CUPS cannot print to Kerberos-authenticated SMB print queue

Bug #788167 reported by Etienne Goyer on 2011-05-25
This bug affects 27 people
Affects: Debian; Status: Fix Released; Importance: Unknown
Affects: cups (Ubuntu); Importance: Undecided; Assigned to: Unassigned

Bug Description

Binary package hint: cups

That was investigated on maverick (cups 1.4.4) and natty (cups 1.4.6).

CUPS in Ubuntu cannot authenticate using Kerberos to an SMB print queue, such as one in an Active Directory. This is because the smb backend is being invoked as user lp, and this user cannot access the Kerberos credential cache of the user who submitted the job. When trying to print, the job is held for authentication, and a dialog prompting for username/password is being shown. On Windows (and possibly other OS), the user would not be prompted if he has a ticket in the Kerberos realm (i.e., "logged on to the domain") he is trying to print to.

The CUPS smb backend on Ubuntu is the smbspool binary provided by Samba. When run as a user, it will pick the Kerberos credential cache by itself and authenticate seamlessly. Otherwise, it will read the KRB5CCNAME environment variable and try to use that when possible.

There are two possible solutions to that:

- Invoke the smb backend as root and pass it the KRB5CCNAME environment variable pointing to the user's Kerberos credential cache. CUPS executes the backend as user lp if it is world-executable, which is currently the case on Ubuntu. User lp does not have the permission to read the user's credential cache, hence why the smb backend would need to be executed as root (by removing the world-executable bit). Also, CUPS does not currently set KRB5CCNAME before invoking the smb backend (see http://www.cups.org/str.php?L3847).

- Execute smbspool as the user submitting the job.

I presume we would have the same problem with other backends that would do Kerberos authentication, although I do not know of a specific one. I have only tested and investigated with the smb backend.

CUPS not setting the KRB5CCNAME environment variable has been reported upstream at http://www.cups.org/str.php?L3847.
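The check the description above walks through, as an added example that is not part of the original report or of CUPS or Samba: it applies the world-executable rule stated in the report to a backend file and then tests, by mode bits only, whether the resulting account could read a file-based credential cache. The account name lp, the /tmp/krb5cc_<uid> fallback and the helper names are assumptions.

```python
import os
import stat

def backend_run_uid(backend_path, lp_uid):
    """uid CUPS uses for the backend, per the rule stated in the report:
    world-executable -> lp, otherwise root (uid 0)."""
    mode = os.stat(backend_path).st_mode  # stat() follows the smb symlink
    return lp_uid if mode & stat.S_IXOTH else 0

def can_read(path, uid, gids=()):
    """Classic Unix mode-bit check (ignores ACLs and MAC policy)."""
    st = os.stat(path)
    if uid == 0:
        return True
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def diagnose(backend_path, ccache_path, lp_uid, lp_gids=()):
    """Report which account runs the backend and whether it can open the cache."""
    run_uid = backend_run_uid(backend_path, lp_uid)
    return {
        "backend_runs_as": "root" if run_uid == 0 else "lp",
        "ccache_readable": can_read(ccache_path, run_uid, lp_gids),
    }

def ccache_file(krb5ccname, uid):
    """Map a KRB5CCNAME value to a file path; only FILE: caches are handled.
    The /tmp/krb5cc_<uid> fallback is the usual MIT default (assumption)."""
    if not krb5ccname:
        return "/tmp/krb5cc_%d" % uid
    if krb5ccname.startswith("FILE:"):
        return krb5ccname[len("FILE:"):]
    if ":" in krb5ccname:
        raise ValueError("non-file credential cache: " + krb5ccname)
    return krb5ccname

if __name__ == "__main__":
    import pwd
    lp = pwd.getpwnam("lp")  # assumes the CUPS service account is named lp
    cache = ccache_file(os.environ.get("KRB5CCNAME"), os.getuid())
    print(diagnose("/usr/lib/cups/backend/smb", cache,
                   lp.pw_uid, os.getgrouplist("lp", lp.pw_gid)))
```

Run it as the user who holds the ticket. A result of root with a readable cache also means any flaw in the backend is reachable with root privileges, which is the trade-off of the first proposed solution.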

Beli (beli) wrote :

Hi, in openSUSE there is a package called "samba-krb-printing" that does just that - serves as a wrapper for smbspool that enables correct kerberos auth. And it works, I used it in openSUSE to print to windows print servers in AD domain. I suppose it could be easily ported to Ubuntu, I may even do it myself if I find some spare time.
Best regards.

Changed in cups (Ubuntu):
status: New → Confirmed

Bart Vermeulen (bartverm) wrote :

Still doesn't work under Oneiric with CUPS 1.5

Just noting that the upstream bug is listed as "fixed in subversion" as of May 25, 2011, targeted for CUPS 1.4.7.

It also notes that the smb backend would need to be updated for CUPS 1.5; I can't find out if the Samba guys have included the AUTH_UID stuff, though...

Robstarusa (rob-naseca) wrote :

Affects me on quantal

PorkCharSui (porkcharsui) wrote :

Same with Trusty. The script mentioned here, http://ubuntuforums.org/showthread.php?t=2176738, does work. If you've installed your samba printer and then replace the symlink /usr/lib/cups/backend/smb (pointing to /usr/bin/smbspool) with the script mentioned in the link, authenticated printing over samba with kerberos works. It only has one problem. After replacing the symlink /usr/lib/cups/backend/smb with the script from the link, it becomes impossible to install samba printers either through cups or the GUI. Replace the script with the original symlink to /usr/bin/smbspool and you can install samba printers again. I would really like a good solution for this, since we now have the option to either print or to install a printer, but not both.

Keith Ward (kward) on 2017-01-11
Changed in debian:
importance: Undecided → Unknown
status: New → Unknown
Changed in debian:
status: Unknown → New
Changed in debian:
status: New → Fix Released

Alfonso de Cala (alfem) wrote :

Fix released in Debian?

Reading the bug report (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711341) they just closed it with a wontfix.
