Description of problem:
We are printing to a kerberos-authenticated samba queue, which is configured with "AuthInfoRequired negotiate". Under unclear circumstances it has on its own reset to "AuthInfoRequired username,password", which has broken Kerberos authentication and caused credentials to be prompted for.
For historical reasons we are using our own wrapper script instead of the samba-krb5-printing package, but as this too is just a wrapper to smbspool, the chances are that it is not just our problem.
I was going through the sources in search of clues of what is going on and I think I may have found an unintended consequence. I'm not entirely sure if I should file this under cups or samba, but I picked cups because I think it is rather surprising that it allows a single job to reconfigure the authentication method of a system printer as it does in cups-1.6.3/scheduler/job.c, function update_job():
    if ((attr = cupsGetOption("auth-info-required", num_attrs,
                              attrs)) != NULL)
      cupsdSetAuthInfoRequired(job->printer, attr, NULL);
This is cups parsing a message received from the backend through stderr. In the case of the smbspool backend, this message can be written in samba-4.8.3/source3/client/smbspool.c function get_exit_code(). If the function happened to be called with use_kerberos==false, attr will read "username,password" and cups will react by reconfiguring it into the printer's AuthInfoRequired.
get_exit_code() appears to be called from several places of smbspool.c, some with a hardcoded use_kerberos==false, but the logic in smb_connect() looks interesting already: kerberos authentication is attempted if use_kerberos==true, but if it fails for any reason, fallbacks without kerberos are attempted.
And if a fallback fails for one of 12 reasons, including the wrong password given, "ATTR: auth-info-required=username,password" gets written by the backend and cups responds by reconfiguring the printer to never try Kerberos anymore.
So if I'm reading this right, it can go like this:
1. User A runs kdestroy
2. User A tries to print a web page, but fumbles his password when prompted.
3. User B can no longer print with Kerberos authentication.
Version-Release number of selected component (if applicable):
Thank you for reporting the issue and for the deep analysis! Would you mind trying the samba-krb5-printing package you mentioned? It is supported in RHEL and if it won't help (it checks several env variables probably needed for kerberos authentication and can possibly return bad status, so smbspool is not called, so cupsd does not get the undesired "ATTR: auth-info-required=username,password" - but it is only my deduction based on a brief look at the krb5-wrapper code), we can cross it out. Andreas could be more helpful with samba though, I'll reassign it to samba for more info.
But please keep in mind this bug tracking system is not a mechanism for requesting support, and I am not able to guarantee the timeliness or suitability of a resolution.
If this issue is critical or in any way time sensitive, please raise a ticket through the regular Red Hat support channels to ensure it receives the proper attention and prioritization to assure a timely resolution.
For information on how to contact the Red Hat production support team, please visit:
Andreas, does our samba-krb5-printing package solve the issue?
Created attachment 1518318
Hello Bug Reporter,
your analysis is correct. It isn't that easy to fix as CUPS seems to be dumb here. Maybe we should evaluate AUTH_INFO_REQUIRED and return that in get_exit_code(). Can you test the attached patch?
I quickly tried the attached patch (except there was an undeclared empty_str which I replaced with null_str). It seemed to help, at least in a single test case.
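The sequence traced in this report, as an added example that is not code from CUPS, Samba or the attached patch: a simplified C model in which one failed job's backend message rewrites the printer-wide setting, next to a variant where the backend echoes the configured AUTH_INFO_REQUIRED value as suggested in the thread. All struct and function names are hypothetical, and reporting "negotiate" for the Kerberos case is an assumption.

```c
#include <stdio.h>
#include <string.h>

struct printer { char auth[64]; };  /* AuthInfoRequired; all names are hypothetical */

/* Scheduler side: an "ATTR:" line on one job's backend stderr overwrites the
 * printer-wide setting. Returns 1 if the printer's setting changed. */
static int scheduler_handle_stderr(struct printer *p, const char *line)
{
    static const char key[] = "ATTR: auth-info-required=";
    if (strncmp(line, key, sizeof(key) - 1) != 0)
        return 0;
    const char *val = line + sizeof(key) - 1;
    size_t n = strcspn(val, "\r\n");
    if (n == 0 || n >= sizeof(p->auth))
        return 0;                    /* ignore empty or oversized values */
    int changed = strlen(p->auth) != n || memcmp(p->auth, val, n) != 0;
    memcpy(p->auth, val, n);
    p->auth[n] = '\0';
    return changed;
}

/* Backend side, value reported on an authentication failure. honor_env=0: derived
 * from use_kerberos. honor_env=1: echo the configured AUTH_INFO_REQUIRED (env). */
static const char *backend_auth_value(int use_kerberos, const char *env, int honor_env)
{
    if (honor_env && env != NULL && env[0] != '\0')
        return env;
    return use_kerberos ? "negotiate" : "username,password";
}

/* Constructed scenario: printer set to "negotiate", one job falls back to
 * non-Kerberos auth and fails. Returns 1 if the printer was reconfigured. */
static int replay(struct printer *p, int honor_env)
{
    char line[128];
    strcpy(p->auth, "negotiate");
    snprintf(line, sizeof line, "ATTR: auth-info-required=%s\n",
             backend_auth_value(0, p->auth, honor_env));
    return scheduler_handle_stderr(p, line);
}

int main(void)
{
    struct printer p;
    for (int honor = 0; honor <= 1; honor++)
        printf("honor_env=%d reconfigured=%d\n", honor, replay(&p, honor));
    return 0;
}
```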
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.