Web lists-archives.com

Re: [Samba] Printing via SMB-Kerberos no longer works




Am 22.09.2018 um 12:08 schrieb Robert Schetterer:
> Am 22.09.2018 um 09:49 schrieb Alex Persson via samba:
>> Hello,
>>
>> After upgrading from Ubuntu 16.04 to 18.04 printing via SMB-Kerberos no longer works (printing still works in 18.04 when I print via SMB but I don't want to have the password stored in clear text in /usr/lib/cups/backend/smb).
>>
>> In 16.04 I can just type "lpr file.pdf", but when doing this in 18.04 I get "Password for [myuser] on localhost?" and it expects me to type my password instead of using my Kerberos ticket for sending the print job to the print queue.
>>
>> I have the same Kerberos ticket available according to "klist" in 18.04 as I had in 16.04.
>> I have "AuthInfoRequired negotiate" in /etc/cups/printers.conf
>> The file /usr/lib/cups/backend/smb is a symbolic link pointing to /usr/lib/x86_64-linux-gnu/samba/smbspool_krb5_wrapper (in 16.04 it was pointing at /usr/bin/smbspool_krb5_wrapper).
>> The permission is 700 on /usr/lib/x86_64-linux-gnu/samba/smbspool_krb5_wrapper.
>> The version of cups is 2.2.7-1ubuntu2.1 in 18.04 while it was 2.1.3-4ubuntu0.5 in 16.04.
>> The version of smbclient is 2:4.7.6+dfsg~ubuntu-0ubuntu2.2 in 18.04 while it was 2:4.3.11+dfsg-0ubuntu0.16.04.16 16.04.
>>
>> Can you please help me figure out what the problem is? Maybe it is something wrong with smbspool_krb5_wrapper from the smbclient package?
>>
>> Best regards, Alex
>>
> 
> this feature broke times before by varia reasons
> "just a shot in the dark", if you use kerberos tickets in /tmp then
> stuff changed in 18.04 this also broke our cifs automounter
> 
> see here
> 
> https://blog.nutmeg.at/2017/04/17/getting-pam-krb5-working-autofs-and-cifs/
> 
> i did
> 
> default_ccache_name = FILE:/tmp/krb5cc_%{uid}
> 
> in /etc/krb5.conf
> 
> to fix our problem
> 
> Best Regards
> MfG Robert Schetterer
> 

by the way, simply changing did not work on the first try cause
the system did in fact used the old functions, in our case i simply did
a puppet reinstall during testing phase, if you want to try it on the
fly i think you have to make sure that the change is really used, so
study how to make this work


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba