Automating usage of smbspool_krb5_wrapper
Mikhail Novosyolov
m.novosyolov at rosalinux.ru
Mon Oct 28 07:44:57 UTC 2019
28.10.2019 10:12, Andreas Schneider wrote:
> On Monday, 28 October 2019 07:32:13 CET Mikhail Novosyolov via samba-technical
> wrote:
>> Currently there are 2 alternatives for /var/lib/cups/backend/smb:
>> - /usr/bin/smbspool for printing to an SMB printer
>> - /usr/lib(64)/samba/smbspool_krb5_wrapper
>> for printing to an SMB printer with Kerberos authentication (e.g. inside
>> Active Directory domain). It makes use of Kerberos ccache of a user who
>> made the printing task instead of ccache of ldp daemon user.
>>
>> In Fedora, as I could understand from samba.spec
>> (https://src.fedoraproject.org/rpms/samba/blob/master/f/samba.spec),
>> package samba-krb5-printing has to be installed when it is needed to
>> switch from smbspool to smbspool_krb5_wrapper.
> Samba only provides smbspool and smbspool_krb5_wrapper. Installing it as a
> CUPS backend is done by downstream, e.g. Fedora.
>
> You should discuss it there. However there is probably a historic reason for
> smbspool_krb5_wrapper being in a separate package. Maybe the package could be
> installed by default or as a recommendation.
>
> So open a bug downstream :-)
I want to do this in ROSA package of samba, not in Fedora. Currently it
has neither update-alternatives, nor something else. I wrote about
Fedora because many samba developers are familiar with it.
The question to this mailing list was how ready is smbspool_krb5_wrapper
for being the default for /usr/lib/cups/backend/smb for all systems,
both with and without Kerberos authentication. /usr/lib/cups/backend/smb
must be something, either smbspool or smbspool_krb5_wrapper, otherwise
CUPS will not understand where to find smb backend. Currently
smbspool_krb5_wrapper does:

    /* Check if AuthInfoRequired is set to negotiate */
    env = getenv("AUTH_INFO_REQUIRED");

    /* If not set, then just call smbspool. */
    if (env == NULL || env[0] == 0) {
        CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
                       "execute smbspool");
        goto smbspool;
    }

But AuthInfoRequired (AUTH_INFO_REQUIRED) == "none" or
"username,password" in /etc/cups/printers.conf in most cases.
At least this check for AUTH_INFO_REQUIRED being null or empty but not
"none" or != "negotiate" makes smbspool_krb5_wrapper not ready to
be /usr/lib/cups/backend/smb for systems without Kerberos authentication.
There are 2 possible solutions:
1) either patch source3/client/smbspool_krb5_wrapper.c to "goto
smbspool;" if env does not contain "negotiate" instead of checking to be
either null or 0 - how correct will this be?
2) or make a shell script /usr/lib/cups/backend/smb that will try to
guess when to call smbspool and when to call smbspool_krb5_wrapper
№1 seems to be a much better solution. I wanted to hear opinions
on how right it seems to be.
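
Added example, not part of the original message and not Samba's code: one way the dispatch proposed in option 1 could be written, so that only an AuthInfoRequired value carrying the exact token "negotiate" takes the Kerberos path and every other value falls through to smbspool. The names choose_backend, auth_info_has_token and the enum are hypothetical, and the sample values in main() are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not identifiers from Samba. */
enum smb_backend { BACKEND_SMBSPOOL, BACKEND_KRB5_WRAPPER };

/* Return 1 if the comma-separated list holds the exact token `want`.
 * Comparing whole tokens avoids the false match a substring search
 * (strstr) gives on a value that merely embeds the word. */
static int auth_info_has_token(const char *list, const char *want)
{
    size_t want_len = strlen(want);
    const char *p = list;

    while (*p != '\0') {
        size_t len = strcspn(p, ",");   /* length up to next comma/end */
        const char *tok = p;
        size_t tok_len = len;

        /* Trim blanks around the token. */
        while (tok_len > 0 && (*tok == ' ' || *tok == '\t')) { tok++; tok_len--; }
        while (tok_len > 0 && (tok[tok_len - 1] == ' ' || tok[tok_len - 1] == '\t')) tok_len--;

        if (tok_len == want_len && strncmp(tok, want, want_len) == 0)
            return 1;
        p += len;
        if (*p == ',')
            p++;
    }
    return 0;
}

/* Decide which backend handles the job for a given AUTH_INFO_REQUIRED. */
enum smb_backend choose_backend(const char *auth_info_required)
{
    if (auth_info_required == NULL || auth_info_required[0] == '\0')
        return BACKEND_SMBSPOOL;            /* the existing check */
    if (auth_info_has_token(auth_info_required, "negotiate"))
        return BACKEND_KRB5_WRAPPER;        /* Kerberos: use the user's ccache */
    return BACKEND_SMBSPOOL;                /* "none", "username,password", ... */
}

int main(void)
{
    /* Constructed sample values, as they could appear in printers.conf. */
    const char *samples[] = { "", "none", "username,password", "negotiate" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("\"%s\" -> %s\n", samples[i],
               choose_backend(samples[i]) == BACKEND_KRB5_WRAPPER
                   ? "smbspool_krb5_wrapper" : "smbspool");
    return 0;
}
```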