Cups and Kerberized SMB

Matthew Richardson m.richardson at ed.ac.uk
Wed Feb 18 11:39:45 PST 2009


> Matthew Richardson wrote:
> > I'm currently trying to use cups to send print jobs from a linux client to a printer which is available as a smb share on an AD server.
> >
> > So far, I've successfully tested this using smbspool:
> >
> > smbspool smb://server.example.com/printqueue "" "username" "" "1" "" /tmp/helloworld.txt
> >
> > This goes to the printer successfully if I have a valid kerberos ticket, and fails if I don't.
> >
> > However, I can't carry this over into cups.
> >
> > The important bits of my printers.conf are as follows:
> >
> > <DefaultPrinter printqueue>
> > Info printqueue
> > DeviceURI smb://server.example.com/printqueue
> > ..snip...
> > </Printer>
> >
> > I've tried setting 'AuthInfoRequired none' or 'AuthInfoRequired negotiate' - but neither shows any signs of working.
> >
> > Any ideas what I'm doing wrong?
> >
> > (I'm also using chattr +i to make printers.conf immutable to prevent it being overwritten by cupsd at startup and resetting AuthInfoRequired to username,password).
>
> If you have to do this, it pretty much means that you don't have a
> recent enough version of Samba installed with the necessary smbspool
> authentication fixes.

I've tried this with newish versions of smbspool (samba 3.2.6?) and cups 1.3.9.

From what I can make out from strace/command editing, the following happens:

1) Cups notices a print job for a samba queue.  It changes uid to that of 'lp' (presumably for security purposes).

2) It calls /usr/lib/cups/backend/smb and passes it the appropriate job info including job owner.

3) smbspool (running as user lp) tries to do setuid 'job owner' - this fails as it's not root.

4) It then fails to do things like read the user's Kerberos ticket cache, and thus authentication fails.

I presume then that the method of changing uid and calling smbspool has been fundamentally changed since 3.2.6?

Thanks,

Matthew




