cups smb logon fails quietly

Bug #132791 reported by Justin
This bug affects 3 people

Affects: samba (Ubuntu)
Status: Confirmed
Importance: Medium
Assigned to: Unassigned

Bug Description

When printing to an SMB printer, if the credentials are incorrect then printing simply fails without notifying the user. I believe because the print job will be retried repeatedly this can also result in having a Windows AD account locked out because of too many failed logon attempts within a short interval...although I'm not sure if the default 60 second interval is enough to avoid this, I believe clicking 'print' repeatedly can trigger a lock-out. Either way, the user should probably know their credentials are incorrect.

An excerpt from my /var/log/cups/error_log:
E [15/Aug/2007:13:48:36 -0700] [Job 35] Tree connect failed (NT_STATUS_ACCESS_DENIED)
E [15/Aug/2007:13:48:36 -0700] [Job 35] No ticket cache found for userid=1000
E [15/Aug/2007:13:48:36 -0700] [Job 35] Can not get the ticket cache for justin
E [15/Aug/2007:13:48:36 -0700] [Job 35] Session setup failed: NT_STATUS_LOGON_FAILURE
E [15/Aug/2007:13:48:36 -0700] [Job 35] Tree connect failed (NT_STATUS_ACCESS_DENIED)
E [15/Aug/2007:13:48:36 -0700] [Job 35] Unable to connect to CIFS host, will retry in 60 seconds...
E [15/Aug/2007:13:48:36 -0700] PID 5834 (/usr/lib/cups/backend/smb) crashed on signal 9!
E [15/Aug/2007:13:48:36 -0700] PID 5832 (/usr/lib/cups/filter/pstops) crashed on signal 9!
E [15/Aug/2007:13:48:36 -0700] [Job 35] Session setup failed: NT_STATUS_LOGON_FAILURE
E [15/Aug/2007:13:48:36 -0700] [Job 35] No ticket cache found for userid=1000
E [15/Aug/2007:13:48:36 -0700] [Job 35] Can not get the ticket cache for justin
E [15/Aug/2007:13:48:36 -0700] [Job 35] Session setup failed: NT_STATUS_LOGON_FAILURE
E [15/Aug/2007:13:48:36 -0700] [Job 35] Tree connect failed (NT_STATUS_ACCESS_DENIED)
E [15/Aug/2007:13:48:36 -0700] [Job 35] Unable to connect to CIFS host, will retry in 60 seconds...
...
E [15/Aug/2007:13:48:38 -0700] [Job 35] Session setup failed: NT_STATUS_ACCOUNT_LOCKED_OUT
E [15/Aug/2007:13:48:38 -0700] [Job 35] No ticket cache found for userid=1000
E [15/Aug/2007:13:48:38 -0700] [Job 35] Can not get the ticket cache for justin
E [15/Aug/2007:13:48:38 -0700] [Job 35] Session setup failed: NT_STATUS_LOGON_FAILURE
E [15/Aug/2007:13:48:38 -0700] [Job 35] Tree connect failed (NT_STATUS_ACCESS_DENIED)
E [15/Aug/2007:13:48:38 -0700] [Job 35] Unable to connect to CIFS host, will retry in 60 seconds...
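
Added example (not part of the original report): a Python summary, per print job, of the SMB logon failures and retries in an error_log like the excerpt above, flagging jobs that repeat failures or reach NT_STATUS_ACCOUNT_LOCKED_OUT. The sample lines are constructed in the same format; the function name and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the error_log excerpts in this report.
SAMPLE_LOG = """\
E [15/Aug/2007:13:48:36 -0700] [Job 35] Session setup failed: NT_STATUS_LOGON_FAILURE
E [15/Aug/2007:13:48:36 -0700] [Job 35] Can not get the ticket cache for justin
E [15/Aug/2007:13:48:36 -0700] [Job 35] Unable to connect to CIFS host, will retry in 60 seconds...
E [15/Aug/2007:13:48:37 -0700] [Job 35] Session setup failed: NT_STATUS_LOGON_FAILURE
E [15/Aug/2007:13:48:37 -0700] [Job 35] Unable to connect to CIFS host, will retry in 60 seconds...
E [15/Aug/2007:13:48:38 -0700] [Job 35] Session setup failed: NT_STATUS_ACCOUNT_LOCKED_OUT
E [15/Aug/2007:13:48:38 -0700] PID 5834 (/usr/lib/cups/backend/smb) crashed on signal 9!
E [20/Aug/2007:18:08:34 +0300] [Job 140] Session setup failed: NT_STATUS_LOGON_FAILURE
E [20/Aug/2007:18:08:34 +0300] [Job 140] Can not get the ticket cache for moo
"""

JOB_LINE = re.compile(r"^E \[[^\]]+\] \[Job (\d+)\] (.*)$")
STATUS = re.compile(r"Session setup failed: (NT_STATUS_\w+)")
USER = re.compile(r"Can not get the ticket cache for (\S+)")


def summarize_auth_failures(log_text, threshold=2):
    """Return {job_id: summary} for jobs whose SMB session setup failed."""
    jobs = defaultdict(lambda: {"user": None, "logon_failures": 0,
                                "retries": 0, "locked_out": False})
    for line in log_text.splitlines():
        m = JOB_LINE.match(line)
        if not m:
            continue  # lines without a job id (scheduler messages, PID crashes)
        job, msg = jobs[int(m.group(1))], m.group(2)
        if (s := STATUS.search(msg)):
            if s.group(1) == "NT_STATUS_LOGON_FAILURE":
                job["logon_failures"] += 1
            elif s.group(1) == "NT_STATUS_ACCOUNT_LOCKED_OUT":
                job["locked_out"] = True
        elif (u := USER.search(msg)):
            job["user"] = u.group(1)
        elif "will retry in" in msg:
            job["retries"] += 1
    # Alert when the account is already locked or failures keep repeating.
    return {jid: {**j, "alert": j["locked_out"] or j["logon_failures"] >= threshold}
            for jid, j in jobs.items()
            if j["logon_failures"] or j["locked_out"]}


if __name__ == "__main__":
    for jid, info in summarize_auth_failures(SAMPLE_LOG).items():
        print(jid, info)
```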

Justin (justin-domain17) wrote :

attaching my /var/log/cups/error_log

Mikko Ohtamaa (mikko-red-innovation) wrote :

I can confirm this, Ubuntu Feisty Fawn, printer shared on Windows Vista

E [20/Aug/2007:18:08:34 +0300] [Job 140] Session setup failed: NT_STATUS_LOGON_FAILURE
E [20/Aug/2007:18:08:34 +0300] [Job 140] No ticket cache found for userid=1000
E [20/Aug/2007:18:08:34 +0300] [Job 140] Can not get the ticket cache for moo
E [20/Aug/2007:18:08:34 +0300] [Job 140] Session setup failed: NT_STATUS_LOGON_FAILURE
E [20/Aug/2007:18:08:34 +0300] [Job 140] Tree connect failed (NT_STATUS_ACCESS_DENIED)
E [20/Aug/2007:18:08:34 +0300] [Job 140] Unable to connect to CIFS host, will retry in 60 seconds...

Serge Podunov (serp-www) wrote :

I confirm this bug, Ubuntu Feisty Fawn, printer shared on Windows XP

E [23/Aug/2007:15:01:39 +0400] cupsdAuthorize: Local authentication certificate not found!
E [23/Aug/2007:15:01:39 +0400] cupsdAuthorize: Local authentication certificate not found!
E [23/Aug/2007:15:01:39 +0400] cupsdAuthorize: Local authentication certificate not found!
E [23/Aug/2007:15:01:40 +0400] [Job 394] Session setup failed: NT_STATUS_ACCOUNT_LOCKED_OUT
E [23/Aug/2007:15:01:40 +0400] [Job 394] No ticket cache found for userid=1000
E [23/Aug/2007:15:01:40 +0400] [Job 394] Can not get the ticket cache for podunov
E [23/Aug/2007:15:01:40 +0400] [Job 394] Session setup failed: NT_STATUS_LOGON_FAILURE
E [23/Aug/2007:15:01:40 +0400] [Job 394] Tree connect failed (NT_STATUS_ACCESS_DENIED)
E [23/Aug/2007:15:01:40 +0400] [Job 394] Unable to connect to CIFS host, will retry in 60 seconds...
E [23/Aug/2007:15:01:42 +0400] cupsdAuthorize: Local authentication certificate not found!
E [23/Aug/2007:15:01:42 +0400] cupsdAuthorize: Local authentication certificate not found!
E [23/Aug/2007:15:01:42 +0400] cupsdAuthorize: Local authentication certificate not found!
E [23/Aug/2007:15:01:42 +0400] cupsdAuthorize: Local authentication certificate not found!
E [23/Aug/2007:15:01:42 +0400] cupsdAuthorize: Local authentication certificate not found!

Till Kamppeter (till-kamppeter) wrote :

The credentials are handled by the "smb" CUPS backend (/usr/lib/cups/backend/smb) which is provided by the samba package. Moving to samba ...

Note also that in Gutsy, with gnome-cups-manager being replaced by system-config-printer one can check the credentials before creating a print queue to an SMB-shared printer.

Soren Hansen (soren) wrote :

Till, what can Samba do to make this information available to the user? I'm not quite familiar with CUPS's backend API.

Changed in samba:
status: New → Incomplete

Justin (justin-domain17) wrote :

The print queue credentials were fine when I created it, but when I was forced to change my password by the domain policy it became broken quietly. That's why I think it makes sense to alert the user.

Soren Hansen (soren) wrote : Re: [Bug 132791] Re: cups smb logon fails quietly

On Thu, Aug 30, 2007 at 06:34:22PM -0000, Justin wrote:
> The print queue credentials were fine when I created it, but when I was
> forced to change my password by the domain policy it became broken
> quietly. That's why I think it makes sense to alert the user.

I agree that it makes sense. I just need to know a bit about CUPS before
I can patch Samba to make this possible.

--
Soren Hansen
Ubuntu Server Team
http://www.ubuntu.com/

Changed in samba:
importance: Undecided → Medium
status: Incomplete → Confirmed

Paul Dufresne (paulduf) wrote :

Well, GNOME seems not to know how to prompt for a password anyway, yet.
As it was discovered in bug #283811.

But then, it sounds like the cache is not invalidated on error (else I suppose it would not retry so much as to deactivate the password for a while on the server).

As far as I could tell, this cache is CUPS stuff, not Samba backend stuff.
Like http://www.cups.org/str.php?L2268+P0+S0+C0+I0+E0+M20+Q2268 says:
BACKENDS

Backends will continue to get the authentication information from the cache file (aNNNNN in the spool directory, where NNNNN is the job ID). The format of this file is one authentication value per line, with each value Base64-encoded.

When the authentication fails, backends can send an "ATTR: auth-info-required=..." message to stderr to reconfigure the auth-info-required attribute on the queue, and then exit with code 2 to indicate that authentication is required.

I believe this is how the cache is supposed to be invalidated, and a new password asked for.

So if things go correctly, Justin should be affected by bug #283811; if he is not... then that looks like a bug to me.
Or maybe I spend too much time looking at bug #283811 and not seeing things as they are. ;-)
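
Added example (not from the thread and not Samba's or CUPS's code): a Python wrapper around a backend command that follows the behaviour quoted above, stopping the backend at the first logon failure instead of letting it retry, writing the ATTR message to stderr and returning exit code 2. The wrapper approach, the function name, the constructed stand-in backends and the value username,password are assumptions.

```python
import subprocess
import sys

AUTH_REQUIRED = 2  # exit code the quoted CUPS text gives for "authentication is required"
AUTH_FAILURES = ("NT_STATUS_LOGON_FAILURE", "NT_STATUS_ACCOUNT_LOCKED_OUT")

# Constructed stand-ins for a real backend: one fails logon and would then
# sleep and retry, one finishes without an authentication error.
FAKE_STALE_CREDS = [sys.executable, "-c", (
    "import sys, time\n"
    "sys.stderr.write('Session setup failed: NT_STATUS_LOGON_FAILURE\\n')\n"
    "sys.stderr.flush()\n"
    "time.sleep(30)\n"
    "sys.stderr.write('Unable to connect to CIFS host, will retry in 60 seconds...\\n')\n")]
FAKE_OK = [sys.executable, "-c", "import sys; sys.stderr.write('job sent\\n')"]


def run_backend(cmd, out=None):
    """Run a backend, relay its stderr, and return the exit code for CUPS.

    The first authentication failure ends the run, so a stale password
    produces one failed logon rather than a retry loop.
    """
    out = sys.stderr if out is None else out
    proc = subprocess.Popen(cmd, stderr=subprocess.PIPE, text=True)
    try:
        for line in proc.stderr:
            out.write(line)
            if any(status in line for status in AUTH_FAILURES):
                proc.terminate()  # no further logon attempts with these credentials
                out.write("ATTR: auth-info-required=username,password\n")
                return AUTH_REQUIRED
        return proc.wait()  # no auth failure seen: pass the backend's own code on
    finally:
        proc.stderr.close()
        proc.wait()


if __name__ == "__main__":
    print("stale credentials ->", run_backend(FAKE_STALE_CREDS))
    print("working credentials ->", run_backend(FAKE_OK))
```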

segler (segler-alex) wrote :

it works for me in lucid, thanks

Oernie (arne-henningsen) wrote :

It does not work for me in lucid (KDE, Kubuntu) :-(

stefanwelte (post-stefan-welte) wrote :

It does not work for me in hardy (KDE, Kubuntu) :-((
