FS#62521 - [samba] Network printer does not authenticates

Attached to Project: Arch Linux
Opened by dmiranda (dmiranda) - Wednesday, 01 May 2019, 19:24 GMT
Last edited by Tobias Powalowski (tpowa) - Monday, 28 March 2022, 07:32 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Tobias Powalowski (tpowa)
Jelle van der Waa (jelly)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 11
Private No

Details

I upgraded the cups package to the last version. Printing looks good in the first seconds and it seems as if the dox are sent over the network. Then a dialog window pops up reading "Authentication required for printing document "..."." The dialog contains a field "negotiate" and a checkbox "Remember password". It doesn't matter what I enter into the "negotiate" text box, none seems right, neither the local user's or root's passwd, nor the passwd of the account creds' passwd I'm supplied with. The only option that makes the dialog vanish is Cancel. A look into the printer queue then shows an entry reading "Tree connect failed (NT_STATUS_ACCESS_DENIED)".

A look into /etc/cups/printer.conf tells me that "AuthInfoRequired none" has changed to "AuthInfoRequired negotiate". When I stop cups and the change that entry back to "none", start cups, the same happens again: The dialog pops up and the entry in /etc/cups/printers.conf has been overwritten and reads "AuthInfoRequired negotiate" again.

Steps to reproduce:

-Add samba printer that requires authentication.
-Print a document

Upstream bug report: https://github.com/apple/cups/issues/5573
This task depends upon

Closed by  Tobias Powalowski (tpowa)
Monday, 28 March 2022, 07:32 GMT
Reason for closing:  Upstream
Comment by dmiranda (dmiranda) - Thursday, 02 May 2019, 01:37 GMT
It seems to be a problem in the integration of samba and kerberos.
Seens that it's necessary to build Samba with MIT Kerberos Support
From the release notes for the 4.10 release at https://www.samba.org/samba/history/samba-4.10.0.html, there is an interesting snippet included.
Comment by Morits S (moritzschaefer) - Monday, 13 May 2019, 09:29 GMT
Discussion in Arch Linux forum: https://bbs.archlinux.org/viewtopic.php?id=245658
Comment by loqs (loqs) - Tuesday, 14 May 2019, 19:28 GMT
Please test by building the packages in the following order
talloc with extra-x86_64-build
tdb with extra-x86_64-build
tevent with extra-x86_64-build -- -I ../talloc/talloc-2.1.16-1-x86_64.pkg.tar.xz
ldb with extra-x86_64-build -- -I ../tdb/tdb-1.3.18-2-x86_64.pkg.tar.xz -I ../talloc/talloc-2.1.16-1-x86_64.pkg.tar.xz -I ../tevent/tevent-1\:0.9.39-2-x86_64.pkg.tar.xz
samba-git with extra-x86_64-build -- -I ../tdb/tdb-1.3.18-2-x86_64.pkg.tar.xz -I ../talloc/talloc-2.1.16-1-x86_64.pkg.tar.xz -I ../tevent/tevent-1\:0.9.39-2-x86_64.pkg.tar.xz -I ../ldb/ldb-1\:1.4.6-1-x86_64.pkg.tar.xz
This is the last commit that can be built with ldb 1.4.6 before switching to ldb 1.5.4
(application/x-gzip)    talloc-2.1.16-1.src.tar.gz (1.5 KiB)
(application/x-gzip)    tdb-1.3.18-2.src.tar.gz (1.2 KiB)
(application/x-gzip)    tevent-1:0.9.39-2.src.tar.gz (1.1 KiB)
(application/x-gzip)    ldb-1:1.4.6-1.src.tar.gz (1.2 KiB)
(application/x-gzip)    samba-git-4.9.0rc1.r347.gb6b7... (4.4 KiB)
Comment by Danny Schneider (schnedan) - Saturday, 29 June 2019, 06:46 GMT
Why this issue is still "unconfirmed", as many people report the same problem, and why the priority is still low? I currently need to block samba and the associated packages in pacman, as any update to > 4.9.5 is breaking my system.? And as far as I understand a changed build setting would resolve the issue!
Comment by Simon (Giggi) - Friday, 15 November 2019, 07:28 GMT
In the PKGBUILD of samba I've added the options "--with-system-mitkrb5 --with-experimental-mit-ad-dc " in the configure, and it works!
Pls. fix this problem (The solution is very simple).


./configure --enable-fhs \
--prefix=/usr \
--sysconfdir=/etc \
--sbindir=/usr/bin \
--libdir=/usr/lib \
--libexecdir=/usr/lib/samba \
--localstatedir=/var \
--with-configdir=/etc/samba \
--with-lockdir=/var/cache/samba \
--with-sockets-dir=/run/samba \
--with-piddir=/run \
--with-ads \
--with-ldap \
--with-winbind \
--with-acl-support \
--with-systemd \
--systemd-install-services \
--enable-gnutls \
--with-pam \
--with-pammodulesdir=/usr/lib/security \
--bundled-libraries=!tdb,!talloc,!pytalloc-util,!tevent,!popt,!ldb,!pyldb-util \
--with-shared-modules=${_samba4_idmap_modules},${_samba4_pdb_modules},${_samba4_auth_modules} \
--disable-rpath-install \
--with-system-mitkrb5 --with-experimental-mit-ad-dc
Comment by Danny Schneider (schnedan) - Friday, 15 November 2019, 16:39 GMT
Great news, thats what I have expected: easy, just build flags and dependecies...
So the next binary build automaticly has it active, right?
Comment by Simon (Giggi) - Sunday, 17 November 2019, 20:16 GMT
I hope that a developer watch this bug.
Comment by Danny Schneider (schnedan) - Friday, 17 January 2020, 18:10 GMT
Just want to confirm: manual build of samba with the right build flags solves the problem... it's not a cups issue, it's samba causing the problem
Comment by telsch (telsch) - Monday, 10 February 2020, 21:58 GMT


Just compiled latest samba without "--with-system-mitkrb5 --with-experimental-mit-ad-dc" . Could print from an arch client after authentication with a valid samba user. Didn't have AuthInfoRequired set in /etc/cups/printers.conf.

pacman -Q talloc tdb tevent ldb samba libwbclient smbclient
talloc 2.3.1-1
tdb 1.4.3-1
tevent 1:0.10.2-1
ldb 1:2.0.8-1
samba 4.11.6-1
libwbclient 4.11.6-1
smbclient 4.11.6-1

Comment by telsch (telsch) - Wednesday, 25 March 2020, 15:03 GMT
Can anybody else confirm that printing works with latest samba 4.11.7 without adding experimental MIT Kerberos feature?
I add patches to compile. tdb can be installed from testing repo.


I wouldn't like to see experimental and insecure feature enabled:

https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC#Experimental_Feature
MIT Kerberos. Since the time of the release a number of issues, including security issues, have been found by real-world use.
   samba.patch (2.3 KiB)
   ldb.patch (0.9 KiB)
   tevent.patch (0.6 KiB)
Comment by Danny Schneider (schnedan) - Thursday, 26 March 2020, 07:42 GMT
Hi,
updated all my Computers,
to what is in the normal repositories 4.10.10-2
yes now printing works again (by magic?),
so it seems the problem is solved somehow...

I try to boot Windows later and test if printing from Windows to Linux now also works again.

Just a comment to: "I wouldn't like to see experimental and insecure feature enabled:"
Yes, agree, but it was enabled before and The absolute top rule is: DO NOT break userspace. No discussion about it. People use this stuff to earn a living. Not working is not an option.
Comment by telsch (telsch) - Thursday, 26 March 2020, 10:14 GMT
It's only in testing enabled. So i see no problem to revert it:
https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/samba&id=b5ffb98d77dad1dd2454d01a836096b803ef5e17
Comment by Olav Seyfarth (nursoda) - Friday, 03 April 2020, 17:29 GMT
My Kyocera FS-C2126 MFP isn't able to drop files of scanned documents to the samba share on my arch server any more since I updated samba from 4.10.10-2 to 4.11.3-3 on 2020-03-28. This is due to the change of default from CORE to SMB2. Apparently many older MFP do not get firmware updates implementing SMB2, so I have to switch to either FTP (trying to avoid that) or E-Mail (testing now).

While I understand the need to strengthen security, in the context of a LAN-only setup (allow /24 except router), this breaks things that cannot be fixed. I agree that Kyocera (and others) is to blame, but that renders my MFP Scanner useless until FTP is set up. Not sure with BIG files via E-Mail, apart from that it's just the wrong service for file handling.

Unfortunately, neither "server min protocol = CORE" nor "client min protocol = CORE" do fix that for me – any idea why?

I also get "NT_STATUS_INVALID_PARAMETER_MIX" when trying to force max protocol on smbclient ("-m NT1" or "-m CORE", to debug and find a suitable parameter combination – any idea why?

Anyway, I now switched to Scan2Mail and uninstalled Samba completely so I can no longer test.
Comment by Tobias Powalowski (tpowa) - Monday, 28 March 2022, 07:32 GMT
SMB1 is not supported anymore by samba.

Loading...