Automating usage of smbspool_krb5_wrapper

Mikhail Novosyolov m.novosyolov at rosalinux.ru
Fri Dec 6 07:57:25 UTC 2019



On 6 December 2019 9:56:32 GMT+03:00, Andreas Schneider <asn at samba.org> wrote:
>On Friday, 6 December 2019 07:36:50 CET Mikhail Novosyolov wrote:
>> 06.12.2019 09:30, Andreas Schneider wrote:
>> > On Thursday, 5 December 2019 22:27:59 CET Mikhail Novosyolov wrote:
>> >> 26.11.2019 19:20, Andreas Schneider wrote:
>> >>> On Tuesday, 26 November 2019 00:49:08 CET Mikhail Novosyolov via
>samba-
>> >>> 
>> >>>> I have tested those 4 patches (2 yours, Andreas, and 2 mine that I sent
>> >>>> here previously). Behaviour of /usr/lib/cups/backend/smb symlinked to
>> >>>> patched smbspool_krb5_wrapper seems to be correct: it passes printing
>> >>>> tasks from printers without "AuthInfoRequired negotiate" directly to
>> >>>> smbspool and correctly finds /tmp/krb5cc_$UID for printers with
>> >>>> "AuthInfoRequired negotiate", where UID is a local ID of a domain user.
>> >>>> I clearly see this in /var/log/cups/error_log when it is "LogLevel
>> >>>> debug2" in /etc/cups/cupsd.conf.
>> >>>> 
>> >>>> So, these patches are ready to be merged, I think.
>> >>> 
>> >>> I'm not able to apply your patches. Could you please send patches created
>> >>> with 'git format-patch' or point me to a git repo where I could pick
>> >>> them?
>> >> 
>> >> Hello Andreas,
>> >> I have recently read how it is recommended to send patches to Linux kernel
>> >> and it is recommended to send them as plain text, not as attachments, so
>> >> I'm resending them as plain text emails in the following emails.
>> > 
>> > For samba we prefer one attachment as a patchset or a merge request.
>> 
>> Ok, thanks.
>> 
>> > I opened one here:
>> > 
>> > https://gitlab.com/samba-team/samba/merge_requests/961
>> 
>> Why are you sure that the root user cannot print using Kerberos
>> authorization? There should be no problem to get a kerberos ticket from
>> root and sometimes it can be needed, for example if system-config-printer
>> GTK+ GUI is run from root via consolekit or if a crappy proprietary
>> application works from root and requires printing.
>
>If we are root and have a valid kerberos ticket and we want to print a doc,
>there is no need to do any uid changing and trying to find the credential
>cache. We should just call smbspool directly.
>
>Remember: smbspool_krb5_wrapper is there to switch to the uid of the user
>printing the document, so that we get access to the krb5 credential cache. If
>we're already root:
>
>a) we already are the right user
>b) we have access to the krb5 credential cache

I see, sorry, forgot that smbspool is capable of finding krb5 ccache. Thanks for explaining.
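
Added example, not part of the original thread and not Samba's code: a sketch in C of the decision the thread describes (pass through without "AuthInfoRequired negotiate", use /tmp/krb5cc_$UID with it, call smbspool directly for root). The names wrapper_decide and enum action are hypothetical; that CUPS supplies AUTH_INFO_REQUIRED and AUTH_UID in the backend environment, and that "we are root" means the job's UID is 0, are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

enum action { SMBSPOOL_DIRECT, SWITCH_UID_USE_CCACHE, FAIL };

/* Hypothetical helper: picks what the wrapper does for one print job.
 * Assumption: CUPS passes AUTH_INFO_REQUIRED and AUTH_UID in the backend's
 * environment; the values are parameters here so the logic is testable. */
enum action wrapper_decide(const char *auth_info_required, const char *auth_uid,
                           uid_t *target_uid, char *ccache, size_t ccache_len)
{
    char *end = NULL;
    unsigned long v;
    int n;

    /* Printer without "AuthInfoRequired negotiate": pass straight through. */
    if (auth_info_required == NULL ||
        strcmp(auth_info_required, "negotiate") != 0)
        return SMBSPOOL_DIRECT;
    /* Only plain decimal digits: strtoul alone would accept "-1" or " 7". */
    if (auth_uid == NULL || !isdigit((unsigned char)auth_uid[0]))
        return FAIL;
    errno = 0;
    v = strtoul(auth_uid, &end, 10);
    if (errno != 0 || *end != '\0' || v != (unsigned long)(uid_t)v)
        return FAIL;
    /* Job owned by root: no uid change, no ccache lookup by the wrapper. */
    if (v == 0)
        return SMBSPOOL_DIRECT;
    n = snprintf(ccache, ccache_len, "/tmp/krb5cc_%lu", v);
    if (n < 0 || (size_t)n >= ccache_len)
        return FAIL;
    *target_uid = (uid_t)v;
    return SWITCH_UID_USE_CCACHE;
}

int main(void)
{
    uid_t uid = 0;
    char cc[64] = "";
    /* Constructed sample job: negotiate printer, local UID 1000. */
    enum action a = wrapper_decide("negotiate", "1000", &uid, cc, sizeof(cc));
    printf("action=%d uid=%lu ccache=%s\n", (int)a, (unsigned long)uid, cc);
    return 0;
}
```

A real wrapper would also confirm that the cache file exists and is owned by the target UID before pointing KRB5CCNAME at it; that check is left out here.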



More information about the samba-technical mailing list