Bug 453951

Summary: Authorization is broken in cups
Product: [Fedora] Fedora
Reporter: Carlo de Wolf <cdewolf>
Component: samba
Assignee: Simo Sorce <ssorce>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: low
Version: 9
CC: craigwhite, eddie.kuns, gdeschner, matt.sage, twaugh
Hardware: i686   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2008-08-12 17:04:16 UTC
Attachments: samba-auth-info-required.patch (flags: none)

Description Carlo de Wolf 2008-07-03 13:47:21 UTC
Description of problem:

I've configured a network printer via SMB. After I've submitted my first job I
can't print any more.

The log shows the following:
D [03/Jul/2008:15:24:58 +0200] cupsdAcceptClient: skipping getpeercon()
D [03/Jul/2008:15:24:58 +0200] cupsdAcceptClient: 14 from localhost (Domain)
D [03/Jul/2008:15:24:58 +0200] cupsdReadClient: 14 POST /printers/OfficeJet-5110 HTTP/1.1
D [03/Jul/2008:15:24:58 +0200] cupsdAuthorize: No authentication data provided.
D [03/Jul/2008:15:24:58 +0200] Print-Job ipp://localhost/printers/OfficeJet-5110
E [03/Jul/2008:15:24:58 +0200] Print-Job: Unauthorized
D [03/Jul/2008:15:24:58 +0200] cupsdSendError: 14 code=401 (Unauthorized)
D [03/Jul/2008:15:24:58 +0200] cupsdSendHeader: WWW-Authenticate: Negotiate
D [03/Jul/2008:15:24:58 +0200] cupsdCloseClient: 14

Both the SMB share and the cups printer definition allow for anybody to submit a
job, so there should be no authorization issue.

Also there is no cups authentication dialog popping up.

Now when I change the printer definition:
AuthInfoRequired negotiate
to
AuthInfoRequired none
it works as expected.

Version-Release number of selected component (if applicable):

1:1.3.7-2.fc9

How reproducible:


Steps to Reproduce:
1. Install a network printer to a SMB share
   Note that verify will always give me an error 'share not available'
2. Print test page, observe the setup working
3. Print test page, observe the setup not working

Actual results:

Print-Job: Unauthorized

Expected results:

cupsdIsAuthorized: requesting-user-name="carlo"

Additional info:

Comment 1 Tim Waugh 2008-07-03 14:24:41 UTC
This is a samba bug.

The smbspool program is assuming Kerberos authentication when it shouldn't.

(Simo: I sent you mail about this last month, not sure if you remember..)

Comment 2 Tim Waugh 2008-07-28 12:57:55 UTC
Created attachment 312767
samba-auth-info-required.patch

This patch is not quite right according to James Peach, but I haven't heard
from him about what exactly needs changing.  It fixes the problem for
non-Kerberos installations anyway.

Comment 3 Tim Waugh 2008-07-28 15:03:58 UTC
*** Bug 456555 has been marked as a duplicate of this bug. ***

Comment 4 Simo Sorce 2008-08-11 18:28:16 UTC
Tim, I've built a new package in rawhide with the patch Jeremy committed upstream to fix upstream bug 5675; it's in koji (samba-3.2.1-1.18.fc10). Can you test it?

Comment 5 Simo Sorce 2008-08-11 18:53:37 UTC
Make that samba-3.2.1-0.19.fc10 ...

Comment 6 Tim Waugh 2008-08-12 15:04:48 UTC
Works for me.  Thanks.

Comment 7 Edward Kuns 2008-12-18 05:16:43 UTC
Hmm, current FC10 has samba-*-3.2.5-0.23, seemingly later than 3.2.1-1, but this bug is still present in FC10 with update.

Comment 8 Simo Sorce 2008-12-18 13:28:58 UTC
Edward, can you provide logs?
I want to confirm it before reopening.

Comment 9 Matthew Sage 2008-12-19 20:46:17 UTC
The problem exists for Fedora 10.

[root@<host> ~]# service cups restart
Stopping cups:                                             [  OK  ]
Starting cups:                                             [  OK  ]
[root@<host> ~]# grep Auth /etc/cups/printers.conf
AuthInfoRequired none

(Print a job here)

[root@<host> ~]# grep Auth /etc/cups/printers.conf
AuthInfoRequired username,password

(Print another job here, while...)

[root@insatiable ~]# tail -f /var/log/cups/error-log
D [20/Dec/2008:07:39:38 +1100] cupsdAcceptClient: skipping getpeercon()
D [20/Dec/2008:07:39:38 +1100] cupsdAcceptClient: 25 from <client>:631 (IPv4)
D [20/Dec/2008:07:39:38 +1100] cupsdReadClient: 25 POST /printers/MFC7220 HTTP/1.1
D [20/Dec/2008:07:39:38 +1100] cupsdAuthorize: No authentication data provided.
D [20/Dec/2008:07:39:38 +1100] Get-Printer-Attributes ipp://<server>:631/printers/MFC7220
D [20/Dec/2008:07:39:38 +1100] cupsdProcessIPPRequest: 25 status_code=0 (successful-ok)
D [20/Dec/2008:07:39:38 +1100] cupsdReadClient: 25 POST /printers/MFC7220 HTTP/1.1
D [20/Dec/2008:07:39:38 +1100] cupsdAuthorize: No authentication data provided.
D [20/Dec/2008:07:39:46 +1100] Print-Job ipp://<server>:631/printers/MFC7220
E [20/Dec/2008:07:39:46 +1100] Print-Job: Unauthorized
D [20/Dec/2008:07:39:46 +1100] cupsdSendError: 25 code=426 (Upgrade Required)
D [20/Dec/2008:07:39:46 +1100] cupsdCloseClient: 25
D [20/Dec/2008:07:39:46 +1100] cupsdAcceptClient: skipping getpeercon()
D [20/Dec/2008:07:39:46 +1100] cupsdAcceptClient: 25 from <client>:631 (IPv4)
D [20/Dec/2008:07:39:46 +1100] cupsdReadClient: 25 OPTIONS * HTTP/1.1
D [20/Dec/2008:07:39:46 +1100] cupsdAuthorize: No authentication data provided.
D [20/Dec/2008:07:39:46 +1100] encrypt_client: 25 Connection from 121.223.222.239 now encrypted.
D [20/Dec/2008:07:39:46 +1100] cupsdReadClient: 25 POST /printers/MFC7220 HTTP/1.1
D [20/Dec/2008:07:39:47 +1100] cupsdAuthorize: No authentication data provided.
D [20/Dec/2008:07:39:55 +1100] Print-Job ipp://<server>:631/printers/MFC7220
E [20/Dec/2008:07:39:55 +1100] Print-Job: Unauthorized
D [20/Dec/2008:07:39:55 +1100] cupsdSendError: 25 code=401 (Unauthorized)
D [20/Dec/2008:07:39:55 +1100] cupsdCloseClient: 25
D [20/Dec/2008:07:39:55 +1100] SSL shutdown successful!
D [20/Dec/2008:07:39:55 +1100] cupsdCloseClient: 25
D [20/Dec/2008:07:39:55 +1100] cupsdAcceptClient: skipping getpeercon()
D [20/Dec/2008:07:39:55 +1100] cupsdAcceptClient: 25 from <client>:631 (IPv4)
D [20/Dec/2008:07:39:55 +1100] cupsdReadClient: 25 OPTIONS * HTTP/1.1
D [20/Dec/2008:07:39:55 +1100] cupsdAuthorize: No authentication data provided.
D [20/Dec/2008:07:39:55 +1100] encrypt_client: 25 Connection from 121.223.222.239 now encrypted.
D [20/Dec/2008:07:39:55 +1100] cupsdReadClient: 25 POST /printers/MFC7220 HTTP/1.1
D [20/Dec/2008:07:39:55 +1100] cupsdAuthorize: No authentication data provided.
D [20/Dec/2008:07:39:55 +1100] Get-Printer-Attributes ipp://<server>:631/printers/MFC7220
D [20/Dec/2008:07:39:55 +1100] cupsdProcessIPPRequest: 25 status_code=0 (successful-ok)
D [20/Dec/2008:07:39:55 +1100] cupsdCloseClient: 25
D [20/Dec/2008:07:39:55 +1100] SSL shutdown successful!
D [20/Dec/2008:07:39:55 +1100] cupsdCloseClient: 25
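
Added example, not part of the original thread and not code from CUPS or Samba: a small Python triage helper that reads cupsd debug-log lines in the format quoted above and, for each "Print-Job: Unauthorized", reports the client id, the HTTP status returned and any WWW-Authenticate scheme offered. The function name rejected_print_jobs is an assumption; the sample lines are taken from the two log excerpts in this thread.

```python
import re

# Sample input: lines taken from the two cupsd log excerpts quoted in this thread.
SAMPLE_LOG = """\
D [03/Jul/2008:15:24:58 +0200] cupsdAcceptClient: 14 from localhost (Domain)
D [03/Jul/2008:15:24:58 +0200] cupsdReadClient: 14 POST /printers/OfficeJet-5110 HTTP/1.1
D [03/Jul/2008:15:24:58 +0200] cupsdAuthorize: No authentication data provided.
D [03/Jul/2008:15:24:58 +0200] Print-Job ipp://localhost/printers/OfficeJet-5110
E [03/Jul/2008:15:24:58 +0200] Print-Job: Unauthorized
D [03/Jul/2008:15:24:58 +0200] cupsdSendError: 14 code=401 (Unauthorized)
D [03/Jul/2008:15:24:58 +0200] cupsdSendHeader: WWW-Authenticate: Negotiate
D [03/Jul/2008:15:24:58 +0200] cupsdCloseClient: 14
D [20/Dec/2008:07:39:46 +1100] Print-Job ipp://<server>:631/printers/MFC7220
E [20/Dec/2008:07:39:46 +1100] Print-Job: Unauthorized
D [20/Dec/2008:07:39:46 +1100] cupsdSendError: 25 code=426 (Upgrade Required)
D [20/Dec/2008:07:39:46 +1100] cupsdCloseClient: 25
"""

LINE = re.compile(r"^([A-Za-z]) \[([^\]]+)\] (.*)$")      # level, timestamp, message
JOB = re.compile(r"^Print-Job (ipp://\S+)$")               # request and target URI
ERR = re.compile(r"^cupsdSendError: (\d+) code=(\d+)")     # client id, HTTP status
CHALLENGE = re.compile(r"^cupsdSendHeader: WWW-Authenticate: (\S+)")
CLOSE = re.compile(r"^cupsdCloseClient: (\d+)")

def rejected_print_jobs(log_text):
    """Return one record per 'Print-Job: Unauthorized' error in the log."""
    records, uri, current = [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a cupsd log line (wrapped text, shell prompt, ...)
        level, stamp, msg = m.groups()
        if (j := JOB.match(msg)):
            uri = j.group(1)                      # remember the last requested URI
        elif level == "E" and msg == "Print-Job: Unauthorized":
            current = {"time": stamp, "uri": uri, "client": None,
                       "status": None, "challenge": None}
            records.append(current)
        elif current and (e := ERR.match(msg)):
            current["client"], current["status"] = int(e.group(1)), int(e.group(2))
        elif current and (c := CHALLENGE.match(msg)):
            current["challenge"] = c.group(1)     # e.g. Negotiate
        elif current and CLOSE.match(msg):
            current = None                        # connection closed, record complete
    return records
```

On the sample, the first record shows a 401 with a Negotiate challenge and the second a 426 with no challenge, the two responses seen in the excerpts above.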

Comment 10 Tim Waugh 2008-12-19 21:36:09 UTC
Working as designed.

The job is held, waiting for authentication.  If you are running the system-config-printer-applet program (which runs automatically on login for the default desktop installations), you should see a notification about it on the screen.

If you don't, please file a separate bug against system-config-printer.

Comment 11 Matthew Sage 2008-12-20 00:44:03 UTC
But the point is that the

AuthInfoRequired none

is being replaced with

AuthInfoRequired username,password

after each print job.  That is why the job is waiting for authentication.

If I set

#/usr/sbin/lpadmin -p<printer> -o auth-info-required=none

I don't expect it to be reset after each print job - this is why I think it is a bug with cups.

Comment 12 Tim Waugh 2008-12-20 11:58:22 UTC
Please file a separate bug report to explain your issue further.  *This* bug report is for a samba bug that is now fixed.