
Bug 565774

Summary: CUPS cannot print with smbspool backend in AD / Kerberos environment
Product: Red Hat Enterprise Linux 5
Component: samba3x
Version: 5.4
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: low
Target Milestone: rc
Reporter: Harald Milz <harald.milz>
Assignee: Guenther Deschner <gdeschner>
QA Contact: qe-baseos-daemons
CC: azelinka, dpal, jpayne, tao
Doc Type: Bug Fix
Doc Text:
CUPS printing could fail in an Active Directory environment with Kerberos. With this update, regular users can print in such environment.
Last Closed: 2011-01-13 22:44:46 UTC

Description Harald Milz 2010-02-16 08:59:54 UTC
Description of problem:

We're trying to print in a MS AD environment, i.e. the user authenticates against AD using pam_krb5 and has a valid TGT. Using the "smb://...?k" DEVICE_URI syntax, the smb CUPS backend (which symlinks to smbspool) should be able to use the user's TGT to authenticate against the print share. This can't work, however, because CUPS runs the smb backend either as root (if smbspool is 0500) or as lp. Neither of them can use the user's Kerberos ticket. 

Version-Release number of selected component (if applicable):

samba3x-client-3.3.8-0.49.el5.i386.rpm

How reproducible:

always. 

Steps to Reproduce:
1. set up client machine as AD member and authenticate using pam_krb5 / nss_winbind.
2. set up Windows network printer with Kerberos auth (?k)
3. print
  
Actual results:

does not print; message in cups error_log that authentication info cannot be used (sorry, haven't got it verbatim right now)

Expected results:

should print

Additional info:

A second issue is that the samba3x-client package does not create the symlink /usr/lib/cups/backends/smb -> /usr/bin/smbspool
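
A diagnostic sketch for the situation described above (an added example, not part of the original report and not Samba or CUPS code). It assumes the report's rule for the run-as account, the MIT Kerberos default cache name /tmp/krb5cc_<uid>, and that cupsd passes no KRB5CCNAME to the backend; the function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch, not code from the bug report or from Samba/CUPS.

# Print the account cupsd would run a backend file as.
# Assumption, following the report: a backend with no group/other
# permission bits (e.g. 0500) runs as root, anything else as lp.
backend_run_as() {
    mode=$(stat -c '%a' "$1") || return 2
    if [ $(( 0$mode & 077 )) -eq 0 ]; then echo root; else echo lp; fi
}

# Print the credential cache a process with this UID opens when
# KRB5CCNAME is unset (MIT Kerberos default: FILE:/tmp/krb5cc_<uid>).
default_ccache() {
    echo "/tmp/krb5cc_$1"
}

# Print what the smb backend link resolves to, or "missing".
smb_backend_target() {
    if [ -L "$1" ]; then readlink "$1"; else echo missing; fi
}

# Return 0 only if the backend's account would pick up the ticket cache
# of the user with UID $2. Assumes cupsd passes no KRB5CCNAME on.
backend_sees_user_ticket() {
    acct=$(backend_run_as "$1") || return 2
    if [ "$acct" = root ]; then
        acct_uid=0
    else
        acct_uid=$(id -u lp 2>/dev/null) || acct_uid=4   # 4: constructed fallback
    fi
    seen=$(default_ccache "$acct_uid")
    wanted=$(default_ccache "$2")
    echo "backend runs as $acct, opens $seen, user ticket is in $wanted"
    [ "$seen" = "$wanted" ]
}

# Stand-alone use, with the paths named in the report:
#   sh check.sh /usr/bin/smbspool /usr/lib/cups/backends/smb
if [ $# -eq 2 ]; then
    smb_backend_target "$2"
    backend_sees_user_ticket "$1" "$(id -u)"
fi
```

A non-zero exit from `backend_sees_user_ticket` means the backend account and the printing user resolve to different credential caches, which is the mismatch the report describes.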

Comment 9 Eva Kopalova 2010-12-15 07:58:00 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
CUPS printing could fail in an Active Directory environment with Kerberos. This occurred because CUPS run the smb backend either as a root or lp and neither can authenticate only with a user Kerberos ticket to smbspool in an Active Directory environment. With this update, regular users can print in such environment

Comment 10 Eva Kopalova 2010-12-15 08:08:47 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-CUPS printing could fail in an Active Directory environment with Kerberos. This occurred because CUPS run the smb backend either as a root or lp and neither can authenticate only with a user Kerberos ticket to smbspool in an Active Directory environment. With this update, regular users can print in such environment+CUPS printing could fail in an Active Directory environment with Kerberos. With this update, regular users can print in such environment.
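
Review bot: The replacement text drops the only sentence that explained the cause (CUPS runs the smb backend as root or lp, and neither can use the user's Kerberos ticket), so the note no longer says what failed or what changed. Suggest keeping a corrected one-sentence cause, for example "CUPS runs the smb backend as root or lp, neither of which can use the user's Kerberos ticket", and adding the missing article in "in such environment".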

Comment 12 errata-xmlrpc 2011-01-13 22:44:46 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0054.html