Hardy Heron: Adding SMB printer fails

Please have a look at this:

http://www.cups.org/articles.php?L291+TFAQ+P1+Q

Thanks
chuck

Thanks for the reply Chuck.

This article doesn't appear to address my problem. I say this because if I un-check the 'Requires Authentication' box when adding my SMB printer then it will add fine (but still won't print).

From what I can tell, this issue has cropped up before and, if I remember correctly, it had something to do with the smbspool program.

Also, from what the log files show above, the error appears to be related to an authentication issue:

E [16/Apr/2008:14:39:23 +1000] [Job 15] No ticket cache found for userid=0
E [16/Apr/2008:14:39:23 +1000] [Job 15] Can not get the ticket cache for root
E [16/Apr/2008:14:39:23 +1000] [Job 15] Session setup failed: NT_STATUS_LOGON_FAILURE
E [16/Apr/2008:14:39:23 +1000] [Job 15] Tree connect failed (NT_STATUS_ACCESS_DENIED)
E [16/Apr/2008:14:39:23 +1000] [Job 15] Unable to connect to CIFS host, will retry in 60 seconds...

I think I may have narrowed down the issue. I changed the cupsd.conf LogLevel to 'debug'.

When adding a printer via SMB with 'requires authentication' ticked and filled out I noticed that the logfile says:

CUPS-Add-Modify-Printer client-error-not-possible: Bad device-uri "smb://myusername:MyComplexpAss/1/2/3@/server/PRINTERSHARENAME"!

My Password has forward-slashes in it and so does the device URI. From what I can see, they're not being escaped properly which may be causing the 'Bad device-uri' error.

Can anyone else please confirm this? I've successfully added the printer IF my password does not contain any forward-slashes. So it would seem that it is indeed an escaping problem.

As such, should this be classified as a security issue too? If these characters aren't being escaped then you could potentially discover all sorts of injection attacks.

I can confirm this as can some others on my campus.

In my case it fails without any forward slashes in the password.

I don't believe it is an escaping problem as changing the URI for the printer to match what I see on Gutsy shows the same log message with the same URI.

I'm also getting "cupsdAuthorize: Local authentication certificate not found!" errors in my /var/log/cups/error_log.

For now I'm researching the issue. I've come across the following possibilities for the cause of the problem:
-AppArmor
-Firewall

Disabling apparmor and ufw does not appear to have any impact.

I've narrowed down the issue some more. It appears to be an issue with deciding which username to use for authenticating.

I did the following on Gutsy and Hardy:
-Installed wireshark
-Scanned for SMB protocol
-Looked at authentication tries
-Noted usernames.

Results:
-Gutsy authenticated once with the username I supplied within the dialog box.
-Hardy tries to authenticate several times under various usernames, none of which I have specified.
  -lp
  -<my local login>
  -anonymous

My /etc/cups/printers.conf is identical for each of the machines. I'm gonna look into this more after class today, as this issue is a sticking point for most of the people I know who run Ubuntu.

I believe I have fixed the issue. After playing around I realized that smbclient would complain that 'client plaintext auth' was disabled (my campus server needs plaintext for some reasom).

Adding the following to smb.conf and rebooting fixed my problem entirely:
client plaintext auth = yes
client lanman auth = yes

This may compromise security slightly (plaintext passwords are almost never a good idea). Please let me know if this fixes it for you. I'd be happy to keep investigating this if my fix does not work for you.

I confirm this bug and the fact that the above fix solved it for me.

As a fix authentication with clear-text password transfer is suggested. This looks like a design flaw of the smb CUPS backend, which is a part of Samba. Therefore moving to Samba.

This is not a design flaw, it's a deliberate design decision; use of plaintext passwords on an untrusted network is insecure, and in Ubuntu 8.04 smbspool (and other samba clients) will no longer allow negotiation of plaintext connections unless the user takes explicit action to enable this.

To enable plaintext authentication, set 'client plaintext auth = yes' in the [global] section of /etc/samba/smb.conf.

Couldn't there be a „plain-text authentication required” instead of „client-error-not-possible” message. That would definitely close the bug for me.