snprintf(device_uri, sizeof(device_uri), "%s", env);
}
- /* Check if AuthInfoRequired is set to negotiate */
+ /* We must handle the following values of AUTH_INFO_REQUIRED:
+ * none: Anonymous/guest printing
+ * username,password: A username (of the form "username" or "DOMAIN\username")
+ * and password are required
+ * negotiate: Kerberos authentication
+ * NULL (not set): will never happen when called from cupsd
+ * https://www.cups.org/doc/spec-ipp.html#auth-info-required
+ * https://github.com/apple/cups/issues/5674
+ */
env = getenv("AUTH_INFO_REQUIRED");
/* If not set, then just call smbspool. */
if (env == NULL || env[0] == 0) {
CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
- "execute smbspool");
+ "executing smbspool");
+ /* Pass this printing task to smbspool without Kerberos auth */
goto smbspool;
} else {
CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED=%s", env);
+ /* First test the value of AUTH_INFO_REQUIRED
+ * against known possible values
+ */
cmp = strcmp(env, "none");
if (cmp == 0) {
CUPS_SMB_DEBUG("Authenticate using none (anonymous) - "
- "execute smbspool");
+ "executing smbspool");
goto smbspool;
}
cmp = strcmp(env, "username,password");
if (cmp == 0) {
CUPS_SMB_DEBUG("Authenticate using username/password - "
- "execute smbspool");
+ "executing smbspool");
goto smbspool;
}
+ /* Now, if 'goto smbspool' still has not happened,
+ * there are only two variants left:
+ * 1) AUTH_INFO_REQUIRED is "negotiate" and then
+ * we have to continue working
+ * 2) or it is something not known to us, then Kerberos
+ * authentication is not required, so just also pass
+ * this task to smbspool
+ */
cmp = strcmp(env, "negotiate");
if (cmp != 0) {
- CUPS_SMB_ERROR("Authentication unsupported");
- fprintf(stderr, "ATTR: auth-info-required=negotiate\n");
- return CUPS_BACKEND_AUTH_REQUIRED;
+ CUPS_SMB_DEBUG("Value of AUTH_INFO_REQUIRED is not known "
+ "to smbspool_krb5_wrapper, executing smbspool");
+ goto smbspool;
}
snprintf(auth_info_required,
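Review bot: The final `strcmp(env, "negotiate")` branch now fails open: any value that is not an exact, case-sensitive match (a typo or trailing whitespace in the queue's AuthInfoRequired, for instance) is handed to smbspool without Kerberos, where the removed code returned CUPS_BACKEND_AUTH_REQUIRED. The fallback is reported only through CUPS_SMB_DEBUG, so a queue that was meant to use Kerberos but is misconfigured would presumably go unnoticed unless debug logging is enabled. Consider reporting this branch at a level that is visible by default and naming the value, e.g. `CUPS_SMB_ERROR("Unknown AUTH_INFO_REQUIRED=%s - executing smbspool without Kerberos", env);` (assuming CUPS_SMB_ERROR accepts a format string the way CUPS_SMB_DEBUG does). The new block comment could also say that this downgrade is intentional and which credentials smbspool is expected to use in that case. The enclosing function starts and ends outside the hunk.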
return 0
}
+test_smbspool_authinforequired_unknown()
+{
+ cmd='$samba_smbspool_krb5 smb://$SERVER_IP/print4 200 $USERNAME "Testprint" 1 "options" $SRCDIR/testdata/printing/example.ps 2>&1'
+
+ # smbspool_krb5_wrapper must ignore AUTH_INFO_REQUIRED unknown to him and pass the task to smbspool
+ # smbspool must fail with NT_STATUS_ACCESS_DENIED (22)
+ # "jjf4wgmsbc0" is just a random string
+ AUTH_INFO_REQUIRED="jjf4wgmsbc0"
+ export AUTH_INFO_REQUIRED
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+ unset AUTH_INFO_REQUIRED
+
+ case "$ret" in
+ 2 ) return 0 ;;
+ * )
+ echo "ret=$ret"
+ echo "$out"
+ echo "failed to test $smbspool_krb5 against unknown value of AUTH_INFO_REQUIRED"
+ return 1
+ ;;
+ esac
+}
+
#
# The test enviornment uses 'vlp' (virtual lp) as the printing backend.
#
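Review bot: The `2 ) return 0 ;;` arm in test_smbspool_authinforequired_unknown cannot distinguish the new behaviour from the old one if CUPS_BACKEND_AUTH_REQUIRED is 2 (as in CUPS' backend.h), because the removed wrapper branch returned that same code for an unknown value. Since `$cmd` already captures stderr with `2>&1`, the test should also check `$out` for evidence that smbspool actually ran, for example `echo "$out" | grep -q "NT_STATUS_ACCESS_DENIED" || return 1` before accepting the exit status; the exact string smbspool prints is not visible here and should be confirmed. The comment above the export names status 22 while the case matches 2, so a line such as `# exit status 2 is the CUPS backend code expected from smbspool on access denied; 22 refers to the NT status` would remove the ambiguity, if that reading is correct.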
test_smbspool_authinforequired_none || \
failed=$(expr $failed + 1)
+testit "smbspool_krb5_wrapper AuthInfoRequired=(sth unknown)" \
+ test_smbspool_authinforequired_unknown || \
+ failed=$(expr $failed + 1)
+
testit "smbspool print example.ps" \
$samba_smbspool smb://$USERNAME:$PASSWORD@$SERVER_IP/print1 200 $USERNAME "Testprint" 1 "options" $SRCDIR/testdata/printing/example.ps || \
failed=$(expr $failed + 1)