Automating usage of smbspool_krb5_wrapper
Mikhail Novosyolov
m.novosyolov at rosalinux.ru
Mon Oct 28 19:38:08 UTC 2019
28.10.2019 11:47, Andreas Schneider wrote:
> On Monday, 28 October 2019 08:58:26 CET Mikhail Novosyolov via samba-technical
> wrote:
>> 28.10.2019 10:44, Mikhail Novosyolov wrote:
>>> <...>
>>> There are 2 possible solutions:
>>>
>>> 1) either patch source3/client/smbspool_krb5_wrapper.c to "goto
>>> smbspool;" if env does not contain "negotiate" instead of checking to
>>> be either null or 0 - how correct will this be?
>> I mean this:
>>
>> diff --git a/source3/client/smbspool_krb5_wrapper.c
>> b/source3/client/smbspool_krb5_wrapper.c
>> index bff1df417e8..000a613291e 100644
>> --- a/source3/client/smbspool_krb5_wrapper.c
>> +++ b/source3/client/smbspool_krb5_wrapper.c
>> @@ -149,7 +149,7 @@ int main(int argc, char *argv[])
>> env = getenv("AUTH_INFO_REQUIRED");
>>
>> /* If not set, then just call smbspool. */
>> - if (env == NULL || env[0] == 0) {
>> + if (env == NULL || env == "none" || env[0] == 0) {
>> CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
>> "execute smbspool");
>> goto smbspool;
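Review bot: In the added condition, `env == "none"` compares the pointer returned by getenv() with the address of a string literal, not the string contents, so it does not match a real AUTH_INFO_REQUIRED=none and the new branch is effectively dead. Compare contents with strcmp(env, "none") == 0, keeping it after the env == NULL check. If "none" is meant to take this path, the debug text "AUTH_INFO_REQUIRED is not set" should also be reworded, since the variable would be set in that case.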
> This is obviously wrong :-)
>
> Did you see the code below? The question is if we should map
>
> AUTH_INFO_REQUIRED=none
>
> to anonymous. I've created a patchset you can find here:
>
> https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-smbspool
>
>
> However you need to try all combinations, username/password, kerberos and none
> for anonymous.
Thank you! I did not test these patches yet, first tried to understand
how it works.

Could you please explain a bit how it works?

About smbspool.

I see that AUTH_INFO_REQUIRED == NULL (not set) and
AUTH_INFO_REQUIRED="none" are treated differently.

Code of smbspool seems to try to guess authentication method if
AUTH_INFO_REQUIRED == NULL. If username for authentication was provided,
it will do the same as in case of AUTH_INFO_REQUIRED == "username,
password"
[ but will not print "DEBUG: Try to connect using username/password
...\n", maybe also print it? ].

If AUTH_INFO_REQUIRED == NULL && ( username == NULL || username's
kerberos ccache is not valid ), then NT_STATUS_ACCESS_DENIED will be
returned. Why are you sure that it is not an anonymous connection if
AUTH_INFO_REQUIRED was not set? Does a situation with not set
AUTH_INFO_REQUIRED ever happen in CUPS? If it does, when does it happen?
I could not find any documentation and source code is not very clear.

As for smbspool_krb5_wrapper.

    cmp = strcmp(env, "negotiate");
    if (cmp != 0) {
        CUPS_SMB_ERROR("Authentication unsupported");
        fprintf(stderr, "ATTR: auth-info-required=negotiate\n");
        return CUPS_BACKEND_AUTH_REQUIRED;
    }

If I understood correctly, this code will be executed after all other
_known_ possible values of variable AUTH_INFO_REQUIRED were tried.
CUPS_BACKEND_AUTH_REQUIRED will be returned if AUTH_INFO_REQUIRED is set
to a not known value. And it seems possible for this value to be not
known, e.g.
job.c (https://github.com/apple/cups/blob/master/scheduler/job.c#L1017)
in cups can work with situations when it has up to 4 comma-separated
components, I don't know examples, but now smbspool_krb5_wrapper will
return CUPS_BACKEND_AUTH_REQUIRED.

If we intend to make smbspool_krb5_wrapper universal, I think "goto
smbspool;" should be done in cases of not clear AUTH_INFO_REQUIRED, not
exit with error.

Sorry if I misunderstood something. Thank you for quick patches!
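
The dispatch discussed in this message, as an added sketch that is not part of the original mail and not Samba's code. The action names and classify_auth_info() are hypothetical; unknown or multi-component values fall through to plain smbspool as the message proposes, whereas the wrapper code quoted above returns CUPS_BACKEND_AUTH_REQUIRED for them.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical outcomes for this sketch; the names are not Samba's. */
enum auth_action { ACT_SMBSPOOL, ACT_ANONYMOUS, ACT_USERPASS, ACT_KERBEROS };

/* True when the len-byte token at p equals word (content compare, not ==). */
static int tok_is(const char *p, size_t len, const char *word)
{
    return strlen(word) == len && strncmp(p, word, len) == 0;
}

/* Classify AUTH_INFO_REQUIRED. Unset, empty and unrecognised values all
 * fall through to plain smbspool, as the message proposes. */
enum auth_action classify_auth_info(const char *env)
{
    int n = 0, user = 0, pass = 0, none = 0, nego = 0;
    const char *p = env;

    if (env == NULL || env[0] == '\0')
        return ACT_SMBSPOOL;
    while (*p != '\0') {
        size_t len;
        p += strspn(p, " ");          /* tolerate "username, password" */
        len = strcspn(p, ",");        /* length of the current component */
        n++;
        user |= tok_is(p, len, "username");
        pass |= tok_is(p, len, "password");
        none |= tok_is(p, len, "none");
        nego |= tok_is(p, len, "negotiate");
        p += len;
        if (*p == ',')
            p++;
    }
    if (n == 1 && none) return ACT_ANONYMOUS;
    if (n == 1 && nego) return ACT_KERBEROS;
    if (n == 2 && user && pass) return ACT_USERPASS;
    return ACT_SMBSPOOL;              /* unknown or multi-component value */
}

int main(void)
{
    /* Constructed sample values, not taken from a real CUPS job. */
    const char *samples[] = { NULL, "", "none", "negotiate",
                              "username,password", "domain,username,password" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-28s -> %d\n", samples[i] ? samples[i] : "(unset)",
               classify_auth_info(samples[i]));
    return 0;
}
```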