smbspool without authentication no longer works?

Mikhail Novosyolov m.novosyolov at
Thu Nov 28 20:02:59 UTC 2019

28.11.2019 21:11, Andreas Hasenack via samba-technical пишет:
> Hi,
> is smbspool supposed to work without authentication, in the case the
> printer is shared like that?
> I've been tracking some bug reports about printing no longer working
> with samba 4.8 or higher. The last one where I got this command below
> to work was 4.7.6:
> ubuntu at bionic-smb-printer:~$ /usr/lib/cups/backend/smb
> smb:// 34 root page 1 options .bashrc;echo
> Kerberos auth with 'root at WORKGROUP' (WORKGROUP\root) to access
> '' not possible
> ERROR: Session setup failed: NT_STATUS_ACCESS_DENIED
> DEBUG: get_exit_code(cli=0x561bb8db7d70,
> nt_status=NT_STATUS_ACCESS_DENIED [c0000022])
> ATTR: auth-info-required=negotiate
> DEBUG: Connected with NTLMSSP...
> ubuntu at bionic-smb-printer:~$ echo $?
> 0
> With, say, 4.10.7, I get:
> root at nsnx:~# /usr/lib/cups/backend/smb smb:// 34
> root page 1 options .bashrc; r=$?;echo;echo $r
> kerberos_ccache_is_valid: Failed to get default principal from ccache:
> FILE:/tmp/krb5cc_0
> DEBUG: This backend requires credentials!
> DEBUG: get_exit_code(nt_status=NT_STATUS_ACCESS_DENIED [c0000022])
> ATTR: auth-info-required=none
> DEBUG: Unable to connect to CIFS host: NT_STATUS_ACCESS_DENIED
> 2
> If I pass "anonymous" as the username, or even a blank space (!), then it works:
> root at nsnx:~# /usr/lib/cups/backend/smb smb://\ @
> 34 root page 1 options .bashrc; r=$?;echo;echo $r
> DEBUG: SMB connection established.
> 0
> I found several bug reports, but none seems to address this issue
> exactly. Some were about printing with kerberos.
It was fixed in Samba 4.10 but was not backported to samba 4.9:

Yes, people report that it worked in 4.7 and broke in 4.9. But now it 
works in 4.10.

"Failed to get default principal from ccache: FILE:/tmp/krb5cc_0" - this 
means that ccache of root user is being looked for. You should symlink 
/usr/lib/cups/backend/smb to smbspool_krb5_wrapper, then ccache of the 
printing task creator will be found and used.

Please read a recent thread 
"Automating usage of smbspool_krb5_wrapper" from start to end, in the 
first email problem is explained and in the last patches are attached. I 
would appreceate if you test them in Ubuntu: they allow to symlink 
/usr/lib/cups/backend/smb -> smbspool_krb5_wrapper instead of smbspool 
and make printing work out of the box both with and without Kerberos.

More information about the samba-technical mailing list