Bug 1420130 - samba_krb5_wrapper does not list devices when called with no arguments
Summary: samba_krb5_wrapper does not list devices when called with no arguments
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: samba
Version: 7.3
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Andreas Schneider
QA Contact: Robin Hack
URL:
Whiteboard:
Depends On:
Blocks: 1298243
TreeView+ depends on / blocked
 
Reported: 2017-02-07 22:43 UTC by Bryan Mason
Modified: 2020-02-14 18:31 UTC (History)
5 users (show)

Fixed In Version: samba-4.6.0-0.1.rc4.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 18:21:34 UTC
Target Upstream Version:


Attachments (Terms of Use)
Proposed patch (749 bytes, patch)
2017-02-07 23:51 UTC, Bryan Mason
no flags Details | Diff
Another possible patch (1.46 KB, patch)
2017-02-09 18:21 UTC, Bryan Mason
no flags Details | Diff
New patch (2.03 KB, patch)
2017-02-16 07:22 UTC, Bryan Mason
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2909161 0 None None None 2017-02-08 00:39:37 UTC
Red Hat Product Errata RHSA-2017:1950 0 normal SHIPPED_LIVE Low: samba security, bug fix, and enhancement update 2017-08-01 18:09:24 UTC
Samba Project 12575 0 None None None 2019-04-17 11:49:38 UTC

Description Bryan Mason 2017-02-07 22:43:36 UTC
Description of problem:

  The new samba_krb5_wrapper that allows CUPS to use Kerberos to
  authenticate with printers doesn't list SMB devices when called with
  no arguments.  As a result, the SMB protocol isn't listed as a 
  possible printer connection mechanism.

Version-Release number of selected component (if applicable):

  samba-4.4.4-9

How reproducible:

  100%

Steps to Reproduce:

  run "lpinfo -v"

  or

  run "/usr/lib/cups/backend/smb"

Actual results:

  # lpinfo -v
  serial serial:/dev/ttyS0?baud=115200
  network ipps
  network lpd
  network socket
  network https
  network http
  network ipp

  # /usr/lib/cups/backend/smb
  DEBUG: SMBSPOOL_KRB5 - Started with uid=0

  DEBUG: SMBSPOOL_KRB5 - AUTH_INFO_REQUIRED is not set
  ATTR: auth-info-required=negotiate

Expected results:

  # lpinfo -v
  serial serial:/dev/ttyS0?baud=115200
  network ipps
  network lpd
  network socket
  network https
  network http
  network ipp
  network smb

  (Last entry "network smb" should be included)

  # /usr/lib/cups/backend/smb 
  network smb "Unknown" "Windows Printer via SAMBA"

Additional info:

  When the "lpinfo -v" command is used, cupsd calls
  /usr/lib/cups/daemon/cups-deviced to execute all the backends in
  /usr/lib/cups/backend with no arguments.  When a backend is called
  with no arguments, it should list all the devices that are accessible
  via that backend.

  This mechanism is also used by the Web UI and system-config-printer to
  enumerate  possible  print  devices.   If  samba_krb5_wrapper  doesn't
  provide the proper out put, SMB will not be listed as an option in the
  GUI when installing new printers.

  Proposed patch forthcoming...

Comment 1 Bryan Mason 2017-02-07 23:51:20 UTC
Created attachment 1248514 [details]
Proposed patch

Before (no "network smb" entry):

  # lpinfo -v
  serial serial:/dev/ttyS0?baud=115200
  network ipps
  network lpd
  network socket
  network https
  network http
  network ipp

After ("network smb" included as third entry):

  # lpinfo -v
  serial serial:/dev/ttyS0?baud=115200
  network ipps
  network smb
  network lpd
  network socket
  network https
  network http
  network ipp

Comment 4 Bryan Mason 2017-02-09 18:21:54 UTC
Created attachment 1248878 [details]
Another possible patch

This patch falls back to the smbspool command if AUTH_INFO_REQUIRED is not set or is not set to "negotiate".  Because cups-deviced doesn't set AUTH_INFO_REQUIRED when searching for devices, this allows the wrapper to call smbspool to send the line

  network smb "Unknown" "Windows Printer via SAMBA"

back to cups-deviced/cupsd when enumerating devices.

I believe this patch will also allow the backend to be used both with SMB printers that use Kerberos as well as SMB printers that use other authentication methods (username,password for example).

Comment 5 Andreas Schneider 2017-02-10 10:31:06 UTC
I think I prefer the patch from comment #4.

Could you please apply this to the Samba git master branch. And send a git-format patch with your sign-off to samba-technical mailing list or attach it here. However you need to sign the CoO that your patch can be added, see 

https://git.samba.org/?p=samba.git;a=blob;f=README.contributing

Comment 6 Andreas Schneider 2017-02-10 10:32:00 UTC
The commit message requires the following line in the description:

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12575

Comment 8 Bryan Mason 2017-02-16 07:22:18 UTC
Created attachment 1250789 [details]
New patch

As requested, a patch created using "git format-patch" with BUG: and Signed-off-by: headers.  I also sent this to samba-technical.

Comment 12 errata-xmlrpc 2017-08-01 18:21:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:1950


Note You need to log in before you can comment on or make changes to this bug.