smbspool without authentication no longer works?

Andreas Hasenack andreas at
Fri Nov 29 12:51:30 UTC 2019

Hello Mikhail,

thanks for your reply!

On Thu, Nov 28, 2019 at 5:03 PM Mikhail Novosyolov
<m.novosyolov at> wrote:
> 28.11.2019 21:11, Andreas Hasenack via samba-technical пишет:
> > Hi,
> >
> > is smbspool supposed to work without authentication, in the case the
> > printer is shared like that?

> It was fixed in Samba 4.10 but was not backported to samba 4.9:

The commits in master, and the provided patches for older releases,
don't seem to address the unauthenticated case, i.e., guest printing,
which worked in 4.7.6.

> Yes, people report that it worked in 4.7 and broke in 4.9. But now it
> works in 4.10.

Maybe there are many similar scenarios here. What I was testing is
unauthenticated printing with smbspool, i.e., no username or password
specified in the URL or any env variable. cups is also set to allow
printing from anyone, i.e., AuthInfoRequired is none. I tested that
with 4.10.7 and debian's 4.11.1 and it doesn't work.

> "Failed to get default principal from ccache: FILE:/tmp/krb5cc_0" - this
> means that ccache of root user is being looked for. You should symlink
> /usr/lib/cups/backend/smb to smbspool_krb5_wrapper, then ccache of the
> printing task creator will be found and used.

I'm not trying to use kerberos authentication. Since
auth_info_required is none/NULL, the code skips these (and username is
NULL too):
    if (strcmp(auth_info_required, "negotiate") == 0) {
    } else if (strcmp(auth_info_required, "username,password") == 0) {
    } else {
        if (username != NULL) {
        } else if (kerberos_ccache_is_valid()) { <--- no kerberos ticket
        } else {
                "DEBUG: This backend requires credentials!\n");
            return NT_STATUS_ACCESS_DENIED;

So it doesn't even get to try passwordless NTLMSSP later on:
    /* give a chance for a passwordless NTLMSSP session setup */
    pwd = getpwuid(geteuid());
    if (pwd == NULL) {

    nt_status = smb_complete_connection(&cli,

or guest/anonymous:
         * last try. Use anonymous authentication

    nt_status = smb_complete_connection(&cli,
                        "", <--- username
                        "", <--- password

> Please read a recent thread
> "Automating usage of smbspool_krb5_wrapper" from start to end, in the
> first email problem is explained and in the last patches are attached. I
> would appreceate if you test them in Ubuntu: they allow to symlink
> /usr/lib/cups/backend/smb -> smbspool_krb5_wrapper instead of smbspool
> and make printing work out of the box both with and without Kerberos.

Thanks for the pointer.;a=commitdiff;h=d5e8813b1f8219da231e82735780e3e6c35c66e2


Seem to be going in the direction of fixing the present issue. Has
anybody tried those yet, or what is their state?

More information about the samba-technical mailing list