Automating usage of smbspool_krb5_wrapper

Andreas Schneider asn at samba.org
Fri Nov 22 14:33:16 UTC 2019


On Friday, 22 November 2019 03:22:29 CET Mikhail Novosyolov via samba-
technical wrote:
> 14.11.2019 12:51, Andreas Schneider wrote:
> > On Sunday, 3 November 2019 01:03:43 CET Mikhail Novosyolov wrote:
> >> 29.10.2019 10:29, Andreas Schneider wrote:
> >>> On Monday, 28 October 2019 20:38:08 CET Mikhail Novosyolov wrote:
> >>>> 28.10.2019 11:47, Andreas Schneider wrote:
> >>>>> On Monday, 28 October 2019 08:58:26 CET Mikhail Novosyolov via
> >>>>> samba-technical wrote:
> >>>>>> 28.10.2019 10:44, Mikhail Novosyolov wrote:
> >>>>>>> <...>
> >>>>>>> There are 2 possible solutions:
> >>>>>>> 
> >>>>>>> 1) either patch source3/client/smbspool_krb5_wrapper.c to "goto
> >>>>>>> smbspool;" if env does not contain "negotiate" instead of checking
> >>>>>>> to be either null or 0 - how correct will this be?
> >>>>>> 
> >>>>>> I mean this:
> >>>>>> 
> >>>>>> diff --git a/source3/client/smbspool_krb5_wrapper.c
> >>>>>> b/source3/client/smbspool_krb5_wrapper.c
> >>>>>> index bff1df417e8..000a613291e 100644
> >>>>>> --- a/source3/client/smbspool_krb5_wrapper.c
> >>>>>> +++ b/source3/client/smbspool_krb5_wrapper.c
> >>>>>> @@ -149,7 +149,7 @@ int main(int argc, char *argv[])
> >>>>>> 
> >>>>>>             env = getenv("AUTH_INFO_REQUIRED");
> >>>>>>             
> >>>>>>              /* If not set, then just call smbspool. */
> >>>>>> 
> >>>>>> -       if (env == NULL || env[0] == 0) {
> >>>>>> +       if (env == NULL || env == "none" || env[0] == 0) {
> >>>>>> 
> >>>>>>                     CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
> >>>>>>                     
> >>>>>>                                    "execute smbspool");
> >>>>>>                     
> >>>>>>                     goto smbspool;
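Review bot: In the changed condition, `env == "none"` compares the pointer returned by getenv() with the address of a string literal rather than the string contents, so it will not match when AUTH_INFO_REQUIRED is set to none and that case still falls through to the code below. Compare the contents after the NULL check, for example `strcmp(env, "none") == 0`. If the branch is kept, the debug text "AUTH_INFO_REQUIRED is not set" should also be reworded, since it would then be printed for a value that is set.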
> >>>>> 
> >>>>> This is obviously wrong :-)
> >>>>> 
> >>>>> Did you see the code below? The question is if we should map
> >>>>> 
> >>>>> AUTH_INFO_REQUIRED=none
> >>>>> 
> >>>>> to anonymous. I've created a patchset you can find here:
> >>>>> 
> >>>>> https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-smbspool
> >>>>> 
> >>>>> 
> >>>>> However you need to try all combinations, username/password, kerberos
> >>>>> and
> >>>>> none for anonymous.
> >>>> 
> >>>> Thank you! I did not test these patches yet, first tried to understand
> >>>> how it works.
> >>>> 
> >>>> Could you please explain a bit how it works?
> >>> 
> >>> That's a good question as documentation from CUPS side is missing. So we
> >>> need to find out what CUPS does and then try to write tests for it if
> >>> possible. This allows us to make sure we work correctly. The repo above
> >>> shows you where the test is in the samba source code. I've tried to add
> >>> more tests in the past to avoid regressions and verify we work
> >>> correctly.
> >>> This needs to be extended as much as possible.
> >>> 
> >>> 
> >>> The two patches were just a quick shot.
> >> 
> >> CUPS developer has clarified documentation:
> >>    * https://github.com/apple/cups/issues/5674
> >>    * https://github.com/apple/cups/commit/025b8ce8f637009f0df7a5bb5fa0a460dbb32b10
> >> 
> >> "'negotiate': Kerberos is required - this keyword can only appear by
> >> itself and causes cupsd to collect the UID of the printing user."
> >> 
> >> I've switched smbspool_krb5_wrapper from failing if value of
> >> AUTH_INFO_REQUIRED is something not known to just ignoring that and
> >> passing the task to smbspool. smbspool will fail itself. Added a test
> >> for that. Patches on top of asn/samba.git/master-smbspool are attached.
> >> 
> >> I've not tested those changes yet, just checked buildability. Testing
> >> will require making a complex set up, I will try.
> > 
> > They look fine, let me know if it works!
> > 
> > 
> > Thanks.
> 
> How to make Samba AD domain controller make all local printers available
> only to domain members? I've made a local PDF printer which writes to
> PDF files in CUPS and want to use it for testing and be sure that
> Kerberos authorization is used to access the printer.
> 
> [printers]
>      path = /var/spool/samba/
>      printable = yes
>      #guest ok=yes
>      security = domain
> 
> Is it correct? I am not sure about "security = domain".

'security = domain' means it is a NT4-style member :-) That also won't work on 
shares.

If you don't specify anything, it requires authentication. You can use 'valid 
users' to restrict the share to certain users or groups.


	Andreas

-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
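
The share definition the reply above describes, as an added example that is not part of the original message or of the Samba project's documentation. The domain name EXAMPLE and the group "Domain Users" are assumed placeholders; the path is the one from the question.

```ini
# Constructed example; EXAMPLE and the group name are placeholders.

# As posted in the question: "security" is a [global] parameter and,
# as the reply says, does not work on shares; "domain" would also
# describe an NT4-style member rather than an AD setup.
#[printers]
#     path = /var/spool/samba/
#     printable = yes
#     security = domain

# Adjusted: with no guest access configured the share requires
# authentication ("guest ok" defaults to no, stated here explicitly),
# and "valid users" restricts connections to one domain group.
[printers]
     path = /var/spool/samba/
     printable = yes
     guest ok = no
     valid users = @"EXAMPLE\Domain Users"
```

Running `testparm -s` after the edit prints the configuration as Samba parsed it, which shows whether the share section was accepted.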




