CUPS cannot print to Kerberos-authenticated SMB print queue

Bug #788167 reported by Etienne Goyer
This bug affects 30 people
Affects: Debian. Status: Fix Released. Importance: Unknown.
Affects: cups (Ubuntu). Status: Confirmed. Importance: Undecided. Assigned to: Unassigned.
Affects: samba (Ubuntu). Status: New. Importance: Undecided. Assigned to: Unassigned.

Bug Description

Binary package hint: cups

That was investigated on maverick (cups 1.4.4) and natty (cups 1.4.6).

CUPS in Ubuntu cannot authenticate using Kerberos to an SMB print queue, such as one in an Active Directory. This is because the smb backend is being invoked as user lp, and this user cannot access the Kerberos credential cache of the user who submitted the job. When trying to print, the job is held for authentication, and a dialog prompting for username/password is being shown. On Windows (and possibly other OS), the user would not be prompted if he has a ticket in the Kerberos realm (ie, "logged on to the domain") he is trying to print to.

The CUPS smb backend on Ubuntu is the smbspool binary provided by Samba. When run as a user, it will pick the Kerberos credential cache by itself and authenticate seamlessly. Otherwise, it will read the KRB5CCNAME environment variable and try to use that when possible.

There are two possible solutions to that:

- Invoke the smb backend as root and pass it the KRB5CCNAME environment variable pointing to the user's Kerberos credential cache. CUPS executes the backend as user lp if it is world-executable, which is currently the case on Ubuntu. User lp does not have the permission to read the user's credential cache, hence why the smb backend would need to be executed as root (by removing the world-executable bit). Also, CUPS does not currently set KRB5CCNAME before invoking the smb backend (see http://www.cups.org/str.php?L3847).

- Execute smbspool as the user submitting the job.

I presume we would have the same problem with other backends that would do Kerberos authentication, although I do not know of a specific one. I have only tested and investigated with the smb backend.

Etienne Goyer (etienne-goyer-outlands) wrote :

CUPS not setting the KRB5CCNAME environment variable has been reported upstream at http://www.cups.org/str.php?L3847.

Beli (beli) wrote :

Hi, in openSUSE there is a package called "samba-krb-printing" that does just that - serves as a wrapper for smbspool that enables correct Kerberos auth. And it works, I used it in openSUSE to print to Windows print servers in an AD domain. I suppose it could be easily ported to Ubuntu, I may even do it myself if I find some spare time.
Best regards.

Changed in cups (Ubuntu):
status: New → Confirmed
Bart Vermeulen (bartverm) wrote :

Still doesn't work under Oneiric with CUPS 1.5

Brownie in Motion (brownianmotion) wrote :

Just noting that the upstream bug is listed as "fixed in subversion" as of May 25, 2011, targeted for CUPS 1.4.7.

It also notes that the smb backend would need to be updated for CUPS 1.5; I can't find out if the Samba guys have included the AUTH_UID stuff, though...

Robstarusa (rob-naseca) wrote :

Affects me on quantal

PorkCharSui (porkcharsui) wrote :

Same with Trusty. The script mentioned here, http://ubuntuforums.org/showthread.php?t=2176738, does work. If you've installed your samba printer and then replace the symlink /usr/lib/cups/backend/smb (pointing to /usr/bin/smbspool) with the script mentioned in the link, authenticated printing over samba with kerberos works. It only has one problem. After replacing the symlink /usr/lib/cups/backend/smb with the script from the link, it becomes impossible to install samba printers either through cups or the GUI. Replace the script with the original symlink to /usr/bin/smbspool and you can install samba printers again. I would really like a good solution for this, since we now have the option to either print or to install a printer, but not both.
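
The wrapper approach discussed in this report (run the smb backend as root and hand smbspool the job owner's credential cache through KRB5CCNAME), as an added example: this is not the script from the linked forum thread nor the openSUSE package. It assumes the default FILE: cache at /tmp/krb5cc_<uid>; the names resolve_ccache, backend_main, CCACHE_DIR and SMBSPOOL are hypothetical.

```shell
#!/bin/sh
# Added example: install as /usr/lib/cups/backend/smb, owned by root, mode 0700.
# Without the world-executable bit CUPS runs the backend as root instead of lp.
SMBSPOOL=${SMBSPOOL:-/usr/bin/smbspool}
CCACHE_DIR=${CCACHE_DIR:-/tmp}  # assumption: FILE: cache named krb5cc_<uid>

# Print "FILE:<path>" for the job owner's credential cache, or return 1.
resolve_ccache() {
    user=$1
    # The user name arrives with the job; accept plain account names only
    # (conservative: rejects DOMAIN\user and user@REALM forms as well).
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    uid=$(id -u "$user" 2>/dev/null) || return 1
    cc=$CCACHE_DIR/krb5cc_$uid
    # Root can read any file, so refuse symlinks and anything the job owner
    # does not own before pointing smbspool at it.
    [ -f "$cc" ] && [ ! -L "$cc" ] || return 1
    [ "$(stat -c %u "$cc")" = "$uid" ] || return 1
    printf 'FILE:%s\n' "$cc"
}

backend_main() {
    # CUPS runs a backend with no arguments to list devices; pass that call
    # straight through so the backend still shows up when adding a printer.
    [ $# -eq 0 ] && exec "$SMBSPOOL"
    # Backend arguments: job-id user title copies options [file]
    if cc=$(resolve_ccache "$2"); then
        KRB5CCNAME=$cc
        export KRB5CCNAME
    else
        echo "ERROR: no usable Kerberos credential cache for job owner" >&2
    fi
    exec "$SMBSPOOL" "$@"
}

# Act as a backend only when installed under the name "smb", so the file can
# also be sourced to exercise resolve_ccache on its own.
if [ "${0##*/}" = smb ]; then backend_main "$@"; fi
```

The ownership and symlink checks matter because the wrapper runs as root while the cache lives in a world-writable directory; sites using KEYRING: or /run/user caches need a different lookup.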

Keith Ward (kward)
Changed in debian:
importance: Undecided → Unknown
status: New → Unknown
Changed in debian:
status: Unknown → New
Changed in debian:
status: New → Fix Released
Alfonso de Cala (alfem) wrote :

Fix released in Debian?

Reading the bug report (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711341) they just closed it with a wontfix.

Thomas Schweikle (tps) wrote :

Same for Ubuntu 19.10 with cups 2.2.12

supremesyntax (supremesyntax) wrote :

Still not possible to print via an SMB shared printer with kerberos authentication.

"No valid Kerberos credential cache found!"

Ubuntu 20.04.3
Cups 2.3.1
smbclient 4.11.6-Ubuntu

SE Admin (eased) wrote :

still broken, debian 711341 actually says wishful thinking to expect this to be fulfilled
-cups samba

this should be reopened

lp lists the debian status as "Debian Fix Released Unknown debbugs #711341"

this is false

In debian,

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711341

says:

 - Done: Brian Potkin <email address hidden>

what this actually means is Brian's message:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711341#12

> I think it could be wishful thinking to expect this enhancement request
> to be fulfilled any time soon. The question becomes - should we carry
> this bug in the BTS indefinitely? I think not; hence closing. Sorry.
>
> Regards,
>
> Brian.

as Alfonso said, this means wontfix https://bugs.launchpad.net/ubuntu/+source/cups/+bug/788167/comments/7

please reopen

tags: added: focal needs-reassignment patch-rejected patch-rejected-debian verification-needed-focal