Automating usage of smbspool_krb5_wrapper
Mikhail Novosyolov
m.novosyolov at rosalinux.ru
Mon Oct 28 06:32:13 UTC 2019

Currently there are 2 alternatives for /var/lib/cups/backend/smb:
- /usr/bin/smbspool for printing to an SMB printer
- /usr/lib(64)/samba/smbspool_krb5_wrapper for printing to an SMB
  printer with Kerberos authentication (e.g. inside an Active Directory
  domain). It makes use of the Kerberos ccache of the user who made the
  printing task instead of the ccache of the ldp daemon user.

In Fedora, as far as I could understand from samba.spec
(https://src.fedoraproject.org/rpms/samba/blob/master/f/samba.spec),
the package samba-krb5-printing has to be installed when it is needed to
switch from smbspool to smbspool_krb5_wrapper.
This has to be done manually. When a workstation is a member of an AD
domain, printing with negotiate authorization in CUPS ("AuthInfoRequired
negotiate" in /etc/cups/printers.conf) does not work, because
/tmp/krb5cc_<UID_of_lp_user> is looked for instead of
/tmp/krb5cc_<UID_of_printing_task_creator>. If access to the printing
server is restricted to domain users only, nothing can be printed.

smbspool_krb5_wrapper aims to solve this problem and use the Kerberos
credentials cache (ccache) of the correct user, if I understood correctly.
Recently some work has been done on smbspool and krb5 wrapper
(https://bugzilla.samba.org/show_bug.cgi?id=13939).

I tried to investigate whether it can be automated (in other words, to
eliminate the need to install samba-krb5-printing).

source3/client/smbspool_krb5_wrapper.c has the following code:

    /* Check if AuthInfoRequired is set to negotiate */
    env = getenv("AUTH_INFO_REQUIRED");

    /* If not set, then just call smbspool. */
    if (env == NULL || env[0] == 0) {
        CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
                       "execute smbspool");
        goto smbspool;
    }

Can't /var/lib/cups/backend/smb be ALWAYS symlinked to
smbspool_krb5_wrapper?
I think that checking for AUTH_INFO_REQUIRED being null or empty can be
replaced with a check that it contains "negotiate". Currently this
condition will not work in most cases, because AUTH_INFO_REQUIRED will
be set to "none" or "username,password". Then /var/lib/cups/backend/smb
can always be symlinked to smbspool_krb5_wrapper without
update-alternatives.
What do you think?
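
Added example (not part of the original message and not Samba's code): a side-by-side model of the check quoted in the excerpt above and the check the message proposes, run over the AUTH_INFO_REQUIRED values it mentions. The function names are hypothetical, and comparing whole comma-separated tokens rather than searching for a substring is an assumption of this sketch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Check as quoted in the excerpt: only an unset or empty value goes to smbspool. */
static bool quoted_check_uses_krb5(const char *env)
{
    return !(env == NULL || env[0] == '\0');
}

/*
 * Proposed check: take the Kerberos path only when "negotiate" is one of the
 * comma-separated tokens. Whole-token comparison (an assumption of this
 * sketch) avoids matching a substring of some other value.
 */
static bool proposed_check_uses_krb5(const char *env)
{
    static const char want[] = "negotiate";
    const size_t want_len = sizeof(want) - 1;

    if (env == NULL) {
        return false;
    }
    while (*env != '\0') {
        size_t len = strcspn(env, ",");   /* length of the current token */
        if (len == want_len && strncmp(env, want, want_len) == 0) {
            return true;
        }
        env += len;
        if (*env == ',') {
            env++;                        /* skip the separator */
        }
    }
    return false;
}

int main(void)
{
    /* Constructed sample values; NULL stands for an unset variable. */
    const char *samples[] = { NULL, "", "none", "username,password", "negotiate" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *v = samples[i];
        printf("%-20s quoted=%-9s proposed=%s\n", v ? v : "(unset)",
               quoted_check_uses_krb5(v) ? "krb5" : "smbspool",
               proposed_check_uses_krb5(v) ? "krb5" : "smbspool");
    }
    return 0;
}
```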