smbspool printing with kerberos auth has been broken since samba 4.8. It used to work fine with samba 4.7. Here's how to reproduce the problem: 1. On a Linux computer, `kinit` to a Windows Domain Controller. 2. Print to a Windows printer with smbspool, as in: `smbspool smb://DOMAIN/windows_server_name/printername 42 username filename 1 '' ./filename.ps` At debug level 5, you can see that smbspool connects to the windows server on port 445, registers a bunch of GENSEC backend options, and then starts GENSEC mechanism spnego, and then the GENSEC submechanism ntlmssp. smbspool then gets a bunch of challenge flags and fails to authenticate. However, it next tries with GENSEC submechanism gse_krb5 and the print job is successful. The problem is that when printing via CUPS, the first failure puts the print queue into an error state and the print job fails before smbspool even gets a chance to try gse_krb5. With samba 4.7, smbspool would see that there is a valid Kerberos ticket and would immediately try gse_krb5 without ntlmssp, and CUPS would be happy. Please restore samba 4.9 (and 4.8) to this previous behaviour.
I'm working on fixes.
Created attachment 14947 [details] Patch for 4.8
Created attachment 14948 [details] Patch for 4.9
Created attachment 14949 [details] Patch for 4.10
Comment on attachment 14947 [details] Patch for 4.8 LGTM
Comment on attachment 14948 [details] Patch for 4.9 LGTM
Comment on attachment 14949 [details] Patch for 4.10 LGTM
Karolin, please add to the appropriate branches. Thanks!
Created attachment 14956 [details] Updated patch for 4.8
Comment on attachment 14956 [details] Updated patch for 4.8 LGTM
Pushed to autobuild-v4-{10,9,8}-test.
(In reply to Karolin Seeger from comment #11) Pushed to all branches. Closing out bug report. Thanks!