[cups.general] Kerberos printing to SMB printers
John Hodrien
johnh at comp.leeds.ac.uk
Mon Dec 17 05:22:40 PST 2007
On Fri, 14 Dec 2007, John Hodrien wrote:
> Is there an "approved" route to getting this end-to-end kerberosiness
> working?

At the moment things just don't look quite right. I've got a root-owned
credential in /tmp, I've got the KRB5CCNAME environment variable set right,
and the smb backend gets called. I've ditched my fix, and am using krb5 1.6.3
which has a similar fix in. I've also jumped samba to 3.2.

D [17/Dec/2007:11:47:50 +0000] [Job 2] argv[0]="pre-lp2"
D [17/Dec/2007:11:47:50 +0000] [Job 2] argv[1]="2"
D [17/Dec/2007:11:47:50 +0000] [Job 2] argv[2]="my.user at MY.DOMAIN"
D [17/Dec/2007:11:47:50 +0000] [Job 2] argv[3]="rabbits.ps"
D [17/Dec/2007:11:47:50 +0000] [Job 2] argv[4]="1"
D [17/Dec/2007:11:47:50 +0000] [Job 2] argv[5]="finishings=3 number-up=1 job-uuid=urn:uuid:f7a57c73-9dad-3927-6dff-72be041871ae"
D [17/Dec/2007:11:47:50 +0000] [Job 2] argv[6]="/var/spool/cups/d00002-001"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[0]="CUPS_CACHEDIR=/var/cache/cups"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[1]="CUPS_DATADIR=/usr/share/cups"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[2]="CUPS_DOCROOT=/usr/share/doc/cups-1.3.4"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[3]="CUPS_FONTPATH=/usr/share/cups/fonts"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[4]="CUPS_REQUESTROOT=/var/spool/cups"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[5]="CUPS_SERVERBIN=/usr/lib/cups"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[6]="CUPS_SERVERROOT=/etc/cups"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[7]="CUPS_STATEDIR=/var/run/cups"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[8]="PATH=/usr/lib/cups/filter:/usr/lib64/cups/filter:/usr/bin:/usr/sbin:/bin:/usr/bin"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[9]="SERVER_ADMIN=root at my.machine"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[10]="SOFTWARE=CUPS/1.3.4"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[11]="TMPDIR=/var/spool/cups/tmp"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[12]="USER=root"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[13]="CUPS_SERVER=/var/run/cups/cups.sock"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[14]="CUPS_ENCRYPTION=IfRequested"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[15]="IPP_PORT=631"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[16]="CHARSET=utf-8"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[17]="LANG=en_GB.UTF8"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[18]="PPD=/etc/cups/ppd/my-printer.ppd"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[19]="RIP_MAX_CACHE=8m"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[20]="CONTENT_TYPE=application/postscript"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[21]="DEVICE_URI=smb://printserver/my-printer"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[22]="PRINTER=my-printer"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[23]="AUTH_U****"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[24]="AUTH_P****"
D [17/Dec/2007:11:47:50 +0000] [Job 2] envp[25]="KRB5CCNAME=FILE:/tmp/tktExtgfS"
I [17/Dec/2007:11:47:50 +0000] [Job 2] Started backend /usr/lib/cups/backend/smb (PID 15777)

But...

smbspool gets irritated by the username being user at DOMAIN:

    if ( !(pw = sys_getpwnam(username)) ) {
        fprintf(stderr,"ERROR Can not get %s uid\n", username);
        cli_shutdown(cli);
        return NULL;
    }

So it bails at that point. Even if that's understood, it bails lower down:

    setuid(pw->pw_uid);

Doesn't that mean it's now running as the submitting user? Not helpful when
the credential pointed to by KRB5CCNAME is owned by root, along with the job
file.

Now on a machine where the cups server is on the same machine as the client,
things look healthier as long as I ignore kerberos to cups. The setuid then
makes sense, and the username comes through right. I'm still not getting a
printout, despite it working if I do a manual smbspool, but that's nearly
right.
Anyone spot where I'm being dim?
jh
--
"History teaches us that men and nations behave wisely once they have exhausted
all other alternatives." -- Abba Eban