> Sent: Saturday, September 22, 2018 at 12:08 PM > From: "Robert Schetterer via samba" <samba at lists.samba.org> > To: samba at lists.samba.org > Subject: Re: [Samba] Printing via SMB-Kerberos no longer works > > Am 22.09.2018 um 09:49 schrieb Alex Persson via samba: > > After upgrading from Ubuntu 16.04 to 18.04 printing via SMB-Kerberos no longer works (printing still works in 18.04 when I print via SMB but I don't want to have the password stored in clear text in /usr/lib/cups/backend/smb). > > > > In 16.04 I can just type "lpr file.pdf", but when doing this in 18.04 I get "Password for [myuser] on localhost?" and it expects me to type my password instead of using my Kerberos ticket for sending the print job to the print queue. > > > > I have the same Kerberos ticket available according to "klist" in 18.04 as I had in 16.04. > > I have "AuthInfoRequired negotiate" in /etc/cups/printers.conf > > The file /usr/lib/cups/backend/smb is a symbolic link pointing to /usr/lib/x86_64-linux-gnu/samba/smbspool_krb5_wrapper (in 16.04 it was pointing at /usr/bin/smbspool_krb5_wrapper). > > The permission is 700 on /usr/lib/x86_64-linux-gnu/samba/smbspool_krb5_wrapper. > > The version of cups is 2.2.7-1ubuntu2.1 in 18.04 while it was 2.1.3-4ubuntu0.5 in 16.04. > > The version of smbclient is 2:4.7.6+dfsg~ubuntu-0ubuntu2.2 in 18.04 while it was 2:4.3.11+dfsg-0ubuntu0.16.04.16 16.04. > > > > Can you please help me figure out what the problem is? Maybe it is something wrong with smbspool_krb5_wrapper from the smbclient package? > > this feature broke times before by varia reasons > "just a shot in the dark", if you use kerberos tickets in /tmp then > stuff changed in 18.04 this also broke our cifs automounter > see here > https://blog.nutmeg.at/2017/04/17/getting-pam-krb5-working-autofs-and-cifs/ > i did > default_ccache_name = FILE:/tmp/krb5cc_%{uid} > in /etc/krb5.conf > to fix our problemThanks you very much for your answer! I tried to set default_ccache_name in /etc/krb5.conf as you suggest above but "lpr" still asks "Password for [myuser] on localhost?". My CIFS mount works fine (as before) and I have $KRB5CCNAME set in my env and it points to the ticket under /tmp/: $ env|grep KRB KRB5CCNAME=FILE:/tmp/krb5cc_5241_RIBf32 I wonder what makes "lpr" ask me "Password for [myuser] on localhost?" instead of using my Kerberos ticket as it does in Ubuntu 16.04? I see that /usr/bin/lpr comes with the package cups-bsd version 2.2.7-1ubuntu2.1 in Ubuntu 18.04 while it is 2.1.3-4ubuntu0.5 in Ubuntu 16.04. Best regards, Alex
Am 22.09.2018 um 13:24 schrieb Alex Persson:>> Sent: Saturday, September 22, 2018 at 12:08 PM >> From: "Robert Schetterer via samba" <samba at lists.samba.org> >> To: samba at lists.samba.org >> Subject: Re: [Samba] Printing via SMB-Kerberos no longer works >> >> Am 22.09.2018 um 09:49 schrieb Alex Persson via samba: >>> After upgrading from Ubuntu 16.04 to 18.04 printing via SMB-Kerberos no longer works (printing still works in 18.04 when I print via SMB but I don't want to have the password stored in clear text in /usr/lib/cups/backend/smb). >>> >>> In 16.04 I can just type "lpr file.pdf", but when doing this in 18.04 I get "Password for [myuser] on localhost?" and it expects me to type my password instead of using my Kerberos ticket for sending the print job to the print queue. >>> >>> I have the same Kerberos ticket available according to "klist" in 18.04 as I had in 16.04. >>> I have "AuthInfoRequired negotiate" in /etc/cups/printers.conf >>> The file /usr/lib/cups/backend/smb is a symbolic link pointing to /usr/lib/x86_64-linux-gnu/samba/smbspool_krb5_wrapper (in 16.04 it was pointing at /usr/bin/smbspool_krb5_wrapper). >>> The permission is 700 on /usr/lib/x86_64-linux-gnu/samba/smbspool_krb5_wrapper. >>> The version of cups is 2.2.7-1ubuntu2.1 in 18.04 while it was 2.1.3-4ubuntu0.5 in 16.04. >>> The version of smbclient is 2:4.7.6+dfsg~ubuntu-0ubuntu2.2 in 18.04 while it was 2:4.3.11+dfsg-0ubuntu0.16.04.16 16.04. >>> >>> Can you please help me figure out what the problem is? Maybe it is something wrong with smbspool_krb5_wrapper from the smbclient package? >> >> this feature broke times before by varia reasons >> "just a shot in the dark", if you use kerberos tickets in /tmp then >> stuff changed in 18.04 this also broke our cifs automounter >> see here >> https://blog.nutmeg.at/2017/04/17/getting-pam-krb5-working-autofs-and-cifs/ >> i did >> default_ccache_name = FILE:/tmp/krb5cc_%{uid} >> in /etc/krb5.conf >> to fix our problem > > Thanks you very much for your answer! > > I tried to set default_ccache_name in /etc/krb5.conf as you suggest above but "lpr" still asks "Password for [myuser] on localhost?". > > My CIFS mount works fine (as before) and I have $KRB5CCNAME set in my env and it points to the ticket under /tmp/: > > $ env|grep KRB > KRB5CCNAME=FILE:/tmp/krb5cc_5241_RIBf32 > > I wonder what makes "lpr" ask me "Password for [myuser] on localhost?" instead of using my Kerberos ticket as it does in Ubuntu 16.04? I see that /usr/bin/lpr comes with the package cups-bsd version 2.2.7-1ubuntu2.1 in Ubuntu 18.04 while it is 2.1.3-4ubuntu0.5 in Ubuntu 16.04. > > Best regards, Alex >our stuff may not comparable to your setup, our ksmb print module is a modified version, but i am nearly sure changes in new kerberos version at 18.04 are your problem. I think you should log very verbose to find the exact problem Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG, 80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Robert Schetterer wrote:> Alex Persson wrote: >> Robert Schetterer wrote: >>> Alex Persson wrote: >>>> After upgrading from Ubuntu 16.04 to 18.04 printing via SMB-Kerberos no longer works (printing still works in 18.04 when I print via SMB but I don't want to have the password stored in clear text in /usr/lib/cups/backend/smb). >>>> >>>> In 16.04 I can just type "lpr file.pdf", but when doing this in 18.04 I get "Password for [myuser] on localhost?" and it expects me to type my password instead of using my Kerberos ticket for sending the print job to the print queue. >>>> >>>> I have the same Kerberos ticket available according to "klist" in 18.04 as I had in 16.04. >>>> I have "AuthInfoRequired negotiate" in /etc/cups/printers.conf >>>> The file /usr/lib/cups/backend/smb is a symbolic link pointing to /usr/lib/x86_64-linux-gnu/samba/smbspool_krb5_wrapper (in 16.04 it was pointing at /usr/bin/smbspool_krb5_wrapper). >>>> The permission is 700 on /usr/lib/x86_64-linux-gnu/samba/smbspool_krb5_wrapper. >>>> The version of cups is 2.2.7-1ubuntu2.1 in 18.04 while it was 2.1.3-4ubuntu0.5 in 16.04. >>>> The version of smbclient is 2:4.7.6+dfsg~ubuntu-0ubuntu2.2 in 18.04 while it was 2:4.3.11+dfsg-0ubuntu0.16.04.16 16.04. >>>> >>>> Maybe it is something wrong with smbspool_krb5_wrapper from the smbclient package? >>> >>> this feature broke times before by varia reasons >>> "just a shot in the dark", if you use kerberos tickets in /tmp then >>> stuff changed in 18.04 this also broke our cifs automounter >>> see here >>> https://blog.nutmeg.at/2017/04/17/getting-pam-krb5-working-autofs-and-cifs/ >>> i did >>> default_ccache_name = FILE:/tmp/krb5cc_%{uid} >>> in /etc/krb5.conf >>> to fix our problem >> >> I tried to set default_ccache_name in /etc/krb5.conf as you suggest above but "lpr" still asks "Password for [myuser] on localhost?". >> My CIFS mount works fine (as before) and I have $KRB5CCNAME set in my env and it points to the ticket under /tmp/: >> $ env|grep KRB >> KRB5CCNAME=FILE:/tmp/krb5cc_5241_RIBf32 >> I wonder what makes "lpr" ask me "Password for [myuser] on localhost?" instead of using my Kerberos ticket as it does in Ubuntu 16.04? I see that /usr/bin/lpr comes with the package cups-bsd version 2.2.7-1ubuntu2.1 in Ubuntu 18.04 while it is 2.1.3-4ubuntu0.5 in Ubuntu 16.04. > > our stuff may not comparable to your setup, our ksmb print module is a > modified version, but i am nearly sure changes in new kerberos version > at 18.04 are your problem. I think you should log very verbose to find > the exact problemOk, so smbspool_krb5_wrapper might not be compatible with the Kerberos version in 18.04. When I "strace -f" the "lpr" command and then grep for "open" and "krb" I get almost the same lines in both 16.04 and in 18.04 (the difference is in the beginning of the lines: "open(" vs "openat(AT_FDCWD, "): 16.04$ grep ^open /tmp/strace.out|grep krb open("/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = 3 open("/usr/lib/x86_64-linux-gnu/libkrb5.so.3", O_RDONLY|O_CLOEXEC) = 3 open("/usr/lib/x86_64-linux-gnu/libkrb5support.so.0", O_RDONLY|O_CLOEXEC) = 3 18.04$ grep ^open /tmp/strace.out|grep krb openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libkrb5.so.3", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libkrb5support.so.0", O_RDONLY|O_CLOEXEC) = 3 In 16.04 the three files belongs to libgssapi-krb5-2:amd64, libkrb5-3:amd64, and libkrb5support0:amd64 which all are version 1.13.2+dfsg-5ubuntu2 while they in 18.04 are version 1.16-2build1. Can you please tell me how I turn on verbose logging to be able to track down the problem? Best regards, Alex