Automating usage of smbspool_krb5_wrapper

Mikhail Novosyolov m.novosyolov at rosalinux.ru
Mon Oct 28 07:44:57 UTC 2019


28.10.2019 10:12, Andreas Schneider wrote:
> On Monday, 28 October 2019 07:32:13 CET Mikhail Novosyolov via samba-technical
> wrote:
>> Currently there are 2 alternatives for /var/lib/cups/backend/smb:
>> - /usr/bin/smbspool for printing to an SMB printer
>> - /usr/lib(64)/samba/smbspool_krb5_wrapper
>> for printing to an SMB printer with Kerberos authentication (e.g. inside
>> Active Directory domain). It makes use of Kerberos ccache of a user who
>> made the printing task instead of ccache of ldp daemon user.
>>
>> In Fedora, as I could understand from samba.spec
>> (https://src.fedoraproject.org/rpms/samba/blob/master/f/samba.spec),
>> package samba-krb5-printing has to be installed when it is needed to
>> switch from smbspool to smbspool_krb5_wrapper.
> Samba only provides smbspool and smbspool_krb5_wrapper. Installing it as a
> CUPS backend is done by downstream, e.g. Fedora.
>
> You should discuss it there. However there is probably a historic reason for
> smbspool_krb5_wrapper being in a separate package. Maybe the package could be
> installed by default or as a recommendation.
>
> So open a bug downstream :-)

I want to do this in the ROSA package of samba, not in Fedora. Currently it
has neither update-alternatives nor anything else. I wrote about
Fedora because many samba developers are familiar with it.

The question to this mailing list was how ready is smbspool_krb5_wrapper 
for being the default for /usr/lib/cups/backend/smb for all systems, 
both with and without Kerberos authentication. /usr/lib/cups/backend/smb 
must be something, either smbspool or smbspool_krb5_wrapper, otherwise 
CUPS will not understand where to find smb backend. Currently 
smbspool_krb5_wrapper does:

     /* Check if AuthInfoRequired is set to negotiate */
     env = getenv("AUTH_INFO_REQUIRED");

     /* If not set, then just call smbspool. */
     if (env == NULL || env[0] == 0) {
         CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
                    "execute smbspool");
         goto smbspool;

But AuthInfoRequired (AUTH_INFO_REQUIRED) == "none" or 
"username,password" in /etc/cups/printers.conf in most cases.

At least this check for AUTH_INFO_REQUIRED being null or empty but not
"none" or != "negotiate" makes smbspool_krb5_wrapper not ready to
be /usr/lib/cups/backend/smb for systems without Kerberos authentication.

There are 2 possible solutions:

1) either patch source3/client/smbspool_krb5_wrapper.c to "goto
smbspool;" if env does not contain "negotiate" instead of checking to be
either null or 0 - how correct will this be?

2) or make a shell script /usr/lib/cups/backend/smb that will try to 
guess when to call smbspool and when to call smbspool_krb5_wrapper

№1 seems to be a much better solution. I wanted to hear opinions
on how right it seems to be.
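
Added example, not part of the original post and not Samba's code: a stand-alone C model that compares the quoted null-or-empty check with option 1 for the AUTH_INFO_REQUIRED values the post mentions. The function names are hypothetical, and matching "negotiate" as a whole comma-separated entry (case-sensitive) rather than as a substring is an assumption about how "contains" should be read.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Check quoted in the post: only an unset or empty value jumps to smbspool. */
bool goes_to_smbspool_current(const char *env)
{
    return env == NULL || env[0] == 0;
}

/* True if the comma-separated list holds `token` as a whole entry. */
static bool has_token(const char *list, const char *token)
{
    size_t tlen = strlen(token);

    while (*list != '\0') {
        size_t len = strcspn(list, ",");   /* length of the current entry */
        if (len == tlen && strncmp(list, token, tlen) == 0)
            return true;
        list += len;
        if (*list == ',')
            list++;                        /* skip the separator */
    }
    return false;
}

/* Option 1 from the post: jump to smbspool unless "negotiate" is requested. */
bool goes_to_smbspool_proposed(const char *env)
{
    return env == NULL || !has_token(env, "negotiate");
}

int main(void)
{
    /* Values named in the post, embedded here as constructed test input. */
    const char *samples[] = { "", "none", "username,password", "negotiate" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-20s current=%-8s proposed=%s\n", samples[i],
               goes_to_smbspool_current(samples[i]) ? "smbspool" : "wrapper",
               goes_to_smbspool_proposed(samples[i]) ? "smbspool" : "wrapper");
    return 0;
}
```

With the quoted check, "none" and "username,password" do not take the smbspool jump; with option 1 only "negotiate" stays on the wrapper's Kerberos path.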
