Use smbspool_krb5_wrapper by default instead of smbspool (exp.)

See https://lists.samba.org/archive/samba-technical/2019-October/134470.html and further emails in that thread for details
2025-02-23 09:02:49 +00:00 · 2019-11-03 02:05:01 +03:00 · 2019-11-03 02:05:01 +03:00 · 4001a7c17a
commit 4001a7c17a
parent 62605cbc8c
5 changed files with 342 additions and 2 deletions
--- a/0001-smbspool-Map-AUTH_INFO_REQUIRED-none-to-anonymous-co.patch
+++ b/0001-smbspool-Map-AUTH_INFO_REQUIRED-none-to-anonymous-co.patch
@ -0,0 +1,55 @@
+From 3ad5ed9bc31d46360b6bf025773bf8ade4717bf8 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 28 Oct 2019 09:35:34 +0100
+Subject: [PATCH 1/4] smbspool: Map AUTH_INFO_REQUIRED=none to anonymous
+ connection
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ source3/client/smbspool.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index 36f7f67ca94..34def0c91a9 100644
+--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
+@@ -287,7 +287,7 @@ main(int argc,			/* I - Number of command-line arguments */
+ 
+ 	auth_info_required = getenv("AUTH_INFO_REQUIRED");
+ 	if (auth_info_required == NULL) {
+-		auth_info_required = "none";
+		auth_info_required = "samba";
+ 	}
+ 
+ 	/*
+@@ -718,7 +718,9 @@ smb_connect(struct cli_state **output_cli,
+ 
+ 		fprintf(stderr,
+ 			"DEBUG: Try to connect using username/password ...\n");
+-	} else {
+	} else if (strcmp(auth_info_required, "none") == 0) {
+		goto anonymous;
+	} else if (strcmp(auth_info_required, "samba") == 0) {
+ 		if (username != NULL) {
+ 			flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+ 		} else if (kerberos_ccache_is_valid()) {
+@@ -731,6 +733,8 @@ smb_connect(struct cli_state **output_cli,
+ 				"DEBUG: This backend requires credentials!\n");
+ 			return NT_STATUS_ACCESS_DENIED;
+ 		}
+	} else {
+		return NT_STATUS_ACCESS_DENIED;
+ 	}
+ 
+ 	nt_status = smb_complete_connection(&cli,
+@@ -780,6 +784,7 @@ smb_connect(struct cli_state **output_cli,
+          * last try. Use anonymous authentication
+          */
+ 
+anonymous:
+ 	nt_status = smb_complete_connection(&cli,
+ 					    myname,
+ 					    server,
+-- 
+2.20.1
+
--- a/0002-s3-smbspool_krb5_wrapper-Map-AUTH_INFO_REQUIRED-none.patch
+++ b/0002-s3-smbspool_krb5_wrapper-Map-AUTH_INFO_REQUIRED-none.patch
@ -0,0 +1,108 @@
+From 28bbb580dead3f4a523335f89f020ce522458571 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 28 Oct 2019 09:38:08 +0100
+Subject: [PATCH 2/4] s3:smbspool_krb5_wrapper: Map AUTH_INFO_REQUIRED=none to
+ anonymous
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ selftest/target/Samba4.pm              |  3 +++
+ source3/client/smbspool_krb5_wrapper.c | 18 ++++++++++++------
+ source3/script/tests/test_smbspool.sh  | 10 +++-------
+ 3 files changed, 18 insertions(+), 13 deletions(-)
+
+diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
+index 1310e2ff09f..23dafba1574 100755
+--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
+@@ -1845,6 +1845,9 @@ sub provision_ad_dc($$$$$$)
+ 	copy = print1
+ [print3]
+ 	copy = print1
+[print4]
+	copy = print1
+	guest ok = yes
+ [lp]
+ 	copy = print1
+ ";
+diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
+index bff1df417e8..bd6319ca9c3 100644
+--- a/source3/client/smbspool_krb5_wrapper.c
+++ b/source3/client/smbspool_krb5_wrapper.c
+@@ -149,17 +149,19 @@ int main(int argc, char *argv[])
+ 	env = getenv("AUTH_INFO_REQUIRED");
+ 
+         /* If not set, then just call smbspool. */
+-	if (env == NULL || env[0] == 0) {
+	if (env == NULL || env == "none" || env[0] == 0) {
+ 		CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
+ 			       "execute smbspool");
+ 		goto smbspool;
+ 	} else {
+ 		CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED=%s", env);
+ 
+-		snprintf(auth_info_required,
+-			 sizeof(auth_info_required),
+-			 "%s",
+-			 env);
+		cmp = strcmp(env, "none");
+		if (cmp == 0) {
+			CUPS_SMB_DEBUG("Authenticate using none (anonymous) - "
+				       "execute smbspool");
+			goto smbspool;
+		}
+ 
+ 		cmp = strcmp(env, "username,password");
+ 		if (cmp == 0) {
+@@ -168,13 +170,17 @@ int main(int argc, char *argv[])
+ 			goto smbspool;
+ 		}
+ 
+-		/* if AUTH_INFO_REQUIRED=none */
+ 		cmp = strcmp(env, "negotiate");
+ 		if (cmp != 0) {
+ 			CUPS_SMB_ERROR("Authentication unsupported");
+ 			fprintf(stderr, "ATTR: auth-info-required=negotiate\n");
+ 			return CUPS_BACKEND_AUTH_REQUIRED;
+ 		}
+
+		snprintf(auth_info_required,
+			 sizeof(auth_info_required),
+			 "%s",
+			 env);
+ 	}
+ 
+ 	uid = getuid();
+diff --git a/source3/script/tests/test_smbspool.sh b/source3/script/tests/test_smbspool.sh
+index 7ba03f01fc7..01d72101615 100755
+--- a/source3/script/tests/test_smbspool.sh
+++ b/source3/script/tests/test_smbspool.sh
+@@ -48,7 +48,7 @@ test_smbspool_noargs()
+ 
+ test_smbspool_authinforequired_none()
+ {
+-	cmd='$samba_smbspool_krb5 smb://$SERVER_IP/print1 200 $USERNAME "Testprint" 1 "options" $SRCDIR/testdata/printing/example.ps 2>&1'
+	cmd='$samba_smbspool_krb5 smb://$SERVER_IP/print4 200 $USERNAME "Testprint" 1 "options" $SRCDIR/testdata/printing/example.ps 2>&1'
+ 
+ 	AUTH_INFO_REQUIRED="none"
+ 	export AUTH_INFO_REQUIRED
+@@ -60,14 +60,10 @@ test_smbspool_authinforequired_none()
+ 	if [ $ret != 0 ]; then
+ 		echo "$out"
+ 		echo "failed to execute $smbspool_krb5"
+-	fi
+-
+-	echo "$out" | grep 'ATTR: auth-info-required=negotiate'
+-	ret=$?
+-	if [ $ret != 0 ] ; then
+-		echo "$out"
+ 		return 1
+ 	fi
+
+	return 0
+ }
+ 
+ #
+-- 
+2.20.1
+
--- a/0003-s3-smbspool_krb5_wrapper-ignore-unknown-values-of-AU.patch
+++ b/0003-s3-smbspool_krb5_wrapper-ignore-unknown-values-of-AU.patch
@ -0,0 +1,137 @@
+From b2581f0ecc1253fa4d805b962ac8c7191f92e278 Mon Sep 17 00:00:00 2001
+From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+Date: Sun, 3 Nov 2019 01:28:13 +0300
+Subject: [PATCH 3/4] s3:smbspool_krb5_wrapper: ignore unknown values of
+ AUTH_INFO_REQUIRED
+
+To make smbspool_krb5_wrapper usable as a default destination for symlink
+/usr/lib/cups/backend/smb in Linux ditros, it has to be well-prepared
+for any possible values of AUTH_INFO_REQUIRED set by cupsd and correctly
+pass printing tasks to smbspool if it sees that Kerberos authentication
+is not needed.
+
+Discussed here: https://lists.samba.org/archive/samba-technical/2019-October/134470.html
+
+Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+---
+ source3/client/smbspool_krb5_wrapper.c | 34 ++++++++++++++++++++------
+ source3/script/tests/test_smbspool.sh  | 28 +++++++++++++++++++++
+ 2 files changed, 55 insertions(+), 7 deletions(-)
+
+diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
+index bd6319ca9c3..a2851d7fbc1 100644
+--- a/source3/client/smbspool_krb5_wrapper.c
+++ b/source3/client/smbspool_krb5_wrapper.c
+@@ -145,36 +145,56 @@ int main(int argc, char *argv[])
+ 		snprintf(device_uri, sizeof(device_uri), "%s", env);
+ 	}
+ 
+-	/* Check if AuthInfoRequired is set to negotiate */
+	/* We must handle the following values of AUTH_INFO_REQUIRED:
+	 *  none: Anonymous/guest printing
+	 *  username,password: A username (of the form "username" or "DOMAIN\username")
+	 *                     and password are required
+	 *  negotiate: Kerberos authentication
+	 *  NULL (not set): will never happen when called from cupsd
+	 * https://www.cups.org/doc/spec-ipp.html#auth-info-required
+	 * https://github.com/apple/cups/issues/5674
+	 */
+ 	env = getenv("AUTH_INFO_REQUIRED");
+ 
+         /* If not set, then just call smbspool. */
+ 	if (env == NULL || env == "none" || env[0] == 0) {
+ 		CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
+-			       "execute smbspool");
+			       "executing smbspool");
+		/* Pass this printing task to smbspool without Kerberos auth */
+ 		goto smbspool;
+ 	} else {
+ 		CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED=%s", env);
+ 
+		/* First test the value of AUTH_INFO_REQUIRED
+		 * against known possible values
+		 */
+ 		cmp = strcmp(env, "none");
+ 		if (cmp == 0) {
+ 			CUPS_SMB_DEBUG("Authenticate using none (anonymous) - "
+-				       "execute smbspool");
+				       "executing smbspool");
+ 			goto smbspool;
+ 		}
+ 
+ 		cmp = strcmp(env, "username,password");
+ 		if (cmp == 0) {
+ 			CUPS_SMB_DEBUG("Authenticate using username/password - "
+-				       "execute smbspool");
+				       "executing smbspool");
+ 			goto smbspool;
+ 		}
+ 
+		/* Now, if 'goto smbspool' still has not happened,
+		 * there are only two variants left:
+		 * 1) AUTH_INFO_REQUIRED is "negotiate" and then
+		 *    we have to continue working
+		 * 2) or it is something not known to us, then Kerberos
+		 *    authentication is not required, so just also pass
+		 *    this task to smbspool
+		 */
+ 		cmp = strcmp(env, "negotiate");
+ 		if (cmp != 0) {
+-			CUPS_SMB_ERROR("Authentication unsupported");
+-			fprintf(stderr, "ATTR: auth-info-required=negotiate\n");
+-			return CUPS_BACKEND_AUTH_REQUIRED;
+			CUPS_SMB_DEBUG("Value of AUTH_INFO_REQUIRED is not known "
+				       "to smbspool_krb5_wrapper, executing smbspool");
+			goto smbspool;
+ 		}
+ 
+ 		snprintf(auth_info_required,
+diff --git a/source3/script/tests/test_smbspool.sh b/source3/script/tests/test_smbspool.sh
+index 01d72101615..c32ace6682e 100755
+--- a/source3/script/tests/test_smbspool.sh
+++ b/source3/script/tests/test_smbspool.sh
+@@ -66,6 +66,30 @@ test_smbspool_authinforequired_none()
+ 	return 0
+ }
+ 
+test_smbspool_authinforequired_unknown()
+{
+	cmd='$samba_smbspool_krb5 smb://$SERVER_IP/print4 200 $USERNAME "Testprint" 1 "options" $SRCDIR/testdata/printing/example.ps 2>&1'
+
+	# smbspool_krb5_wrapper must ignore AUTH_INFO_REQUIRED unknown to him and pass the task to smbspool
+	# smbspool must fail with NT_STATUS_ACCESS_DENIED (22)
+	# "jjf4wgmsbc0" is just a random string
+	AUTH_INFO_REQUIRED="jjf4wgmsbc0"
+	export AUTH_INFO_REQUIRED
+	eval echo "$cmd"
+	out=$(eval $cmd)
+	ret=$?
+	unset AUTH_INFO_REQUIRED
+
+	case "$ret" in
+		22 ) return 0 ;;
+		* )
+			echo "$out"
+			echo "failed to test $smbspool_krb5 against unknown value of AUTH_INFO_REQUIRED"
+			return 1
+		;;
+	esac
+}
+
+ #
+ # The test enviornment uses 'vlp' (virtual lp) as the printing backend.
+ #
+@@ -187,6 +211,10 @@ testit "smbspool_krb5_wrapper AuthInfoRequired=none" \
+ 	test_smbspool_authinforequired_none || \
+ 	failed=$(expr $failed + 1)
+ 
+testit "smbspool_krb5_wrapper AuthInfoRequired=(sth unknown)" \
+	test_smbspool_authinforequired_unknown || \
+	failed=$(expr $failed + 1)
+
+ testit "smbspool print example.ps" \
+ 	$samba_smbspool smb://$USERNAME:$PASSWORD@$SERVER_IP/print1 200 $USERNAME "Testprint" 1 "options" $SRCDIR/testdata/printing/example.ps || \
+ 	failed=$(expr $failed + 1)
+-- 
+2.20.1
+
--- a/0004-smbspool-print-a-hint-about-smbspool_krb5_wrapper.patch
+++ b/0004-smbspool-print-a-hint-about-smbspool_krb5_wrapper.patch
@ -0,0 +1,32 @@
+From 90dec7767aa6aecd303164eaea22656b9fa4e959 Mon Sep 17 00:00:00 2001
+From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+Date: Sun, 3 Nov 2019 01:47:51 +0300
+Subject: [PATCH 4/4] smbspool: print a hint about smbspool_krb5_wrapper
+
+When I first met with the situation that Kerberos kredentials cache of root
+user was looked for instead of the one of the printing task creator,
+it took a lot of time to understand that smbspool_krb5_wrapper will resolve this.
+
+Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+---
+ source3/client/smbspool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index 34def0c91a9..5e2d230ab8b 100644
+--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
+@@ -699,8 +699,8 @@ smb_connect(struct cli_state **output_cli,
+ 	if (strcmp(auth_info_required, "negotiate") == 0) {
+ 		if (!kerberos_ccache_is_valid()) {
+ 			fprintf(stderr,
+-				"ERROR: No valid Kerberos credential cache "
+-				"found!\n");
+				"ERROR: No valid Kerberos credential cache found! "
+				"Using smbspool_krb5_wrapper may help.\n");
+ 			return NT_STATUS_LOGON_FAILURE;
+ 		}
+ 		user = jobusername;
+-- 
+2.20.1
+
--- a/samba.spec
+++ b/samba.spec
@ -89,7 +89,7 @@
 Summary:	Samba SMB server
 Name:		samba
 Version:	4.10.10
-Release:	2
+Release:	3
 Epoch:		1
 License:	GPLv3+
 Group:		System/Servers
@ -124,6 +124,14 @@ Patch13:	ROSA-Force-libsystemd.patch
 Patch14:	0001-samba-tool-dbcheck-Avoid-creating-child-DNs-via-ldb..patch
 Patch15:	0002-samba-tool-dbcheck-Avoid-creating-an-RDN-via-ldb.Dn-.patch

+# https://lists.samba.org/archive/samba-technical/2019-October/134470.html
+# /usr/lib/cups/backend/smb is now symlinked to smbspool_krb5_wrapper
+# instead of smbspool (NOTE: this is an experimental change)
+Patch16:	0001-smbspool-Map-AUTH_INFO_REQUIRED-none-to-anonymous-co.patch
+Patch17:	0002-s3-smbspool_krb5_wrapper-Map-AUTH_INFO_REQUIRED-none.patch
+Patch18:	0003-s3-smbspool_krb5_wrapper-ignore-unknown-values-of-AU.patch
+Patch19:	0004-smbspool-print-a-hint-about-smbspool_krb5_wrapper.patch
+
 %if %{with clang}
 BuildRequires:	clang lld
 %else
@ -1475,7 +1483,7 @@ sed -i -e 's,@ROSA_PLATFORM@,%{rosa_release},g' %{buildroot}/%{_sysconfdir}/%{na
 sed -i -e 's,@smb_usershare_dir@,%{smb_usershare_dir},g' %{buildroot}/%{_sysconfdir}/%{name}/smb.conf

 mkdir -p %{buildroot}/%{_libdir}/cups/backend
-ln -s %{_bindir}/smbspool %{buildroot}/%{_libdir}/cups/backend/smb
+ln -s %{_libexecdir}/samba/smbspool_krb5_wrapper %{buildroot}/%{_libdir}/cups/backend/smb

 echo 127.0.0.1 localhost > %{buildroot}/%{_sysconfdir}/%{name}/lmhosts