From 4001a7c17a42598dce5b30f8c9e7e4f581df2c3a Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov
Date: Sun, 3 Nov 2019 02:05:01 +0300
Subject: [PATCH] Use smbspool_krb5_wrapper by default instead of smbspool (exp.)
See https://lists.samba.org/archive/samba-technical/2019-October/134470.html and further emails in that thread for details
---
 ...H_INFO_REQUIRED-none-to-anonymous-co.patch | 55 +++++++
 ..._wrapper-Map-AUTH_INFO_REQUIRED-none.patch | 108 ++++++++++++++
 ..._wrapper-ignore-unknown-values-of-AU.patch | 137 ++++++++++++++++++
 ...t-a-hint-about-smbspool_krb5_wrapper.patch | 32 ++++
 samba.spec | 12 +-
 5 files changed, 342 insertions(+), 2 deletions(-)
 create mode 100644 0001-smbspool-Map-AUTH_INFO_REQUIRED-none-to-anonymous-co.patch
 create mode 100644 0002-s3-smbspool_krb5_wrapper-Map-AUTH_INFO_REQUIRED-none.patch
 create mode 100644 0003-s3-smbspool_krb5_wrapper-ignore-unknown-values-of-AU.patch
 create mode 100644 0004-smbspool-print-a-hint-about-smbspool_krb5_wrapper.patch
diff --git a/0001-smbspool-Map-AUTH_INFO_REQUIRED-none-to-anonymous-co.patch b/0001-smbspool-Map-AUTH_INFO_REQUIRED-none-to-anonymous-co.patch
new file mode 100644
index 0000000..e24aeb6
--- /dev/null
+++ b/0001-smbspool-Map-AUTH_INFO_REQUIRED-none-to-anonymous-co.patch
@@ -0,0 +1,55 @@
+From 3ad5ed9bc31d46360b6bf025773bf8ade4717bf8 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Mon, 28 Oct 2019 09:35:34 +0100
+Subject: [PATCH 1/4] smbspool: Map AUTH_INFO_REQUIRED=none to anonymous
+ connection
+
+Signed-off-by: Andreas Schneider
+---
+ source3/client/smbspool.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index 36f7f67ca94..34def0c91a9 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -287,7 +287,7 @@ main(int argc, /* I - Number of command-line arguments */
+
+ auth_info_required = getenv("AUTH_INFO_REQUIRED");
+ if (auth_info_required == NULL) {
+- auth_info_required = "none";
++ auth_info_required = "samba";
+ }
+
+ /*
+@@ -718,7 +718,9 @@ smb_connect(struct cli_state **output_cli,
+
+ fprintf(stderr,
+ "DEBUG: Try to connect using username/password ...\n");
+- } else {
++ } else if (strcmp(auth_info_required, "none") == 0) {
++ goto anonymous;
++ } else if (strcmp(auth_info_required, "samba") == 0) {
+ if (username != NULL) {
+ flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+ } else if (kerberos_ccache_is_valid()) {
+@@ -731,6 +733,8 @@ smb_connect(struct cli_state **output_cli,
+ "DEBUG: This backend requires credentials!\n");
+ return NT_STATUS_ACCESS_DENIED;
+ }
++ } else {
++ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ nt_status = smb_complete_connection(&cli,
+@@ -780,6 +784,7 @@ smb_connect(struct cli_state **output_cli,
+ * last try. Use anonymous authentication
+ */
+
++anonymous:
+ nt_status = smb_complete_connection(&cli,
+ myname,
+ server,
+--
+2.20.1
+
diff --git a/0002-s3-smbspool_krb5_wrapper-Map-AUTH_INFO_REQUIRED-none.patch b/0002-s3-smbspool_krb5_wrapper-Map-AUTH_INFO_REQUIRED-none.patch
new file mode 100644
index 0000000..4a923e2
--- /dev/null
+++ b/0002-s3-smbspool_krb5_wrapper-Map-AUTH_INFO_REQUIRED-none.patch
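Review bot: The new final `else` in smb_connect() returns NT_STATUS_ACCESS_DENIED for an unrecognised AUTH_INFO_REQUIRED without writing anything to stderr, whereas the neighbouring failure path prints "DEBUG: This backend requires credentials!". A line such as `fprintf(stderr, "ERROR: Unsupported AUTH_INFO_REQUIRED value\n");` before the return would let an administrator tell a rejected setting apart from a denial by the server. The `goto anonymous` also makes the `anonymous:` label reachable both by fall-through and by a direct jump, so a short comment at the label (`/* also reached directly when AUTH_INFO_REQUIRED=none */`) would help the next reader. smb_connect() starts and ends outside these hunks.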
@@ -0,0 +1,108 @@
+From 28bbb580dead3f4a523335f89f020ce522458571 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Mon, 28 Oct 2019 09:38:08 +0100
+Subject: [PATCH 2/4] s3:smbspool_krb5_wrapper: Map AUTH_INFO_REQUIRED=none to
+ anonymous
+
+Signed-off-by: Andreas Schneider
+---
+ selftest/target/Samba4.pm | 3 +++
+ source3/client/smbspool_krb5_wrapper.c | 18 ++++++++++++------
+ source3/script/tests/test_smbspool.sh | 10 +++-------
+ 3 files changed, 18 insertions(+), 13 deletions(-)
+
+diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
+index 1310e2ff09f..23dafba1574 100755
+--- a/selftest/target/Samba4.pm
++++ b/selftest/target/Samba4.pm
+@@ -1845,6 +1845,9 @@ sub provision_ad_dc($$$$$$)
+ copy = print1
+ [print3]
+ copy = print1
++[print4]
++ copy = print1
++ guest ok = yes
+ [lp]
+ copy = print1
+ ";
+diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
+index bff1df417e8..bd6319ca9c3 100644
+--- a/source3/client/smbspool_krb5_wrapper.c
++++ b/source3/client/smbspool_krb5_wrapper.c
+@@ -149,17 +149,19 @@ int main(int argc, char *argv[])
+ env = getenv("AUTH_INFO_REQUIRED");
+
+ /* If not set, then just call smbspool. */
+- if (env == NULL || env[0] == 0) {
++ if (env == NULL || env == "none" || env[0] == 0) {
+ CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
+ "execute smbspool");
+ goto smbspool;
+ } else {
+ CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED=%s", env);
+
+- snprintf(auth_info_required,
+- sizeof(auth_info_required),
+- "%s",
+- env);
++ cmp = strcmp(env, "none");
++ if (cmp == 0) {
++ CUPS_SMB_DEBUG("Authenticate using none (anonymous) - "
++ "execute smbspool");
++ goto smbspool;
++ }
+
+ cmp = strcmp(env, "username,password");
+ if (cmp == 0) {
+@@ -168,13 +170,17 @@ int main(int argc, char *argv[])
+ goto smbspool;
+ }
+
+- /* if AUTH_INFO_REQUIRED=none */
+ cmp = strcmp(env, "negotiate");
+ if (cmp != 0) {
+ CUPS_SMB_ERROR("Authentication unsupported");
+ fprintf(stderr, "ATTR: auth-info-required=negotiate\n");
+ return CUPS_BACKEND_AUTH_REQUIRED;
+ }
++
++ snprintf(auth_info_required,
++ sizeof(auth_info_required),
++ "%s",
++ env);
+ }
+
+ uid = getuid();
+diff --git a/source3/script/tests/test_smbspool.sh b/source3/script/tests/test_smbspool.sh
+index 7ba03f01fc7..01d72101615 100755
+--- a/source3/script/tests/test_smbspool.sh
++++ b/source3/script/tests/test_smbspool.sh
+@@ -48,7 +48,7 @@ test_smbspool_noargs()
+
+ test_smbspool_authinforequired_none()
+ {
+- cmd='$samba_smbspool_krb5 smb://$SERVER_IP/print1 200 $USERNAME "Testprint" 1 "options" $SRCDIR/testdata/printing/example.ps 2>&1'
++ cmd='$samba_smbspool_krb5 smb://$SERVER_IP/print4 200 $USERNAME "Testprint" 1 "options" $SRCDIR/testdata/printing/example.ps 2>&1'
+
+ AUTH_INFO_REQUIRED="none"
+ export AUTH_INFO_REQUIRED
+@@ -60,14 +60,10 @@ test_smbspool_authinforequired_none()
+ if [ $ret != 0 ]; then
+ echo "$out"
+ echo "failed to execute $smbspool_krb5"
+- fi
+-
+- echo "$out" | grep 'ATTR: auth-info-required=negotiate'
+- ret=$?
+- if [ $ret != 0 ] ; then
+- echo "$out"
+ return 1
+ fi
++
++ return 0
+ }
+
+ #
+--
+2.20.1
+
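Review bot: In the added guard `if (env == NULL || env == "none" || env[0] == 0)` in smbspool_krb5_wrapper.c, `env == "none"` compares the pointer returned by getenv() with the address of a string literal rather than the string contents, so the clause cannot be relied on to select the "none" case and compilers flag it (GCC's -Waddress). The `strcmp(env, "none")` check added a few lines further down already handles that value, so the guard should stay `if (env == NULL || env[0] == 0) {`. If the clause ever did match, the debug line would also misreport the variable as "not set". The same line is carried unchanged as context in patch 3/4; main() starts and ends outside the hunk.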
diff --git a/0003-s3-smbspool_krb5_wrapper-ignore-unknown-values-of-AU.patch b/0003-s3-smbspool_krb5_wrapper-ignore-unknown-values-of-AU.patch
new file mode 100644
index 0000000..b2eaf02
--- /dev/null
+++ b/0003-s3-smbspool_krb5_wrapper-ignore-unknown-values-of-AU.patch
@@ -0,0 +1,137 @@
+From b2581f0ecc1253fa4d805b962ac8c7191f92e278 Mon Sep 17 00:00:00 2001
+From: Mikhail Novosyolov
+Date: Sun, 3 Nov 2019 01:28:13 +0300
+Subject: [PATCH 3/4] s3:smbspool_krb5_wrapper: ignore unknown values of
+ AUTH_INFO_REQUIRED
+
+To make smbspool_krb5_wrapper usable as a default destination for symlink
+/usr/lib/cups/backend/smb in Linux ditros, it has to be well-prepared
+for any possible values of AUTH_INFO_REQUIRED set by cupsd and correctly
+pass printing tasks to smbspool if it sees that Kerberos authentication
+is not needed.
+
+Discussed here: https://lists.samba.org/archive/samba-technical/2019-October/134470.html
+
+Signed-off-by: Mikhail Novosyolov
+---
+ source3/client/smbspool_krb5_wrapper.c | 34 ++++++++++++++++++++------
+ source3/script/tests/test_smbspool.sh | 28 +++++++++++++++++++++
+ 2 files changed, 55 insertions(+), 7 deletions(-)
+
+diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
+index bd6319ca9c3..a2851d7fbc1 100644
+--- a/source3/client/smbspool_krb5_wrapper.c
++++ b/source3/client/smbspool_krb5_wrapper.c
+@@ -145,36 +145,56 @@ int main(int argc, char *argv[])
+ snprintf(device_uri, sizeof(device_uri), "%s", env);
+ }
+
+- /* Check if AuthInfoRequired is set to negotiate */
++ /* We must handle the following values of AUTH_INFO_REQUIRED:
++ * none: Anonymous/guest printing
++ * username,password: A username (of the form "username" or "DOMAIN\username")
++ * and password are required
++ * negotiate: Kerberos authentication
++ * NULL (not set): will never happen when called from cupsd
++ * https://www.cups.org/doc/spec-ipp.html#auth-info-required
++ * https://github.com/apple/cups/issues/5674
++ */
+ env = getenv("AUTH_INFO_REQUIRED");
+
+ /* If not set, then just call smbspool. */
+ if (env == NULL || env == "none" || env[0] == 0) {
+ CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
+- "execute smbspool");
++ "executing smbspool");
++ /* Pass this printing task to smbspool without Kerberos auth */
+ goto smbspool;
+ } else {
+ CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED=%s", env);
+
++ /* First test the value of AUTH_INFO_REQUIRED
++ * against known possible values
++ */
+ cmp = strcmp(env, "none");
+ if (cmp == 0) {
+ CUPS_SMB_DEBUG("Authenticate using none (anonymous) - "
+- "execute smbspool");
++ "executing smbspool");
+ goto smbspool;
+ }
+
+ cmp = strcmp(env, "username,password");
+ if (cmp == 0) {
+ CUPS_SMB_DEBUG("Authenticate using username/password - "
+- "execute smbspool");
++ "executing smbspool");
+ goto smbspool;
+ }
+
++ /* Now, if 'goto smbspool' still has not happened,
++ * there are only two variants left:
++ * 1) AUTH_INFO_REQUIRED is "negotiate" and then
++ * we have to continue working
++ * 2) or it is something not known to us, then Kerberos
++ * authentication is not required, so just also pass
++ * this task to smbspool
++ */
+ cmp = strcmp(env, "negotiate");
+ if (cmp != 0) {
+- CUPS_SMB_ERROR("Authentication unsupported");
+- fprintf(stderr, "ATTR: auth-info-required=negotiate\n");
+- return CUPS_BACKEND_AUTH_REQUIRED;
++ CUPS_SMB_DEBUG("Value of AUTH_INFO_REQUIRED is not known "
++ "to smbspool_krb5_wrapper, executing smbspool");
++ goto smbspool;
+ }
+
+ snprintf(auth_info_required,
+diff --git a/source3/script/tests/test_smbspool.sh b/source3/script/tests/test_smbspool.sh
+index 01d72101615..c32ace6682e 100755
+--- a/source3/script/tests/test_smbspool.sh
++++ b/source3/script/tests/test_smbspool.sh
+@@ -66,6 +66,30 @@ test_smbspool_authinforequired_none()
+ return 0
+ }
+
++test_smbspool_authinforequired_unknown()
++{
++ cmd='$samba_smbspool_krb5 smb://$SERVER_IP/print4 200 $USERNAME "Testprint" 1 "options" $SRCDIR/testdata/printing/example.ps 2>&1'
++
++ # smbspool_krb5_wrapper must ignore AUTH_INFO_REQUIRED unknown to him and pass the task to smbspool
++ # smbspool must fail with NT_STATUS_ACCESS_DENIED (22)
++ # "jjf4wgmsbc0" is just a random string
++ AUTH_INFO_REQUIRED="jjf4wgmsbc0"
++ export AUTH_INFO_REQUIRED
++ eval echo "$cmd"
++ out=$(eval $cmd)
++ ret=$?
++ unset AUTH_INFO_REQUIRED
++
++ case "$ret" in
++ 22 ) return 0 ;;
++ * )
++ echo "$out"
++ echo "failed to test $smbspool_krb5 against unknown value of AUTH_INFO_REQUIRED"
++ return 1
++ ;;
++ esac
++}
++
+ #
+ # The test enviornment uses 'vlp' (virtual lp) as the printing backend.
+ #
+@@ -187,6 +211,10 @@ testit "smbspool_krb5_wrapper AuthInfoRequired=none" \
+ test_smbspool_authinforequired_none || \
+ failed=$(expr $failed + 1)
+
++testit "smbspool_krb5_wrapper AuthInfoRequired=(sth unknown)" \
++ test_smbspool_authinforequired_unknown || \
++ failed=$(expr $failed + 1)
++
+ testit "smbspool print example.ps" \
+ $samba_smbspool smb://$USERNAME:$PASSWORD@$SERVER_IP/print1 200 $USERNAME "Testprint" 1 "options" $SRCDIR/testdata/printing/example.ps || \
+ failed=$(expr $failed + 1)
+--
+2.20.1
+
diff --git a/0004-smbspool-print-a-hint-about-smbspool_krb5_wrapper.patch b/0004-smbspool-print-a-hint-about-smbspool_krb5_wrapper.patch
new file mode 100644
index 0000000..ad293b7
--- /dev/null
+++ b/0004-smbspool-print-a-hint-about-smbspool_krb5_wrapper.patch
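Review bot: With the `cmp != 0` branch changed to `goto smbspool`, an unrecognised AUTH_INFO_REQUIRED is no longer stopped in the wrapper with CUPS_BACKEND_AUTH_REQUIRED, so rejecting it depends entirely on the `else { return NT_STATUS_ACCESS_DENIED; }` that patch 1/4 adds to smb_connect(). That coupling deserves a comment at the branch, e.g. `/* smbspool itself refuses unknown values, see smb_connect() */`, so the two patches are not separated or reverted independently later. The `smbspool:` label is outside the hunk; if the wrapper is installed so that cupsd runs it as root, it is worth confirming which privileges smbspool is executed with on these non-Kerberos paths. In test_smbspool_authinforequired_unknown the expected status `22` is a bare number whose link to NT_STATUS_ACCESS_DENIED is not visible here and would be better named or explained next to the `case`.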
@@ -0,0 +1,32 @@
+From 90dec7767aa6aecd303164eaea22656b9fa4e959 Mon Sep 17 00:00:00 2001
+From: Mikhail Novosyolov
+Date: Sun, 3 Nov 2019 01:47:51 +0300
+Subject: [PATCH 4/4] smbspool: print a hint about smbspool_krb5_wrapper
+
+When I first met with the situation that Kerberos kredentials cache of root
+user was looked for instead of the one of the printing task creator,
+it took a lot of time to understand that smbspool_krb5_wrapper will resolve this.
+
+Signed-off-by: Mikhail Novosyolov
+---
+ source3/client/smbspool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index 34def0c91a9..5e2d230ab8b 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -699,8 +699,8 @@ smb_connect(struct cli_state **output_cli,
+ if (strcmp(auth_info_required, "negotiate") == 0) {
+ if (!kerberos_ccache_is_valid()) {
+ fprintf(stderr,
+- "ERROR: No valid Kerberos credential cache "
+- "found!\n");
++ "ERROR: No valid Kerberos credential cache found! "
++ "Using smbspool_krb5_wrapper may help.\n");
+ return NT_STATUS_LOGON_FAILURE;
+ }
+ user = jobusername;
+--
+2.20.1
+
diff --git a/samba.spec b/samba.spec
index 6de292b..0880deb 100644
--- a/samba.spec
+++ b/samba.spec
@@ -89,7 +89,7 @@ Summary: Samba SMB server
 Name: samba
 Version: 4.10.10
-Release: 2
+Release: 3
 Epoch: 1
 License: GPLv3+
 Group: System/Servers
@@ -124,6 +124,14 @@ Patch13: ROSA-Force-libsystemd.patch
 Patch14: 0001-samba-tool-dbcheck-Avoid-creating-child-DNs-via-ldb..patch
 Patch15: 0002-samba-tool-dbcheck-Avoid-creating-an-RDN-via-ldb.Dn-.patch
+# https://lists.samba.org/archive/samba-technical/2019-October/134470.html
+# /usr/lib/cups/backend/smb is now symlinked to smbspool_krb5_wrapper
+# instead of smbspool (NOTE: this is an experimental change)
+Patch16: 0001-smbspool-Map-AUTH_INFO_REQUIRED-none-to-anonymous-co.patch
+Patch17: 0002-s3-smbspool_krb5_wrapper-Map-AUTH_INFO_REQUIRED-none.patch
+Patch18: 0003-s3-smbspool_krb5_wrapper-ignore-unknown-values-of-AU.patch
+Patch19: 0004-smbspool-print-a-hint-about-smbspool_krb5_wrapper.patch
+
 %if %{with clang}
 BuildRequires: clang lld
 %else
@@ -1475,7 +1483,7 @@ sed -i -e 's,@ROSA_PLATFORM@,%{rosa_release},g' %{buildroot}/%{_sysconfdir}/%{na
 sed -i -e 's,@smb_usershare_dir@,%{smb_usershare_dir},g' %{buildroot}/%{_sysconfdir}/%{name}/smb.conf
 mkdir -p %{buildroot}/%{_libdir}/cups/backend
-ln -s %{_bindir}/smbspool %{buildroot}/%{_libdir}/cups/backend/smb
+ln -s %{_libexecdir}/samba/smbspool_krb5_wrapper %{buildroot}/%{_libdir}/cups/backend/smb
 echo 127.0.0.1 localhost > %{buildroot}/%{_sysconfdir}/%{name}/lmhosts
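Review bot: The `ln -s` change makes smbspool_krb5_wrapper the entry point for every SMB print job, but nothing in this hunk shows the ownership and mode the wrapper is packaged with. Its documentation asks for the binary to be owned by root with mode 0700, so that cupsd runs it as root and it can switch to the job owner's Kerberos credential cache. With other permissions the negotiate path presumably cannot work, and with them all non-Kerberos jobs also start in a root-run process before being handed to smbspool. Please confirm the `%files` entry, which is outside this hunk, and record the requirement next to the symlink, e.g. `# smbspool_krb5_wrapper must be root:root 0700 so cupsd runs it as root`.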