[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#711341: marked as done ([cups] Please call smbspool under user identity to allow it to read kerberos TGT)

Your message dated Thu, 9 Mar 2017 18:40:41 +0000
with message-id <09032017183724.1bbc0a8d3e3f@desktop.copernicus.org.uk>
and subject line Re: Bug#711341: [cups] Please call smbspool under user identity to allow it to read kerberos TGT
has caused the Debian Bug report #711341,
regarding [cups] Please call smbspool under user identity to allow it to read kerberos TGT
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
711341: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711341
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: cups
Version: 1.6.2-8
Severity: normal

--- Please enter the report below this line. ---
smbspool linked as smb in /usr/lib/cups/backend/ is able to read /tmp/krb5cc_${uid} (or content of KRB5CCNAME variable) and authenticate itself with kerberos on a shared samba or windows printer.
for exemple, launching as user:
DEVICE_URI=smb://SERVER/Printer strace -e trace=open smbspool 1 user "Test print" 1 "none" <<EOF
printed OK
EOF
works

smbspool is launched with lp user so it does not have krb5 infos.
A workaround is to add login and password in the printer URI but the password appears in clear text in /etc/cups/printer.conf and this method is not applicable when a worksation is used by more than one user.
Some used to replace /usr/lib/cups/backend/smb by a wrapper that calls su -u user smbspools, but thi can't work when launched as lp. It may be possible to play with sudo and NOPASSWD: directives to but it can bring security problems.

--- System information. ---
Architecture: amd64
Kernel: Linux 3.9-1-amd64

Debian Release: jessie/sid
500 unstable http.debian.net
500 testing http.debian.net
500 stable security.debian.org
500 stable http.debian.net
101 experimental http.debian.net

--- Package information. ---
Depends (Version) | Installed
=====================================-+-===============
libavahi-client3 (>= 0.6.16) |
libavahi-common3 (>= 0.6.16) |
libc6 (>= 2.16) |
libcups2 (= 1.6.2-8) |
libcupscgi1 (>= 1.4.2) |
libcupsimage2 (>= 1.4.0) |
libcupsmime1 (>= 1.4.0) |
libcupsppdc1 (>= 1.4.0) |
libgcc1 (>= 1:4.1.1) |
libstdc++6 (>= 4.1.1) |
libusb-1.0-0 (>= 2:1.0.8) |
debconf (>= 1.2.9) |
OR debconf-2.0 |
libc-bin (>= 2.13) |
cups-daemon (>= 1.6.2-8) |
poppler-utils (>= 0.12) |
procps |
ghostscript (>= 9.02~) |
lsb-base (>= 3) |
cups-common (>= 1.6.2-8) |
cups-server-common (>= 1.6.2-8) |
cups-client (>= 1.6.2-8) |
cups-ppdc |
cups-filters (>= 1.0.24-3~) |


Recommends (Version) | Installed
========================================-+-===========
avahi-daemon | 0.6.31-2
colord | 0.1.21-4
foomatic-filters (>= 4.0) | 4.0.17-1
printer-driver-gutenprint | 5.2.9-1
ghostscript-cups (>= 9.02~) | 9.05~dfsg-6.3


Suggests (Version) | Installed
==========================================-+-===========
cups-bsd | 1.6.2-8
foomatic-db-compressed-ppds | 20130517-1
OR foomatic-db |
printer-driver-hpcups | 3.13.4-1+b1
hplip | 3.13.4-1+b1
cups-pdf |
udev | 175-7.2
smbclient | 2:3.6.15-1





--

Landry MINOZA
MGI Sud-Ouest
Pour le compte du département informatique
de l’établissement public de musée d’Orsay et de l’Orangerie
Chef de projet technique Linux et réseaux
E-mail : landry.minoza@musee-orsay.fr

Tél :01 40 49 47 15

Musée d’Orsay et de l’Orangerie :62 rue de Lille - 75343 Paris Cedex 07 | www.musee-orsay.fr

MGI France :5 rue Sextius Michel - 75015 Paris | RCS: Paris B 382 770 584 | www.mgi.fr
MGI SO :281 route d'Espagne - 31100 Toulouse | RCS: Toulouse B 421 125 816 | www.mgi.fr
MGI Suisse :5 avenue de Rothorn - CH3960 Sierre | TVA 517-269 | www.mgiconsultants.ch

--- End Message ---
--- Begin Message --- 
On Thu 06 Jun 2013 at 12:33:39 +0000, MINOZA Landry wrote:

> smbspool linked as smb in /usr/lib/cups/backend/ is able to read
> /tmp/krb5cc_${uid} (or content of KRB5CCNAME variable) and
> authenticate itself with kerberos on a shared samba or windows
> printer.
> for exemple, launching as user:
> DEVICE_URI=smb://SERVER/Printer strace -e trace=open smbspool 1 user "Test print" 1 "none" <<EOF
> printed OK
> EOF
> works
> 
> smbspool is launched with lp user so it does not have krb5 infos.
> A workaround is to add login and password in the printer URI but the
> password appears in clear text in /etc/cups/printer.conf and this
> method is not applicable when a worksation is used by more than one
> user.
> Some used to replace /usr/lib/cups/backend/smb by a wrapper that calls
> su -u user smbspools, but thi can't work when launched as lp. It may
> be possible to play with sudo and NOPASSWD: directives to but it can
> bring security problems.

I think it could be wishful thinking to expect this enhancement request
to be fulfilled any time soon. The question becomes - should we carry
this bug in the BTS indefinitely? I think not; hence closing. Sorry.

Regards,

Brian.

--- End Message ---
Reply to: