Automating usage of smbspool_krb5_wrapper

Mikhail Novosyolov m.novosyolov at
Mon Oct 28 19:38:08 UTC 2019

28.10.2019 11:47, Andreas Schneider пишет:
> On Monday, 28 October 2019 08:58:26 CET Mikhail Novosyolov via samba-technical
> wrote:
>> 28.10.2019 10:44, Mikhail Novosyolov пишет:
>>> <...>
>>> There are 2 possible solutions:
>>> 1) either patch source3/client/smbspool_krb5_wrapper.c to "goto
>>> smbspool;" if env does not contain "negotiate" instead of chekcing to
>>> be either null or 0 - how correct will this be?
>> I mean this:
>> diff --git a/source3/client/smbspool_krb5_wrapper.c
>> b/source3/client/smbspool_krb5_wrapper.c
>> index bff1df417e8..000a613291e 100644
>> --- a/source3/client/smbspool_krb5_wrapper.c
>> +++ b/source3/client/smbspool_krb5_wrapper.c
>> @@ -149,7 +149,7 @@ int main(int argc, char *argv[])
>>           env = getenv("AUTH_INFO_REQUIRED");
>>            /* If not set, then just call smbspool. */
>> -       if (env == NULL || env[0] == 0) {
>> +       if (env == NULL || env == "none" || env[0] == 0) {
>>                   CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
>>                                  "execute smbspool");
>>                   goto smbspool;
> This is obviously wrong :-)
> Did you see the code below? The question is if we should map
> to anonymous. I've created a patchset you can find here:
> However you need to try all combinations, username/password, kerberos and none
> for anonymous.

Thank you! I did not test these patches yet, first tried to understand 
how it works.

Could you please explain a bit how it works?

About smbspool.

I see that AUTH_INFO_REQUIRED == NULL (not set) and 
AUTH_INFO_REQUIRED="none" are treated differently.

Code of smbspool seems to try to guess authentication method if 
AUTH_INFO_REQUIRED == NULL. If username for authentication was provide, 
it will do the same as in case of  AUTH_INFO_REQUIRED == "username, 
[ but will not print "DEBUG: Try to connect using username/password 
...\n", maybe also print it? ].

If AUTH_INFO_REQUIRED == NULL && ( username == NULL || usernames's 
kerberos ccache is not valid ), then NT_STATUS_ACCESS_DENIED will be 
returned. Why are you sure that it is not an anonymous connection if 
AUTH_INFO_REQUIRED was not set? Does a situation with not set 
AUTH_INFO_REQUIRED ever happen in CUPS? If it does, when does it happen? 
I could not find any documentation and source code is not very clear.

As for smbspool_krb5_wrapper.

cmp = strcmp(env, "negotiate");
if (cmp != 0) {
      CUPS_SMB_ERROR("Authentication unsupported");
      fprintf(stderr, "ATTR: auth-info-required=negotiate\n");

If I understood corretly, this code will be executed after all other 
_known_ possible values of variable AUTH_INFO_REQUIRED were tried. 
to a not known value. And this value seems to be possible not know, e.g. 
job.c ( 
in cups can work with situations when it hasup up to 4 comma-separated 
components, I don't know examples, but now smpspool_krb5_wrapper will 

If we intend to make smbspool_krb5_wrapper universal, I think "goto 
smbspool;" should be done in cases of not clear AUTH_INFO_REQUIRED, not 
exit with error.

Sorry if I misunderstood something. Thank you for quick patches!

More information about the samba-technical mailing list