Ubuntu
system-config-printer package

system-config-printer: Windows/Samba printer authentication too complicated

Bug #848065 reported by sdaau
26
This bug affects 4 people
Affects Status Importance Assigned to Milestone
system-config-printer (Ubuntu)
Confirmed
Medium
Unassigned

Bug Description

Hi all,

Apologies for the nagging if this is not really a bug... but here it is:

I have already posted about this here:

http://stackoverflow.com/questions/7150774/python-samba-user-credentials-not-passed-cli-init-creds

... here it is in brief:

I'm using Ubuntu machine at work, where printers are shared via Samba.

Assume on that network, I am <email address hidden> (apparently, the 'myworkdomain.com' is my "workgroup") with password MYWORKPASSWORD; and I'm trying to access PRINTSHARENAME on the print server printserver.myworkdomain.com.

Trying to list the print shares using smbclient seems to work fine (even though there is that "session request failed"):

$ smbclient -L \\printserver.myworkdomain.com -U MYWORKUSERNAME -W myworkdomain.com
Enter MYWORKUSERNAME's password:
Domain=[MYWORKDOMAIN] OS=[Windows Server 2008 R2 Enterprise 7601 Service Pack 1] Server=[Windows Server 2008 R2 Enterprise 6.1]

 Sharename Type Comment
 --------- ---- -------
 printer-name Printer HP Color LaserJet CP6015DN PCL6
 PRINTSHARENAME Printer HP Color LaserJet CP6015DN PCL6
...
 print$ Disk Printer Drivers
session request to PRINTSERVER.MY failed (Called name not present)
Domain=[MYWORKDOMAIN] OS=[Windows Server 2008 R2 Enterprise 7601 Service Pack 1] Server=[Windows Server 2008 R2 Enterprise 6.1]

 Server Comment
 --------- -------

 Workgroup Master
 --------- -------

However, system-config-printer fails to either list these printers, or to add them explicitly. For system-config-printer, I'm supposed to enter the SAMBA address:

smb://myworkdomain.com/printserver.myworkdomain.com/PRINTSHARENAME

... but when I do that, and click on Verify, I'm asked for user credentials (it's on "Prompt user if authentication is required"), which I enter, and then the process fails with "Not authorized : The password may be incorrect".

Here are the last few lines of `system-config-printer --debug`:

pysmb: authentication pass: 2
pysmb: try auth as guest
pysmb: got password callback; user LoCaLuSeR, use_user guest; workgroup WORKGROUP, self.use_workgroup WORKGROUP; server printserver.myworkdomain.com, share PRINTSHARENAME
pysmb: operation failed: PermissionError(13, 'Permission denied')
pysmb: authentication pass: 3
pysmb: try as LoCaLuSeR
pysmb: got password callback; user LoCaLuSeR, use_user MYWORKUSERNAME; workgroup WORKGROUP, self.use_workgroup myworkdomain.com; server printserver.myworkdomain.com, share PRINTSHARENAME
pysmb: operation failed: PermissionError(13, 'Permission denied')
pysmb: authentication pass: 4
get_notifications
update_jobs
Next notifications fetch in 60s
[here prompt repeats]

Apparently, after iterating local users on the machine, then it finally gets to the auth entered in the "Verify" prompt, but that doesn't seem to do much...

I have isolated this in a small Python script, extracting relevant lines from system-config-printer, below:

import smbc, os
def do_auth (svr, shr, wg, un, pw):
  return ("myworkdomain.com", "MYWORKUSERNAME", "MYWORKPASSWORD")

ctx = smbc.Context (debug=10, auth_fn=do_auth)
f = ctx.open ("smb://%s/%s" % ("printserver.myworkdomain.com", "PRINTSHARENAME"), os.O_RDWR, 0777)

When I run this script (python test.py) - I get at the end:

....
smb_mid=3
smt_wct=0
smb_bcc=0
SPNEGO login failed: Logon failure
cli_init_creds: user domain myworkdomain.com
 session setup ok
map_errno_from_nt_status: 32 bit codes: code=c0000022
Traceback (most recent call last):
  File "test.py", line 6, in <module>
    f = ctx.open ("smb://%s/%s" % ("printserver.myworkdomain.com", "PRINTSHARENAME"), os.O_RDWR, 0777)
smbc.PermissionError: (13, 'Permission denied')

... as if the user name hasn't propagated at all to cli_init_creds!

So, if smbclient can list the shares, then I guess system-config-printer should also be able to list them (and connect to them)? Which is why I thought this is a bug - if I was wrong, sorry about that :)

Thanks in advance for any guidance for this,
Cheers!

PS:
Ubuntu 11.04
$ apt-cache policy system-config-printer-gnome
system-config-printer-gnome:
  Installed: 1.3.1+20110222-0ubuntu16.3
  Candidate: 1.3.1+20110222-0ubuntu16.3

Revision history for this message
Till Kamppeter (till-kamppeter) wrote :

Tim, can you have a look into this?

Revision history for this message
Tim Waugh (twaugh) wrote :

Try setting the PYSMBC_DEBUG environment variable to "1" before running your test program. What output do you get?

Till Kamppeter (till-kamppeter)
Changed in system-config-printer (Ubuntu):
status: New → Incomplete
Revision history for this message
sdaau (sd-imi) wrote :

Hi @till-kamppeter, @twaugh,

Many thanks for the responses!

> Try setting the PYSMBC_DEBUG environment variable to "1"
> before running your test program. What output do you get?

Sorry I wasn't able to deliver this by now..

I just tried setting that variable, and calling:

PYSMBC_DEBUG=1 python test.py 2>&1 | tee logout_pysmbc_04-oct-2011.txt

... and the logout_pysmbc_04-oct-2011.txt is attached.

I tried to again obfuscate / search/replace all direct mentions of the work server addresses, and convert them to strings like in the original post example - except, for better accuracy, now it shows 'my.workdomain.com' for the domain I'm member of, printserver is thus 'printserver.workdomain.com' - and so the "master" site is "workdomain.com".

Note, I remember I did something at a certain point to increase log verbosity, but I can't really remember what - so this log may actually generate a bit more data than what PYSMBC_DEBUG=1 would cause..

Anyways, let me know if I can assist further with this.

Thanks again - Cheers!

Revision history for this message
Tim Waugh (twaugh) wrote :

Could the problem be to do with some unusual character in your password (or username)? Are you able to try with a "simpler" one?

I don't really know what the problem might be otherwise, I'm afraid.

Revision history for this message
sdaau (sd-imi) wrote :

Hi @twaugh,

Many thanks for your response! I don't believe I have any unusual characters in the password, but I think it will be possible for me to try with a new password (but that will take some time to report on).

Btw, one of the techies here mentioned once there were some changes in the SMB URI's (?!), I searched for that around a bit, and found this post for Mac, where (I guess) something similar is mentioned:

SMB client URL works in 10.4.10, breaks...: Apple Support Communities -
https://discussions.apple.com/thread/1209800?start=0&tstart=0

Could this have anything to do with this problem?

Thanks again,
Cheers!

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for system-config-printer (Ubuntu) because there has been no activity for 60 days.]

Changed in system-config-printer (Ubuntu):
status: Incomplete → Expired
Revision history for this message
Steffen Hemer (s-hemer) wrote :

I noticed a that bug too. In my case the authentification is rejected when I lgoin via the prompt and when trying to verify my login data in the login data fields on adding the printer. But when use the "Search ... " (Durchsuchen)-button with entered MYWORKGROUP/server/, it asks not just for the username and the password but also for the workgroup and I can login and view all the available printers there.
So it seems that the workgroup give in the smb://-line isn't used correctly on login (it may use standard WORKGROUP instead).

Hopefully this may help.

Revision history for this message
sdaau (sd-imi) wrote :
Revision history for this message
sdaau (sd-imi) wrote :
Revision history for this message
sdaau (sd-imi) wrote :
Revision history for this message
sdaau (sd-imi) wrote :
Revision history for this message
sdaau (sd-imi) wrote :
Revision history for this message
sdaau (sd-imi) wrote :
Download full text (5.1 KiB)

Hi @s-hemer,

Many, many thanks for your note! I believe it helped me solve both this issue, and the issue in SO:7150774 (mentioned in OP).

(Also, note that in the text below, I tried to add links to the screenshots added as attachments)

> But when use the "Search ... " (Durchsuchen)-button with
> entered MYWORKGROUP/server/, it asks not just for the
> username and the password but also for the workgroup and I
> can login and view all the available printers there.

This was the critical tip - I take it you were talking about the `system-config-printer` applet; however, I had some problems finding exactly where this "Search" button is there.

First of all, in system-config-printer, upon "Add" / "Printer", one can choose "Find network printer":

https://launchpadlibrarian.net/96462666/sys-conf-print-findnet.png

... however, as the screenshot shows, the "Host" field there doesn't accept forward slash ("removed disallowed character /") nor backslash - so, an address like 'MYWORKGROUP/server/' cannot be entered.

So, I tried the "Windows Printer via SAMBA" option. But first, let me repeat my settings (a little more precisely than in the original post):

* My local username on my Ubuntu machine: MYUSERNAME
* Main address (domain) of the work network: myworkdomain.com
* My account name on the work network: MYWORKUSERNAME
* My work account is a member of workgroup MYWORKGROUP, which also has a subdomain myworkgroup.myworkdomain.com
* The print server on the work network is at printserver.myworkdomain.com
* The printer name (share) on the print server at work I want to access is PRINTSHARENAME

Note that in this work setup, my email address would be: <email address hidden>

Second of all - our IT at work supplies information, that in order to connect to printers, we should use the stanza:

smb://Userdomain/PrintServer/PrinterName

... in order to connect via CUPS (although, for some reason, the localhost:631 always kept failing for me - which is why I wanted to use system-config-printer instead).

So, the first part of the trick here, was to use the "Windows Printer via SAMBA" option in system-config-printer - *and* enter the *full* path to the given printer. I was otherwise hoping that I could use just `smb://Userdomain/PrintServer` and obtain a list of available printers, but cannot get that to work via system-config-printer (however, I can use either smbclient for that; or login to terminal console via rdesktop; and observe the printer names).

So, in my case, I enter:

smb://myworkgroup.myworkdomain.com/printserver.myworkdomain.com/PRINTSHARENAME

... in the "SMB Printer" field:

https://launchpadlibrarian.net/96464829/sys-conf-print-new-smb.png

... and then click on "Verify" button.

Finally, I can see the auth prompt window that has the domain:

https://launchpadlibrarian.net/96466242/sys-conf-print-smb-auth.png

And here I have to enter:
* Username: my full work email address, <email address hidden>
* .. and also password..

... however, the second part of the trick here, is that the "Domain:" field should have the workgroup name here in allcaps (as Windows usually refers to it) - for me, I *...

Read more...

Revision history for this message
Till Kamppeter (till-kamppeter) wrote :

Principally using Windows/SMB-shared printers with authentication works, but the UI could be simplified a lot.

Changed in system-config-printer (Ubuntu):
status: Expired → Confirmed
importance: Undecided → Medium
summary: - system-config-printer cannot authenticate Windows Samba printer, while
- smbclient can (cli_init_creds)
+ system-config-printer: Windows/Samba printer authentication too
+ complicated
Revision history for this message
Matthew Paul Thomas (mpt) wrote :

It looks to me that the problem here is both the "New Printer" dialog and "Authentication" alert require people to concatenate strings -- workgroup, server, port, printer, etc -- and to get the separator and capitalization exactly right each time.

So, why not have separate fields for each of those strings, then in the "New Printer" dialog, display the assembled URL as constantly-updating text underneath the last of those fields?

If the reason is that some people are given a pre-assembled smb:// URL by their IT department, then that constantly-updating URL can be its own editable field. Editing any of the component fields would live-update the URL field below, and editing the URL field would live-update the component fields above.

Revision history for this message
steve taylor (stevemail) wrote :

Just to add to the authentication issue:
On Ubuntu 12.04 I am experiencing this problem now.

I have a Kodak Hero 5.1 with the driver in synaptic as well as Launchpad.

Was working fine but since various updates I can no longer connect via wireless on this home printer.
I can connect easily via USB port.

Having spent all day with this, there has got to be a simpler way to do this, too many perameters, too confusing.
It's supposed to just work.

I have yet to check if my two Mint boxes can still print wirless. Don't want to know at the moment. Hmm

Revision history for this message
SRoesgen (s-roesgen) wrote :

@steve taylor
have a look at bug 987212 it could be that you are affected by the same issue. Something in cup's dnssd module is seemingly broken (at least if you try to discover printers over WLAN).

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.