Web lists-archives.com

Re: [Samba] Printing via SMB-Kerberos no longer works




Alex Persson wrote:
> Robert Schetterer wrote:
>> Alex Persson wrote:
>>> Robert Schetterer wrote:
>>>> Alex Persson wrote:
>>>>> After upgrading from Ubuntu 16.04 to 18.04 printing via SMB-Kerberos no longer works (printing still works in 18.04 when I print via SMB but I don't want to have the password stored in clear text in /usr/lib/cups/backend/smb).
>>>>>
>>>>> In 16.04 I can just type "lpr file.pdf", but when doing this in 18.04 I get "Password for [myuser] on localhost?" and it expects me to type my password instead of using my Kerberos ticket for sending the print job to the print queue.
>>>>>
>>>>> I have the same Kerberos ticket available according to "klist" in 18.04 as I had in 16.04.
>>>>> I have "AuthInfoRequired negotiate" in /etc/cups/printers.conf
>>>>> The file /usr/lib/cups/backend/smb is a symbolic link pointing to /usr/lib/x86_64-linux-gnu/samba/smbspool_krb5_wrapper (in 16.04 it was pointing at /usr/bin/smbspool_krb5_wrapper).
>>>>> The permission is 700 on /usr/lib/x86_64-linux-gnu/samba/smbspool_krb5_wrapper.
>>>>> The version of cups is 2.2.7-1ubuntu2.1 in 18.04 while it was 2.1.3-4ubuntu0.5 in 16.04.
>>>>> The version of smbclient is 2:4.7.6+dfsg~ubuntu-0ubuntu2.2 in 18.04 while it was 2:4.3.11+dfsg-0ubuntu0.16.04.16 16.04.
>>>>>
>>>>> Maybe it is something wrong with smbspool_krb5_wrapper from the smbclient package?
>>>>
>>>> this feature broke times before by varia reasons
>>>> "just a shot in the dark", if you use kerberos tickets in /tmp then
>>>> stuff changed in 18.04 this also broke our cifs automounter
>>>> see here
>>>> https://blog.nutmeg.at/2017/04/17/getting-pam-krb5-working-autofs-and-cifs/
>>>> i did
>>>> default_ccache_name = FILE:/tmp/krb5cc_%{uid}
>>>> in /etc/krb5.conf
>>>> to fix our problem
>>> 
>>> I tried to set default_ccache_name in /etc/krb5.conf as you suggest above but "lpr" still asks "Password for [myuser] on localhost?".
>>> My CIFS mount works fine (as before) and I have $KRB5CCNAME set in my env and it points to the ticket under /tmp/:
>>> $ env|grep KRB
>>> KRB5CCNAME=FILE:/tmp/krb5cc_5241_RIBf32
>>> I wonder what makes "lpr" ask me "Password for [myuser] on localhost?" instead of using my Kerberos ticket as it does in Ubuntu 16.04? I see that /usr/bin/lpr comes with the package cups-bsd version 2.2.7-1ubuntu2.1 in Ubuntu 18.04 while it is 2.1.3-4ubuntu0.5 in Ubuntu 16.04.
>>
>> our stuff may not comparable to your setup, our ksmb print module is a
>> modified version, but i am nearly sure changes in new kerberos version
>> at 18.04 are your problem. I think you should log very verbose to find
>> the exact problem
> 
> Ok, so smbspool_krb5_wrapper might not be compatible with the Kerberos version in 18.04. When I "strace -f" the "lpr" command and then grep for "open" and "krb" I get almost the same lines in both 16.04 and in 18.04 (the difference is in the beginning of the lines: "open(" vs "openat(AT_FDCWD, "):
> 
> 16.04$ grep ^open /tmp/strace.out|grep krb
> open("/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = 3
> open("/usr/lib/x86_64-linux-gnu/libkrb5.so.3", O_RDONLY|O_CLOEXEC) = 3
> open("/usr/lib/x86_64-linux-gnu/libkrb5support.so.0", O_RDONLY|O_CLOEXEC) = 3
> 
> 18.04$ grep ^open /tmp/strace.out|grep krb
> openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = 3
> openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libkrb5.so.3", O_RDONLY|O_CLOEXEC) = 3
> openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libkrb5support.so.0", O_RDONLY|O_CLOEXEC) = 3
> 
> In 16.04 the three files belongs to libgssapi-krb5-2:amd64, libkrb5-3:amd64, and libkrb5support0:amd64 which all are version 1.13.2+dfsg-5ubuntu2 while they in 18.04 are version 1.16-2build1.

I have tried setting the user environment variable $KRB5_TRACE with "export KRB5_TRACE=$HOME/krb5.log" before typing "lpr file.pdf", but I get no log in "$HOME/krb5.log".

I've also tried adding the following lines to /etc/krb5.conf:

[logging]
    kdc = 0/FILE:/var/log/kdc.log
    kdc = 1-/SYSLOG:INFO:USER
    default = STDERR

However, I see no Kerberos-related output in /var/log/ so I assume I'm using the wrong Kerberos logging above (I looked at .

Best regards, Alex

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba