Bug 13832 - Printing via smbspool backend with kerberos auth fails
Summary: Printing via smbspool backend with kerberos auth fails
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Printing (show other bugs)
Version: 4.9.4
Hardware: x64 Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-12 00:40 UTC by John Hebron
Modified: 2019-03-28 08:10 UTC (History)
2 users (show)

See Also:


Attachments
Patch for 4.8 (15.41 KB, patch)
2019-03-19 12:18 UTC, Andreas Schneider
gd: review+
Details
Patch for 4.9 (15.41 KB, patch)
2019-03-19 12:19 UTC, Andreas Schneider
gd: review+
Details
Patch for 4.10 (15.41 KB, patch)
2019-03-19 12:19 UTC, Andreas Schneider
gd: review+
Details
Updated patch for 4.8 (16.39 KB, patch)
2019-03-20 12:13 UTC, Andreas Schneider
gd: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description John Hebron 2019-03-12 00:40:26 UTC
smbspool printing with kerberos auth has been broken since samba 4.8.

It used to work fine with samba 4.7.

Here's how to reproduce the problem:

1.  On a Linux computer, `kinit` to a Windows Domain Controller.

2.  Print to a Windows printer with smbspool, as in:

`smbspool smb://DOMAIN/windows_server_name/printername 42 username filename 1 '' ./filename.ps`

At debug level 5, you can see that smbspool connects to the windows server on port 445, registers a bunch of GENSEC backend options, and then starts GENSEC mechanism spnego, and then the GENSEC submechanism ntlmssp.  smbspool then gets a bunch of challenge flags and fails to authenticate.

However, it next tries with GENSEC submechanism gse_krb5 and the print job is successful.

The problem is that when printing via CUPS, the first failure puts the print queue into an error state and the print job fails before smbspool even gets a chance to try gse_krb5.

With samba 4.7, smbspool would see that there is a valid Kerberos ticket and would immediately try gse_krb5 without ntlmssp, and CUPS would be happy.  Please restore samba 4.9 (and 4.8) to this previous behaviour.
Comment 1 Andreas Schneider 2019-03-12 08:14:31 UTC
I'm working on fixes.
Comment 2 Andreas Schneider 2019-03-19 12:18:47 UTC
Created attachment 14947 [details]
Patch for 4.8
Comment 3 Andreas Schneider 2019-03-19 12:19:15 UTC
Created attachment 14948 [details]
Patch for 4.9
Comment 4 Andreas Schneider 2019-03-19 12:19:41 UTC
Created attachment 14949 [details]
Patch for 4.10
Comment 5 Guenther Deschner 2019-03-19 12:59:12 UTC
Comment on attachment 14947 [details]
Patch for 4.8

LGTM
Comment 6 Guenther Deschner 2019-03-19 12:59:19 UTC
Comment on attachment 14948 [details]
Patch for 4.9

LGTM
Comment 7 Guenther Deschner 2019-03-19 12:59:28 UTC
Comment on attachment 14949 [details]
Patch for 4.10

LGTM
Comment 8 Guenther Deschner 2019-03-19 13:00:30 UTC
Karolin, please add to the appropriate branches. Thanks!
Comment 9 Andreas Schneider 2019-03-20 12:13:42 UTC
Created attachment 14956 [details]
Updated patch for 4.8
Comment 10 Guenther Deschner 2019-03-20 18:22:22 UTC
Comment on attachment 14956 [details]
Updated patch for 4.8

LGTM
Comment 11 Karolin Seeger 2019-03-21 12:20:54 UTC
Pushed to autobuild-v4-{10,9,8}-test.
Comment 12 Karolin Seeger 2019-03-28 08:10:06 UTC
(In reply to Karolin Seeger from comment #11)
Pushed to all branches.
Closing out bug report.

Thanks!