mirror of
https://abf.rosa.ru/djam/samba.git
synced 2025-02-23 09:02:49 +00:00
4001a7c17a
See https://lists.samba.org/archive/samba-technical/2019-October/134470.html and further emails in that thread for details
137 lines
4.9 KiB
Diff
137 lines
4.9 KiB
Diff
From b2581f0ecc1253fa4d805b962ac8c7191f92e278 Mon Sep 17 00:00:00 2001
|
|
From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
|
|
Date: Sun, 3 Nov 2019 01:28:13 +0300
|
|
Subject: [PATCH 3/4] s3:smbspool_krb5_wrapper: ignore unknown values of
|
|
AUTH_INFO_REQUIRED
|
|
|
|
To make smbspool_krb5_wrapper usable as a default destination for symlink
|
|
/usr/lib/cups/backend/smb in Linux ditros, it has to be well-prepared
|
|
for any possible values of AUTH_INFO_REQUIRED set by cupsd and correctly
|
|
pass printing tasks to smbspool if it sees that Kerberos authentication
|
|
is not needed.
|
|
|
|
Discussed here: https://lists.samba.org/archive/samba-technical/2019-October/134470.html
|
|
|
|
Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
|
|
---
|
|
source3/client/smbspool_krb5_wrapper.c | 34 ++++++++++++++++++++------
|
|
source3/script/tests/test_smbspool.sh | 28 +++++++++++++++++++++
|
|
2 files changed, 55 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
|
|
index bd6319ca9c3..a2851d7fbc1 100644
|
|
--- a/source3/client/smbspool_krb5_wrapper.c
|
|
+++ b/source3/client/smbspool_krb5_wrapper.c
|
|
@@ -145,36 +145,56 @@ int main(int argc, char *argv[])
|
|
snprintf(device_uri, sizeof(device_uri), "%s", env);
|
|
}
|
|
|
|
- /* Check if AuthInfoRequired is set to negotiate */
|
|
+ /* We must handle the following values of AUTH_INFO_REQUIRED:
|
|
+ * none: Anonymous/guest printing
|
|
+ * username,password: A username (of the form "username" or "DOMAIN\username")
|
|
+ * and password are required
|
|
+ * negotiate: Kerberos authentication
|
|
+ * NULL (not set): will never happen when called from cupsd
|
|
+ * https://www.cups.org/doc/spec-ipp.html#auth-info-required
|
|
+ * https://github.com/apple/cups/issues/5674
|
|
+ */
|
|
env = getenv("AUTH_INFO_REQUIRED");
|
|
|
|
/* If not set, then just call smbspool. */
|
|
if (env == NULL || env == "none" || env[0] == 0) {
|
|
CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
|
|
- "execute smbspool");
|
|
+ "executing smbspool");
|
|
+ /* Pass this printing task to smbspool without Kerberos auth */
|
|
goto smbspool;
|
|
} else {
|
|
CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED=%s", env);
|
|
|
|
+ /* First test the value of AUTH_INFO_REQUIRED
|
|
+ * against known possible values
|
|
+ */
|
|
cmp = strcmp(env, "none");
|
|
if (cmp == 0) {
|
|
CUPS_SMB_DEBUG("Authenticate using none (anonymous) - "
|
|
- "execute smbspool");
|
|
+ "executing smbspool");
|
|
goto smbspool;
|
|
}
|
|
|
|
cmp = strcmp(env, "username,password");
|
|
if (cmp == 0) {
|
|
CUPS_SMB_DEBUG("Authenticate using username/password - "
|
|
- "execute smbspool");
|
|
+ "executing smbspool");
|
|
goto smbspool;
|
|
}
|
|
|
|
+ /* Now, if 'goto smbspool' still has not happened,
|
|
+ * there are only two variants left:
|
|
+ * 1) AUTH_INFO_REQUIRED is "negotiate" and then
|
|
+ * we have to continue working
|
|
+ * 2) or it is something not known to us, then Kerberos
|
|
+ * authentication is not required, so just also pass
|
|
+ * this task to smbspool
|
|
+ */
|
|
cmp = strcmp(env, "negotiate");
|
|
if (cmp != 0) {
|
|
- CUPS_SMB_ERROR("Authentication unsupported");
|
|
- fprintf(stderr, "ATTR: auth-info-required=negotiate\n");
|
|
- return CUPS_BACKEND_AUTH_REQUIRED;
|
|
+ CUPS_SMB_DEBUG("Value of AUTH_INFO_REQUIRED is not known "
|
|
+ "to smbspool_krb5_wrapper, executing smbspool");
|
|
+ goto smbspool;
|
|
}
|
|
|
|
snprintf(auth_info_required,
|
|
diff --git a/source3/script/tests/test_smbspool.sh b/source3/script/tests/test_smbspool.sh
|
|
index 01d72101615..c32ace6682e 100755
|
|
--- a/source3/script/tests/test_smbspool.sh
|
|
+++ b/source3/script/tests/test_smbspool.sh
|
|
@@ -66,6 +66,30 @@ test_smbspool_authinforequired_none()
|
|
return 0
|
|
}
|
|
|
|
+test_smbspool_authinforequired_unknown()
|
|
+{
|
|
+ cmd='$samba_smbspool_krb5 smb://$SERVER_IP/print4 200 $USERNAME "Testprint" 1 "options" $SRCDIR/testdata/printing/example.ps 2>&1'
|
|
+
|
|
+ # smbspool_krb5_wrapper must ignore AUTH_INFO_REQUIRED unknown to him and pass the task to smbspool
|
|
+ # smbspool must fail with NT_STATUS_ACCESS_DENIED (22)
|
|
+ # "jjf4wgmsbc0" is just a random string
|
|
+ AUTH_INFO_REQUIRED="jjf4wgmsbc0"
|
|
+ export AUTH_INFO_REQUIRED
|
|
+ eval echo "$cmd"
|
|
+ out=$(eval $cmd)
|
|
+ ret=$?
|
|
+ unset AUTH_INFO_REQUIRED
|
|
+
|
|
+ case "$ret" in
|
|
+ 22 ) return 0 ;;
|
|
+ * )
|
|
+ echo "$out"
|
|
+ echo "failed to test $smbspool_krb5 against unknown value of AUTH_INFO_REQUIRED"
|
|
+ return 1
|
|
+ ;;
|
|
+ esac
|
|
+}
|
|
+
|
|
#
|
|
# The test enviornment uses 'vlp' (virtual lp) as the printing backend.
|
|
#
|
|
@@ -187,6 +211,10 @@ testit "smbspool_krb5_wrapper AuthInfoRequired=none" \
|
|
test_smbspool_authinforequired_none || \
|
|
failed=$(expr $failed + 1)
|
|
|
|
+testit "smbspool_krb5_wrapper AuthInfoRequired=(sth unknown)" \
|
|
+ test_smbspool_authinforequired_unknown || \
|
|
+ failed=$(expr $failed + 1)
|
|
+
|
|
testit "smbspool print example.ps" \
|
|
$samba_smbspool smb://$USERNAME:$PASSWORD@$SERVER_IP/print1 200 $USERNAME "Testprint" 1 "options" $SRCDIR/testdata/printing/example.ps || \
|
|
failed=$(expr $failed + 1)
|
|
--
|
|
2.20.1
|
|
|