[cups.general] Kerberos printing to SMB printers

John Hodrien johnh at comp.leeds.ac.uk
Mon Dec 17 05:22:40 PST 2007


On Fri, 14 Dec 2007, John Hodrien wrote:

> Is there an "approved" route to getting this end-to-end kerberosiness 
> working?

At the moment things just don't look quite right.  I've got a root-owned
credential in /tmp, I've got the KRB5CCNAME environment variable set right,
and the smb backend gets called.  I've ditched my fix, and am using krb5 1.6.3
which has a similar fix in.  I've also jumped samba to 3.2.

D [17/Dec/2007:11:47:50 +0000] [Job 2] argv[0]="pre-lp2"
D [17/Dec/2007:11:47:50 +0000] [Job 2] argv[1]="2"
D [17/Dec/2007:11:47:50 +0000] [Job 2] argv[2]="my.user at MY.DOMAIN"
D [17/Dec/2007:11:47:50 +0000] [Job 2] argv[3]="rabbits.ps"
D [17/Dec/2007:11:47:50 +0000] [Job 2] argv[4]="1"
D [17/Dec/2007:11:47:50 +0000] [Job 2] argv[5]="finishings=3 number-up=1 job-uuid=urn:uuid:f7a57c73-9dad-3927-6dff-72be041871ae"
D [17/Dec/2007:11:47:50 +0000] [Job 2] argv[6]="/var/spool/cups/d00002-001"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[0]="CUPS_CACHEDIR=/var/cache/cups"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[1]="CUPS_DATADIR=/usr/share/cups"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[2]="CUPS_DOCROOT=/usr/share/doc/cups-1.3.4"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[3]="CUPS_FONTPATH=/usr/share/cups/fonts"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[4]="CUPS_REQUESTROOT=/var/spool/cups"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[5]="CUPS_SERVERBIN=/usr/lib/cups"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[6]="CUPS_SERVERROOT=/etc/cups"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[7]="CUPS_STATEDIR=/var/run/cups"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[8]="PATH=/usr/lib/cups/filter:/usr/lib64/cups/filter:/usr/bin:/usr/sbin:/bin:/usr/bin"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[9]="SERVER_ADMIN=root at my.machine"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[10]="SOFTWARE=CUPS/1.3.4"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[11]="TMPDIR=/var/spool/cups/tmp"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[12]="USER=root"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[13]="CUPS_SERVER=/var/run/cups/cups.sock"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[14]="CUPS_ENCRYPTION=IfRequested"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[15]="IPP_PORT=631"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[16]="CHARSET=utf-8"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[17]="LANG=en_GB.UTF8"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[18]="PPD=/etc/cups/ppd/my-printer.ppd"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[19]="RIP_MAX_CACHE=8m"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[20]="CONTENT_TYPE=application/postscript"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[21]="DEVICE_URI=smb://printserver/my-printer"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[22]="PRINTER=my-printer"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[23]="AUTH_U****"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[24]="AUTH_P****"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[25]="KRB5CCNAME=FILE:/tmp/tktExtgfS"
I [17/Dec/2007:11:47:50 +0000] [Job 2] Started backend /usr/lib/cups/backend/smb (PID 15777)

But...

smbspool gets irritated by the username being user at DOMAIN:

     if ( !(pw = sys_getpwnam(username)) ) {
         fprintf(stderr,"ERROR Can not get %s uid\n", username);
         cli_shutdown(cli);
         return NULL;
     }

So it bails at that point.  Even if that's understood, it bails lower down:

     setuid(pw->pw_uid);

Doesn't that mean it's now running as the submitting user?  Not helpful when
the credential pointed to by KRB5CCNAME is owned by root, along with the job
file.

Now on a machine where the cups server is on the same machine as the client,
things look healthier as long as I ignore kerberos to cups.  The setuid then
makes sense, and the username comes through right.  I'm still not getting a
printout, despite it working if I do a manual smbspool, but that's nearly
right.

Anyone spot where I'm being dim?

jh

-- 
"History teaches us that men and nations behave wisely once they have exhausted
  all other alternatives."                            -- Abba Eban
