Automating usage of smbspool_krb5_wrapper

Mikhail Novosyolov m.novosyolov at rosalinux.ru
Mon Nov 25 23:49:08 UTC 2019


22.11.2019 17:33, Andreas Schneider wrote:
> On Friday, 22 November 2019 03:22:29 CET Mikhail Novosyolov via samba-technical wrote:
>> 14.11.2019 12:51, Andreas Schneider wrote:
>>> On Sunday, 3 November 2019 01:03:43 CET Mikhail Novosyolov wrote:
>>>> 29.10.2019 10:29, Andreas Schneider wrote:
>>>>> On Monday, 28 October 2019 20:38:08 CET Mikhail Novosyolov wrote:
>>>>>> 28.10.2019 11:47, Andreas Schneider wrote:
>>>>>>> On Monday, 28 October 2019 08:58:26 CET Mikhail Novosyolov via samba-technical wrote:
>>>>>>>> 28.10.2019 10:44, Mikhail Novosyolov wrote:
>>>>>>>>> <...>
>>>>>>>>> There are 2 possible solutions:
>>>>>>>>>
>>>>>>>>> 1) either patch source3/client/smbspool_krb5_wrapper.c to "goto
>>>>>>>>> smbspool;" if env does not contain "negotiate" instead of checking
>>>>>>>>> to be either null or 0 - how correct will this be?
>>>>>>>> I mean this:
>>>>>>>>
>>>>>>>> diff --git a/source3/client/smbspool_krb5_wrapper.c
>>>>>>>> b/source3/client/smbspool_krb5_wrapper.c
>>>>>>>> index bff1df417e8..000a613291e 100644
>>>>>>>> --- a/source3/client/smbspool_krb5_wrapper.c
>>>>>>>> +++ b/source3/client/smbspool_krb5_wrapper.c
>>>>>>>> @@ -149,7 +149,7 @@ int main(int argc, char *argv[])
>>>>>>>>
>>>>>>>>              env = getenv("AUTH_INFO_REQUIRED");
>>>>>>>>              
>>>>>>>>               /* If not set, then just call smbspool. */
>>>>>>>>
>>>>>>>> -       if (env == NULL || env[0] == 0) {
>>>>>>>> +       if (env == NULL || env == "none" || env[0] == 0) {
>>>>>>>>
>>>>>>>>                      CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
>>>>>>>>                      
>>>>>>>>                                     "execute smbspool");
>>>>>>>>                      
>>>>>>>>                      goto smbspool;
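Review bot: the added condition `env == "none"` compares the pointer returned by getenv() with the address of a string literal, so it is never true and the "none" case is still not handled; after the NULL check, compare contents with `strcmp(env, "none") == 0`, and decide separately whether "none" should fall through to smbspool or be treated as anonymous access, since the two are not the same thing.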
>>>>>>> This is obviously wrong :-)
>>>>>>>
>>>>>>> Did you see the code below? The question is if we should map
>>>>>>>
>>>>>>> AUTH_INFO_REQUIRED=none
>>>>>>>
>>>>>>> to anonymous. I've created a patchset you can find here:
>>>>>>>
>>>>>>> https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-smbspool
>>>>>>>
>>>>>>>
>>>>>>> However you need to try all combinations, username/password, kerberos
>>>>>>> and
>>>>>>> none for anonymous.
>>>>>> Thank you! I did not test these patches yet, first tried to understand
>>>>>> how it works.
>>>>>>
>>>>>> Could you please explain a bit how it works?
>>>>> That's a good question as documentation from CUPS side is missing. So we
>>>>> need to find out what CUPS does and then try to write tests for it if
>>>>> possible. This allows us to make sure we work correctly. The repo above
>>>>> shows you where the test is in the samba source code. I've tried to add
>>>>> more tests in the past to avoid regressions and verify we work
>>>>> correctly.
>>>>> This needs to be extended as much as possible.
>>>>>
>>>>>
>>>>> The two patches were just a quick shot.
>>>> CUPS developer has clarified documentation:
>>>>     * https://github.com/apple/cups/issues/5674
>>>>     * https://github.com/apple/cups/commit/025b8ce8f637009f0df7a5bb5fa0a460dbb32b10
>>>>
>>>> "'negotiate': Kerberos is required - this keyword can only appear by
>>>> itself and causes cupsd to collect the UID of the printing user."
>>>>
>>>> I've switched smbspool_krb5_wrapper from failing if value of
>>>> AUTH_INFO_REQUIRED is something not known to just ignoring that and
>>>> passing the task to smbspool. smbspool will fail itself. Added a test
>>>> for that. Patches on top of asn/samba.git/master-smbspool are attached.
>>>>
>>>> I've not tested those changes yet, just checked buildability. Testing
>>>> will require making a complex set up, I will try.
>>> They look fine, let me know if it works!
>>>
>>>
>>> Thanks.
>> How to make Samba AD domain controller make all local printers available
>> only to domain members? I've made a local PDF printer which writes to
>> PDF files in CUPS and want to use it for testing and be sure that
>> Kerberos authorization is used to access the printer.
>>
>> [printers]
>>       path = /var/spool/samba/
>>       printable = yes
>>       #guest ok=yes
>>       security = domain
>>
>> Is it correct? I am not sure about "security = domain".
> 'security = domain' means it is an NT4-style member :-) That also won't work on
> shares.
>
> If you don't specify anything, it requires authentication. You can use 'valid
> users' to restrict the share to certain users or groups.

I have tested those 4 patches (2 yours, Andreas, and 2 mine that I sent 
here previously). Behaviour of /usr/lib/cups/backend/smb symlinked to 
patched smbspool_krb5_wrapper seems to be correct: it passes printing 
tasks from printers without "AuthInfoRequired negotiate" directly to 
smbspool and correctly finds /tmp/krb5cc_$UID for printers with 
"AuthInfoRequired negotiate", where UID is a local ID of a domain user. 
I clearly see this in /var/log/cups/error_log when it is "LogLevel 
debug2" in /etc/cups/cupsd.conf.

So, these patches are ready to be merged, I think.
---------------------------------------------------------------------------


However, smbspool returns 2 due to one of these authentication errors 
happening due to problems in my configuration. I will investigate this 
later; maybe someone will point to mistakes.

That's a problem on the samba domain controller, I don't know why it 
rejects authentication. I see in cups/error_log:
"Try to connect using Kerberos..." (from smbspool.c)
"Kerberos auth with user@REALM <...> to access <IP_address_of_DC> not 
possible" (from samba's source3/libsmb/cliconnect.c)

smb.conf on domain controller is:

[root@dc1 samba]# cat /etc/samba/smb.conf
# Global parameters
[global]
     dns forwarder = 8.8.8.8
     netbios name = DC1
     realm = ROSA.LOC
     server role = active directory domain controller
     workgroup = ROSA
     idmap_ldb:use rfc2307 = yes
     printing = CUPS
     log level = 9

[netlogon]
     path = /var/lib/samba/sysvol/rosa.loc/scripts
     read only = No

[sysvol]
     path = /var/lib/samba/sysvol
     read only = No

[printers]
     path = /var/spool/samba/
     printable = yes
     #guest ok=yes
     #valid users = Administrator root @adm
     #vfs objects = full_audit
