[Pkg-samba-maint] smbspool vs smbspool_krb5_wrapper

Andrew Bartlett abartlet at samba.org
Tue Apr 5 09:55:06 BST 2022 

On Tue, 2022-04-05 at 11:26 +0300, Michael Tokarev wrote:
> Hi!
> 
> For a very long time, apparently, we ship smbspool
> backend for cups in samba package in a wrong way.
> 
> source3/client/smbspool_krb5_wrapper.c reads:
> 
> /*
>   * This is a helper binary to execute smbspool.
>   *
>   * It needs to be installed or symlinked as:
>   *      /usr/lib/cups/backend/smb
>   *
>   * The permissions of the binary need to be set to 0700 so that it
> is executed
>   * as root. The binary switches to the user which is passed via the
> environment
>   * variable AUTH_UID, so we can access the kerberos ticket.
>   */
> 
> And we have:
>   /usr/lib/cups/backend/smb => /usr/bin/smbspool
> 
> Is it okay for smbspool to be run as root to start
> with ? Or does cups run things as different user
> when it has wider than 0700 file permissions?
> 
> Should it be
> 
>   usr/lib/cups/backend/smb =>
>     usr/libexec/samba/smbspool_krb5_wrapper
> 
> instead?
> 
> (This is how the move to libexec "affects" cups: it doesn't).
> 
> But overall, does it really matter?  What this wrapper is
> supposed to do, what _is_ this $AUTH_UID thing, when we
> are run from cups? Is it a local user who submitted a
> print job, and the backend runs under this local user?
> How about remote print jobs?
> 
> Just guessing here. Can cups people answer some of that?

My understanding is that we want the binary executed as root and then
it will change to the 'correct' user and find the right krb5 ccache.

This commit might be enlightening:

commit c95d32f685d989c91e62a734229d2bd241291315
Author: Mikhail Novosyolov <m.novosyolov at rosalinux.ru>
Date:   Sun Nov 3 01:47:51 2019 +0300

    s3:smbspool: print a hint about smbspool_krb5_wrapper
    
    When I first met with the situation that Kerberos kredentials cache of root
    user was looked for instead of the one of the printing task creator,
    it took a lot of time to understand that smbspool_krb5_wrapper will resolve this.
    
    Signed-off-by: Mikhail Novosyolov <m.novosyolov at rosalinux.ru>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 34def0c91a9..5e2d230ab8b 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -699,8 +699,8 @@ smb_connect(struct cli_state **output_cli,
        if (strcmp(auth_info_required, "negotiate") == 0) {
                if (!kerberos_ccache_is_valid()) {
                        fprintf(stderr,
-                               "ERROR: No valid Kerberos credential cache "
-                               "found!\n");
+                               "ERROR: No valid Kerberos credential cache found! "
+                               "Using smbspool_krb5_wrapper may help.\n");
                        return NT_STATUS_LOGON_FAILURE;
                }
                user = jobusername;

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions

More information about the Pkg-samba-maint mailing list