From ad304534591a36a3ba506a39f8021ecab9d0cb34 Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Fri, 2 Aug 2019 11:45:30 +0200 Subject: [PATCH] Rebase on 4.8.3-6 --- samba-4.8-fix_cups_smbspool_backend.part1.patch | 33 + samba-4.8-fix_cups_smbspool_backend.part2.patch | 1094 +++++++++++++++++++++++ samba-4.8-fix_smbspool_as_cups_backend.patch | 557 ++++++++++++ samba.spec | 33 +- 4 files changed, 1702 insertions(+), 15 deletions(-) create mode 100644 samba-4.8-fix_cups_smbspool_backend.part1.patch create mode 100644 samba-4.8-fix_cups_smbspool_backend.part2.patch create mode 100644 samba-4.8-fix_smbspool_as_cups_backend.patch diff --git a/samba-4.8-fix_cups_smbspool_backend.part1.patch b/samba-4.8-fix_cups_smbspool_backend.part1.patch new file mode 100644 index 0000000..61fd9bd --- /dev/null +++ b/samba-4.8-fix_cups_smbspool_backend.part1.patch @@ -0,0 +1,33 @@ +From 56fb8aec557bb5b7264df2713b85b282e1c81f84 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 9 May 2019 16:18:51 +0200 +Subject: [PATCH] s3:smbspool: Fix regression printing with Kerberos + credentials + +This is a regression which has been introduced with Samba 4.8. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit fd4b1f4f16aee3e3c9a2cb449655edfed171963a) +--- + source3/client/smbspool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c +index 8be1009c0a8..ecaaf3c3f22 100644 +--- a/source3/client/smbspool.c ++++ b/source3/client/smbspool.c +@@ -660,7 +660,7 @@ smb_connect(const char *workgroup, /* I - Workgroup */ + * behavior with 3.0.14a + */ + +- if (username != NULL && username[0] != '\0') { ++ if (username == NULL || username[0] == '\0') { + if (kerberos_ccache_is_valid()) { + goto kerberos_auth; + } +-- +2.21.0 + diff --git a/samba-4.8-fix_cups_smbspool_backend.part2.patch b/samba-4.8-fix_cups_smbspool_backend.part2.patch new file mode 100644 index 0000000..f682db0 --- /dev/null +++ b/samba-4.8-fix_cups_smbspool_backend.part2.patch @@ -0,0 +1,1094 @@ +From ab9266a2907fe523937d8576f6de7313d577c2e8 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 13 May 2019 16:55:49 +0200 +Subject: [PATCH 1/9] s3:smbspool: Add the 'lp' group to the users groups + +This is required to access files in /var/spool/cups which have been +temporarily created in there by CUPS. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 6086efb6808089c431e7307fa239924bfda1185b) +--- + source3/client/smbspool_krb5_wrapper.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c +index 5c4da33238b..e6684fc0d0c 100644 +--- a/source3/client/smbspool_krb5_wrapper.c ++++ b/source3/client/smbspool_krb5_wrapper.c +@@ -82,6 +82,7 @@ int main(int argc, char *argv[]) + { + char smbspool_cmd[PATH_MAX] = {0}; + struct passwd *pwd; ++ struct group *g = NULL; + char gen_cc[PATH_MAX] = {0}; + struct stat sb; + char *env = NULL; +@@ -89,6 +90,7 @@ int main(int argc, char *argv[]) + char device_uri[4096] = {0}; + uid_t uid = (uid_t)-1; + gid_t gid = (gid_t)-1; ++ gid_t groups[1] = { (gid_t)-1 }; + unsigned long tmp; + int cmp; + int rc; +@@ -176,6 +178,26 @@ int main(int argc, char *argv[]) + return CUPS_BACKEND_FAILED; + } + ++ /* ++ * We need the primary group of the 'lp' user. This is needed to access ++ * temporary files in /var/spool/cups/. ++ */ ++ g = getgrnam("lp"); ++ if (g == NULL) { ++ CUPS_SMB_ERROR("Failed to find user 'lp' - %s", ++ strerror(errno)); ++ return CUPS_BACKEND_FAILED; ++ } ++ ++ CUPS_SMB_DEBUG("Adding group 'lp' (%u)", g->gr_gid); ++ groups[0] = g->gr_gid; ++ rc = setgroups(sizeof(groups), groups); ++ if (rc != 0) { ++ CUPS_SMB_ERROR("Failed to set groups for 'lp' - %s", ++ strerror(errno)); ++ return CUPS_BACKEND_FAILED; ++ } ++ + CUPS_SMB_DEBUG("Switching to gid=%d", gid); + rc = setgid(gid); + if (rc != 0) { +-- +2.21.0 + + +From d3ab97ba608b0c3000e733e3e56dd7da7bae617a Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 16 May 2019 13:41:02 +0200 +Subject: [PATCH 2/9] s3:smbspool: Print the principal we use to authenticate + with + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 42492d547661cb7a98c237b32d42ee93de35aba5) +--- + source3/client/smbspool.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c +index ecaaf3c3f22..98959bb677b 100644 +--- a/source3/client/smbspool.c ++++ b/source3/client/smbspool.c +@@ -612,6 +612,7 @@ static bool kerberos_ccache_is_valid(void) { + return false; + } else { + krb5_principal default_princ = NULL; ++ char *princ_name = NULL; + + code = krb5_cc_get_principal(ctx, + ccache, +@@ -621,6 +622,16 @@ static bool kerberos_ccache_is_valid(void) { + krb5_free_context(ctx); + return false; + } ++ ++ code = krb5_unparse_name(ctx, ++ default_princ, ++ &princ_name); ++ if (code == 0) { ++ fprintf(stderr, ++ "DEBUG: Try to authenticate as %s\n", ++ princ_name); ++ krb5_free_unparsed_name(ctx, princ_name); ++ } + krb5_free_principal(ctx, default_princ); + } + krb5_cc_close(ctx, ccache); +-- +2.21.0 + + +From b8588870940e282aa2d5f9d553771fcba91681c7 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 16 May 2019 14:25:00 +0200 +Subject: [PATCH 3/9] s3:smbspool: Add debug for finding KRB5CCNAME + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 3632bfef25e471075886eb7aecddd4cc260db8ba) +--- + source3/client/smbspool_krb5_wrapper.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c +index e6684fc0d0c..2cdcd372ec6 100644 +--- a/source3/client/smbspool_krb5_wrapper.c ++++ b/source3/client/smbspool_krb5_wrapper.c +@@ -219,10 +219,14 @@ int main(int argc, char *argv[]) + env = getenv("KRB5CCNAME"); + if (env != NULL && env[0] != 0) { + snprintf(gen_cc, sizeof(gen_cc), "%s", env); ++ CUPS_SMB_DEBUG("User already set KRB5CCNAME [%s] as ccache", ++ gen_cc); + + goto create_env; + } + ++ CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)"); ++ + snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid); + + rc = lstat(gen_cc, &sb); +-- +2.21.0 + + +From 30feae8f20fb60999727cc4a6777b2823db46a64 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 16 May 2019 17:10:57 +0200 +Subject: [PATCH 4/9] s3:smbspool: Use %u format specifier to print uid + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit be596ce3d2455bd49a8ebd311d8c764c37852858) +--- + source3/client/smbspool_krb5_wrapper.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c +index 2cdcd372ec6..3266b90ec1a 100644 +--- a/source3/client/smbspool_krb5_wrapper.c ++++ b/source3/client/smbspool_krb5_wrapper.c +@@ -227,13 +227,13 @@ int main(int argc, char *argv[]) + + CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)"); + +- snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid); ++ snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid); + + rc = lstat(gen_cc, &sb); + if (rc == 0) { +- snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%d", uid); ++ snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid); + } else { +- snprintf(gen_cc, sizeof(gen_cc), "/run/user/%d/krb5cc", uid); ++ snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid); + + rc = lstat(gen_cc, &sb); + if (rc == 0 && S_ISDIR(sb.st_mode)) { +-- +2.21.0 + + +From 98b782f300a899ad39fe17fa62ccbe4932e8cd29 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 16 May 2019 17:40:43 +0200 +Subject: [PATCH 5/9] s3:smbspool: Fallback to default ccache if KRB5CCNAME is + not set + +This could also support the new KCM credential cache storage. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 6bbdf69e406916107400e2cabdbc831e2a2bbee3) +--- + source3/client/smbspool_krb5_wrapper.c | 79 ++++++++++++++++++-------- + source3/wscript_build | 1 + + 2 files changed, 55 insertions(+), 25 deletions(-) + +diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c +index 3266b90ec1a..bff1df417e8 100644 +--- a/source3/client/smbspool_krb5_wrapper.c ++++ b/source3/client/smbspool_krb5_wrapper.c +@@ -21,6 +21,7 @@ + + #include "includes.h" + #include "system/filesys.h" ++#include "system/kerberos.h" + #include "system/passwd.h" + + #include +@@ -68,6 +69,50 @@ static void cups_smb_debug(enum cups_smb_dbglvl_e lvl, const char *format, ...) + buffer); + } + ++static bool kerberos_get_default_ccache(char *ccache_buf, size_t len) ++{ ++ krb5_context ctx; ++ const char *ccache_name = NULL; ++ char *full_ccache_name = NULL; ++ krb5_ccache ccache = NULL; ++ krb5_error_code code; ++ ++ code = krb5_init_context(&ctx); ++ if (code != 0) { ++ return false; ++ } ++ ++ ccache_name = krb5_cc_default_name(ctx); ++ if (ccache_name == NULL) { ++ krb5_free_context(ctx); ++ return false; ++ } ++ ++ code = krb5_cc_resolve(ctx, ccache_name, &ccache); ++ if (code != 0) { ++ krb5_free_context(ctx); ++ return false; ++ } ++ ++ code = krb5_cc_get_full_name(ctx, ccache, &full_ccache_name); ++ krb5_cc_close(ctx, ccache); ++ if (code != 0) { ++ krb5_free_context(ctx); ++ return false; ++ } ++ ++ snprintf(ccache_buf, len, "%s", full_ccache_name); ++ ++#ifdef SAMBA4_USES_HEIMDAL ++ free(full_ccache_name); ++#else ++ krb5_free_string(ctx, full_ccache_name); ++#endif ++ krb5_free_context(ctx); ++ ++ return true; ++} ++ + /* + * This is a helper binary to execute smbspool. + * +@@ -84,7 +129,6 @@ int main(int argc, char *argv[]) + struct passwd *pwd; + struct group *g = NULL; + char gen_cc[PATH_MAX] = {0}; +- struct stat sb; + char *env = NULL; + char auth_info_required[256] = {0}; + char device_uri[4096] = {0}; +@@ -92,6 +136,7 @@ int main(int argc, char *argv[]) + gid_t gid = (gid_t)-1; + gid_t groups[1] = { (gid_t)-1 }; + unsigned long tmp; ++ bool ok; + int cmp; + int rc; + +@@ -225,32 +270,16 @@ int main(int argc, char *argv[]) + goto create_env; + } + +- CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)"); +- +- snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid); +- +- rc = lstat(gen_cc, &sb); +- if (rc == 0) { +- snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid); +- } else { +- snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid); +- +- rc = lstat(gen_cc, &sb); +- if (rc == 0 && S_ISDIR(sb.st_mode)) { +- snprintf(gen_cc, +- sizeof(gen_cc), +- "DIR:/run/user/%d/krb5cc", +- uid); +- } else { +-#if defined(__linux__) +- snprintf(gen_cc, +- sizeof(gen_cc), +- "KEYRING:persistent:%d", +- uid); +-#endif +- } ++ ok = kerberos_get_default_ccache(gen_cc, sizeof(gen_cc)); ++ if (ok) { ++ CUPS_SMB_DEBUG("Use default KRB5CCNAME [%s]", ++ gen_cc); ++ goto create_env; + } + ++ /* Fallback to a FILE ccache */ ++ snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid); ++ + create_env: + /* + * Make sure we do not have LD_PRELOAD or other security relevant +diff --git a/source3/wscript_build b/source3/wscript_build +index 15c93e46bc3..694acbfa754 100644 +--- a/source3/wscript_build ++++ b/source3/wscript_build +@@ -1120,6 +1120,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper', + deps=''' + DYNCONFIG + cups ++ krb5 + ''', + install_path='${LIBEXECDIR}/samba', + enabled=bld.CONFIG_SET('HAVE_CUPS')) +-- +2.21.0 + + +From 0ffe2ecb356780264b157a03157875758431102f Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 13 May 2019 16:48:31 +0200 +Subject: [PATCH 6/9] s3:smbspool: Print the filename we failed to open + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 281274572bcc3125fe6026a01ef7bf7ef584a0dd) +--- + source3/client/smbspool.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c +index 98959bb677b..43f0cbc04e1 100644 +--- a/source3/client/smbspool.c ++++ b/source3/client/smbspool.c +@@ -223,7 +223,9 @@ main(int argc, /* I - Number of command-line arguments */ + + fp = fopen(print_file, "rb"); + if (fp == NULL) { +- perror("ERROR: Unable to open print file"); ++ fprintf(stderr, ++ "ERROR: Unable to open print file: %s", ++ print_file); + goto done; + } + +-- +2.21.0 + + +From 9d662cda9def334de3a27cab7d77ab6c9deb3f16 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 13 May 2019 18:54:02 +0200 +Subject: [PATCH 7/9] s3:smbspool: Always try to authenticate using Kerberos + +If username and password is given, then fallback to NTLM. However try +kinit first. Also we correctly handle NULL passwords in the meantime and +this makes it easier to deal with issues. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 3d719a1f85db8e423dc3a4116a2228961d5ac48d) +--- + source3/client/smbspool.c | 90 ++++++++++++++++++++++----------------- + 1 file changed, 51 insertions(+), 39 deletions(-) + +diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c +index 43f0cbc04e1..f8e6a76ba11 100644 +--- a/source3/client/smbspool.c ++++ b/source3/client/smbspool.c +@@ -87,8 +87,8 @@ main(int argc, /* I - Number of command-line arguments */ + int port; /* Port number */ + char uri[1024], /* URI */ + *sep, /* Pointer to separator */ +- *tmp, *tmp2, /* Temp pointers to do escaping */ +- *password; /* Password */ ++ *tmp, *tmp2; /* Temp pointers to do escaping */ ++ const char *password = NULL; /* Password */ + char *username, /* Username */ + *server, /* Server name */ + *printer;/* Printer name */ +@@ -292,8 +292,6 @@ main(int argc, /* I - Number of command-line arguments */ + if ((tmp2 = strchr_m(tmp, ':')) != NULL) { + *tmp2++ = '\0'; + password = uri_unescape_alloc(tmp2); +- } else { +- password = empty_str; + } + username = uri_unescape_alloc(tmp); + } else { +@@ -301,14 +299,15 @@ main(int argc, /* I - Number of command-line arguments */ + username = empty_str; + } + +- if ((password = getenv("AUTH_PASSWORD")) == NULL) { +- password = empty_str; ++ env = getenv("AUTH_PASSWORD"); ++ if (env != NULL && strlen(env) > 0) { ++ password = env; + } + + server = uri + 6; + } + +- if (password != empty_str) { ++ if (password != NULL) { + auth_info_required = "username,password"; + } + +@@ -513,6 +512,7 @@ smb_complete_connection(const char *myname, + NTSTATUS nt_status; + struct cli_credentials *creds = NULL; + bool use_kerberos = false; ++ bool fallback_after_kerberos = false; + + /* Start the SMB connection */ + *need_auth = false; +@@ -523,27 +523,21 @@ smb_complete_connection(const char *myname, + return NULL; + } + +- /* +- * We pretty much guarantee password must be valid or a pointer to a +- * 0 char. +- */ +- if (!password) { +- *need_auth = true; +- return NULL; +- } +- + if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) { +- auth_info_required = "negotiate"; + use_kerberos = true; + } + ++ if (flags & CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS) { ++ fallback_after_kerberos = true; ++ } ++ + creds = cli_session_creds_init(cli, + username, + workgroup, + NULL, /* realm */ + password, + use_kerberos, +- false, /* fallback_after_kerberos */ ++ fallback_after_kerberos, + false, /* use_ccache */ + false); /* password_is_nt_hash */ + if (creds == NULL) { +@@ -659,6 +653,10 @@ smb_connect(const char *workgroup, /* I - Workgroup */ + struct cli_state *cli; /* New connection */ + char *myname = NULL; /* Client name */ + struct passwd *pwd; ++ int flags = CLI_FULL_CONNECTION_USE_KERBEROS; ++ bool use_kerberos = false; ++ const char *user = username; ++ int cmp; + + /* + * Get the names and addresses of the client and server... +@@ -668,42 +666,56 @@ smb_connect(const char *workgroup, /* I - Workgroup */ + return NULL; + } + +- /* +- * See if we have a username first. This is for backwards compatible +- * behavior with 3.0.14a +- */ + +- if (username == NULL || username[0] == '\0') { +- if (kerberos_ccache_is_valid()) { +- goto kerberos_auth; ++ cmp = strcmp(auth_info_required, "negotiate"); ++ if (cmp == 0) { ++ if (!kerberos_ccache_is_valid()) { ++ return NULL; + } ++ user = jobusername; ++ ++ use_kerberos = true; ++ fprintf(stderr, ++ "DEBUG: Try to connect using Kerberos ...\n"); ++ } ++ ++ cmp = strcmp(auth_info_required, "username,password"); ++ if (cmp == 0) { ++ if (username == NULL || username[0] == '\0') { ++ return NULL; ++ } ++ ++ /* Fallback to NTLM */ ++ flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS; ++ ++ fprintf(stderr, ++ "DEBUG: Try to connect using username/password ...\n"); ++ } ++ ++ cmp = strcmp(auth_info_required, "none"); ++ if (cmp == 0) { ++ fprintf(stderr, ++ "DEBUG: This backend doesn't support none auth ...\n"); ++ return NULL; + } + + cli = smb_complete_connection(myname, + server, + port, +- username, ++ user, + password, + workgroup, + share, +- 0, ++ flags, + need_auth); + if (cli != NULL) { +- fputs("DEBUG: Connected with username/password...\n", stderr); ++ fprintf(stderr, "DEBUG: SMB connection established.\n"); + return (cli); + } + +-kerberos_auth: +- /* +- * Try to use the user kerberos credentials (if any) to authenticate +- */ +- cli = smb_complete_connection(myname, server, port, jobusername, "", +- workgroup, share, +- CLI_FULL_CONNECTION_USE_KERBEROS, need_auth); +- +- if (cli) { +- fputs("DEBUG: Connected using Kerberos...\n", stderr); +- return (cli); ++ if (!use_kerberos) { ++ fprintf(stderr, "ERROR: SMB connection failed!\n"); ++ return NULL; + } + + /* give a chance for a passwordless NTLMSSP session setup */ +-- +2.21.0 + + +From 56f58726a1f3b98e64e9f6b27c275cc0044e2a9f Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 16 May 2019 18:24:32 +0200 +Subject: [PATCH 8/9] s3:smbspool: Add debug messages to + kerberos_ccache_is_valid() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 93acd880801524c5e621df7b5bf5ad650f93cec3) +--- + source3/client/smbspool.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c +index f8e6a76ba11..ed5837daa0d 100644 +--- a/source3/client/smbspool.c ++++ b/source3/client/smbspool.c +@@ -599,11 +599,15 @@ static bool kerberos_ccache_is_valid(void) { + + ccache_name = krb5_cc_default_name(ctx); + if (ccache_name == NULL) { ++ DBG_ERR("Failed to get default ccache name\n"); ++ krb5_free_context(ctx); + return false; + } + + code = krb5_cc_resolve(ctx, ccache_name, &ccache); + if (code != 0) { ++ DBG_ERR("Failed to resolve ccache name: %s\n", ++ ccache_name); + krb5_free_context(ctx); + return false; + } else { +@@ -614,6 +618,9 @@ static bool kerberos_ccache_is_valid(void) { + ccache, + &default_princ); + if (code != 0) { ++ DBG_ERR("Failed to get default principal from " ++ "ccache: %s\n", ++ ccache_name); + krb5_cc_close(ctx, ccache); + krb5_free_context(ctx); + return false; +-- +2.21.0 + + +From cec536a0437b28e207cb69c318cb5769575d1761 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 14 May 2019 11:35:46 +0200 +Subject: [PATCH 9/9] s3:smbspool: Use NTSTATUS return codes + +This allows us to simplify some code and return better errors. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit d9af3dc02e98a3eb22441dfbdeddbaca0af078ea) +--- + source3/client/smbspool.c | 250 ++++++++++++++++++++++---------------- + 1 file changed, 145 insertions(+), 105 deletions(-) + +diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c +index ed5837daa0d..1c09ca0826d 100644 +--- a/source3/client/smbspool.c ++++ b/source3/client/smbspool.c +@@ -60,12 +60,27 @@ + * Local functions... + */ + +-static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status); ++static int get_exit_code(NTSTATUS nt_status); + static void list_devices(void); +-static struct cli_state *smb_complete_connection(const char *, const char *, +- int, const char *, const char *, const char *, const char *, int, bool *need_auth); +-static struct cli_state *smb_connect(const char *, const char *, int, const +- char *, const char *, const char *, const char *, bool *need_auth); ++static NTSTATUS ++smb_complete_connection(struct cli_state **output_cli, ++ const char *myname, ++ const char *server, ++ int port, ++ const char *username, ++ const char *password, ++ const char *workgroup, ++ const char *share, ++ int flags); ++static NTSTATUS ++smb_connect(struct cli_state **output_cli, ++ const char *workgroup, ++ const char *server, ++ const int port, ++ const char *share, ++ const char *username, ++ const char *password, ++ const char *jobusername); + static int smb_print(struct cli_state *, const char *, FILE *); + static char *uri_unescape_alloc(const char *); + #if 0 +@@ -89,16 +104,15 @@ main(int argc, /* I - Number of command-line arguments */ + *sep, /* Pointer to separator */ + *tmp, *tmp2; /* Temp pointers to do escaping */ + const char *password = NULL; /* Password */ +- char *username, /* Username */ +- *server, /* Server name */ ++ const char *username = NULL; /* Username */ ++ char *server, /* Server name */ + *printer;/* Printer name */ + const char *workgroup; /* Workgroup */ + FILE *fp; /* File to print */ + int status = 1; /* Status of LPD job */ +- struct cli_state *cli; /* SMB interface */ +- char empty_str[] = ""; ++ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; ++ struct cli_state *cli = NULL; /* SMB interface */ + int tries = 0; +- bool need_auth = true; + const char *dev_uri = NULL; + const char *env = NULL; + const char *config_file = NULL; +@@ -295,8 +309,9 @@ main(int argc, /* I - Number of command-line arguments */ + } + username = uri_unescape_alloc(tmp); + } else { +- if ((username = getenv("AUTH_USERNAME")) == NULL) { +- username = empty_str; ++ env = getenv("AUTH_USERNAME"); ++ if (env != NULL && strlen(env) > 0) { ++ username = env; + } + + env = getenv("AUTH_PASSWORD"); +@@ -368,27 +383,39 @@ main(int argc, /* I - Number of command-line arguments */ + load_interfaces(); + + do { +- cli = smb_connect(workgroup, +- server, +- port, +- printer, +- username, +- password, +- print_user, +- &need_auth); +- if (cli == NULL) { +- if (need_auth) { +- exit(2); ++ nt_status = smb_connect(&cli, ++ workgroup, ++ server, ++ port, ++ printer, ++ username, ++ password, ++ print_user); ++ if (!NT_STATUS_IS_OK(nt_status)) { ++ status = get_exit_code(nt_status); ++ if (status == 2) { ++ fprintf(stderr, ++ "DEBUG: Unable to connect to CIFS " ++ "host: %s", ++ nt_errstr(nt_status)); ++ goto done; + } else if (getenv("CLASS") == NULL) { +- fprintf(stderr, "ERROR: Unable to connect to CIFS host, will retry in 60 seconds...\n"); ++ fprintf(stderr, ++ "ERROR: Unable to connect to CIFS " ++ "host: %s. Will retry in 60 " ++ "seconds...\n", ++ nt_errstr(nt_status)); + sleep(60); + tries++; + } else { +- fprintf(stderr, "ERROR: Unable to connect to CIFS host, trying next printer...\n"); ++ fprintf(stderr, ++ "ERROR: Unable to connect to CIFS " ++ "host: %s. Trying next printer...\n", ++ nt_errstr(nt_status)); + goto done; + } + } +- } while ((cli == NULL) && (tries < MAX_RETRY_CONNECT)); ++ } while (!NT_STATUS_IS_OK(nt_status) && (tries < MAX_RETRY_CONNECT)); + + if (cli == NULL) { + fprintf(stderr, "ERROR: Unable to connect to CIFS host after (tried %d times)\n", tries); +@@ -435,10 +462,9 @@ done: + */ + + static int +-get_exit_code(struct cli_state * cli, +- NTSTATUS nt_status) ++get_exit_code(NTSTATUS nt_status) + { +- int i; ++ size_t i; + + /* List of NTSTATUS errors that are considered + * authentication errors +@@ -454,17 +480,16 @@ get_exit_code(struct cli_state * cli, + }; + + +- fprintf(stderr, "DEBUG: get_exit_code(cli=%p, nt_status=%s [%x])\n", +- cli, nt_errstr(nt_status), NT_STATUS_V(nt_status)); ++ fprintf(stderr, ++ "DEBUG: get_exit_code(nt_status=%s [%x])\n", ++ nt_errstr(nt_status), NT_STATUS_V(nt_status)); + + for (i = 0; i < ARRAY_SIZE(auth_errors); i++) { + if (!NT_STATUS_EQUAL(nt_status, auth_errors[i])) { + continue; + } + +- if (cli) { +- fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required); +- } ++ fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required); + + /* + * 2 = authentication required... +@@ -497,16 +522,16 @@ list_devices(void) + } + + +-static struct cli_state * +-smb_complete_connection(const char *myname, ++static NTSTATUS ++smb_complete_connection(struct cli_state **output_cli, ++ const char *myname, + const char *server, + int port, + const char *username, + const char *password, + const char *workgroup, + const char *share, +- int flags, +- bool *need_auth) ++ int flags) + { + struct cli_state *cli; /* New connection */ + NTSTATUS nt_status; +@@ -515,12 +540,11 @@ smb_complete_connection(const char *myname, + bool fallback_after_kerberos = false; + + /* Start the SMB connection */ +- *need_auth = false; + nt_status = cli_start_connection(&cli, myname, server, NULL, port, + SMB_SIGNING_DEFAULT, flags); + if (!NT_STATUS_IS_OK(nt_status)) { + fprintf(stderr, "ERROR: Connection failed: %s\n", nt_errstr(nt_status)); +- return NULL; ++ return nt_status; + } + + if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) { +@@ -543,20 +567,16 @@ smb_complete_connection(const char *myname, + if (creds == NULL) { + fprintf(stderr, "ERROR: cli_session_creds_init failed\n"); + cli_shutdown(cli); +- return NULL; ++ return NT_STATUS_NO_MEMORY; + } + + nt_status = cli_session_setup_creds(cli, creds); + if (!NT_STATUS_IS_OK(nt_status)) { + fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status)); + +- if (get_exit_code(cli, nt_status) == 2) { +- *need_auth = true; +- } +- + cli_shutdown(cli); + +- return NULL; ++ return nt_status; + } + + nt_status = cli_tree_connect_creds(cli, share, "?????", creds); +@@ -564,13 +584,9 @@ smb_complete_connection(const char *myname, + fprintf(stderr, "ERROR: Tree connect failed (%s)\n", + nt_errstr(nt_status)); + +- if (get_exit_code(cli, nt_status) == 2) { +- *need_auth = true; +- } +- + cli_shutdown(cli); + +- return NULL; ++ return nt_status; + } + #if 0 + /* Need to work out how to specify this on the URL. */ +@@ -583,7 +599,8 @@ smb_complete_connection(const char *myname, + } + #endif + +- return cli; ++ *output_cli = cli; ++ return NT_STATUS_OK; + } + + static bool kerberos_ccache_is_valid(void) { +@@ -647,49 +664,48 @@ static bool kerberos_ccache_is_valid(void) { + * 'smb_connect()' - Return a connection to a server. + */ + +-static struct cli_state * /* O - SMB connection */ +-smb_connect(const char *workgroup, /* I - Workgroup */ ++static NTSTATUS ++smb_connect(struct cli_state **output_cli, ++ const char *workgroup, /* I - Workgroup */ + const char *server, /* I - Server */ + const int port, /* I - Port */ + const char *share, /* I - Printer */ + const char *username, /* I - Username */ + const char *password, /* I - Password */ +- const char *jobusername, /* I - User who issued the print job */ +- bool *need_auth) +-{ /* O - Need authentication? */ +- struct cli_state *cli; /* New connection */ ++ const char *jobusername) /* I - User who issued the print job */ ++{ ++ struct cli_state *cli = NULL; /* New connection */ + char *myname = NULL; /* Client name */ + struct passwd *pwd; + int flags = CLI_FULL_CONNECTION_USE_KERBEROS; + bool use_kerberos = false; + const char *user = username; +- int cmp; ++ NTSTATUS nt_status; + + /* + * Get the names and addresses of the client and server... + */ + myname = get_myname(talloc_tos()); + if (!myname) { +- return NULL; ++ return NT_STATUS_NO_MEMORY; + } + + +- cmp = strcmp(auth_info_required, "negotiate"); +- if (cmp == 0) { ++ if (strcmp(auth_info_required, "negotiate") == 0) { + if (!kerberos_ccache_is_valid()) { +- return NULL; ++ fprintf(stderr, ++ "ERROR: No valid Kerberos credential cache " ++ "found!\n"); ++ return NT_STATUS_LOGON_FAILURE; + } + user = jobusername; + + use_kerberos = true; + fprintf(stderr, + "DEBUG: Try to connect using Kerberos ...\n"); +- } +- +- cmp = strcmp(auth_info_required, "username,password"); +- if (cmp == 0) { +- if (username == NULL || username[0] == '\0') { +- return NULL; ++ } else if (strcmp(auth_info_required, "username,password") == 0) { ++ if (username == NULL) { ++ return NT_STATUS_INVALID_ACCOUNT_NAME; + } + + /* Fallback to NTLM */ +@@ -697,59 +713,83 @@ smb_connect(const char *workgroup, /* I - Workgroup */ + + fprintf(stderr, + "DEBUG: Try to connect using username/password ...\n"); +- } ++ } else { ++ if (username != NULL) { ++ flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS; ++ } else if (kerberos_ccache_is_valid()) { ++ auth_info_required = "negotiate"; + +- cmp = strcmp(auth_info_required, "none"); +- if (cmp == 0) { +- fprintf(stderr, +- "DEBUG: This backend doesn't support none auth ...\n"); +- return NULL; ++ user = jobusername; ++ use_kerberos = true; ++ } else { ++ fprintf(stderr, ++ "DEBUG: This backend requires credentials!\n"); ++ return NT_STATUS_ACCESS_DENIED; ++ } + } + +- cli = smb_complete_connection(myname, +- server, +- port, +- user, +- password, +- workgroup, +- share, +- flags, +- need_auth); +- if (cli != NULL) { ++ nt_status = smb_complete_connection(&cli, ++ myname, ++ server, ++ port, ++ user, ++ password, ++ workgroup, ++ share, ++ flags); ++ if (NT_STATUS_IS_OK(nt_status)) { + fprintf(stderr, "DEBUG: SMB connection established.\n"); +- return (cli); ++ ++ *output_cli = cli; ++ return NT_STATUS_OK; + } + + if (!use_kerberos) { + fprintf(stderr, "ERROR: SMB connection failed!\n"); +- return NULL; ++ return nt_status; + } + + /* give a chance for a passwordless NTLMSSP session setup */ + pwd = getpwuid(geteuid()); + if (pwd == NULL) { +- return NULL; +- } +- +- cli = smb_complete_connection(myname, server, port, pwd->pw_name, "", +- workgroup, share, 0, need_auth); +- +- if (cli) { ++ return NT_STATUS_ACCESS_DENIED; ++ } ++ ++ nt_status = smb_complete_connection(&cli, ++ myname, ++ server, ++ port, ++ pwd->pw_name, ++ "", ++ workgroup, ++ share, ++ 0); ++ if (NT_STATUS_IS_OK(nt_status)) { + fputs("DEBUG: Connected with NTLMSSP...\n", stderr); +- return (cli); ++ ++ *output_cli = cli; ++ return NT_STATUS_OK; + } + + /* + * last try. Use anonymous authentication + */ + +- cli = smb_complete_connection(myname, server, port, "", "", +- workgroup, share, 0, need_auth); +- /* +- * Return the new connection... +- */ +- +- return (cli); ++ nt_status = smb_complete_connection(&cli, ++ myname, ++ server, ++ port, ++ "", ++ "", ++ workgroup, ++ share, ++ 0); ++ if (NT_STATUS_IS_OK(nt_status)) { ++ *output_cli = cli; ++ return NT_STATUS_OK; ++ } ++ ++ return nt_status; + } + + +@@ -795,7 +835,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ + if (!NT_STATUS_IS_OK(nt_status)) { + fprintf(stderr, "ERROR: %s opening remote spool %s\n", + nt_errstr(nt_status), title); +- return get_exit_code(cli, nt_status); ++ return get_exit_code(nt_status); + } + + /* +@@ -813,7 +853,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ + status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer, + tbytes, nbytes, NULL); + if (!NT_STATUS_IS_OK(status)) { +- int ret = get_exit_code(cli, status); ++ int ret = get_exit_code(status); + fprintf(stderr, "ERROR: Error writing spool: %s\n", + nt_errstr(status)); + fprintf(stderr, "DEBUG: Returning status %d...\n", +@@ -829,7 +869,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ + if (!NT_STATUS_IS_OK(nt_status)) { + fprintf(stderr, "ERROR: %s closing remote spool %s\n", + nt_errstr(nt_status), title); +- return get_exit_code(cli, nt_status); ++ return get_exit_code(nt_status); + } else { + return (0); + } +-- +2.21.0 + diff --git a/samba-4.8-fix_smbspool_as_cups_backend.patch b/samba-4.8-fix_smbspool_as_cups_backend.patch new file mode 100644 index 0000000..581cc98 --- /dev/null +++ b/samba-4.8-fix_smbspool_as_cups_backend.patch @@ -0,0 +1,557 @@ +From c4c36c2ecc0ed1254e02f046ce08b4937fe26ee6 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 12 Mar 2019 10:15:05 +0100 +Subject: [PATCH 1/5] s3:script: Fix jobid check in test_smbspool.sh + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832 + +Signed-off-by: Andreas Schneider +Reviewed-by: Bryan Mason +Signed-off-by: Guenther Deschner +(cherry picked from commit fad5e4eaeb9202c1b63c42ea09254c17c473e33a) +--- + source3/script/tests/test_smbspool.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/source3/script/tests/test_smbspool.sh b/source3/script/tests/test_smbspool.sh +index d95ed064634..f28c0909334 100755 +--- a/source3/script/tests/test_smbspool.sh ++++ b/source3/script/tests/test_smbspool.sh +@@ -99,8 +99,8 @@ test_vlp_verify() + fi + + jobid=$(echo "$out" | awk '/[0-9]+/ { print $1 };') +- if [ $jobid -lt 1000 || $jobid -gt 2000 ]; then +- echo "failed to get jobid" ++ if [ -z "$jobid" ] || [ $jobid -lt 100 || [ $jobid -gt 2000 ]; then ++ echo "Invalid jobid: $jobid" + echo "$out" + return 1 + fi +-- +2.20.1 + + +From 72f86fe6f41bbe7891fe81811b3234b6662de8da Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 12 Mar 2019 09:40:58 +0100 +Subject: [PATCH 2/5] s3:client: Pass DEVICE_URI and AUTH_INFO_REQUIRED env to + smbspool + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832 + +Signed-off-by: Andreas Schneider +Reviewed-by: Bryan Mason +Signed-off-by: Guenther Deschner +(cherry picked from commit 43160184d254a57f87bb2adeba47f48d8539533a) +--- + source3/client/smbspool_krb5_wrapper.c | 24 +++++++++++++++++++++--- + 1 file changed, 21 insertions(+), 3 deletions(-) + +diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c +index dee3b4c54be..5c4da33238b 100644 +--- a/source3/client/smbspool_krb5_wrapper.c ++++ b/source3/client/smbspool_krb5_wrapper.c +@@ -84,24 +84,36 @@ int main(int argc, char *argv[]) + struct passwd *pwd; + char gen_cc[PATH_MAX] = {0}; + struct stat sb; +- char *env; ++ char *env = NULL; ++ char auth_info_required[256] = {0}; ++ char device_uri[4096] = {0}; + uid_t uid = (uid_t)-1; + gid_t gid = (gid_t)-1; + unsigned long tmp; + int cmp; + int rc; + ++ env = getenv("DEVICE_URI"); ++ if (env != NULL && strlen(env) > 2) { ++ snprintf(device_uri, sizeof(device_uri), "%s", env); ++ } ++ + /* Check if AuthInfoRequired is set to negotiate */ + env = getenv("AUTH_INFO_REQUIRED"); + + /* If not set, then just call smbspool. */ +- if (env == NULL) { ++ if (env == NULL || env[0] == 0) { + CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - " + "execute smbspool"); + goto smbspool; + } else { + CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED=%s", env); + ++ snprintf(auth_info_required, ++ sizeof(auth_info_required), ++ "%s", ++ env); ++ + cmp = strcmp(env, "username,password"); + if (cmp == 0) { + CUPS_SMB_DEBUG("Authenticate using username/password - " +@@ -223,12 +235,18 @@ create_env: + #else + { + extern char **environ; +- environ = calloc(1, sizeof(*environ)); ++ environ = calloc(3, sizeof(*environ)); + } + #endif + + CUPS_SMB_DEBUG("Setting KRB5CCNAME to '%s'", gen_cc); + setenv("KRB5CCNAME", gen_cc, 1); ++ if (device_uri[0] != '\0') { ++ setenv("DEVICE_URI", device_uri, 1); ++ } ++ if (auth_info_required[0] != '\0') { ++ setenv("AUTH_INFO_REQUIRED", auth_info_required, 1); ++ } + + smbspool: + snprintf(smbspool_cmd, +-- +2.20.1 + + +From 47771d9ceff2771b5fda430e1836237d85300407 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 4 Jan 2019 09:21:24 +0100 +Subject: [PATCH 3/5] s3:client: Evaluate the AUTH_INFO_REQUIRED variable set + by cups + +This should not switch to username,password if cups has been configured +to use negotiate (Kerberos authentication). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832 + +Signed-off-by: Andreas Schneider +Reviewed-by: Bryan Mason +Signed-off-by: Guenther Deschner +(cherry picked from commit 5274b09fbaa5e45cc58f3301818d4e9f6a402845) +--- + source3/client/smbspool.c | 42 ++++++++++++++++++++++----------------- + 1 file changed, 24 insertions(+), 18 deletions(-) + +diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c +index d6e944d547c..e94d5b33324 100644 +--- a/source3/client/smbspool.c ++++ b/source3/client/smbspool.c +@@ -60,7 +60,7 @@ + * Local functions... + */ + +-static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status, bool use_kerberos); ++static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status); + static void list_devices(void); + static struct cli_state *smb_complete_connection(const char *, const char *, + int, const char *, const char *, const char *, const char *, int, bool *need_auth); +@@ -72,6 +72,8 @@ static char *uri_unescape_alloc(const char *); + static bool smb_encrypt; + #endif + ++static const char *auth_info_required; ++ + /* + * 'main()' - Main entry for SMB backend. + */ +@@ -94,7 +96,7 @@ main(int argc, /* I - Number of command-line arguments */ + FILE *fp; /* File to print */ + int status = 1; /* Status of LPD job */ + struct cli_state *cli; /* SMB interface */ +- char null_str[1]; ++ char empty_str[] = ""; + int tries = 0; + bool need_auth = true; + const char *dev_uri; +@@ -106,8 +108,6 @@ main(int argc, /* I - Number of command-line arguments */ + int cmp; + int len; + +- null_str[0] = '\0'; +- + if (argc == 1) { + /* + * NEW! In CUPS 1.1 the backends are run with no arguments +@@ -187,6 +187,11 @@ main(int argc, /* I - Number of command-line arguments */ + } + } + ++ auth_info_required = getenv("AUTH_INFO_REQUIRED"); ++ if (auth_info_required == NULL) { ++ auth_info_required = "none"; ++ } ++ + cmp = strncmp(dev_uri, "smb://", 6); + if (cmp != 0) { + fprintf(stderr, +@@ -220,21 +225,25 @@ main(int argc, /* I - Number of command-line arguments */ + *tmp2++ = '\0'; + password = uri_unescape_alloc(tmp2); + } else { +- password = null_str; ++ password = empty_str; + } + username = uri_unescape_alloc(tmp); + } else { + if ((username = getenv("AUTH_USERNAME")) == NULL) { +- username = null_str; ++ username = empty_str; + } + + if ((password = getenv("AUTH_PASSWORD")) == NULL) { +- password = null_str; ++ password = empty_str; + } + + server = uri + 6; + } + ++ if (password != empty_str) { ++ auth_info_required = "username,password"; ++ } ++ + tmp = server; + + if ((sep = strchr_m(tmp, '/')) == NULL) { +@@ -354,8 +363,7 @@ done: + + static int + get_exit_code(struct cli_state * cli, +- NTSTATUS nt_status, +- bool use_kerberos) ++ NTSTATUS nt_status) + { + int i; + +@@ -382,10 +390,7 @@ get_exit_code(struct cli_state * cli, + } + + if (cli) { +- if (use_kerberos) +- fputs("ATTR: auth-info-required=negotiate\n", stderr); +- else +- fputs("ATTR: auth-info-required=username,password\n", stderr); ++ fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required); + } + + /* +@@ -454,6 +459,7 @@ smb_complete_connection(const char *myname, + } + + if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) { ++ auth_info_required = "negotiate"; + use_kerberos = true; + } + +@@ -476,7 +482,7 @@ smb_complete_connection(const char *myname, + if (!NT_STATUS_IS_OK(nt_status)) { + fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status)); + +- if (get_exit_code(cli, nt_status, use_kerberos) == 2) { ++ if (get_exit_code(cli, nt_status) == 2) { + *need_auth = true; + } + +@@ -490,7 +496,7 @@ smb_complete_connection(const char *myname, + fprintf(stderr, "ERROR: Tree connect failed (%s)\n", + nt_errstr(nt_status)); + +- if (get_exit_code(cli, nt_status, use_kerberos) == 2) { ++ if (get_exit_code(cli, nt_status) == 2) { + *need_auth = true; + } + +@@ -679,7 +685,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ + if (!NT_STATUS_IS_OK(nt_status)) { + fprintf(stderr, "ERROR: %s opening remote spool %s\n", + nt_errstr(nt_status), title); +- return get_exit_code(cli, nt_status, false); ++ return get_exit_code(cli, nt_status); + } + + /* +@@ -697,7 +703,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ + status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer, + tbytes, nbytes, NULL); + if (!NT_STATUS_IS_OK(status)) { +- int ret = get_exit_code(cli, status, false); ++ int ret = get_exit_code(cli, status); + fprintf(stderr, "ERROR: Error writing spool: %s\n", + nt_errstr(status)); + fprintf(stderr, "DEBUG: Returning status %d...\n", +@@ -713,7 +719,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ + if (!NT_STATUS_IS_OK(nt_status)) { + fprintf(stderr, "ERROR: %s closing remote spool %s\n", + nt_errstr(nt_status), title); +- return get_exit_code(cli, nt_status, false); ++ return get_exit_code(cli, nt_status); + } else { + return (0); + } +-- +2.20.1 + + +From 6e83c1c9c02889bf9b7d42366ae25cd7b8738810 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 12 Mar 2019 10:09:14 +0100 +Subject: [PATCH 4/5] s3:client: Make sure we work on a copy of the title + +We can't be sure we can write to the input buffer. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832 + +Signed-off-by: Andreas Schneider +Reviewed-by: Bryan Mason +Signed-off-by: Guenther Deschner +(cherry picked from commit 129ae27946318a075e99c9e6d1bacf8963f72282) +--- + source3/client/smbspool.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c +index e94d5b33324..4d78db7f77c 100644 +--- a/source3/client/smbspool.c ++++ b/source3/client/smbspool.c +@@ -66,7 +66,7 @@ static struct cli_state *smb_complete_connection(const char *, const char *, + int, const char *, const char *, const char *, const char *, int, bool *need_auth); + static struct cli_state *smb_connect(const char *, const char *, int, const + char *, const char *, const char *, const char *, bool *need_auth); +-static int smb_print(struct cli_state *, char *, FILE *); ++static int smb_print(struct cli_state *, const char *, FILE *); + static char *uri_unescape_alloc(const char *); + #if 0 + static bool smb_encrypt; +@@ -655,7 +655,7 @@ kerberos_auth: + + static int /* O - 0 = success, non-0 = failure */ + smb_print(struct cli_state * cli, /* I - SMB connection */ +- char *title, /* I - Title/job name */ ++ const char *print_title, /* I - Title/job name */ + FILE * fp) + { /* I - File to print */ + uint16_t fnum; /* File number */ +@@ -663,12 +663,18 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ + tbytes; /* Total bytes read */ + char buffer[8192], /* Buffer for copy */ + *ptr; /* Pointer into title */ ++ char title[1024] = {0}; ++ int len; + NTSTATUS nt_status; + + + /* +- * Sanitize the title... +- */ ++ * Sanitize the title... ++ */ ++ len = snprintf(title, sizeof(title), "%s", print_title); ++ if (len != strlen(print_title)) { ++ return 2; ++ } + + for (ptr = title; *ptr; ptr++) { + if (!isalnum((int) *ptr) && !isspace((int) *ptr)) { +-- +2.20.1 + + +From 5a17e86e0dde91b52afd4a192fd5a635a83b412d Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 12 Mar 2019 11:40:30 +0100 +Subject: [PATCH 5/5] s3:client: Fix smbspool device uri handling + +If we are executed as a CUPS backend, argv[0] is set to the device uri. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832 + +Signed-off-by: Andreas Schneider +Reviewed-by: Bryan Mason +Signed-off-by: Guenther Deschner + +(cherry picked from commit 69d7a496d3bf52eaa10e81132bb61430863fdd8a) +--- + source3/client/smbspool.c | 120 ++++++++++++++++++++++++++++++-------- + 1 file changed, 96 insertions(+), 24 deletions(-) + +diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c +index 4d78db7f77c..8be1009c0a8 100644 +--- a/source3/client/smbspool.c ++++ b/source3/client/smbspool.c +@@ -99,10 +99,12 @@ main(int argc, /* I - Number of command-line arguments */ + char empty_str[] = ""; + int tries = 0; + bool need_auth = true; +- const char *dev_uri; ++ const char *dev_uri = NULL; ++ const char *env = NULL; + const char *config_file = NULL; + TALLOC_CTX *frame = talloc_stackframe(); +- bool device_uri_cmdline = false; ++ const char *print_user = NULL; ++ const char *print_title = NULL; + const char *print_file = NULL; + const char *print_copies = NULL; + int cmp; +@@ -139,21 +141,81 @@ main(int argc, /* I - Number of command-line arguments */ + } + + /* +- * If we have 6 arguments find out if we have the device_uri from the +- * command line or the print data ++ * Find out if we have the device_uri in the command line. ++ * ++ * If we are started as a CUPS backend argv[0] is normally the ++ * device_uri! + */ +- if (argc == 7) { +- cmp = strncmp(argv[1], "smb://", 6); +- if (cmp == 0) { +- device_uri_cmdline = true; ++ if (argc == 8) { ++ /* ++ * smbspool <copies> <options> <file> ++ * 0 1 2 3 4 5 6 7 ++ */ ++ ++ dev_uri = argv[1]; ++ ++ print_user = argv[3]; ++ print_title = argv[4]; ++ print_copies = argv[5]; ++ print_file = argv[7]; ++ } else if (argc == 7) { ++ int cmp1; ++ int cmp2; ++ ++ /* ++ * <uri> <job> <user> <title> <copies> <options> <file> ++ * smbspool <uri> <job> <user> <title> <copies> <options> ++ * smbspool <job> <user> <title> <copies> <options> <file> | DEVICE_URI ++ */ ++ cmp1 = strncmp(argv[0], "smb://", 6); ++ cmp2 = strncmp(argv[1], "smb://", 6); ++ ++ if (cmp1 == 0) { ++ /* ++ * <uri> <job> <user> <title> <copies> <options> <file> ++ * 0 1 2 3 4 5 6 ++ */ ++ dev_uri = argv[0]; ++ ++ print_user = argv[2]; ++ print_title = argv[3]; ++ print_copies = argv[4]; ++ print_file = argv[6]; ++ } else if (cmp2 == 0) { ++ /* ++ * smbspool <uri> <job> <user> <title> <copies> <options> ++ * 0 1 2 3 4 5 6 ++ */ ++ dev_uri = argv[1]; ++ ++ print_user = argv[3]; ++ print_title = argv[4]; ++ print_copies = argv[5]; ++ print_file = NULL; + } else { ++ /* ++ * smbspool <job> <user> <title> <copies> <options> <file> | DEVICE_URI ++ * 0 1 2 3 4 5 6 ++ */ ++ print_user = argv[2]; ++ print_title = argv[3]; + print_copies = argv[4]; + print_file = argv[6]; + } +- } else if (argc == 8) { +- device_uri_cmdline = true; +- print_copies = argv[5]; +- print_file = argv[7]; ++ } else if (argc == 6) { ++ /* ++ * <uri> <job> <user> <title> <copies> <options> ++ * smbspool <job> <user> <title> <copies> <options> | DEVICE_URI ++ * 0 1 2 3 4 5 ++ */ ++ cmp = strncmp(argv[0], "smb://", 6); ++ if (cmp == 0) { ++ dev_uri = argv[0]; ++ } ++ ++ print_user = argv[2]; ++ print_title = argv[3]; ++ print_copies = argv[4]; + } + + if (print_file != NULL) { +@@ -178,18 +240,17 @@ main(int argc, /* I - Number of command-line arguments */ + /* + * Find the URI ... + */ +- if (device_uri_cmdline) { +- dev_uri = argv[1]; +- } else { +- dev_uri = getenv("DEVICE_URI"); +- if (dev_uri == NULL || strlen(dev_uri) == 0) { +- dev_uri = ""; ++ if (dev_uri == NULL) { ++ env = getenv("DEVICE_URI"); ++ if (env != NULL && env[0] != '\0') { ++ dev_uri = env; + } + } + +- auth_info_required = getenv("AUTH_INFO_REQUIRED"); +- if (auth_info_required == NULL) { +- auth_info_required = "none"; ++ if (dev_uri == NULL) { ++ fprintf(stderr, ++ "ERROR: No valid device URI has been specified\n"); ++ goto done; + } + + cmp = strncmp(dev_uri, "smb://", 6); +@@ -205,6 +266,11 @@ main(int argc, /* I - Number of command-line arguments */ + goto done; + } + ++ auth_info_required = getenv("AUTH_INFO_REQUIRED"); ++ if (auth_info_required == NULL) { ++ auth_info_required = "none"; ++ } ++ + /* + * Extract the destination from the URI... + */ +@@ -301,8 +367,14 @@ main(int argc, /* I - Number of command-line arguments */ + load_interfaces(); + + do { +- cli = smb_connect(workgroup, server, port, printer, +- username, password, argv[3], &need_auth); ++ cli = smb_connect(workgroup, ++ server, ++ port, ++ printer, ++ username, ++ password, ++ print_user, ++ &need_auth); + if (cli == NULL) { + if (need_auth) { + exit(2); +@@ -338,7 +410,7 @@ main(int argc, /* I - Number of command-line arguments */ + */ + + for (i = 0; i < copies; i++) { +- status = smb_print(cli, argv[4] /* title */ , fp); ++ status = smb_print(cli, print_title, fp); + if (status != 0) { + break; + } +-- +2.20.1 + diff --git a/samba.spec b/samba.spec index 01c44b0..8b400c5 100644 --- a/samba.spec +++ b/samba.spec @@ -6,7 +6,7 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering -%define main_release 4 +%define main_release 6 %define samba_version 4.8.3 %define talloc_version 2.1.11 @@ -72,6 +72,10 @@ %global with_mitkrb5 0 %global with_dc 1 +#%if 0%{?rhel} +#%global with_dc 0 +#%endif + %if %{with testsuite} %global with_mitkrb5 0 %global with_dc 1 @@ -91,7 +95,7 @@ Name: samba Version: 4.8.3 -Release: 106.dc%{?dist} +Release: 105.dc.beta1%{?dist} %if 0%{?rhel} Epoch: 0 @@ -129,6 +133,9 @@ Patch1: samba-4.8.3-fix_winbind_getpwnam_local_user.patch Patch2: samba-4.8.3-smbclient_quiet_argument.patch Patch3: CVE-2018-1139.patch Patch4: CVE-2018-10858.patch +Patch5: samba-4.8-fix_smbspool_as_cups_backend.patch +Patch6: samba-4.8-fix_cups_smbspool_backend.part1.patch +Patch7: samba-4.8-fix_cups_smbspool_backend.part2.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -2025,8 +2032,6 @@ rm -rf %{buildroot} %{python_sitearch}/samba/ms_display_specifiers.py* %{python_sitearch}/samba/ms_schema.py* %{python_sitearch}/samba/ndr.py* -%{python_sitearch}/samba/colour.py* -%{python_sitearch}/samba/graph.py* %{python_sitearch}/samba/net.so %{python_sitearch}/samba/netbios.so %dir %{python_sitearch}/samba/emulate @@ -2090,7 +2095,6 @@ rm -rf %{buildroot} %{python_sitearch}/samba/dcerpc/dnsserver.so %{python_sitearch}/samba/netcmd/fsmo.py* %{python_sitearch}/samba/netcmd/rodc.py* -%{python_sitearch}/samba/netcmd/visualize.py* %dir %{python_sitearch}/samba/kcc %{python_sitearch}/samba/kcc/__init__.py* @@ -2251,8 +2255,6 @@ rm -rf %{buildroot} %{python_sitearch}/samba/tests/upgradeprovision.py* %{python_sitearch}/samba/tests/upgradeprovisionneeddc.py* %{python_sitearch}/samba/tests/xattr.py* -%{python_sitearch}/samba/tests/krb5_credentials.py* -%{python_sitearch}/samba/tests/password_quality.py* ### TEST %files test @@ -3150,14 +3152,15 @@ rm -rf %{buildroot} %endif # with_clustering_support %changelog -* Mon Apr 08 2019 Daniel Berteaud <daniel@firewall-services.com> 4.8.3-101.dc.beta0 -- Enable JSON logging support (daniel@firewall-services.com) - -* Tue Dec 04 2018 Daniel Berteaud <daniel@firewall-services.com> 4.8.3-100.dc -- Don't include libs which are not built, and include those which are - (daniel@firewall-services.com) -- Rebase on 4.8.3 (daniel@firewall-services.com) -- Switch to GitLfsBuilder (daniel@firewall-services.com) +* Fri Aug 2 2019 Daniel Berteaud <daniel@firewall-services.com> - 4.8.3-106.dc +- Enable DC support +- Enable JSON logging + +* Tue May 28 2019 Andreas Schneider <asn@redhat.com> - 4.8.3-6 +- resolves: #1713637 - Fix smbspool with krb5 as CUPS backend + +* Wed Mar 20 2019 Andreas Schneider <asn@redhat.com> - 4.8.3-5 +- resolves: #1690517 - Fix smbspool as CUPS backend * Thu Aug 09 2018 Andreas Schneider <asn@redhat.com> - 4.8.3-4 - resolves: #1614132 - Fix delete-on-close after smb2_find