Kerberos printing is not working over unix domain socket #4758

Closed
michaelrsweet opened this issue Jan 13, 2016 · 22 comments

@michaelrsweet (Collaborator)

Version: 2.1.2
CUPS.org User: asn

I've implemented a kerberos wrapper for SMB printing with CUPS. Printing on the localhost on Linux (Fedora 23) works fine if I disable the unix domain socket, it doesn't work if it is enabled.

Attached is the log from cups with the failing print job over a unix domain socket.

@michaelrsweet (Collaborator Author)

CUPS.org User: asn

This is a successful print job over the local http socket. I've disabled the unix socket.

@michaelrsweet (Collaborator Author)

CUPS.org User: asn

The implementation of my smbspool_krb5_wrapper which sets the correct KRB5CCNAME can be found here:

https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-smbspool

@michaelrsweet (Collaborator Author)

CUPS.org User: mike

Mapping kerberos accounts to local accounts is potentially dangerous, even if the account names match.

Will have to think about this, but don't expect a quick fix.

@michaelrsweet (Collaborator Author)

CUPS.org User: asn

FYI: Kerberos auth over the unix domain socket works with CUPS 1.6.3

@michaelrsweet michaelrsweet added this to the Stable milestone Mar 17, 2016
@michaelrsweet michaelrsweet modified the milestones: Future, Stable May 11, 2016
@michaelrsweet (Collaborator Author)

The safest solution for this is to run the smb backend as the user (that's what we do on macOS), so any change here has to come from the Samba folks...

@cryptomilk

How can you run the smb backend as the user who submitted the print job?

@michaelrsweet (Collaborator Author)

michaelrsweet commented Jul 4, 2017

@cryptomilk There is code you can draw inspiration from in the IPP backend sources of CUPS (backend/ipp.c); essentially you run the backend as root (chmod 500 /usr/lib/cups/backend/smb) and then have the SMB backend do a seteuid if the AUTH_UID environment variable is set and a number > 0.

@cryptomilk

That's exactly what I'm doing. You can see the code for it here:

https://git.samba.org/?p=samba.git;a=blob;f=source3/client/smbspool_krb5_wrapper.c;h=bf97d82115a639caebfdf13a9f249e5fbce04833;hb=refs/heads/master

This works fine with cups 1.6.3 over a unix socket (cupsd.conf: Listen /run/cups/cups.sock)

It doesn't work with cups 2.x over a unix socket (cupsd.conf: Listen /run/cups/cups.sock)

@michaelrsweet (Collaborator Author)

@cryptomilk Hmm, is AUTH_UID getting set for your backend?

All of this relies on the UNIX domain peer credentials stuff working and getting set, which controls whether the AUTH_UID environment variable is passed to the backend. Running cupsd with the log level set to "debug2" will at least show you the peer credentials when they are collected...

Also, I would check that you don't have another security layer like SELinux or AppArmor interfering, and maybe trace the execution of the smbprint program to see what it is looking for if everything else looks right.

(on macOS we actually trampoline into a real user login session through XPC rather than doing the setuid trick, so there we get the whole user environment and not just the UID and primary GID set...)

@jsmeix

jsmeix commented Jul 6, 2017

@cryptomilk
only as a side note FYI
(I cannot help here because I never used Windows AD):

You may have a look at
https://bugzilla.opensuse.org/show_bug.cgi?id=1040951
therein in particular at
https://bugzilla.opensuse.org/show_bug.cgi?id=1040951#c7
how one could make a CUPS backend that calls
/usr/bin/smbspool from an appropriate environment
which works at least for the particular case of this user.

At SUSE/openSUSE we have the RPM packages
samba-krb-printing and cups-backend-kerberized-smb
that run smbspool as the user who submitted the print job.
Regarding how samba-krb-printing is intended to work,
see "The help text ..." in
https://bugzilla.opensuse.org/show_bug.cgi?id=661845#c7

For some more details and background information
you may also have a look at
https://bugzilla.opensuse.org/show_bug.cgi?id=899118

Of course that information could meanwhile be
somewhat outdated.

@cryptomilk

@jsmeix Thanks for your effort. I'm familiar with the really old hack SUSE is packaging.

However, this hack doesn't work with credential caches stored in the Kernel Keyring. That's why I implemented smbspool_krb5_wrapper based on how backends should be implemented. Essential is the AUTH_UID in this case, which tells you the UID of the user you should switch to. Your samba-krb-printing works with usernames and IIRC the cups documentation tells you not to do that.

So you should use the smbspool_krb5_wrapper implemented by Samba :-)

I think I need to reproduce the issue and prove that AUTH_UID is not set.

@jsmeix

jsmeix commented Jul 7, 2017

@cryptomilk
I am afraid, personally I cannot do anything about Samba
or samba-krb-printing and cups-backend-kerberized-smb
but at least I forwarded your information as
https://bugzilla.opensuse.org/show_bug.cgi?id=1040951#c12

@redflo

redflo commented Jul 7, 2017

Hi,

I tried smbspool_krb5_wrapper and it says that AUTH_UID is not set. I'm using opensuse which comes with cups 1.7.5 and samba 4.4.2.

@cryptomilk

Yes, that's an environment variable which CUPS sets to tell the backend (smb) which user submitted the print job.

This variable gets correctly set with CUPS 1.6.3. We have that working with RHEL7. It is broken on newer versions.

If you set the log level to debug in cups, you will see additional information from the smbspool_krb5_wrapper. Note the wrapper needs to have 0700 as file permissions and must be owned by root so that it gets executed with root privileges. Else it can't switch to the user to access the kerberos credentials cache.

@redflo

redflo commented Jul 7, 2017

OK, thanks. So I need cups 1.6.3 or cups 2.x or I stick with the opensuse wrapper.

@cryptomilk

I think it is broken in all versions newer than 1.7. I'm trying to reproduce the issue with CUPS 2.2 right now that AUTH_UID is not set if the job is submitted over the unix socket.

@cryptomilk

Ok, confirmed it works with CUPS >= 2.2.0

Jul 07 13:21:57 samba-cli01 cupsd[13703]: SMBSPOOL_KRB5 - AUTH_INFO_REQUIRED=negotiate
Jul 07 13:21:57 samba-cli01 cupsd[13703]: SMBSPOOL_KRB5 - Started with uid=0
Jul 07 13:21:57 samba-cli01 cupsd[13703]: SMBSPOOL_KRB5 - Switching to gid=100000513
Jul 07 13:21:57 samba-cli01 cupsd[13703]: SMBSPOOL_KRB5 - Switching to uid=100000500
Jul 07 13:21:57 samba-cli01 cupsd[13703]: SMBSPOOL_KRB5 - Setting KRB5CCNAME to ''KEYRING:persistent:100000500'

@cryptomilk

https://git.samba.org/?p=asn/samba.git;a=commitdiff;h=c34b29406e274aa679241069243d75e6f4371470

This is the fix. You can also fix the issue by editing /etc/cups/printers.conf and set:

AuthInfoRequired negotiate
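Two points from this thread matter for anyone writing such a backend: michaelrsweet's description above (run the backend as root, switch to the user only when AUTH_UID is set and greater than zero) and the finding that cupsd only hands AUTH_UID to the backend when the queue has AuthInfoRequired negotiate. The C below is an added illustration written for this note, not code from CUPS or from Samba's smbspool_krb5_wrapper. It validates the AUTH_UID and AUTH_GID values (reading AUTH_GID next to AUTH_UID is an assumption here), drops root permanently with setgid/setuid rather than seteuid so the child cannot regain root, verifies the drop, derives a KRB5CCNAME of the KEYRING:persistent:<uid> form seen in the log above, and only then execs /usr/bin/smbspool with the backend's own arguments. The path and the debug messages are hypothetical.

```c
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse an AUTH_UID / AUTH_GID value as cupsd passes it: a decimal id,
 * greater than zero, with nothing trailing. Returns the id, or -1 when the
 * value is missing or malformed. Rejecting 0 means a bad value can never
 * silently leave us running smbspool as root. */
long parse_id(const char *value)
{
    char *end = NULL;
    long id;

    if (value == NULL || *value == '\0')
        return -1;
    errno = 0;
    id = strtol(value, &end, 10);
    if (errno != 0 || end == value || *end != '\0')
        return -1;
    if (id <= 0 || id > INT_MAX)
        return -1;
    return id;
}

/* Build the credential cache name for the user in the form shown in the
 * log above ("KEYRING:persistent:<uid>"). Returns the length written, or
 * -1 if the buffer is too small. */
int build_ccname(uid_t uid, char *buf, size_t size)
{
    int n = snprintf(buf, size, "KEYRING:persistent:%lu", (unsigned long)uid);
    if (n < 0 || (size_t)n >= size)
        return -1;
    return n;
}

/* Drop from root to the submitting user for good: supplementary groups
 * first, then gid, then uid. setuid (not seteuid) is used so the exec'd
 * smbspool cannot switch back. Returns 0 on success, -1 on any failure,
 * including the case where root privileges are unexpectedly still there. */
int drop_to_user(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    if (setuid(0) == 0)        /* must fail now; if it works, the drop is broken */
        return -1;
    return 0;
}

int main(int argc, char *argv[])
{
    const char *required = getenv("AUTH_INFO_REQUIRED");
    long uid = parse_id(getenv("AUTH_UID"));
    long gid = parse_id(getenv("AUTH_GID"));   /* assumption: set alongside AUTH_UID */
    char ccname[64];

    (void)argc;
    if (getuid() != 0) {
        fprintf(stderr, "ERROR: wrapper must be root-owned with mode 0700\n");
        return 1;
    }
    if (required == NULL || strcmp(required, "negotiate") != 0)
        fprintf(stderr, "DEBUG: AUTH_INFO_REQUIRED is not 'negotiate'; "
                        "cupsd will not pass AUTH_UID for this queue\n");
    if (uid < 0 || gid < 0) {
        fprintf(stderr, "ERROR: AUTH_UID/AUTH_GID not set or invalid\n");
        return 1;
    }
    if (drop_to_user((uid_t)uid, (gid_t)gid) != 0) {
        fprintf(stderr, "ERROR: cannot switch to uid=%ld gid=%ld: %s\n",
                uid, gid, strerror(errno));
        return 1;
    }
    if (build_ccname((uid_t)uid, ccname, sizeof ccname) < 0 ||
        setenv("KRB5CCNAME", ccname, 1) != 0)
        return 1;
    fprintf(stderr, "DEBUG: Switched to uid=%ld gid=%ld, KRB5CCNAME=%s\n",
            uid, gid, ccname);

    /* Hand the job to the real backend with the arguments cupsd gave us
     * (job-id user title copies options [file]); DEVICE_URI stays in env. */
    execv("/usr/bin/smbspool", argv);
    perror("execv");
    return 1;
}
```

The order of checks is deliberate: the wrapper refuses to continue if it is not root (which is what a wrong file mode produces), refuses to continue if AUTH_UID is absent (which is what a missing AuthInfoRequired negotiate produces), and refuses to exec if it can still become root after the switch.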

@michaelrsweet (Collaborator Author)

The lpadmin command can also do it:

lpadmin -p printer -o auth-info-required=negotiate

@cryptomilk

@michaelrsweet Could you add exactly this line as an example to the lpadmin manpage?

@michaelrsweet (Collaborator Author)

@cryptomilk I hesitate to do so only because a) it normally isn't necessary and b) it exposes an implementation detail that is only supported by two backends.

The -o option is already documented, just not the specific usage of "-o auth-info-required=foo".

@InfoLibre

Hello,
I'm using Linux Mint MATE 18.3, CUPS 2.1.3. I checked "Use Kerberos authentication (FAQ)" and then have "AuthInfoRequired negotiate" in /etc/cups/printers.conf.
I added my Linux Mint computer into a domain (Windows 2008 server) with realmd.
I can access Windows shared folders from my Linux computer but I can't use Kerberos to print on the Windows SMB shared printers, I must always authenticate.
The smbspool_krb5_wrapper Debian or Linux Mint package doesn't exist, what could I do?

My configuration (sorry, it's in French): http://www.numopen.fr/Integrer-un-ordinateur-avec-Linux-Mint-MATE-dans-un-domaine-Windows
