smbspool without authentication no longer works?

Andreas Hasenack andreas at canonical.com
Fri Nov 29 12:51:30 UTC 2019 

Hello Mikhail,

thanks for your reply!


On Thu, Nov 28, 2019 at 5:03 PM Mikhail Novosyolov
<m.novosyolov at rosalinux.ru> wrote:
>
> 28.11.2019 21:11, Andreas Hasenack via samba-technical пишет:
> > Hi,
> >
> > is smbspool supposed to work without authentication, in the case the
> > printer is shared like that?

> It was fixed in Samba 4.10 but was not backported to samba 4.9:
> https://bugzilla.samba.org/show_bug.cgi?id=13939

The commits in master, and the provided patches for older releases,
don't seem to address the unauthenticated case, i.e., guest printing,
which worked in 4.7.6.


> Yes, people report that it worked in 4.7 and broke in 4.9. But now it
> works in 4.10.

Maybe there are many similar scenarios here. What I was testing is
unauthenticated printing with smbspool, i.e., no username or password
specified in the URL or any env variable. cups is also set to allow
printing from anyone, i.e., AuthInfoRequired is none. I tested that
with 4.10.7 and debian's 4.11.1 and it doesn't work.

> "Failed to get default principal from ccache: FILE:/tmp/krb5cc_0" - this
> means that ccache of root user is being looked for. You should symlink
> /usr/lib/cups/backend/smb to smbspool_krb5_wrapper, then ccache of the
> printing task creator will be found and used.

I'm not trying to use kerberos authentication. Since
auth_info_required is none/NULL, the code skips these (and username is
NULL too):
    if (strcmp(auth_info_required, "negotiate") == 0) {
...
    } else if (strcmp(auth_info_required, "username,password") == 0) {
...
    } else {
        if (username != NULL) {
...
        } else if (kerberos_ccache_is_valid()) { <--- no kerberos ticket
...
        } else {
            fprintf(stderr,
                "DEBUG: This backend requires credentials!\n");
            return NT_STATUS_ACCESS_DENIED;

So it doesn't even get to try passwordless NTLMSSP later on:
    /* give a chance for a passwordless NTLMSSP session setup */
    pwd = getpwuid(geteuid());
    if (pwd == NULL) {
        return NT_STATUS_ACCESS_DENIED;
    }

    nt_status = smb_complete_connection(&cli,
...

or guest/anonymous:
    /*
         * last try. Use anonymous authentication
         */

    nt_status = smb_complete_connection(&cli,
                        myname,
                        server,
                        port,
                        "", <--- username
                        "", <--- password
                        workgroup,



>
> Please read a recent thread
> https://lists.samba.org/archive/samba-technical/2019-October/134470.html
> "Automating usage of smbspool_krb5_wrapper" from start to end, in the
> first email problem is explained and in the last patches are attached. I
> would appreceate if you test them in Ubuntu: they allow to symlink
> /usr/lib/cups/backend/smb -> smbspool_krb5_wrapper instead of smbspool
> and make printing work out of the box both with and without Kerberos.

Thanks for the pointer.

https://git.samba.org/?p=asn/samba.git;a=commitdiff;h=d5e8813b1f8219da231e82735780e3e6c35c66e2

and

https://git.samba.org/?p=asn/samba.git;a=commitdiff;h=20dd0308aa072ed656550af487338b50cda9b59f

Seem to be going in the direction of fixing the present issue. Has
anybody tried those yet, or what is their state?

More information about the samba-technical mailing list