Bug 1662408 - cups allows the smbspool backend to overwrite a configured printer's AuthInfoRequired as "username,password"
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: samba
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Andreas Schneider
QA Contact: Andrej Dzilský
Reported: 2018-12-28 08:52 UTC by bugreports2005
Modified: 2019-08-06 12:46 UTC (History)

Fixed In Version: samba-4.9.1-3.el7
Last Closed: 2019-08-06 12:45:55 UTC


Attachments
spoolss patch (4.00 KB, patch), 2019-01-04 08:24 UTC, Andreas Schneider


Links
Red Hat Product Errata: RHSA-2019:2099 (Priority: None, Status: None, Summary: None, Last Updated: 2019-08-06 12:46:08 UTC)

Description bugreports2005 2018-12-28 08:52:13 UTC
Description of problem:

We are printing to a kerberos-authenticated samba queue, which is configured with "AuthInfoRequired negotiate". Under unclear circumstances it has on its own reset to "AuthInfoRequired username,password", which has broken Kerberos authentication and caused credentials to be prompted for.

For historical reasons we are using our own wrapper script instead of the samba-krb5-printing package, but as this too is just a wrapper to smbspool, the chances are that it is not just our problem.

I was going through the sources in search for clues of what is going on and I think I may have found an unintended consequence. I'm not entirely sure if I should file this under cups or samba, but I picked cups because I think it is rather surprising that it allows a single job to reconfigure the authentication method of a system printer as it does in cups-1.6.3/scheduler/job.c, function update_job():

      if ((attr = cupsGetOption("auth-info-required", num_attrs,
                                attrs)) != NULL)
      {
        cupsdSetAuthInfoRequired(job->printer, attr, NULL);
        cupsdSetPrinterAttrs(job->printer);

        cupsdMarkDirty(CUPSD_DIRTY_PRINTERS);
      }

This is cups parsing a message received from the backend through stderr. In the case of the smbspool backend, this message can be written in samba-4.8.3/source3/client/smbspool.c function get_exit_code(). If the function happened to be called with use_kerberos==false, attr will read "username,password" and cups will react by reconfiguring it into the printer's AuthInfoRequired.

get_exit_code() appears to be called from several places of smbspool.c, some with a hardcoded use_kerberos==false, but the logic in smb_connect() looks interesting already: kerberos authentication is attempted if use_kerberos==true, but if it fails for any reason, fallbacks without kerberos are attempted.

And if a fallback fails for one of 12 reasons, including the wrong password given, "ATTR: auth-info-required=username,password" gets written by the backend and cups responds by reconfiguring the printer to never try Kerberos anymore.

So if I'm reading this right, it can go like this:

 1. User A runs kdestroy
 2. User A tries to print a web page, but fumbles his password when prompted.
 3. User B can no longer print with Kerberos authentication.


Version-Release number of selected component (if applicable):

cups-1.6.3-35.el7.x86_64
samba-client-4.8.3-4.el7.x86_64

Comment 2 Zdenek Dohnal 2019-01-02 19:23:55 UTC
Hi,

thank you for reporting the issue and deep analysis! Would you mind trying the samba-krb5-printing package you mentioned? It is supported in RHEL and if it won't help (it checks several env variables probably needed for kerberos authentication and can possibly return bad status, so smbspool is not called, so cupsd does not get the undesired "ATTR: auth-info-required=username,password" - but it is only my deduction based on a brief look at the krb5-wrapper code), we can cross it out. Andreas could be more helpful with samba though, I'll reassign it to samba for more info.

But please keep in mind this bug tracking system is not a mechanism for requesting support, and I am not able to guarantee the timeliness or suitability of a resolution.

If this issue is critical or in any way time sensitive, please raise a ticket through the regular Red Hat support channels to ensure it receives the proper attention and prioritization to assure a timely resolution. 

For information on how to contact the Red Hat production support team, please visit:
    https://www.redhat.com/support/process/production/#howto

Andreas, does our samba-krb5-printing package solve the issue?

Comment 3 Andreas Schneider 2019-01-04 08:24:48 UTC
Created attachment 1518318
spoolss patch

Hello Bug Reporter,

your analysis is correct. It isn't that easy to fix as CUPS seems to be dumb here. Maybe we should evaluate AUTH_INFO_REQUIRED and return that in get_exit_code(). Can you test the attached patch?
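
Added example (not part of this bug report and not the attached patch): a small C model of the interaction discussed above, with the backend behaviour as reported next to the approach comment 3 suggests. The struct, the function names and the "negotiate" value for the Kerberos case are assumptions for illustration; it also assumes cupsd hands the queue's setting to the backend in AUTH_INFO_REQUIRED.

```c
#include <stdio.h>
#include <string.h>
/* Toy stand-in for cupsd's per-queue state (hypothetical struct). */
struct printer { char auth_info_required[64]; };

/* Scheduler side, modelled on the update_job() excerpt in the description:
 * an ATTR line on the backend's stderr rewrites the shared queue setting. */
static int scheduler_handle_stderr(struct printer *p, const char *line)
{
    static const char prefix[] = "ATTR: auth-info-required=";
    size_t n = sizeof(prefix) - 1;
    if (strncmp(line, prefix, n) != 0)
        return 0;                       /* not an auth-info message */
    snprintf(p->auth_info_required, sizeof(p->auth_info_required), "%.*s",
             (int)strcspn(line + n, "\r\n"), line + n);
    return 1;                           /* queue was reconfigured */
}

/* Backend as reported ("negotiate" for the Kerberos case is an assumption). */
static const char *attr_as_reported(int use_kerberos)
{
    return use_kerberos ? "negotiate" : "username,password";
}

/* Comment 3's idea: echo the queue's configured value (AUTH_INFO_REQUIRED). */
static const char *attr_env_aware(const char *env_value, int use_kerberos)
{
    if (env_value != NULL && env_value[0] != '\0')
        return env_value;
    return attr_as_reported(use_kerberos);   /* unset: fall back to guessing */
}

/* Replays one job whose non-Kerberos fallback failed (use_kerberos == 0). */
static const char *replay_failed_fallback(struct printer *p, int env_aware)
{
    char line[128];
    const char *attr = env_aware ? attr_env_aware(p->auth_info_required, 0)
                                 : attr_as_reported(0);
    snprintf(line, sizeof(line), "ATTR: auth-info-required=%s\n", attr);
    scheduler_handle_stderr(p, line);
    return p->auth_info_required;       /* queue setting after the job */
}

int main(void)
{
    struct printer a = { "negotiate" }, b = { "negotiate" };
    printf("as reported: %s\n", replay_failed_fallback(&a, 0));
    printf("env-aware:   %s\n", replay_failed_fallback(&b, 1));
    return 0;
}
```

In the first replay one failed job leaves the shared queue at "username,password" for every later user; in the second the queue keeps "negotiate".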

Comment 4 bugreports2005 2019-01-09 08:19:04 UTC
I quickly tried the attached patch (except there was an undeclared empty_str which I replaced with null_str). It seemed to help, at least in a single test case.

Comment 10 errata-xmlrpc 2019-08-06 12:45:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2099

