Red Hat Bugzilla – Bug 565774
CUPS cannot print with smbspool backend in AD / Kerberos environment
Last modified: 2018-10-27 11:31:22 EDT
Description of problem:
We're trying to print in a MS AD environment, i.e. the user authenticates against AD using pam_krb5 and has a valid TGT. Using the "smb://...?k" DEVICE_URI syntax, the smb CUPS backend (which symlinks to smbspool) should be able to use the user's TGT to authenticate against the print share. This can't work, however, because CUPS runs the smb backend either as root (if smbspool is 0500) or as lp. Neither of them can use the user's Kerberos ticket.

Version-Release number of selected component (if applicable):
samba3x-client-3.3.8-0.49.el5.i386.rpm

How reproducible:
always.

Steps to Reproduce:
1. set up client machine as AD member and authenticate using pam_krb5 / nss_winbind.
2. set up Windows network printer with Kerberos auth (?k)
3. print

Actual results:
does not print; message in cups error_log that authentication info cannot be used (sorry, haven't got it verbatim right now)

Expected results:
should print

Additional info:
A second issue is that the samba3x-client package does not create the symlink /usr/lib/cups/backends/smb -> /usr/bin/smbspool
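The failure mode described in the report above, as an added diagnostic sketch (not code from the bug report, CUPS or Samba): it reports which account the smb backend would run as and which credential cache that account looks in by default. The function names, the `/tmp/krb5cc_<uid>` default cache location and the mode rule (no group/other permission bits means root, following the report's 0500 remark) are assumptions.

```shell
#!/bin/sh
# Added diagnostic sketch, not code from the bug report, CUPS or Samba.

# Account the scheduler runs a backend as. Assumption, following the
# report's "root if smbspool is 0500" remark: no group/other permission
# bits -> root, anything else -> the unprivileged lp account.
backend_runs_as() {
    # -L follows the smb -> smbspool symlink; a missing link fails here.
    mode=$(stat -L -c '%a' "$1" 2>/dev/null) || { echo missing; return 1; }
    case "$(printf '%03d' "$mode")" in
        *00) echo root ;;
        *)   echo lp ;;
    esac
}

# Default credential cache for a uid. Assumption: MIT Kerberos defaults,
# no default_ccache_name override, no KRB5CCNAME passed to the backend.
default_ccache() {
    echo "/tmp/krb5cc_$1"
}

# check_backend BACKEND_PATH JOB_OWNER_UID LP_UID
# Returns 0 only if the backend's default cache is the job owner's cache.
check_backend() {
    acct=$(backend_runs_as "$1") || {
        echo "backend $1: missing or dangling symlink"
        return 2
    }
    if [ "$acct" = root ]; then run_uid=0; else run_uid=$3; fi
    want=$(default_ccache "$2")
    got=$(default_ccache "$run_uid")
    if [ "$want" = "$got" ]; then
        echo "backend runs as $acct: uses $got (job owner's cache)"
        return 0
    fi
    echo "backend runs as $acct: looks in $got, job owner's ticket is in $want"
    return 1
}

# Run as: sh check.sh BACKEND_PATH JOB_OWNER_UID LP_UID
if [ "$#" -ge 3 ]; then
    check_backend "$1" "$2" "$3"
fi
```

A return code of 2 corresponds to the second issue in the report, where the backend symlink to smbspool was never created.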
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: CUPS printing could fail in an Active Directory environment with Kerberos. This occurred because CUPS run the smb backend either as a root or lp and neither can authenticate only with a user Kerberos ticket to smbspool in an Active Directory environment. With this update, regular users can print in such environment
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1 +1 @@ -CUPS printing could fail in an Active Directory environment with Kerberos. This occurred because CUPS run the smb backend either as a root or lp and neither can authenticate only with a user Kerberos ticket to smbspool in an Active Directory environment. With this update, regular users can print in such environment+CUPS printing could fail in an Active Directory environment with Kerberos. With this update, regular users can print in such environment.
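Review bot: the `+` line drops the cause sentence (CUPS running the smb backend as root or lp, neither of which can authenticate with the user's Kerberos ticket), so the revised note states neither why printing failed nor what the update changes. Consider keeping a one-sentence cause, with "CUPS run" corrected to "CUPS runs", instead of removing it; the added closing period is fine.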
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0054.html