Bug 212759 - smb// test label means nothing to me.
smb// test label means nothing to me.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: system-config-printer (Show other bugs)
6
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tim Waugh
:
Depends On:
Blocks: FC6Update
  Show dependency treegraph
 
Reported: 2006-10-28 15:26 EDT by Darwin H. Webb
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version: 0.7.40-1.fc6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-11-30 07:53:07 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Darwin H. Webb 2006-10-28 15:26:32 EDT
Description of problem:
setting up a windows shared printer Laserjet 6p.
select windownds shaing, get all info including smb// text box.
No instructions, no documentation, no example, no man page.
The only thing a user could put in there is the uncc as
//computername/prtrsharename (I used computername/prtrsharename.
It accepted it and ceated the printer.
Test print got selinux audit on cupd.spool.
I set cups sebool off

test print seems to go but goes nowher.
set to default printer.
closed cups gui.
opened again, printer was there, test print started print queue gui.
documents were not printing.
Checked ports, no ports involved.
A lter reboot, the printer defition was gone. Reverted back to FC6 devel symtoms.

Version-Release number of selected component (if applicable):
all of them.

How reproducible:
Everytime I try it.

Steps to Reproduce:
1.
2.
3.
  
Actual results:
Unusable printing

Expected results:
Sahred printing wiith windowss.

Additional info:
Comment 1 Tim Waugh 2006-11-02 07:27:43 EST
There is meant to be a list of machines for you to click and select a queue
from.  Is that not showing any machines?

> Test print got selinux audit on cupd.spool.

Please tell me exactly what it said.  Thanks.
Comment 2 Darwin H. Webb 2006-11-13 16:21:13 EST
New attemp on devel with latest system-config-printer and SELinux-policy
triggered all of these audit conditions.
audit]# tail -n 20 audit.log
type=SYSCALL msg=audit(1163451265.414:129): arch=40000003 syscall=195 success=no
exit=-13 a0=bfb795b2 a1=bfb7954c a2=790ff4 a3=bfb7954c items=0 ppid=1899
pid=4401 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7
tty=(none) comm="smb" exe="/usr/bin/smbspool"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1163451265.414:129):  path="/tmp/.X11-unix"
type=AVC msg=audit(1163451265.414:130): avc:  denied  { getattr } for  pid=4401
comm="smb" name=".font-unix" dev=dm-0 ino=1671173
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xfs_tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1163451265.414:130): arch=40000003 syscall=195 success=no
exit=-13 a0=bfb795b2 a1=bfb7954c a2=790ff4 a3=bfb7954c items=0 ppid=1899
pid=4401 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7
tty=(none) comm="smb" exe="/usr/bin/smbspool"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1163451265.414:130):  path="/tmp/.font-unix"
type=AVC msg=audit(1163451265.414:131): avc:  denied  { getattr } for  pid=4401
comm="smb" name=".gdm819SIT" dev=dm-0 ino=1672624
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1163451265.414:131): arch=40000003 syscall=195 success=no
exit=-13 a0=bfb795b2 a1=bfb7954c a2=790ff4 a3=bfb7954c items=0 ppid=1899
pid=4401 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7
tty=(none) comm="smb" exe="/usr/bin/smbspool"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1163451265.414:131):  path="/tmp/.gdm819SIT"
type=AVC msg=audit(1163451265.414:132): avc:  denied  { getattr } for  pid=4401
comm="smb" name=".gdm_socket" dev=dm-0 ino=1672302
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1163451265.414:132): arch=40000003 syscall=195 success=no
exit=-13 a0=bfb795b2 a1=bfb7954c a2=790ff4 a3=bfb7954c items=0 ppid=1899
pid=4401 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7
tty=(none) comm="smb" exe="/usr/bin/smbspool"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1163451265.414:132):  path="/tmp/.gdm_socket"
type=AVC msg=audit(1163451265.414:133): avc:  denied  { getattr } for  pid=4401
comm="smb" name="sealert.log" dev=dm-0 ino=1671206
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1163451265.414:133): arch=40000003 syscall=195 success=no
exit=-13 a0=bfb795b2 a1=bfb7954c a2=790ff4 a3=bfb7954c items=0 ppid=1899
pid=4401 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7
tty=(none) comm="smb" exe="/usr/bin/smbspool"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1163451265.414:133):  path="/tmp/sealert.log"
type=AVC msg=audit(1163451265.415:134): avc:  denied  { getattr } for  pid=4401
comm="smb" name=".X0-lock" dev=dm-0 ino=1672622
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1163451265.415:134): arch=40000003 syscall=195 success=no
exit=-13 a0=bfb795b2 a1=bfb7954c a2=790ff4 a3=bfb7954c items=0 ppid=1899
pid=4401 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7
tty=(none) comm="smb" exe="/usr/bin/smbspool"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1163451265.415:134):  path="/tmp/.X0-lock"
type=AVC msg=audit(1163451265.415:135): avc:  denied  { getattr } for  pid=4401
comm="smb" name=".ICE-unix" dev=dm-0 ino=1671172
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:ice_tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1163451265.415:135): arch=40000003 syscall=195 success=no
exit=-13 a0=bfb795b2 a1=bfb7954c a2=790ff4 a3=bfb7954c items=0 ppid=1899
pid=4401 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7
tty=(none) comm="smb" exe="/usr/bin/smbspool"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1163451265.415:135):  path="/tmp/.ICE-unix"
[root@Tasha-19 audit]# 

The print icon is showing with one doc queued but going nowhere.
Still have trouble removong test print w/o close and re-open of printint.

The WORKGROUP
-------SERVER
---------PRINERSHARE
dropdowns show the wrong workgroup, only the SERVER, and no Printershares.

This is for FC6, FC7 devel 
system-config-printer-0.7.36-1.fc7
selinux-policy-2.4.3-10
cups-1.2.6-5.fc7

Comment 3 Darwin H. Webb 2006-11-13 16:37:11 EST
Also, eggcups crashes on FC6 shutdown, a popup about bugbuddy not available
comes up but there is no logging at that time.

Darwin
Comment 4 Tim Waugh 2006-11-14 11:11:12 EST
The AVC messages in comment #2 are harmless and are not preventing SMB browsing
so far as I can tell.

Darwin, there are several different issues here.  Please let's concentrate on
one of them per bug report, or else it gets very confusing.  For other bugs,
please file separate bug reports.

So, back to the problem with browsing for an SMB printer.  What exactly is going
wrong with the tree-view of domains, servers and shares?  What domain are you
expecting to see, and what do you actually see?
Comment 5 Darwin H. Webb 2006-11-17 15:20:31 EST
OK, first, I think the SELinux avc messages are blocking the printing.
Second, I'm not browsing for SMB printers, I'm using the dropdown Printers gui
selection list (to see what it offers.)
The program must differentiate between DOWMIAN and WORKGROUP. Why?
Because the Linux clients would have to be authortized to browse a network to
see printers. One can not assume that the Windows printer is on a DOMAIN or a
simple WORKGROUP like win 98 or Win XP HOME which have no acl or acu (User
rights and Authorized USers), because Win Xp PRO can be reset to the classic
Security model that Win2K sever uses, and that is what I have.
This means I can not use the dropdpwn menus to select the SMB windows share
(because the gui program would not have authorzation to get a list, nor would it
known the WORKGROUP name needed (as there can be more than one WOKGROUP with a
shared printer.))

So for a WORKGROUP the gui must ask for Windows Username and Password.
It does at the bootom.
The test box labeled //smb needs the correct strig for
//workgroupname/wincomputername/winprintshare.
I did not know (and I'm sure many would not known) this format. I do now.

//workgroupname/wincomputername/winprintshare along with the Username and
password get chnaged into a more complex string. Something like
//:Username:pasword:/workgroupname/cpmutername/printsharename

What ever that string is is the only one that will eventually allow the apply
button response to say that it is good.

when I click next it says it is building the printer.
The print is built and it is back to the orginal screen showing a local printer.

I select that and ;
1. The enable button enabled.
2. the default button is enabled.
3. The test button is enabled.
I cleck on set default, and then test print.
That trigger SEtroubleshoot.
There may or may not be a printer icon showing the print queue and the document.
But nothing ever prints and the netwok is never accessed.

A screenshot of the latest test I did for FC6 is on this link.
 http://www.fedoraforum.org/gallery/showimage.php?i=2692 

Darwin
Comment 6 Tim Waugh 2006-11-20 11:37:34 EST
> OK, first, I think the SELinux avc messages are blocking the printing.

I don't believe this is the case.  I get the same avc messages for a successful
print.  I do believe there is a bug there, and it is in the SELinux policy for
samba (or in samba).  An easy test for whether printing is being blocked by the
SELinux policy is to disable it and try a test print: 'setenforce 0'.

Can you please clarify what you mean by the "dropdown printers gui
selection list"?  Do you mean the list on the left of the 'select connection'
page, containing 'Windows Printer via SAMBA'?  Or the 'Share | Comment' list
view on the right hand side of that page once you have selected 'Windows Printer
via SAMBA'?

I am aware that it would be good to describe the URI on that page, and I will
add a label to do that.  But I would like to understand what needs to be fixed
in the GUI to avoid people having to make up their own URIs.

Does the Places->Network Servers file browser, accessible from the main desktop
menu, allow you to browse to the printer you want?
Comment 7 Darwin H. Webb 2006-11-20 19:57:48 EST
"Does the Places->Network Servers file browser, accessible from the main desktop
menu, allow you to browse to the printer you want?"

NO! It is a on a workgroup on NTFS Windows SP2 classic security model. There is
no such thing as browsing a Secured NTFS Win Xp SP2 system. It is addressed per
share with smbclient.

"I am aware that it would be good to describe the URI on that page, and I will
add a label to do that.  But I would like to understand what needs to be fixed
in the GUI to avoid people having to make up their own URIs."

There is only one string that is correct yet the gui accepts more than one as
being acessiable.
The correct string would be
MYWORKGROUPNAME/WINCOMPNAME/WINPRINTSHARENAME
w or w/o leading / or // (the program should make it correct.

The currect strings accepted are,
WINCOMPNAME/WINPRINTSHARE  (This ignores the workgroupname and Windows will deny
access.
WORKGROUP/WINCOMPNAME/WINPRINTSHARE
Any workgroup name is accepted but you get this string in the /
Device URI
smb://.../localhost/WORKGROUP 
which is completly invalid. Also, this same string is used after a change to the
Device URI.

Acceping the wrong WORKGROUP or no WORKGROUP will fail on NTFS access.

"Can you please clarify what you mean by the "dropdown printers gui
selection list"?  Do you mean the list on the left of the 'select connection'
page, containing 'Windows Printer via SAMBA'?  Or the 'Share | Comment' list
view on the right hand side of that page once you have selected 'Windows Printer
via SAMBA'?"

The right side. The arrow point to the test WORKGROUP.
Clcik the arrow and I get WINCOMPNAME
click that arrow and I get nothing which is correct.

"I don't believe this is the case.  I get the same avc messages for a successful
print.  I do believe there is a bug there, and it is in the SELinux policy for
samba (or in samba).  An easy test for whether printing is being blocked by the
SELinux policy is to disable it and try a test print: 'setenforce 0'."

This is comfusing because even after seenforce 0, the sealert keeps popping up.
Sealrt needs to be tired into sestatus. But the messages are still occuing. I
truned cupd boolen off for selinux. I then rebooted to make sure everything was
off. 
This makes building the printer easy with
WINCOMPNAME/PRINTSHARENAME (but it is missing myworkgroupname.)

The next problem I see is in the audit,log which is showing my password in plan
view. Is not this supposed to be encripted. Any admin could use someones accout.
Thats much different than looking at files, or changing the password or 
fixing something. 



Here is an audit message showing no workgroup nd plain password (which I inked out.)
type=LABEL_LEVEL_CHANGE msg=audit(1164064257.467:43): user pid=2582 uid=0
auid=4294967295 subj=system_u:system_r:initrc_t:s0-s0:c0.c1023
msg='printer=HPLaserJ.2
uri=smb://Darwin%20H.%20Webb:********/URANUS-37/HPLaserJ.2 banners=none,none
range=unknown: exe="/usr/sbin/cupsd" (hostname=Jade-38.WinProxy, addr=90.0.0.8,
terminal=? res=success)'

Now back to CIFS.
The print from my user name (not root or test peint) using gedit txt file, 
qued up and the printer icon popped up. The document was shown as sending but it
didn't go anywhre.
But how can samba-3.023c work fine on FC5 (late), FC6 (early) before this new
prints system came down? (If is is CIFS.)

To conclude with a TO-Do list.
If you'll check out the gui for proper //smb strings, proper passwrods, proper
workgroups that would reduce the setup problems.

I will try a http net install of FC7 devl and see if anything clears up about
printing.
May take a few days. :)

thanks,

DArwin


Comment 8 Tim Waugh 2006-11-21 05:25:53 EST
Darwin -- please stay on FC6 to help me with testing.  There are no changes in
FC7 that will help with this problem.
Comment 9 Tim Waugh 2006-11-21 14:08:05 EST
I've added the string to 0.7.39-1.fc6, shortly to appear in updates-testing. 
Actually I've now taken '[username:password@]' out of it, because the entry
widgets at the bottom of that screen are used to fill in those parts of the URI
afterwards.  It should read:

smb://[workgroup/]server[:port]/printer
Comment 10 Darwin H. Webb 2006-11-22 03:03:47 EST
Tim, 
I tried the new packages from test.

The gui stills allows any workgroupname in verify access.
If missed typing in //smb text box, the username: [assword is extracted and put
in bottom boxes, and SMB text reverts to //.../localhot/WORKGOUP.

Anyway, I tried an many cobos as I could.
I would delete the printer ans start over when the queue got missed up with jobs.

But nothing would print. All indicate smb or NTFS denied.

This is will SELinux on, Setroubleshot did not trigger, and the only AVC
messages were the usuall /temp on smb and cups/spool

Maybe you are correct about CIFS.

I can not see any reason why it would not print?

I'll try again when the packes change. Let me know.

P. S. As for FC7, I only meant to re-install as to make it as valid as possible
witout some broken script or conf or update error, To see if there was a
difference. But Anaconda is broken so if you don't find something later, maybe
I'll re-insatll FC6 and make sure that is valid.

TTYL,
Darwin 
Comment 11 Tim Waugh 2006-11-22 07:20:57 EST
Darwin, please file separate bug reports.  I'm taking this bug report to be that
the label should be added, and will close it once the update is released.  I
have already filed a separate bug report for you for the audit log message: bug
#216669.

Please file other reports for the remaining problems, so they can be correctly
tracked and fixed.  Thanks.

Note You need to log in before you can comment on or make changes to this bug.