The following command invocation triggers the buggy behavior:
$ AUTH_INFO_REQUIRED=none smbspool <printer-url> test test 1 1 /tmp/test.txt
ERROR: Session setup failed: NT_STATUS_ACCESS_DENIED
DEBUG: get_exit_code(nt_status=NT_STATUS_ACCESS_DENIED [c0000022])
DEBUG: Unable to connect to CIFS host: NT_STATUS_ACCESS_DENIED
$ echo $?
The program exits with `CUPS_BACKEND_AUTH_REQUIRED`, indicating that additional authentication information is required, but instead of printing:
as it should for the printer I am interacting with, it simply echoes back the value passed in through `AUTH_INFO_REQUIRED`, which is not necessarily correct.
This invocation is the same as the one CUPS performs when trying to print for the first time with a newly added authenticated printer. Even if the printer is authenticated, no `auth-info-required` attribute is required to be specified when adding the printer, the backend (smbspool) should specify which authentication information is necessary, if any.
Exiting with `CUPS_BACKEND_AUTH_REQUIRED`, while specifying `none` as `auth-info-required` value breaks the contract with CUPS and results in a job that is indefinitely held for authentication, while being marked as requiring no authentication information.
This bug breaks authenticated printing, unless the `auth-info-required` attribute is manually corrected after adding the printer. The workaround is:
lpadmin -p PRINTER -o auth-info-required=username,password (for username + password)
lpadmin -p PRINTER -o auth-info-required=negotiate (for Kerberos)
For additional context, see the discussion with Michael R Sweet here: https://github.com/OpenPrinting/cups/issues/373
This is not that easy.
What we could do is to check for AUTH_INFO_REQUIRED=none and NT_STATUS_ACCESS_DENIED and in this case return.
AUTH_INFO_REQUIRED=samba will first try to use kerberos and fallback to username/password. We don't know what the server supports.
The question is if cups can deal with that ...
After commit , if `smbspool` reports that the job could not be authenticated, but it does not set the information required to authenticate it, CUPS will assume `username,password` as a fallback, so that it works at least in some cases. This, however, is a problem when the authentication should happen with Kerberos.
Regarding the solution of setting `auth-info-required` to `samba`, I am not sure that setting an arbitrary value is supported, because the documentation reports the expected values explicitly . If `samba` is supported, though, that could indeed be a solution.
I am wondering if, when the anonymous authentication fails, a Kerberos authentication can be attempted to figure out if that authentication method is supported but fails, or is not supported at all. I am just guessing, but isn't this similar to what you are already doing when `auth-info-required` is set to `samba`?