Andrey Repin
2015-May-12 19:28 UTC
[Samba] [Solved] A working CUPS authentication now fails without change anything...
Greetings, Daniel Carrasco Marín!

>>>> Hi again!!, this time is not for help request as always :P finally i've
>>>> found the solution and I want to share it.
>>>> The problem was just permissions. If you change the keytab permission to
>>>> 644 it works perfect: chmod 644 /etc/krb5.keytab
>>>> Anyway I don't understand why the daemons can't read that file when are
>>>> running as root.
>>>>
>>>
>>> Not all daemons are run as root, far from that.
>>> Most of single-purpose daemons, such as cups, run as their own users.
>>>
>>
>> Yep, this is done for security purposes so that if one process is
>> compromised, it doesn't have administrative access to the rest of the
>> system.
>>
>> In a similar vein, you don't generally want any process on the machine to
>> have access to some things. The system kerberos keytab is probably one of
>> those. If cups is running as its own user, a better solution would be to
>> either generate a new keytab just for cups, or copy the existing keytab and
>> make it only readable by the cups user.
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>

> Yes, for now keytab is compromised.

> Cups calls pam authentication, and pam use winbind then I need to give
> permissions to winbind daemon but i don't know what account is using that
> daemon. How i can see it?, because ps aux shows the most as root.

winbind normally have access to Kerberos keytab by default.
I see no reason why it would not.

--
With best regards,
Andrey Repin
Tuesday, May 12, 2015 22:28:05

Sorry for my terrible english...
Daniel Carrasco Marín
2015-May-12 19:41 UTC
[Samba] [Solved] A working CUPS authentication now fails without change anything...
2015-05-12 21:28 GMT+02:00 Andrey Repin <anrdaemon at yandex.ru>:

> Greetings, Daniel Carrasco Marín!
>
> >>>> Hi again!!, this time is not for help request as always :P finally i've
> >>>> found the solution and I want to share it.
> >>>> The problem was just permissions. If you change the keytab permission to
> >>>> 644 it works perfect: chmod 644 /etc/krb5.keytab
> >>>> Anyway I don't understand why the daemons can't read that file when are
> >>>> running as root.
> >>>>
> >>>
> >>> Not all daemons are run as root, far from that.
> >>> Most of single-purpose daemons, such as cups, run as their own users.
> >>>
> >>
> >> Yep, this is done for security purposes so that if one process is
> >> compromised, it doesn't have administrative access to the rest of the
> >> system.
> >>
> >> In a similar vein, you don't generally want any process on the machine to
> >> have access to some things. The system kerberos keytab is probably one of
> >> those. If cups is running as its own user, a better solution would be to
> >> either generate a new keytab just for cups, or copy the existing keytab and
> >> make it only readable by the cups user.
> >>
>
> > Yes, for now keytab is compromised.
>
> > Cups calls pam authentication, and pam use winbind then I need to give
> > permissions to winbind daemon but i don't know what account is using that
> > daemon. How i can see it?, because ps aux shows the most as root.
>
> winbind normally have access to Kerberos keytab by default.
> I see no reason why it would not.
>

I don't know why, but winbind was failing (access denied) until i've changed
the permissions to 644. I've tried a lot of things and the file was created by
samba but was failing until i've changed the permissions.

Greetings!!

> --
> With best regards,
> Andrey Repin
> Tuesday, May 12, 2015 22:28:05
>
> Sorry for my terrible english...
>
Andrey Repin
2015-May-12 23:06 UTC
[Samba] [Solved] A working CUPS authentication now fails without change anything...
Greetings, Daniel Carrasco Marín!

>> > Cups calls pam authentication, and pam use winbind then I need to give
>> > permissions to winbind daemon but i don't know what account is using that
>> > daemon. How i can see it?, because ps aux shows the most as root.
>>
>> winbind normally have access to Kerberos keytab by default.
>> I see no reason why it would not.
>>

> I don't know why, but winbind was failing (access denied) until i've
> changed the permissions to 644. I've tried a lot of things and the file was
> created by samba but was failing until i've changed the permissions.

I would start from a level 10 log of winbind calls with "debug uid = yes"

--
With best regards,
Andrey Repin
Wednesday, May 13, 2015 02:05:02

Sorry for my terrible english...
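
An added example, not part of any message in this thread: a shell sketch of the alternative quoted above, a private copy of the keytab readable only by the service account instead of `chmod 644`, with a check that flags a keytab open to group or other. The function names are hypothetical, the demo runs on a constructed stand-in file rather than a real keytab, and the owner is passed as a numeric UID (in real use, the UID of the account the daemon runs as).

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not Samba or CUPS tooling.

# Octal mode and numeric owner of a file (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_uid()  { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# keytab_audit FILE [UID]: return 0 if FILE gives no access to group/other
# (and is owned by UID when given), 1 if it is too open, 2 if it is missing.
keytab_audit() {
    kt=$1; want_uid=${2:-}
    [ -f "$kt" ] || { echo "MISSING $kt"; return 2; }
    mode=$(file_mode "$kt"); uid=$(file_uid "$kt"); rc=0
    # Leading 0 makes the shell read the mode as octal; 077 = group+other bits.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "WEAK $kt mode=$mode (group/other can access the keys)"; rc=1
    fi
    if [ -n "$want_uid" ] && [ "$uid" != "$want_uid" ]; then
        echo "OWNER $kt uid=$uid expected=$want_uid"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $kt mode=$mode uid=$uid"
    return "$rc"
}

# make_service_keytab SRC DST UID: private copy of SRC for one service account.
make_service_keytab() {
    src=$1; dst=$2; svc_uid=$3
    rm -f "$dst" || return 1
    # umask 077 in a subshell: the copy is never readable by group/other.
    ( umask 077 && cp "$src" "$dst" ) || return 1
    chmod 600 "$dst" && chown "$svc_uid" "$dst"
}

# Demo on a constructed stand-in file (not a real keytab).
demo_dir=$(mktemp -d)
printf 'constructed-placeholder' > "$demo_dir/krb5.keytab"
chmod 644 "$demo_dir/krb5.keytab"                 # the mode used in the thread
keytab_audit "$demo_dir/krb5.keytab"              # reports WEAK
make_service_keytab "$demo_dir/krb5.keytab" "$demo_dir/cups.keytab" "$(id -u)"
keytab_audit "$demo_dir/cups.keytab" "$(id -u)"   # reports OK
rm -rf "$demo_dir"
```

Changing the owner to an account other than the caller's requires root.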