Printing to smb with kerberos authentication

Martin hol at hsuhh.de
Wed Jan 14 23:59:13 PST 2009


> > Martin wrote:
> > > Hi all,
> > >
> > > I'm trying to print to a printer connected to a Windows server in our AD from a Linux machine. I managed to get Kerberos working and can access the server with the samba client utilities. I can even do (as user me)
> > >
> > > DEVICE_URI=smb://server.domain.name/PRINTER /usr/lib/cups/backend/smb 1234 me test 1 none something.txt
> > >
> > > to print without being asked for a password. However, when I print via the local cups, I get
> > >
> > > E [14/Jan/2009:08:51:06 +0100] [Job 496] Session setup failed: NT_STATUS_LOGON_FAILURE
> > > D [14/Jan/2009:08:51:06 +0100] Discarding unused printer-state-changed event...
> > > D [14/Jan/2009:08:51:06 +0100] [Job 496] get_exit_code(cli=0x270f570, nt_status=c000006d)
> > > I [14/Jan/2009:08:51:06 +0100] Saving printers.conf...
> > > E [14/Jan/2009:08:51:06 +0100] [Job 496] Session setup failed: NT_STATUS_NO_SUCH_FILE
> > > D [14/Jan/2009:08:51:06 +0100] Discarding unused printer-state-changed event...
> > > D [14/Jan/2009:08:51:06 +0100] [Job 496] get_exit_code(cli=0x270f570, nt_status=c000000f)
> > > E [14/Jan/2009:08:51:06 +0100] [Job 496] Session setup failed: NT_STATUS_LOGON_FAILURE
> > > D [14/Jan/2009:08:51:06 +0100] Discarding unused printer-state-changed event...
> > > D [14/Jan/2009:08:51:06 +0100] [Job 496] get_exit_code(cli=0x27100c0, nt_status=c000006d)
> > > I [14/Jan/2009:08:51:06 +0100] Saving printers.conf...
> > > E [14/Jan/2009:08:51:06 +0100] [Job 496] Tree connect failed (NT_STATUS_ACCESS_DENIED)
> > >
> > > My guess is that KRB5CCNAME is not set up correctly when the smb backend is invoked. A work-around solution would be a wrapper script that switches user id to the owner of the print job and then invokes smbspool, but surely, I just missed some important configuration in cups to make this work smoothly.
> > >
> > > Any hints, anyone?
> > >
> > > For completeness, I'm using cups 1.3.8, samba 3.2.5, MIT krb5 1.6 (from Debian lenny).
> >
> >  From the Using Kerberos help document:
> >
> >      http://www.cups.org/documentation.php/doc-1.4/kerberos.html
> >      (also on your local system...)
> >
> > you need MIT Kerberos 1.6.3 or later.
> >
>
> Oops, sorry for the confusion, I lost a .4 somewhere, so that's Kerberos 1.6.4.
>
> > You also need to set up your system with the KDC so you can forward
> > credentials from your user account through CUPS to the Windows system.
>
> Well, yes, I guess this is where the error is... is there some howto or other detailed documentation about this around somewhere? Or at least some guideline to figure out what component to tweak?
>
> From my client perspective, it looks like this: My TGT has FPRIA flags. Printing through cups (trying to, that is) does not add anything to the credentials cache; furthermore, with wireshark I can confirm that no ticket requests are made. Invoking the smb backend directly from my user account, I get a ticket for the server$@REALM service principal (and a printout).
>
> I do have
> DefaultAuthType Negotiate
> in my cupsd.conf, but I'm not even sure whether this is necessary. Does cups request a ticket from the user upon submitting the print job, or does it use the user's credentials cache (for a local user) to acquire a ticket in his name? From your remark I gather that the former is true, correct?
>
> Thanks
> Martin

Update:
After adding AuthType Default to <Limit All> in my default policy, I get cups to request a Kerberos ticket from clients*). The ticket in the client user's cache has FPRA flags. Now the backend gets the KRB5CCNAME variable set, but still...

D [15/Jan/2009:08:30:27 +0100] [Job 504] envp[26]="KRB5CCNAME=FILE:/tmp/tktsz8E8O"
[...]
E [15/Jan/2009:08:30:27 +0100] [Job 504] Session setup failed: NT_STATUS_UNSUCCESSFUL
D [15/Jan/2009:08:30:27 +0100] [Job 504] get_exit_code(cli=0xbb5570, nt_status=c0000001)
D [15/Jan/2009:08:30:27 +0100] Discarding unused printer-state-changed event...
E [15/Jan/2009:08:30:27 +0100] [Job 504] Session setup failed: NT_STATUS_LOGON_FAILURE
D [15/Jan/2009:08:30:27 +0100] Discarding unused printer-state-changed event...
D [15/Jan/2009:08:30:27 +0100] [Job 504] get_exit_code(cli=0xbb60c0, nt_status=c000006d)
I [15/Jan/2009:08:30:27 +0100] Saving printers.conf...
E [15/Jan/2009:08:30:27 +0100] [Job 504] Tree connect failed (NT_STATUS_ACCESS_DENIED)

The /tmp/tktsz8E8O file does contain my TGT with FfPRA flags. Furthermore,

KRB5CCNAME=FILE:/tmp/tktsz8E8O DEVICE_URI=smb://server.domain.name/PRINTER /usr/lib/cups/backend/smb 1234 me test 1 none something.txt

as root does print successfully and adds a server$@REALM entry to /tmp/tktsz8E8O. What's the difference when run by cups?

I feel I'm a step further, any more useful hints?

*) I have to access cups through its public interface, though. Accessing it through 127.0.0.1 makes cups use the service principal ipp/localhost which doesn't work.

Thanks
Martin
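
Added example (not part of the original post, and not CUPS or Samba code): a Python triage over cupsd error_log lines in the format quoted above, separating jobs whose backend environment never showed KRB5CCNAME from jobs where it was set and SMB session setup failed anyway. The sample lines are constructed from the excerpts in the message; the function names and verdict labels are hypothetical, and the check assumes debug-level logging so that envp lines are written.

```python
import re
from collections import defaultdict

# NT status codes exactly as paired with their names in the excerpts above.
NT_STATUS = {0xC0000001: "NT_STATUS_UNSUCCESSFUL",
             0xC000000F: "NT_STATUS_NO_SUCH_FILE",
             0xC000006D: "NT_STATUS_LOGON_FAILURE"}

LINE = re.compile(r"^[A-Za-z] \[[^\]]+\] \[Job (\d+)\] (.*)$")
CCNAME = re.compile(r'^envp\[\d+\]="KRB5CCNAME=([^"]*)"$')
EXIT = re.compile(r"nt_status=([0-9a-fA-F]{8})\)")
TREE = re.compile(r"^Tree connect failed \((NT_STATUS_\w+)\)")

# Constructed sample, modelled on the log lines quoted in the message.
SAMPLE = [
    'E [14/Jan/2009:08:51:06 +0100] [Job 496] Session setup failed: NT_STATUS_LOGON_FAILURE',
    'D [14/Jan/2009:08:51:06 +0100] [Job 496] get_exit_code(cli=0x270f570, nt_status=c000006d)',
    'I [14/Jan/2009:08:51:06 +0100] Saving printers.conf...',
    'E [14/Jan/2009:08:51:06 +0100] [Job 496] Tree connect failed (NT_STATUS_ACCESS_DENIED)',
    'D [15/Jan/2009:08:30:27 +0100] [Job 504] envp[26]="KRB5CCNAME=FILE:/tmp/tktsz8E8O"',
    'D [15/Jan/2009:08:30:27 +0100] [Job 504] get_exit_code(cli=0xbb5570, nt_status=c0000001)',
    'D [15/Jan/2009:08:30:27 +0100] [Job 504] get_exit_code(cli=0xbb60c0, nt_status=c000006d)',
    'E [15/Jan/2009:08:30:27 +0100] [Job 504] Tree connect failed (NT_STATUS_ACCESS_DENIED)',
]

def verdict(job):
    """Hypothetical labels: was a ccache handed to the backend at all?"""
    if not (job["codes"] or job["tree"]):
        return "ok"
    return "ccache-set-but-auth-failed" if job["ccache"] else "no-ccache-in-backend-env"

def triage(lines):
    """Group per-job Kerberos/SMB evidence from cupsd error_log lines."""
    jobs = defaultdict(lambda: {"ccache": None, "codes": [], "tree": None})
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # scheduler-wide lines carry no job id
        job, msg = jobs[int(m.group(1))], m.group(2)
        if (c := CCNAME.match(msg)):
            job["ccache"] = c.group(1)
        elif (e := EXIT.search(msg)):
            code = int(e.group(1), 16)
            job["codes"].append(NT_STATUS.get(code, f"0x{code:08x}"))
        elif (t := TREE.match(msg)):
            job["tree"] = t.group(1)
    return {n: dict(j, verdict=verdict(j)) for n, j in jobs.items()}

if __name__ == "__main__":
    for number, info in sorted(triage(SAMPLE).items()):
        print(number, info)
```

A "ccache-set-but-auth-failed" verdict narrows the question to what the backend process can do with the cache it was given, which is the difference the update asks about.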