smbspool without authentication no longer works?

Mikhail Novosyolov m.novosyolov at rosalinux.ru
Thu Nov 28 20:02:59 UTC 2019


28.11.2019 21:11, Andreas Hasenack via samba-technical пишет:
> Hi,
>
> is smbspool supposed to work without authentication, in the case the
> printer is shared like that?
>
> I've been tracking some bug reports about printing no longer working
> with samba 4.8 or higher. The last one where I got this command below
> to work was 4.7.6:
>
> ubuntu at bionic-smb-printer:~$ /usr/lib/cups/backend/smb
> smb://10.10.1.6/ds216laser 34 root page 1 options .bashrc;echo
> Kerberos auth with 'root at WORKGROUP' (WORKGROUP\root) to access
> '10.10.1.6' not possible
> ERROR: Session setup failed: NT_STATUS_ACCESS_DENIED
> DEBUG: get_exit_code(cli=0x561bb8db7d70,
> nt_status=NT_STATUS_ACCESS_DENIED [c0000022])
> ATTR: auth-info-required=negotiate
> DEBUG: Connected with NTLMSSP...
>
> ubuntu at bionic-smb-printer:~$ echo $?
> 0
>
> With, say, 4.10.7, I get:
> root at nsnx:~# /usr/lib/cups/backend/smb smb://10.10.1.6/ds216laser 34
> root page 1 options .bashrc; r=$?;echo;echo $r
> kerberos_ccache_is_valid: Failed to get default principal from ccache:
> FILE:/tmp/krb5cc_0
> DEBUG: This backend requires credentials!
> DEBUG: get_exit_code(nt_status=NT_STATUS_ACCESS_DENIED [c0000022])
> ATTR: auth-info-required=none
> DEBUG: Unable to connect to CIFS host: NT_STATUS_ACCESS_DENIED
> 2
>
> If I pass "anonymous" as the username, or even a blank space (!), then it works:
> root at nsnx:~# /usr/lib/cups/backend/smb smb://\ @10.10.1.6/ds216laser
> 34 root page 1 options .bashrc; r=$?;echo;echo $r
> DEBUG: SMB connection established.
>
> 0
>
>
> I found several bug reports, but none seems to address this issue
> exactly. Some were about printing with kerberos.
> https://bugzilla.samba.org/show_bug.cgi?id=13832
> https://bugzilla.samba.org/show_bug.cgi?id=13939
> https://bugzilla.samba.org/show_bug.cgi?id=13970
> https://bugzilla.redhat.com/show_bug.cgi?id=1700791
> https://bugzilla.redhat.com/show_bug.cgi?id=1706090
>
It was fixed in Samba 4.10 but was not backported to samba 4.9: 
https://bugzilla.samba.org/show_bug.cgi?id=13939

Yes, people report that it worked in 4.7 and broke in 4.9. But now it 
works in 4.10.

"Failed to get default principal from ccache: FILE:/tmp/krb5cc_0" - this 
means that ccache of root user is being looked for. You should symlink 
/usr/lib/cups/backend/smb to smbspool_krb5_wrapper, then ccache of the 
printing task creator will be found and used.

Please read a recent thread 
https://lists.samba.org/archive/samba-technical/2019-October/134470.html 
"Automating usage of smbspool_krb5_wrapper" from start to end, in the 
first email problem is explained and in the last patches are attached. I 
would appreceate if you test them in Ubuntu: they allow to symlink 
/usr/lib/cups/backend/smb -> smbspool_krb5_wrapper instead of smbspool 
and make printing work out of the box both with and without Kerberos.




More information about the samba-technical mailing list