[SRU] AuthInfoRequired negotiate in cups 2.2.7 in Bionic does not work

Bug #1783298 reported by Ian Gordon on 2018-07-24
This bug affects 8 people
Affects | Status | Importance | Assigned to | Milestone
CUPS | Fix Released | Unknown | |
cups (Ubuntu) | | Undecided | Till Kamppeter |
Bionic | | Undecided | Unassigned |
Cosmic | | Undecided | Unassigned |
Disco | | Undecided | Till Kamppeter |

Bug Description

[Impact]

If a print queue is set up with "auth-info-required=negotiate" because the server requires authentication (for example Kerberos) the user is asked for user name and password on every join, instead of the authentication working automatically. This worked correctly in 14.04 and 16.04.

Also, setting "AuthType Default" for "/" in cupsd.conf leads to being prompted for a password on commands like "lpstat -a", even for root. This works correctly in Xenial and Cosmic.

[Test Case]

Set up a queue pointing to a Kerberos-authenticated Windows server with "lpadmin ... -o auth-info-required=negotiate ..." OR set "AuthType Default" for "/" in cupsd.conf. When printing or running other commands accessing your print queue you will get prompted for credentials. With the fix the authentication becomes automatic again.

[Regression Potential]

Low, as the fixes are simple one-line corrections taken from upstream.

[Original report]

Hi,

We have our printers configured to print to a Windows print server. In Ubuntu 14.04 and 16.04 our setup works fine but in 18.04 our setup seems to be acting more like AuthInfoRequired username,password i.e. it prompts for a password when printing rather than using the available Kerberos credentials.

We are using an unaltered cupsd.conf file and are adding printers with the following command:

lpadmin -p "printer" -D "Printer" -L "room" -v "smb://printers.cis.strath.ac.uk/printers" -o Media=A4 -o PageSize=A4 -o printer-error-policy=abort-job -o auth-info-required=negotiate -m "CIS/hp-officejet_pro_476_576_series-ps.ppd"

The smb backend has been linked to /usr/lib/x86_64-linux-gnu/samba/smbspool_krb5_wrapper (I've added this to the apparmor profile as it's blocked by default) and the permissions on this file changed to 700 (owner root) as per manpage instructions.

When using lp -d printer /tmp/test.txt I get the following response:

Password for myuid on localhost?

Typing my password gets the job accepted to the queue but it does spool to the Windows Print Server and in the error_log file I can see

D [24/Jul/2018:10:33:00 +0100] [Job 45] SMBSPOOL_KRB5 - AUTH_INFO_REQUIRED=negotiate
D [24/Jul/2018:10:33:00 +0100] [Job 45] SMBSPOOL_KRB5 - Started with uid=0
D [24/Jul/2018:10:33:00 +0100] [Job 45] SMBSPOOL_KRB5 - AUTH_UID is not set

As I said earlier this all works perfectly on Xenial and Trusty.
(A similar AuthInfoRequired negotiate setup also works in cups 2.2.5 on MacOS 10.13)

Any ideas how to fix this?

Thanks,

Ian.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: cups 2.2.7-1ubuntu2.1
ProcVersionSignature: Ubuntu 4.15.0-29.31-generic 4.15.18
Uname: Linux 4.15.0-29-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.2
Architecture: amd64
Date: Tue Jul 24 10:03:57 2018
InstallationDate: Installed on 2018-06-22 (31 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
Lsusb:
 Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
 Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
 Bus 001 Device 003: ID 0461:4d81 Primax Electronics, Ltd Dell N889 Optical Mouse
 Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
 Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
MachineType: Dell Inc. OptiPlex 790
Papersize: a4
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz root=/dev/mapper/pd--ig--vg-root ro quiet splash
SourcePackage: cups
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 05/28/2011
dmi.bios.vendor: Dell Inc.
dmi.bios.version: A05
dmi.board.name: 0HY9JP
dmi.board.vendor: Dell Inc.
dmi.board.version: A00
dmi.chassis.type: 6
dmi.chassis.vendor: Dell Inc.
dmi.modalias: dmi:bvnDellInc.:bvrA05:bd05/28/2011:svnDellInc.:pnOptiPlex790:pvr01:rvnDellInc.:rn0HY9JP:rvrA00:cvnDellInc.:ct6:cvr:
dmi.product.name: OptiPlex 790
dmi.product.version: 01
dmi.sys.vendor: Dell Inc.

Ian Gordon (ian-gordon) wrote :

The above setup works fine in Ubuntu 17.10 as well, which uses cups 2.2.4

Ian Gordon (ian-gordon) wrote :

It appears that it first stops working in cups version 2.2.7 when there is a major change in cups/auth.c.

It is still broken in the current cups github repo master branch.

I have noticed it works correctly if you disable the unix domain socket, e.g. comment out

Listen /run/cups/cups.sock

in /etc/cups/cupsd.conf

Ian Gordon (ian-gordon) wrote :

My suggested work around above does not fix the issue (completely) because systemd is in charge of the socket - so as well as commenting out "Listen /run/cups/cups.sock" in /etc/cups/cupsd.conf you have to also do the following:

systemctl stop cups.service
systemctl stop cups.socket
rm /run/cups/cups.sock
systemctl disable cups.socket
systemctl start cups.service

Ian Gordon (ian-gordon) wrote :

Here is my proposed solution (attached) to the problem - I do not claim to fully understand cups' authentication system but it seems to me from looking at the old code to cups/auth.c and the new broken code that this patch would make the unix domain socket authentication work the same as it did before:

The attachment "proposed_solution.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Ian Gordon (ian-gordon) wrote :

Unfortunately my possible workaround in comments 3 & 4 only partially works - cups stops prompting for a password but its smb backend (/usr/lib/x86_64-linux-gnu/samba/smbspool_krb5_wrapper) does not receive the AUTH_UID is not set and therefore cannot spool the job to a Windows print server.

I'm assuming that AUTH_UID can only be set if using a domain socket connection rather than a localhost connection to the cups daemon.

The patch I propose in comment 5 does appear to work.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in cups (Ubuntu):
status: New → Confirmed
josephpei (josephpei) wrote :

I found the solution:

https://www.dedoimedo.com/computers/ubuntu-beaver-samba-shares.html

Quote: The reason is, they changed the default protocol version and whatnot, and actually, who cares. People just want to be able to share things with their Windows boxes easily!

Edit

/etc/samba/smb.conf

Add a line

client max protocol = NT1

Restart smb

sudo systemctl restart smbd.service

Now we can see the windows neighbours and the share printers.

Launo Tuuri (ltuuri) wrote :

To get kerberos authentication fixed again in CUPS would be extremely good!

I guess downgrading to SMB1 is not even an option in many bigger and/or more open environments -- typically managed by someone else with security oriented attitude.

Sebastien Bacher (seb128) wrote :

Ideally that would be reported upstream, Till maybe you can help with that?

Changed in cups (Ubuntu):
assignee: nobody → Till Kamppeter (till-kamppeter)
Changed in cups:
status: Unknown → Fix Released
Sebastien Bacher (seb128) wrote :

Upstream referenced to a commit that could fix the issue https://github.com/apple/cups/commit/ef2f369c

Esko Järnfors (esko-jarnfors) wrote :

We had very similar symptoms (the user always gets a username/password prompt when trying to print) but it seems for us PeerCred was not working properly. I tried compiling the source tree from cosmic and it worked correctly. I then took a diff between that and the bionic package and the cups/auth.c has 3 different lines. Applying this patch to the 2.2.7 source tree fixes the issue at least for us.

Sebastien Bacher (seb128) wrote :

@Esko, could you describe the setup enough so the description can be used for a SRU (https://wiki.ubuntu.com/StableReleaseUpdates)?

Looking at the upstream commits and your diff, it looks like that one might be the one fixing your issue
https://github.com/apple/cups/commit/1f679daf
and the third line changed is
https://github.com/apple/cups/commit/b643d6ba

Esko Järnfors (esko-jarnfors) wrote :

Actually it looks like this is probably a bit different than the original issue in this bug, sorry about that. However, I have attached our cupsd.conf and any printers we are using have "OpPolicy authenticated". With this config (the difference to stock Ubuntu config is AuthType Default for /), for example lpstat -a always prompts for credentials. In xenial and cosmic this works without prompting through PeerCred. With the attached config, even root is asked for credentials for 'lpstat -a'. After applying both of the patches you found upstream (which were combined in my earlier diff) this works without prompting as it should and the AUTH_UID is passed correctly.

You can also see one of the symptoms of this problem in the original bug report as AUTH_UID is not set in the original post. Even with the Kerberos authentication failing, when using the socket cups should have set the AUTH_UID properly.

Esko Järnfors (esko-jarnfors) wrote :

If this is not fixed, the attached config also breaks any cups package updates as the package scripts get the authentication prompt and hang.

summary: - AuthInfoRequired negotiate in cups 2.2.7 in Bionic does not work
+ [SRU] AuthInfoRequired negotiate in cups 2.2.7 in Bionic does not work

Thanks Esko for your investigations. I have uploaded an appropriately patched CUPS package for Bionic now. As soon as it gets approved you will be asked for testing here. Please do the testing then and give us feedback whether it solves your problem, so that we can make the fix an official update for Bionic.

description: updated

debdiff of the fix.

Brian Murray (brian-murray) wrote :

There is only one bug task for this bug report and the default bug task in that case is meant to target the development release of Ubuntu, subsequently it is not clear if this bug is fixed in Disco. Is it? Additionally, is it fixed in Ubuntu 18.10?

Changed in cups (Ubuntu):
status: Confirmed → Incomplete
Esko Järnfors (esko-jarnfors) wrote :

Any progress on this? It would be nice to get this fixed in distribution.

Timo Aaltonen (tjaalton) wrote :

since the bug was recently filed upstream, it seems clear that it's not fixed in cosmic or disco either, and the policy is to first fix it in the devel series.. so the SRU needs to wait for a bit

Timo Aaltonen (tjaalton) wrote :

sorry, looks like this is actually fixed upstream in 2.2.10, so I'm marking it fixed for disco

Till, please upload a fix for cosmic too

Changed in cups (Ubuntu Disco):
status: Incomplete → Fix Released
Timo Aaltonen (tjaalton) wrote :

meh, the fixes are from 2.2.8 which is in cosmic

Changed in cups (Ubuntu Bionic):
status: New → Fix Committed
Changed in cups (Ubuntu Cosmic):
status: New → Fix Released
Mathew Hodson (mathew-hodson) wrote :

cups 2.2.7-1ubuntu2.4 is now in bionic-proposed

description: updated
Esko Järnfors (esko-jarnfors) wrote :

cups 2.2.7-1ubuntu2.4 from proposed works and fixes this issue for us.

Esko, thanks for the feedback. I have marked the fix as verified now so it will get an official update for Bionic soon.

tags: added: verification-done-bionic
Ian Gordon (ian-gordon) wrote :

cups 2.2.7-1ubuntu2.4 from proposed has exactly the same symptoms for me - prompts for password when printing. So the original issue seems to be different from Esko's.

Ian Gordon (ian-gordon) wrote :

If I also set "AuthType Default" for "/" then the cups 2.2.7-1ubuntu2.4 works.
I did not have this set in 14.04 or 16.04.

Łukasz Zemczak (sil2100) wrote :

@ian-gordon does this mean the fix does not work for you? I'll release it into bionic-updates since it seems to work for others and not introduce any regressions, but if you are still encountering issues please open a new bug.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups - 2.2.7-1ubuntu2.4

---------------
cups (2.2.7-1ubuntu2.4) bionic; urgency=medium

  * fix-a-parsing-bug-in-the-new-authentication-code.patch,
    fix-cups-auth-find-for-schemes-without-parameters.patch: Backported
    authentication fixes from upstream (LP: #1783298).

 -- Till Kamppeter <email address hidden> Sun, 3 Mar 2019 12:28:01 +0100

Changed in cups (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for cups has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
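The changelog above names a fix for looking up authentication schemes that carry no parameters, which is how a server offers "Negotiate" or "PeerCred". The following added example is not the CUPS code or the upstream patch; it contrasts a hypothetical fragile lookup with a tokenising one on constructed WWW-Authenticate values (function names and header strings are assumptions made for illustration).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int ieq(const char *a, const char *b, size_t n) { /* scheme names ignore case */
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

static const char *skip_sep(const char *p) {
    while (*p == ',' || isspace((unsigned char)*p)) p++;
    return p;
}

/* Fragile lookup (hypothetical): expects "Scheme<space>params" and searches raw text. */
int naive_scheme_offered(const char *hdr, const char *scheme) {
    size_t want = strlen(scheme);
    for (const char *p = hdr; (p = strstr(p, scheme)) != NULL; p += want)
        if (isspace((unsigned char)p[want])) return 1;
    return 0;
}

/* Tokenising lookup: a bare token is a scheme name, name=value is a parameter. */
int auth_scheme_offered(const char *hdr, const char *scheme) {
    size_t want = strlen(scheme);
    const char *p = skip_sep(hdr);
    while (*p) {
        const char *tok = p;
        while (*p && *p != ',' && *p != '=' && !isspace((unsigned char)*p)) p++;
        if (*p == '=') {                 /* parameter: skip its value */
            if (*++p == '"') {           /* quoted value may hold commas and spaces */
                for (p++; *p && *p != '"'; p++)
                    if (*p == '\\' && p[1]) p++;
                if (*p == '"') p++;
            } else {
                while (*p && *p != ',' && !isspace((unsigned char)*p)) p++;
            }
        } else if ((size_t)(p - tok) == want && ieq(tok, scheme, want)) {
            return 1;                    /* scheme found, with or without parameters */
        }
        p = skip_sep(p);
    }
    return 0;
}

int main(void) {
    /* Constructed WWW-Authenticate values, not captured from a real server. */
    const char *h[] = { "Negotiate, PeerCred", "Basic realm=\"Negotiate only\"", "Negotiate" };
    for (int i = 0; i < 3; i++)
        printf("%-30s naive=%d tokenised=%d\n", h[i],
               naive_scheme_offered(h[i], "Negotiate"), auth_scheme_offered(h[i], "Negotiate"));
    return 0;
}
```

When a client misses a parameterless scheme in this way, the visible result is the one reported in this bug: it falls back to asking for a user name and password.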

Ian Gordon (ian-gordon) wrote :

@sil2100 it works for me as long as I set AuthType Default for / (which I didn't have to set before but I'm happy to set it now)

Ian, could you perhaps apply the patch of comment #13 and see whether you get your problem fully solved (no need of setting AuthType Default for /)?

Johan Bengtsson (chalmersjb) wrote :

Is this fix available in Disco?

Johan Bengtsson (chalmersjb) wrote :

I have a situation that is similar but not with a windows server.

I have an experimental server which is installed with Ubuntu Disco. Queues are authenticated with kerberos. These are IPP-Everywhere queues.

I have a client with Ubuntu 18.04.2 LTS.

Printing did not work with cups-2.2.7-1ubuntu2.4 on the client. Same symptoms as described here, cannot print, authentication prompt despite valid kerberos tickets.

I compiled upstream cups 2.2.7 with Esko's fix-password-prompt.patch AND the kerberos truncate patch from #13 and installed it on the client.

It works, but printing is very slow, at least from firefox.

Johan Bengtsson (chalmersjb) wrote :

The slowness might have been caused by some apparmor probs:
Apr 11 15:16:58 zander kernel: [13422.621558] audit: type=1400 audit(1554988618.771:27): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/gss/mech.d/" pid=13888 comm="ipp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 11 15:20:43 zander kernel: [13647.282091] audit: type=1400 audit(1554988843.431:28): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/gss/mech.d/" pid=20908 comm="ipp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 11 15:25:43 zander kernel: [13947.374877] audit: type=1400 audit(1554989143.520:29): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/gss/mech.d/" pid=27940 comm="ipp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 11 15:28:24 zander kernel: [14108.309867] audit: type=1400 audit(1554989304.459:30): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/gss/mech.d/" pid=424 comm="ipp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 11 15:28:46 zander kernel: [14130.333125] audit: type=1400 audit(1554989326.483:31): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/gss/mech.d/" pid=1116 comm="ipp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 11 15:43:00 zander kernel: [14984.432581] audit: type=1400 audit(1554990180.581:32): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/gss/mech.d/" pid=26456 comm="ipp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 11 15:43:03 zander kernel: [14987.725323] audit: type=1400 audit(1554990183.873:33): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/gss/mech.d/" pid=26546 comm="ipp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 11 15:43:05 zander kernel: [14989.287668] audit: type=1400 audit(1554990185.433:34): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/gss/mech.d/" pid=26584 comm="ipp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 11 15:43:06 zander kernel: [14990.386287] audit: type=1400 audit(1554990186.533:35): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/gss/mech.d/" pid=26610 comm="ipp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 11 15:54:37 zander dbus-daemon[859]: [system] Activating service name='org.opensuse.CupsPkHelper.Mechanism' requested by ':1.167' (uid=1000 pid=14054 comm="/usr/bin/python3 /usr/share/system-config-printer/" label="unconfined") (using servicehelper)
Apr 11 15:54:37 zander dbus-daemon[859]: [system] Successfully activated service 'org.opensuse.CupsPkHelper.Mechanism'
Apr 11 15:55:43 zander kernel: [15747.355081] audit: type=1400 audit(1554990943.501:36): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/gss/mech.d/" pid=15434 comm="ipp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 11 15:58:20 zander kernel: [15904.185434] audit: type=1400 audit(1554991100.336:37): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=21257 comm="apparmor_parser"
Apr 11 15:58:20 zander kernel: [15904.185716] audit: type=1400 audit(1...


There is a bug in Samba >= 4.8: https://bugzilla.samba.org/show_bug.cgi?id=13939
A fix for samba is needed if negotiate authorization still does not work. Symptom is a window asking for some password.
