df7a5bb5fa0a460dbb32b10
> >>
> >> "'negotiate': Kerberos is required - this keyword can only appear by
> >> itself and causes cupsd to collect the UID of the printing user."
> >>
> >> I've switched smbspool_krb5_wrapper from failing if value of
> >> AUTH_INFO_REQUIRED is something not known to just ignoring that and
> >> passing the task to smbspool. smbspool will fail itself. Added a test
> >> for that. Patches on top of asn/samba.git/master-smbspool are attached.
> >>
> >> I've not tested those changes yet, just checked buildability. Testing
> >> will require making a complex set up, I will try.
> >
> > They look fine, let me know if it works!
> >
> >
> > Thanks.
>
> How to make Samba AD domain controller make all local printers available
> only to domain members? I've made a local PDF printer which writes to
> PDF files in CUPS and want to use it for testing and be sure that
> Kerberos authorization is used to access the printer.
>
> [printers]
> path = /var/spool/samba/
> printable = yes
> #guest ok=yes
> security = domain
>
> Is it correct? I am not sure about "security = domain".

'security = domain' means it is a NT4-style member :-) That also won't work on
shares.

If you don't specify anything, it requires authentication. You can use 'valid
users' to restrict the share to certain users or groups.

Andreas
--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
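
The share definition described in the reply above, written out as an added example that is not part of the original message. EXAMPLE is a constructed placeholder for the domain's NetBIOS name, and "Domain Users" is assumed to be the group that should be allowed to print.

```ini
# Added example, not from the original thread.
# EXAMPLE is a constructed placeholder for the AD domain's NetBIOS name.

# As posted in the question: 'security' is a [global] parameter, and
# 'security = domain' would describe an NT4-style member, not an AD DC.
#[printers]
#    path = /var/spool/samba/
#    printable = yes
#    security = domain

# Corrected: no 'security' line in the share. Without 'guest ok = yes'
# the share requires authentication; 'valid users' narrows it to one group.
[printers]
    path = /var/spool/samba/
    printable = yes
    guest ok = no
    valid users = @"EXAMPLE\Domain Users"
```

Running `testparm -s` after the change prints the configuration as Samba parsed it.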