The Samba-Bugzilla – Attachment 11791 Details for
Bug 11690
Kerberos printing (smbspool) with CUPS 1.5+ does not work anymore
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for 4.2
v4-2-test.patch (text/plain), 9.09 KB, created by
Andreas Schneider
on 2016-01-27 07:38:25 UTC
(
hide
)
Description:
patch for 4.2
Filename:
MIME Type:
Creator:
Andreas Schneider
Created:
2016-01-27 07:38:25 UTC
Size:
9.09 KB
patch
obsolete
>From 96e888fc6dd350dec8054e64637c3c5eff8d9659 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@cryptomilk.org> >Date: Tue, 12 Jan 2016 15:17:22 +0100 >Subject: [PATCH 1/2] s3-client: Add a KRB5 wrapper for smbspool > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11690 > >We need a wrapper for smbspool to be able to authenticate with Kerberos. >This needs to replace the cups smb backend. The permission need to be >0700 and the owner root. > >Note that Kerberos support is broken in CUPS 2.1.2 maybe earlier >versions. It works with 1.6.3. > >Signed-off-by: Andreas Schneider <asn@cryptomilk.org> >Reviewed-by: Michael Adam <obnox@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> > >Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> >Autobuild-Date(master): Mon Jan 25 19:58:46 CET 2016 on sn-devel-144 > >(cherry picked from commit 62c68bd8c8f7a7e057e38a461707f1c195e62df0) >--- > source3/client/README.smbspool | 17 +++ > source3/client/smbspool_krb5_wrapper.c | 210 +++++++++++++++++++++++++++++++++ > source3/wscript_build | 7 ++ > 3 files changed, 234 insertions(+) > create mode 100644 source3/client/README.smbspool > create mode 100644 source3/client/smbspool_krb5_wrapper.c > >diff --git a/source3/client/README.smbspool b/source3/client/README.smbspool >new file mode 100644 >index 0000000..f73167a6 >--- /dev/null >+++ b/source3/client/README.smbspool >@@ -0,0 +1,17 @@ >+smbspool >+========= >+ >+smbspool is a very small print spooling program that sends a print file to an >+SMB printer. The command-line arguments are position-dependent for >+compatibility with the CUPS. >+ >+For printing support with Kerberos, CUPS 1.5+ needs a wrapper for the backend >+which sets the correct location of the Kerberos credential cache. >+ >+smbspool_krb5_wrapper >+====================== >+ >+This tool can be used to print using Kerberos credentials. To get this working >+smbspool_krb5_wrapper needs to be the smb backend of CUPS. It needs to be owned >+by root and the permissions for the binary need to be 0700. Once >+smbspool_krb5_wrapper switched to the user trying to print it executes smbspool. >diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c >new file mode 100644 >index 0000000..e19fd92 >--- /dev/null >+++ b/source3/client/smbspool_krb5_wrapper.c >@@ -0,0 +1,210 @@ >+/* >+ * Unix SMB/CIFS implementation. >+ * >+ * CUPS printing backend helper to execute smbspool >+ * >+ * Copyright (C) 2010-2011 Andreas Schneider <asn@samba.org> >+ * >+ * This program is free software; you can redistribute it and/or modify >+ * it under the terms of the GNU General Public License as published by >+ * the Free Software Foundation; either version 3 of the License, or >+ * (at your option) any later version. >+ * >+ * This program is distributed in the hope that it will be useful, >+ * but WITHOUT ANY WARRANTY; without even the implied warranty of >+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+ * GNU General Public License for more details. >+ * >+ * You should have received a copy of the GNU General Public License >+ * along with this program. If not, see <http://www.gnu.org/licenses/>. >+ */ >+ >+#include "includes.h" >+#include "system/filesys.h" >+#include "system/passwd.h" >+ >+#include <errno.h> >+#include <string.h> >+ >+#include <cups/backend.h> >+ >+#include "dynconfig/dynconfig.h" >+ >+enum cups_smb_dbglvl_e { >+ CUPS_SMB_LOG_DEBUG = 0, >+ CUPS_SMB_LOG_ERROR, >+}; >+static void cups_smb_debug(enum cups_smb_dbglvl_e lvl, const char *format, ...); >+ >+#define CUPS_SMB_DEBUG(...) cups_smb_debug(CUPS_SMB_LOG_DEBUG, __VA_ARGS__) >+#define CUPS_SMB_ERROR(...) cups_smb_debug(CUPS_SMB_LOG_DEBUG, __VA_ARGS__) >+ >+static void cups_smb_debug(enum cups_smb_dbglvl_e lvl, const char *format, ...) >+{ >+ const char *prefix = "DEBUG"; >+ char buffer[1024]; >+ va_list va; >+ >+ va_start(va, format); >+ vsnprintf(buffer, sizeof(buffer), format, va); >+ va_end(va); >+ >+ switch (lvl) { >+ case CUPS_SMB_LOG_DEBUG: >+ prefix = "DEBUG"; >+ break; >+ case CUPS_SMB_LOG_ERROR: >+ prefix = "ERROR"; >+ break; >+ } >+ >+ fprintf(stderr, >+ "%s: SMBSPOOL_KRB5 - %s\n", >+ prefix, >+ buffer); >+} >+ >+/* >+ * This is a helper binary to execute smbspool. >+ * >+ * It needs to be installed or symlinked as: >+ * /usr/lib/cups/backend/smb >+ * >+ * The permissions of the binary need to be set to 0700 so that it is executed >+ * as root. The binary switches to the user which is passed via the environment >+ * variable AUTH_UID, so we can access the kerberos ticket. >+ */ >+int main(int argc, char *argv[]) >+{ >+ char smbspool_cmd[PATH_MAX] = {0}; >+ struct passwd *pwd; >+ char gen_cc[PATH_MAX] = {0}; >+ struct stat sb; >+ char *env; >+ uid_t uid = (uid_t)-1; >+ gid_t gid = (gid_t)-1; >+ unsigned long tmp; >+ int cmp; >+ int rc; >+ >+ uid = getuid(); >+ >+ CUPS_SMB_DEBUG("Started with uid=%d\n", uid); >+ if (uid != 0) { >+ goto smbspool; >+ } >+ >+ /* Check if AuthInfoRequired is set to negotiate */ >+ env = getenv("AUTH_INFO_REQUIRED"); >+ if (env == NULL) { >+ CUPS_SMB_ERROR("AUTH_INFO_REQUIRED is not set"); >+ fprintf(stderr, "ATTR: auth-info-required=negotiate\n"); >+ return CUPS_BACKEND_AUTH_REQUIRED; >+ } >+ >+ CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED=%s", env); >+ cmp = strcmp(env, "negotiate"); >+ if (cmp != 0) { >+ CUPS_SMB_ERROR("AUTH_INFO_REQUIRED is not set to negotiate"); >+ fprintf(stderr, "ATTR: auth-info-required=negotiate\n"); >+ return CUPS_BACKEND_AUTH_REQUIRED; >+ } >+ >+ /* >+ * AUTH_UID gets only set if we have an incoming connection over the >+ * CUPS unix domain socket. >+ */ >+ env = getenv("AUTH_UID"); >+ if (env == NULL) { >+ CUPS_SMB_ERROR("AUTH_UID is not set"); >+ fprintf(stderr, "ATTR: auth-info-required=negotiate\n"); >+ return CUPS_BACKEND_AUTH_REQUIRED; >+ } >+ >+ if (strlen(env) > 10) { >+ CUPS_SMB_ERROR("Invalid AUTH_UID"); >+ return CUPS_BACKEND_FAILED; >+ } >+ >+ errno = 0; >+ tmp = strtoul(env, NULL, 10); >+ if (errno != 0 || tmp >= UINT32_MAX) { >+ CUPS_SMB_ERROR("Failed to convert AUTH_UID=%s", env); >+ return CUPS_BACKEND_FAILED; >+ } >+ uid = (uid_t)tmp; >+ >+ pwd = getpwuid(uid); >+ if (pwd == NULL) { >+ CUPS_SMB_ERROR("Failed to find system user: %u - %s", >+ uid, strerror(errno)); >+ return CUPS_BACKEND_FAILED; >+ } >+ gid = pwd->pw_gid; >+ >+ rc = setgroups(0, NULL); >+ if (rc != 0) { >+ CUPS_SMB_ERROR("Failed to clear groups - %s", >+ strerror(errno)); >+ return CUPS_BACKEND_FAILED; >+ } >+ >+ CUPS_SMB_DEBUG("Switching to gid=%d", gid); >+ rc = setgid(gid); >+ if (rc != 0) { >+ CUPS_SMB_ERROR("Failed to switch to gid=%u", >+ gid, >+ strerror(errno)); >+ return CUPS_BACKEND_FAILED; >+ } >+ >+ CUPS_SMB_DEBUG("Switching to uid=%u", uid); >+ rc = setuid(uid); >+ if (rc != 0) { >+ CUPS_SMB_ERROR("Failed to switch to uid=%u", >+ uid, >+ strerror(errno)); >+ return CUPS_BACKEND_FAILED; >+ } >+ >+ snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid); >+ >+ rc = lstat(gen_cc, &sb); >+ if (rc == 0) { >+ snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%d", uid); >+ } else { >+ snprintf(gen_cc, sizeof(gen_cc), "/run/user/%d/krb5cc", uid); >+ >+ rc = lstat(gen_cc, &sb); >+ if (rc == 0 && S_ISDIR(sb.st_mode)) { >+ snprintf(gen_cc, >+ sizeof(gen_cc), >+ "DIR:/run/user/%d/krb5cc", >+ uid); >+ } else { >+#if defined(__linux__) >+ snprintf(gen_cc, >+ sizeof(gen_cc), >+ "KEYRING:persistent:%d", >+ uid); >+#endif >+ } >+ } >+ >+ /* >+ * Make sure we do not have LD_PRELOAD or other security relevant >+ * environment variables set. >+ */ >+ clearenv(); >+ >+ CUPS_SMB_DEBUG("Setting KRB5CCNAME to '%s'", gen_cc); >+ setenv("KRB5CCNAME", gen_cc, 1); >+ >+smbspool: >+ snprintf(smbspool_cmd, >+ sizeof(smbspool_cmd), >+ "%s/smbspool", >+ get_dyn_BINDIR()); >+ >+ return execv(smbspool_cmd, argv); >+} >diff --git a/source3/wscript_build b/source3/wscript_build >index 27f3783..f82b05b 100755 >--- a/source3/wscript_build >+++ b/source3/wscript_build >@@ -1152,6 +1152,13 @@ bld.SAMBA3_BINARY('smbspool', > libsmb > samba3core''') > >+bld.SAMBA3_BINARY('smbspool_krb5_wrapper', >+ source='client/smbspool_krb5_wrapper.c', >+ deps=''' >+ DYNCONFIG >+ cups >+ ''') >+ > bld.SAMBA3_BINARY('testparm', > source='utils/testparm.c', > deps=''' >-- >2.7.0 > > >From 63f8f53cdb16108bbaf2591c6773826dc64019f3 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Tue, 26 Jan 2016 11:28:50 +0100 >Subject: [PATCH 2/2] waf: Only build smb_krb5_wrapper if we have CUPS > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 192f1516c378ae942d14921bfcc1e11173da36e6) >--- > source3/wscript_build | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > >diff --git a/source3/wscript_build b/source3/wscript_build >index f82b05b..58e1b99 100755 >--- a/source3/wscript_build >+++ b/source3/wscript_build >@@ -1157,7 +1157,8 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper', > deps=''' > DYNCONFIG > cups >- ''') >+ ''', >+ enabled=bld.CONFIG_SET('HAVE_CUPS')) > > bld.SAMBA3_BINARY('testparm', > source='utils/testparm.c', >-- >2.7.0 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
slow
:
review+
Actions:
View
Attachments on
bug 11690
: 11791 |
11792
|
11811
|
11812