Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Possible values of AUTH_INFO_REQUIRED #5674

Closed
mikhailnov opened this issue Oct 30, 2019 · 1 comment
Closed

Possible values of AUTH_INFO_REQUIRED #5674

mikhailnov opened this issue Oct 30, 2019 · 1 comment
Assignees
@michaelrsweet
Labels
question General usage question

Comments

@mikhailnov
Copy link

We have been investigating how smbspool and smbspool_krb5_wrapper from samba must deal with AUTH_INFO_REQUIRED environmental variable.

Discussion was here: https://lists.samba.org/archive/samba-technical/2019-October/134476.html (and other emails in that thread)

I see in job.c that AUTH_INFO_REQUIRED may have up to 4 comma-separated values. Its possible values are not docimented and for me were not clear in the source code.

I know about following possible values:

  • AUTH_INFO_REQUIRED=none
  • AUTH_INFO_REQUIRED=negotiate
  • AUTH_INFO_REQUIRED=username,password

Can AUTH_INFO_REQUIRED be null (not set or empty)? If yes, in which cases? What are other possible values and which combinations are possible?

This code tries to understand if kerberos authorization using credentials of the creator of the printing task will be needed or not:
https://git.samba.org/?p=asn/samba.git;a=blob;f=source3/client/smbspool_krb5_wrapper.c;h=85b0d0952a9d190b4e1eb8cac104c21af557c3e3;hb=20dd0308aa072ed656550af487338b50cda9b59f
If it is not needed, then goto smbspool; must be done.

Currently this code seems not very correct to me because:

  • it tries to deal with AUTH_INFO_REQUIRED being null, I don't undertand how it can be null, cups code seems to always set it to at least none
  • if AUTH_INFO_REQUIRED is not either username,password or negotiate or null ot none, than that code does not proceed with non-kernerized authentication

So the main question here is how we must deal with possible values of AUTH_INFO_REQUIRED which are not documented.

Thank you!
@michaelrsweet michaelrsweet self-assigned this Oct 31, 2019
@michaelrsweet michaelrsweet added the question General usage question label Oct 31, 2019
@michaelrsweet
Copy link
Collaborator

@mikhailnov The values of AUTH_INFO_REQUIRED are documented here, although looking at it I see the "negotiate" value is not defined...

For SMB, the three values you should expect are:

  • none: Anonymous/guest printing
  • username,password: A username (of the form "username" or "DOMAIN\username") and password are required
  • negotiate: Kerberized printing

The NULL check is probably useful when running directly/interactively, as not all users/software will set every cupsd environment variable...

One other responsibility of a backend that uses AUTH_INFO and AUTH_INFO_REQUIRED is to update the value of the "auth-info-required" attribute as needed. This is done by sending an ATTR: message to stderr, like:

ATTR: auth-info-required=negotiate
ATTR: auth-info-required=username,password

Doing so will make sure that cupsd collects the correct credentials/identity information when a job is submitted so you'll be able to do the right thing in the SMB backend...

michaelrsweet added a commit that referenced this issue Oct 31, 2019
@michaelrsweet
Update documentation of auth-info-required values (Issue #5674)
025b8ce
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@michaelrsweet michaelrsweet

Labels
question General usage question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@michaelrsweet @mikhailnov