Automating usage of smbspool_krb5_wrapper

Mikhail Novosyolov m.novosyolov at rosalinux.ru
Mon Oct 28 06:32:13 UTC 2019


Currently there are 2 alternatives for /var/lib/cups/backend/smb:
- /usr/bin/smbspool for printing to an SMB printer
- /usr/lib(64)/samba/smbspool_krb5_wrapper for printing to an SMB printer 
  with Kerberos authentication (e.g. inside an Active Directory domain). 
  It makes use of the Kerberos ccache of the user who made the printing 
  task instead of the ccache of the ldp daemon user.

In Fedora, as far as I could understand from samba.spec 
(https://src.fedoraproject.org/rpms/samba/blob/master/f/samba.spec), 
the package samba-krb5-printing has to be installed when it is necessary 
to switch from smbspool to smbspool_krb5_wrapper.

This has to be done manually. When a workstation is a member of an AD 
domain, printing with negotiate authorization in CUPS ("AuthInfoRequired 
negotiate" in /etc/cups/printers.conf) does not work, because 
/tmp/krb5cc_<UID_of_lp_user> is looked for instead of 
/tmp/krb5cc_<UID_of_printing_task_creator>. If access to the printing 
server is restricted to domain users only, nothing can be printed. 
smbspool_krb5_wrapper is meant to solve this problem and use the Kerberos 
credentials cache (ccache) of the correct user, if I understood correctly.

Recently some work has been done on smbspool and the krb5 wrapper 
(https://bugzilla.samba.org/show_bug.cgi?id=13939).

I tried to investigate whether it can be automated (in other words, to 
eliminate the need to install samba-krb5-printing).

source3/client/smbspool_krb5_wrapper.c has the following code:

     /* Check if AuthInfoRequired is set to negotiate */
     env = getenv("AUTH_INFO_REQUIRED");

     /* If not set, then just call smbspool. */
     if (env == NULL || env[0] == 0) {
         CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
                    "execute smbspool");
         goto smbspool;

Can't /var/lib/cups/backend/smb be ALWAYS symlinked to 
smbspool_krb5_wrapper?

I think that checking for AUTH_INFO_REQUIRED being null or empty can be 
replaced with a check that it contains "negotiate". Currently this 
condition will not work in most cases, because AUTH_INFO_REQUIRED will 
be set to "none" or "username,password". Then /var/lib/cups/backend/smb 
can always be symlinked to smbspool_krb5_wrapper without 
update-alternatives.

What do you think?
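
The check proposed in the message above, as an added example that is not part of the original post or of Samba's source. The names auth_info_wants_negotiate and choose_backend_path are hypothetical; the sketch assumes AUTH_INFO_REQUIRED is a comma-separated, lowercase list and matches "negotiate" as a whole token rather than as a substring, so a value such as "notnegotiate" still falls through to plain smbspool.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not Samba code): returns true only if the
 * comma-separated AuthInfoRequired value contains the exact token
 * "negotiate". Matching is case-sensitive (assumption). */
bool auth_info_wants_negotiate(const char *value)
{
    static const char want[] = "negotiate";
    const size_t want_len = sizeof(want) - 1;

    if (value == NULL) {
        return false;               /* unset: behave like plain smbspool */
    }
    while (*value != '\0') {
        /* Length of the current token, up to the next comma or the end. */
        size_t len = strcspn(value, ",");

        if (len == want_len && strncmp(value, want, want_len) == 0) {
            return true;
        }
        value += len;
        if (*value == ',') {
            value++;                /* step over the separator */
        }
    }
    return false;
}

/* Hypothetical dispatch decision for a backend that is always installed
 * as the wrapper: 1 = use the user's Kerberos ccache, 0 = exec smbspool. */
int choose_backend_path(void)
{
    return auth_info_wants_negotiate(getenv("AUTH_INFO_REQUIRED")) ? 1 : 0;
}

int main(void)
{
    puts(choose_backend_path() ? "krb5 ccache path" : "plain smbspool");
    return 0;
}
```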
