https://bugzilla.novell.com/show_bug.cgi?id=661845

https://bugzilla.novell.com/show_bug.cgi?id=661845#c0

Summary: yast2-printer: Add support for samba-krb-printing
Classification: openSUSE
Product: openSUSE 11.4
Version: Factory
Platform: All
OS/Version: SuSE Other
Status: NEEDINFO
Severity: Enhancement
Priority: P5 - None
Component: Printing
AssignedTo: jsmeix@novell.com
ReportedBy: jsmeix@novell.com
QAContact: jsmeix@novell.com
CC: lmuelle@novell.com
InfoProvider: samba-maintainers@SuSE.de
Found By: Development
Blocker: ---

I would like to add support for samba-krb-printing to yast2-printer
so that it is easier for the users to set up printing
in a Windows Active Directory (AD) environment.

Printing to a SMB printer share in an AD environment
requires the RPM package samba-krb-printing.

As far as I know it should be sufficient to only install
the samba-krb-printing RPM and then printing via a Device URI

  smb://username:password@workgroup/server[:port]/printer

would also work in an AD environment.

Background information:

Without samba-krb-printing there is the symbolic link

  /usr/lib/cups/backend/smb -> /usr/bin/smbspool

which is created by the RPM post install script in the
samba-client package which provides smbspool.

smbspool is used to pass the printing data to the final recipient,
i.e. to a SMB printer share.

By default CUPS runs backends (here smbspool) as user "lp".

But "lp" is not allowed to use the ticket granting ticket (TGT)
of the user who had submitted the print job and who would be
allowed to print via his tickets in the AD environment.

The RPM post install script in samba-krb-printing changes
the above mentioned link to

  /usr/lib/cups/backend/smb -> /usr/bin/get_printing_ticket

get_printing_ticket is a set uid root wrapper binary to run smbspool
with the original calling UID of the user who submitted the
particular print job.

This way smbspool can access the TGT of the user who had submitted
the print job and use this ticket to pass the printing data
to the SMB printer share even in an AD environment.

Lars,
I have several questions:

1.
Is my understanding of how it works correct?

2.
Is a plain installation of samba-krb-printing sufficient?

3.
Are all kinds of DeviceURIs which are listed in "man smbspool"
-----------------------------------------------------------------
smb://server[:port]/printer
smb://workgroup/server[:port]/printer
smb://username:password@server[:port]/printer
smb://username:password@workgroup/server[:port]/printer
-----------------------------------------------------------------
also valid in an AD environment or are there restrictions?
In particular:
Is "username:password" required in an AD environment
(is it perhaps needed to get a TGT?) or is it useless
or even forbidden (e.g. because of security reasons)
in an AD environment?

4.
Does get_printing_ticket run smbspool with the UID of the user
who submitted each individual print job (i.e. different UIDs
when different users submit print jobs to the same print queue)
or does get_printing_ticket perhaps use the fixed "username"
if it is specified in the DeviceURI?

5.
How could one test if printing in an AD environment works?
Currently yast2-printer runs /usr/lib/YaST2/bin/test_remote_smb
as "root" which basically runs this test command
(where $HOST $SHARE $PASSWORD $USER $WORKGROUP are the values
from the DeviceURI):
-----------------------------------------------------------------------
echo -en "\r" \
| /usr/bin/smbclient "//$HOST/$SHARE" "$PASSWORD" \
  -c "print -" -U "$USER" -W "$WORKGROUP"
-----------------------------------------------------------------------
I assume this no longer works in an AD environment
when the user "root" is not allowed to print there.
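
A check for which of the two link states described in the report is in place, written as an added example that is not part of the original report, of yast2-printer or of the samba packages. The function name and the state names it prints are made up for this illustration, and it assumes a `readlink` that supports `-f` (GNU coreutils).

```shell
#!/bin/sh
# Classify what the CUPS "smb" backend link points to.
# Usage: smb_backend_state [path-to-backend-link]
# The default path is the one named in the report; the state
# names printed below are hypothetical labels for this example.
smb_backend_state() {
    link=${1:-/usr/lib/cups/backend/smb}

    # Neither a file nor a link: the backend is not installed.
    if [ ! -e "$link" ] && [ ! -L "$link" ]; then
        echo "missing"; return 1
    fi
    # Both packages are described as creating a symbolic link,
    # so a regular file here is unexpected.
    if [ ! -L "$link" ]; then
        echo "not-a-symlink"; return 1
    fi
    # Resolve the whole chain so nested links are followed.
    target=$(readlink -f "$link") || { echo "dangling"; return 1; }
    [ -e "$target" ] || { echo "dangling"; return 1; }

    case $(basename "$target") in
        smbspool)
            # Plain samba-client setup: CUPS runs smbspool as "lp".
            echo "smbspool" ;;
        get_printing_ticket)
            # samba-krb-printing setup: without the setuid bit the
            # wrapper cannot switch to the submitting user's UID.
            if [ -u "$target" ]; then
                echo "krb-wrapper"
            else
                echo "krb-wrapper-no-setuid"; return 1
            fi ;;
        *)
            # Any other target in the backend directory deserves a look.
            echo "unexpected:$target"; return 1 ;;
    esac
}
```

Calling `smb_backend_state` with no argument inspects the default link; a non-zero return marks every state other than the two working setups.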