samba - May 2015 - [Solved] A working CUPS authentication now fails without change anything...

Greetings, Daniel Carrasco Mar?n!
>>>  Hi again!!, this time is not for help request as always :P finally
i've
>>>> found the solution and I want to share it.
>>>> The problem was just permissions. If you change the keytab
permission to
>>>> 644 it works perfect: chmod 644 /etc/krb5.keytab
>>>> Anyway I don't understand why the daemons can't read
that file when are
>>>> running as root.
>>>>
>>>
>>> Not all daemons are run as root, far from that.
>>> Most of single-purpose daemons, such as cups, run as their own
users.
>>>
>>
>> Yep, this is done for security purposes so that if one process is
>> compromised, it doesn't have administrative access to the rest of
the
>> system.
>>
>> In a similar vein, you don't generally want any process on the
machine to
>> have access to some things.  The system kerberos keytab is probably one
of
>> those.  If cups is running as it's own user, a better solution
would be to
>> either generate a new keytab just for cups, or copy the existing keytab
and
>> make it only readable by the cups user.
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
> Yes, for now keytab is compromised.
> Cups calls pam authentication, and pam use winbind then I need to give
> permissions to winbind daemon but i don't know what account is using
that
> daemon. How i can see it?, because ps aux shows the most as root.
winbind normally have access to Kerberos keytab by default.
I see no reason why it would not.


-- 
With best regards,
Andrey Repin
Tuesday, May 12, 2015 22:28:05

Sorry for my terrible english...

2015-05-12 21:28 GMT+02:00 Andrey Repin <anrdaemon at yandex.ru>:
> Greetings, Daniel Carrasco Mar?n!
>
> >>>  Hi again!!, this time is not for help request as always :P
finally
> i've
> >>>> found the solution and I want to share it.
> >>>> The problem was just permissions. If you change the keytab
permission
> to
> >>>> 644 it works perfect: chmod 644 /etc/krb5.keytab
> >>>> Anyway I don't understand why the daemons can't
read that file when
> are
> >>>> running as root.
> >>>>
> >>>
> >>> Not all daemons are run as root, far from that.
> >>> Most of single-purpose daemons, such as cups, run as their own
users.
> >>>
> >>
> >> Yep, this is done for security purposes so that if one process is
> >> compromised, it doesn't have administrative access to the rest
of the
> >> system.
> >>
> >> In a similar vein, you don't generally want any process on the
machine
> to
> >> have access to some things.  The system kerberos keytab is
probably one
> of
> >> those.  If cups is running as it's own user, a better solution
would be
> to
> >> either generate a new keytab just for cups, or copy the existing
keytab
> and
> >> make it only readable by the cups user.
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
>
> > Yes, for now keytab is compromised.
>
> > Cups calls pam authentication, and pam use winbind then I need to give
> > permissions to winbind daemon but i don't know what account is
using that
> > daemon. How i can see it?, because ps aux shows the most as root.
>
> winbind normally have access to Kerberos keytab by default.
> I see no reason why it would not.
>
I don't know why, but winbind was failing (access denied) until
i''ve
changed the permissions to 644. I've tried a lot of things and the file was
created by samba but was failing until i've changed the permissions.

Greetings!!

>
> --
> With best regards,
> Andrey Repin
> Tuesday, May 12, 2015 22:28:05
>
> Sorry for my terrible english...
>

Greetings, Daniel Carrasco Mar?n!
>> > Cups calls pam authentication, and pam use winbind then I need to
give
>> > permissions to winbind daemon but i don't know what account is
using that
>> > daemon. How i can see it?, because ps aux shows the most as root.
>>
>> winbind normally have access to Kerberos keytab by default.
>> I see no reason why it would not.
>>
> I don't know why, but winbind was failing (access denied) until
i''ve
> changed the permissions to 644. I've tried a lot of things and the file
was
> created by samba but was failing until i've changed the permissions.
I would start from a level 10 log of winbind calls with "debug uid =
yes"


-- 
With best regards,
Andrey Repin
Wednesday, May 13, 2015 02:05:02

Sorry for my terrible english...