Bug 1700791

Summary: Printing cannot be authenticated
Product: [Fedora] Fedora
Reporter: Berend De Schouwer <berend.de.schouwer>
Component: samba
Assignee: Guenther Deschner <gdeschner>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 30
CC: abokovoy, anoopcs, asn, gdeschner, guina, jarrpa, joukj, jpopelka, jstephen, lmohanty, luca.giuzzi, madam, ngaywood, paullee0, sbose, ssorce, twaugh, zdohnal
Hardware: x86_64   
OS: Linux   
Fixed In Version: samba-4.10.5-1.fc30
Last Closed: 2019-07-06 04:08:58 UTC
Type: Bug
Attachments: log file from cups

Description Berend De Schouwer 2019-04-17 11:46:48 UTC
Description of problem:

Configure cups to print to a SMB printer that requires authentication.  Print a file.  GNOME will pop up "authentication required", but it's impossible to do so.


Version-Release number of selected component (if applicable):

cups-2.2.11-1.fc30.x86_64
gnome-control-center-3.32.1-1.fc30.x86_64


How reproducible:

Always, but it requires a SMB print spooler.


Steps to Reproduce:
1. Have a printer on a SMB spooler
2. Configure printer (DEVICE_URI smb://...)
3. Print

Actual results:

1. Popup "authentication required" bubble
2. gnome-control-center -> devices -> printers -> authenticate -> authenticate is greyed out (cannot authenticate)


Expected results:

1. Popup a dialog (not just a bubble)
2. gnome-control-center -> devices -> printers -> authenticate -> authenticate shouldn't be greyed out.


Additional info:

Cups has three (that I've found) possible values for the "AuthInfo" attribute per printer: none, username,password, and negotiate.

On SMB printers this will always become "negotiate".  That may be related to BZ 1662408.

If it's "negotiate", the authentication is greyed out, and no help is provided.  If it's set to username,password the authentication dialog allows for entering a username and password; however the correct username and password *still* don't work.

Re-printing re-sets the authinfo attribute to negotiate.


Workaround:

Set the AuthInfo attribute to none, and hardcode the username and password in DeviceUri.

Comment 1 Berend De Schouwer 2019-04-29 08:38:48 UTC
Additional requirement for workaround: hardcode exit code of smbspool to 0.

Comment 2 J.Jansen 2019-05-02 07:41:34 UTC
I got the same problem.

Applying the work-around of comment 1, I was able to change both AuthInfRequired and Shared again.

But in my case it seemed that it did not want to pick up the credentials from the DeviceUri, as it did before the upgrade from F29 to F30.

Comment 3 Zdenek Dohnal 2019-05-13 09:52:37 UTC
Hi all,

I'm sorry for the late response, I was focused on other problems and I had PTO after that. According to CUPS upstream, samba should take care of it:

https://github.com/apple/cups/issues/5573

Comment 4 Andreas Schneider 2019-05-13 10:18:26 UTC
This should be fixed with:

https://bugzilla.samba.org/show_bug.cgi?id=13939

and

https://bugzilla.samba.org/show_bug.cgi?id=13832

Comment 5 Andreas Schneider 2019-05-13 10:21:17 UTC
*** Bug 1705606 has been marked as a duplicate of this bug. ***

Comment 6 Luca Giuzzi 2019-06-17 14:56:19 UTC
I have managed to get the authentication to work by hardcoding the url in the smbspool executable.
More in detail, I moved /usr/bin/smbspool to /usr/bin/smbspool.true and then added the following script as /usr/bin/smbspool

#!/bin/sh
cat <&0| /usr/bin/smbspool.true CORRECT_SMB_PATH_TO_USE "$1" "$2" "$3" "$4" "$5"
exit 0


where CORRECT_SMB_PATH_TO_USE is a URL like smb://username:password@domain/ip_address/queue_name
It appears that smbspool (as it was) did not receive the correct smb url.

Comment 7 Fedora Update System 2019-06-20 20:04:52 UTC
FEDORA-2019-8015e5dc40 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-8015e5dc40

Comment 8 Fedora Update System 2019-06-22 06:04:30 UTC
samba-4.10.5-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8015e5dc40

Comment 9 Luca Giuzzi 2019-06-25 08:14:18 UTC
I have just updated to samba-4.10.5-1.fc30 but I still have problems with authentication (i.e. the username/password pair is not passed by cups to smbspool). 
With the fix of comment 6 I can print (but that fix is still needed).

Comment 10 Andreas Schneider 2019-06-25 09:34:55 UTC
CUPS passes the SMB URL via the DEVICE_URI to the backend. If you don't enable debug logging in CUPS you won't find out what you're doing wrong.

Comment 11 Luca Giuzzi 2019-06-25 10:38:36 UTC
The DEVICE_URI string is passed correctly.
The following script works.


#!/bin/sh
echo $DEVICE_URI >> /tmp/lll
cat <&0| /usr/bin/smbspool.true $DEVICE_URI "$1" "$2" "$3" "$4" "$5"
exit 0

This is curious.

Comment 12 Luca Giuzzi 2019-06-25 12:00:18 UTC
Curiouser and curiouser,
 if I set DEVICE_URI from the shell and call smbspool.true directly with something like
 smbspool.true 1 1 1 1 1 file.ps 
 it works as well as
 cat file.ps | smbspool.true 1 1 1 1 1

I cannot quite figure out what is going on (and debug logging of cups does not seem to suggest anything of relevance).

Comment 13 Andreas Schneider 2019-06-25 14:36:34 UTC
The cups debug log is quite verbose and smbspool has enough debug messages now. My guess would be that AUTH_INFO_REQUIRED is set incorrectly.

Comment 14 Luca Giuzzi 2019-06-25 15:29:58 UTC
No... AUTH_INFO_REQUIRED is set correctly (it should be None; cups however rewrites it as negotiate after failure; nonetheless, with the script above it works also with negotiate).
The environment printed by cupsd in the debug log has the following:
Jun 25 17:24:00 atum.local cupsd[8800]: envp[23]="DEVICE_URI=smb://dip.unibs.local/10.128.132.101/FollowMe_Dominio"
where the authentication tags do not appear. What is passed to smbspool however appears to have DEVICE_URI properly set. This is what puzzles me.

Comment 15 Luca Giuzzi 2019-06-25 15:33:07 UTC
Created attachment 1584342 [details]
log file from cups

I attach a debug log from cups; I hope there is everything.

Comment 16 Andreas Schneider 2019-06-26 09:49:22 UTC
AUTH_INFO_REQUIRED should be username/password or negotiate.

Comment 17 Andreas Schneider 2019-06-26 09:50:59 UTC
From your log file:

Jun 25 17:24:00 atum.local cupsd[8800]: This backend requires credentials!
Jun 25 17:24:00 atum.local cupsd[8800]: get_exit_code(nt_status=NT_STATUS_ACCESS_DENIED [c0000022])
Jun 25 17:24:00 atum.local cupsd[8800]: ATTR: auth-info-required=none

Comment 18 Berend De Schouwer 2019-06-26 10:52:54 UTC
(In reply to Luca Giuzzi from comment #14)
> No...AUTH_INFO_REQUIRED is set correctly (it should be None; cups however
> rewrites it as negotiate after failure; none the less, with the script above
> it works also with negotiate)
> The environment printed by cupsd in the debug log has  the following:
> Jun 25 17:24:00 atum.local cupsd[8800]:
> envp[23]="DEVICE_URI=smb://dip.unibs.local/10.128.132.101/FollowMe_Dominio"
> where the authentication tags do not appear. What is passed to smbspool
> however appears to have DEVICE_URI properly set. This is what puzzles me.

Lots of apps strip out username/password when logging.  Cups might do this too.
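
Added example (not part of the bug report, and not CUPS or Samba code): a small Python triage over the cupsd debug lines quoted in comments 14 and 17, which also masks any user:password@ part of DEVICE_URI before reporting it, in line with the point above about loggers stripping credentials. The fifth log line and its USER:PASS placeholder are constructed, and the function names are illustrative.

```python
import re

# Constructed sample: the four cupsd lines quoted in comments 14 and 17, plus
# one constructed line with placeholder credentials to exercise redaction.
SAMPLE_LOG = '''\
Jun 25 17:24:00 atum.local cupsd[8800]: envp[23]="DEVICE_URI=smb://dip.unibs.local/10.128.132.101/FollowMe_Dominio"
Jun 25 17:24:00 atum.local cupsd[8800]: This backend requires credentials!
Jun 25 17:24:00 atum.local cupsd[8800]: get_exit_code(nt_status=NT_STATUS_ACCESS_DENIED [c0000022])
Jun 25 17:24:00 atum.local cupsd[8800]: ATTR: auth-info-required=none
Jun 25 17:25:00 atum.local cupsd[8800]: envp[23]="DEVICE_URI=smb://USER:PASS@dip.unibs.local/10.128.132.101/FollowMe_Dominio"
'''

USERINFO = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*://)[^/]*@")
DEVICE_URI = re.compile(r'DEVICE_URI=([^"\s]+)')
NT_STATUS = re.compile(r"nt_status=(NT_STATUS_\w+)")
AUTH_INFO = re.compile(r"auth-info-required=([\w,]+)")


def redact_uri(uri):
    """Mask user[:password]@ in a device URI (up to the last '@' before the first '/')."""
    return USERINFO.sub(r"\1<redacted>@", uri)


def triage(log_text):
    """Summarise SMB authentication evidence in cupsd debug output; URIs are redacted."""
    report = {"device_uris": [], "wants_credentials": False,
              "nt_status": None, "auth_info_required": None, "findings": []}
    for line in log_text.splitlines():
        if "This backend requires credentials!" in line:
            report["wants_credentials"] = True
        if (m := DEVICE_URI.search(line)):
            report["device_uris"].append(redact_uri(m.group(1)))
        if (m := NT_STATUS.search(line)):
            report["nt_status"] = m.group(1)
        if (m := AUTH_INFO.search(line)):
            report["auth_info_required"] = m.group(1)
    if report["nt_status"] == "NT_STATUS_ACCESS_DENIED" and report["auth_info_required"] == "none":
        report["findings"].append("access denied while auth-info-required=none")
    if report["wants_credentials"] and not any("<redacted>@" in u for u in report["device_uris"]):
        # Absence in the log is not proof: the logger may have stripped the credentials.
        report["findings"].append("no credentials visible in logged DEVICE_URI")
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```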

Comment 19 Fedora Update System 2019-07-06 04:08:58 UTC
samba-4.10.5-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Luca Giuzzi 2019-07-08 08:43:17 UTC
The problem I mentioned before seems to be fixed, in the sense that with
AuthInfoRequired username,password
I can print provided I enter the credentials every time.
This is the case even if the device uri contains the correct username/password pair; perhaps this is a different problem, though.

Comment 21 Andreas Schneider 2019-07-17 08:07:08 UTC
Please open a new bug against CUPS. The documentation for writing CUPS back-ends is more or less non-existent. Maybe it will shine some light on it.

Comment 22 paul 2019-07-31 23:23:27 UTC
In my case, "Required Credential to print" appears in notification area.


Procedures:
1.  Install F30
2.  Install Printer, searching the local network area, add the printer
3.  Print to the network printer
4.  "Required Credential to print"


F29 has no such problem.