Use smbspool_krb5_wrapper by default instead of smbspool (exp.)

See https://lists.samba.org/archive/samba-technical/2019-October/134470.html and further emails in that thread for details
2025-02-24 01:22:47 +00:00 · 2019-11-03 02:05:01 +03:00 · 2019-11-03 02:05:01 +03:00 · 4001a7c17a
commit 4001a7c17a
parent 62605cbc8c
5 changed files with 342 additions and 2 deletions
--- a/0001-smbspool-Map-AUTH_INFO_REQUIRED-none-to-anonymous-co.patch
+++ b/0001-smbspool-Map-AUTH_INFO_REQUIRED-none-to-anonymous-co.patch
@ -0,0 +1,55 @@
 From 3ad5ed9bc31d46360b6bf025773bf8ade4717bf8 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Mon, 28 Oct 2019 09:35:34 +0100
 Subject: [PATCH 1/4] smbspool: Map AUTH_INFO_REQUIRED=none to anonymous
 connection
 Signed-off-by: Andreas Schneider <asn@samba.org>
 ---
 source3/client/smbspool.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
 diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
 index 36f7f67ca94..34def0c91a9 100644
 --- a/source3/client/smbspool.c
 +++ b/source3/client/smbspool.c
@@ -287,7 +287,7 @@ main(int argc,			/* I - Number of command-line arguments */
 	auth_info_required = getenv("AUTH_INFO_REQUIRED");
 	if (auth_info_required == NULL) {
 -		auth_info_required = "none";
 +		auth_info_required = "samba";
 	}
 	/*
@@ -718,7 +718,9 @@ smb_connect(struct cli_state **output_cli,
 		fprintf(stderr,
 			"DEBUG: Try to connect using username/password ...\n");
 -	} else {
 +	} else if (strcmp(auth_info_required, "none") == 0) {
 +		goto anonymous;
 +	} else if (strcmp(auth_info_required, "samba") == 0) {
 		if (username != NULL) {
 			flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
 		} else if (kerberos_ccache_is_valid()) {
@@ -731,6 +733,8 @@ smb_connect(struct cli_state **output_cli,
 				"DEBUG: This backend requires credentials!\n");
 			return NT_STATUS_ACCESS_DENIED;
 		}
 +	} else {
 +		return NT_STATUS_ACCESS_DENIED;
 	}
 	nt_status = smb_complete_connection(&cli,
@@ -780,6 +784,7 @@ smb_connect(struct cli_state **output_cli,
          * last try. Use anonymous authentication
          */
 +anonymous:
 	nt_status = smb_complete_connection(&cli,
 					    myname,
 					    server,
 -- 
 2.20.1
--- a/0002-s3-smbspool_krb5_wrapper-Map-AUTH_INFO_REQUIRED-none.patch
+++ b/0002-s3-smbspool_krb5_wrapper-Map-AUTH_INFO_REQUIRED-none.patch
@ -0,0 +1,108 @@
 From 28bbb580dead3f4a523335f89f020ce522458571 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Mon, 28 Oct 2019 09:38:08 +0100
 Subject: [PATCH 2/4] s3:smbspool_krb5_wrapper: Map AUTH_INFO_REQUIRED=none to
 anonymous
 Signed-off-by: Andreas Schneider <asn@samba.org>
 ---
 selftest/target/Samba4.pm              |  3 +++
 source3/client/smbspool_krb5_wrapper.c | 18 ++++++++++++------
 source3/script/tests/test_smbspool.sh  | 10 +++-------
 3 files changed, 18 insertions(+), 13 deletions(-)
 diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
 index 1310e2ff09f..23dafba1574 100755
 --- a/selftest/target/Samba4.pm
 +++ b/selftest/target/Samba4.pm
@@ -1845,6 +1845,9 @@ sub provision_ad_dc($$$$$$)
 	copy = print1
 [print3]
 	copy = print1
 +[print4]
 +	copy = print1
 +	guest ok = yes
 [lp]
 	copy = print1
 ";
 diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
 index bff1df417e8..bd6319ca9c3 100644
 --- a/source3/client/smbspool_krb5_wrapper.c
 +++ b/source3/client/smbspool_krb5_wrapper.c
@@ -149,17 +149,19 @@ int main(int argc, char *argv[])
 	env = getenv("AUTH_INFO_REQUIRED");
         /* If not set, then just call smbspool. */
 -	if (env == NULL || env[0] == 0) {
 +	if (env == NULL || env == "none" || env[0] == 0) {
 		CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
 			       "execute smbspool");
 		goto smbspool;
 	} else {
 		CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED=%s", env);
 -		snprintf(auth_info_required,
 -			 sizeof(auth_info_required),
 -			 "%s",
 -			 env);
 +		cmp = strcmp(env, "none");
 +		if (cmp == 0) {
 +			CUPS_SMB_DEBUG("Authenticate using none (anonymous) - "
 +				       "execute smbspool");
 +			goto smbspool;
 +		}
 		cmp = strcmp(env, "username,password");
 		if (cmp == 0) {
@@ -168,13 +170,17 @@ int main(int argc, char *argv[])
 			goto smbspool;
 		}
 -		/* if AUTH_INFO_REQUIRED=none */
 		cmp = strcmp(env, "negotiate");
 		if (cmp != 0) {
 			CUPS_SMB_ERROR("Authentication unsupported");
 			fprintf(stderr, "ATTR: auth-info-required=negotiate\n");
 			return CUPS_BACKEND_AUTH_REQUIRED;
 		}
 +
 +		snprintf(auth_info_required,
 +			 sizeof(auth_info_required),
 +			 "%s",
 +			 env);
 	}
 	uid = getuid();
 diff --git a/source3/script/tests/test_smbspool.sh b/source3/script/tests/test_smbspool.sh
 index 7ba03f01fc7..01d72101615 100755
 --- a/source3/script/tests/test_smbspool.sh
 +++ b/source3/script/tests/test_smbspool.sh
@@ -48,7 +48,7 @@ test_smbspool_noargs()
 test_smbspool_authinforequired_none()
 {
 -	cmd='$samba_smbspool_krb5 smb://$SERVER_IP/print1 200 $USERNAME "Testprint" 1 "options" $SRCDIR/testdata/printing/example.ps 2>&1'
 +	cmd='$samba_smbspool_krb5 smb://$SERVER_IP/print4 200 $USERNAME "Testprint" 1 "options" $SRCDIR/testdata/printing/example.ps 2>&1'
 	AUTH_INFO_REQUIRED="none"
 	export AUTH_INFO_REQUIRED
@@ -60,14 +60,10 @@ test_smbspool_authinforequired_none()
 	if [ $ret != 0 ]; then
 		echo "$out"
 		echo "failed to execute $smbspool_krb5"
 -	fi
 -
 -	echo "$out" | grep 'ATTR: auth-info-required=negotiate'
 -	ret=$?
 -	if [ $ret != 0 ] ; then
 -		echo "$out"
 		return 1
 	fi
 +
 +	return 0
 }
 #
 -- 
 2.20.1
--- a/0003-s3-smbspool_krb5_wrapper-ignore-unknown-values-of-AU.patch
+++ b/0003-s3-smbspool_krb5_wrapper-ignore-unknown-values-of-AU.patch
@ -0,0 +1,137 @@
 From b2581f0ecc1253fa4d805b962ac8c7191f92e278 Mon Sep 17 00:00:00 2001
 From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 Date: Sun, 3 Nov 2019 01:28:13 +0300
 Subject: [PATCH 3/4] s3:smbspool_krb5_wrapper: ignore unknown values of
 AUTH_INFO_REQUIRED
 To make smbspool_krb5_wrapper usable as a default destination for symlink
 /usr/lib/cups/backend/smb in Linux ditros, it has to be well-prepared
 for any possible values of AUTH_INFO_REQUIRED set by cupsd and correctly
 pass printing tasks to smbspool if it sees that Kerberos authentication
 is not needed.
 Discussed here: https://lists.samba.org/archive/samba-technical/2019-October/134470.html
 Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 ---
 source3/client/smbspool_krb5_wrapper.c | 34 ++++++++++++++++++++------
 source3/script/tests/test_smbspool.sh  | 28 +++++++++++++++++++++
 2 files changed, 55 insertions(+), 7 deletions(-)
 diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
 index bd6319ca9c3..a2851d7fbc1 100644
 --- a/source3/client/smbspool_krb5_wrapper.c
 +++ b/source3/client/smbspool_krb5_wrapper.c
@@ -145,36 +145,56 @@ int main(int argc, char *argv[])
 		snprintf(device_uri, sizeof(device_uri), "%s", env);
 	}
 -	/* Check if AuthInfoRequired is set to negotiate */
 +	/* We must handle the following values of AUTH_INFO_REQUIRED:
 +	 *  none: Anonymous/guest printing
 +	 *  username,password: A username (of the form "username" or "DOMAIN\username")
 +	 *                     and password are required
 +	 *  negotiate: Kerberos authentication
 +	 *  NULL (not set): will never happen when called from cupsd
 +	 * https://www.cups.org/doc/spec-ipp.html#auth-info-required
 +	 * https://github.com/apple/cups/issues/5674
 +	 */
 	env = getenv("AUTH_INFO_REQUIRED");
         /* If not set, then just call smbspool. */
 	if (env == NULL || env == "none" || env[0] == 0) {
 		CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
 -			       "execute smbspool");
 +			       "executing smbspool");
 +		/* Pass this printing task to smbspool without Kerberos auth */
 		goto smbspool;
 	} else {
 		CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED=%s", env);
 +		/* First test the value of AUTH_INFO_REQUIRED
 +		 * against known possible values
 +		 */
 		cmp = strcmp(env, "none");
 		if (cmp == 0) {
 			CUPS_SMB_DEBUG("Authenticate using none (anonymous) - "
 -				       "execute smbspool");
 +				       "executing smbspool");
 			goto smbspool;
 		}
 		cmp = strcmp(env, "username,password");
 		if (cmp == 0) {
 			CUPS_SMB_DEBUG("Authenticate using username/password - "
 -				       "execute smbspool");
 +				       "executing smbspool");
 			goto smbspool;
 		}
 +		/* Now, if 'goto smbspool' still has not happened,
 +		 * there are only two variants left:
 +		 * 1) AUTH_INFO_REQUIRED is "negotiate" and then
 +		 *    we have to continue working
 +		 * 2) or it is something not known to us, then Kerberos
 +		 *    authentication is not required, so just also pass
 +		 *    this task to smbspool
 +		 */
 		cmp = strcmp(env, "negotiate");
 		if (cmp != 0) {
 -			CUPS_SMB_ERROR("Authentication unsupported");
 -			fprintf(stderr, "ATTR: auth-info-required=negotiate\n");
 -			return CUPS_BACKEND_AUTH_REQUIRED;
 +			CUPS_SMB_DEBUG("Value of AUTH_INFO_REQUIRED is not known "
 +				       "to smbspool_krb5_wrapper, executing smbspool");
 +			goto smbspool;
 		}
 		snprintf(auth_info_required,
 diff --git a/source3/script/tests/test_smbspool.sh b/source3/script/tests/test_smbspool.sh
 index 01d72101615..c32ace6682e 100755
 --- a/source3/script/tests/test_smbspool.sh
 +++ b/source3/script/tests/test_smbspool.sh
@@ -66,6 +66,30 @@ test_smbspool_authinforequired_none()
 	return 0
 }
 +test_smbspool_authinforequired_unknown()
 +{
 +	cmd='$samba_smbspool_krb5 smb://$SERVER_IP/print4 200 $USERNAME "Testprint" 1 "options" $SRCDIR/testdata/printing/example.ps 2>&1'
 +
 +	# smbspool_krb5_wrapper must ignore AUTH_INFO_REQUIRED unknown to him and pass the task to smbspool
 +	# smbspool must fail with NT_STATUS_ACCESS_DENIED (22)
 +	# "jjf4wgmsbc0" is just a random string
 +	AUTH_INFO_REQUIRED="jjf4wgmsbc0"
 +	export AUTH_INFO_REQUIRED
 +	eval echo "$cmd"
 +	out=$(eval $cmd)
 +	ret=$?
 +	unset AUTH_INFO_REQUIRED
 +
 +	case "$ret" in
 +		22 ) return 0 ;;
 +		* )
 +			echo "$out"
 +			echo "failed to test $smbspool_krb5 against unknown value of AUTH_INFO_REQUIRED"
 +			return 1
 +		;;
 +	esac
 +}
 +
 #
 # The test enviornment uses 'vlp' (virtual lp) as the printing backend.
 #
@@ -187,6 +211,10 @@ testit "smbspool_krb5_wrapper AuthInfoRequired=none" \
 	test_smbspool_authinforequired_none || \
 	failed=$(expr $failed + 1)
 +testit "smbspool_krb5_wrapper AuthInfoRequired=(sth unknown)" \
 +	test_smbspool_authinforequired_unknown || \
 +	failed=$(expr $failed + 1)
 +
 testit "smbspool print example.ps" \
 	$samba_smbspool smb://$USERNAME:$PASSWORD@$SERVER_IP/print1 200 $USERNAME "Testprint" 1 "options" $SRCDIR/testdata/printing/example.ps || \
 	failed=$(expr $failed + 1)
 -- 
 2.20.1
--- a/0004-smbspool-print-a-hint-about-smbspool_krb5_wrapper.patch
+++ b/0004-smbspool-print-a-hint-about-smbspool_krb5_wrapper.patch
@ -0,0 +1,32 @@
 From 90dec7767aa6aecd303164eaea22656b9fa4e959 Mon Sep 17 00:00:00 2001
 From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 Date: Sun, 3 Nov 2019 01:47:51 +0300
 Subject: [PATCH 4/4] smbspool: print a hint about smbspool_krb5_wrapper
 When I first met with the situation that Kerberos kredentials cache of root
 user was looked for instead of the one of the printing task creator,
 it took a lot of time to understand that smbspool_krb5_wrapper will resolve this.
 Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 ---
 source3/client/smbspool.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
 index 34def0c91a9..5e2d230ab8b 100644
 --- a/source3/client/smbspool.c
 +++ b/source3/client/smbspool.c
@@ -699,8 +699,8 @@ smb_connect(struct cli_state **output_cli,
 	if (strcmp(auth_info_required, "negotiate") == 0) {
 		if (!kerberos_ccache_is_valid()) {
 			fprintf(stderr,
 -				"ERROR: No valid Kerberos credential cache "
 -				"found!\n");
 +				"ERROR: No valid Kerberos credential cache found! "
 +				"Using smbspool_krb5_wrapper may help.\n");
 			return NT_STATUS_LOGON_FAILURE;
 		}
 		user = jobusername;
 -- 
 2.20.1
--- a/samba.spec
+++ b/samba.spec
@ -89,7 +89,7 @@
 Summary:	Samba SMB server
 Name:		samba
 Version:	4.10.10
-Release:	2
+Release:	3
 Epoch:		1
 License:	GPLv3+
 Group:		System/Servers
@ -124,6 +124,14 @@ Patch13:	ROSA-Force-libsystemd.patch
 Patch14:	0001-samba-tool-dbcheck-Avoid-creating-child-DNs-via-ldb..patch
 Patch15:	0002-samba-tool-dbcheck-Avoid-creating-an-RDN-via-ldb.Dn-.patch
 # https://lists.samba.org/archive/samba-technical/2019-October/134470.html
 # /usr/lib/cups/backend/smb is now symlinked to smbspool_krb5_wrapper
 # instead of smbspool (NOTE: this is an experimental change)
 Patch16:	0001-smbspool-Map-AUTH_INFO_REQUIRED-none-to-anonymous-co.patch
 Patch17:	0002-s3-smbspool_krb5_wrapper-Map-AUTH_INFO_REQUIRED-none.patch
 Patch18:	0003-s3-smbspool_krb5_wrapper-ignore-unknown-values-of-AU.patch
 Patch19:	0004-smbspool-print-a-hint-about-smbspool_krb5_wrapper.patch
 %if %{with clang}
 BuildRequires:	clang lld
 %else
@ -1475,7 +1483,7 @@ sed -i -e 's,@ROSA_PLATFORM@,%{rosa_release},g' %{buildroot}/%{_sysconfdir}/%{na
 sed -i -e 's,@smb_usershare_dir@,%{smb_usershare_dir},g' %{buildroot}/%{_sysconfdir}/%{name}/smb.conf
 mkdir -p %{buildroot}/%{_libdir}/cups/backend
-ln -s %{_bindir}/smbspool %{buildroot}/%{_libdir}/cups/backend/smb
+ln -s %{_libexecdir}/samba/smbspool_krb5_wrapper %{buildroot}/%{_libdir}/cups/backend/smb
 echo 127.0.0.1 localhost > %{buildroot}/%{_sysconfdir}/%{name}/lmhosts