CUPS can hold for authentication jobs on printers without auth-info-required attribute

[EliaGeretto]

In my specific instance, this happens when an SMB printer that requires authentication does not have the auth-info-required attribute. When trying to print with it, the backend (smbspool) will exit with CUPS_BACKEND_AUTH_REQUIRED, leading to the following snippet of code, which holds the job for authentication:

cups/scheduler/job.c

Lines 3458 to 3474 in 3a1a81d

	case CUPS_BACKEND_AUTH_REQUIRED :
	/*
	* Hold the job for authentication...
	*/
	if (job_state == IPP_JOB_COMPLETED)
	{
	cupsdSetJobHoldUntil(job, "auth-info-required", 1);
	job_state = IPP_JOB_HELD;
	message = "Job held for authentication.";
	if (strncmp(job->reasons->values[0].string.text, "account-", 8))
	ippSetString(job->attrs, &job->reasons, 0,
	"cups-held-for-authentication");
	}
	break;

Since the printer does not have an auth-info-required attribute specified, though, the UIs in gnome-control-center andsystem-config-printer (but I suspect other interfaces as well) break, because they cannot provide an authentication prompt given that CUPS replies that no authentication is needed. The job can, at that point, only be cancelled manually despite the "Job held for authentication" message.

Given that receiving a CUPS_BACKEND_AUTH_REQUIRED exit code from the backend while having no auth-info-required on the printer is a clear sign of misconfiguration, I suspect that, in this situation, an error should be either printed in the logs or shown to the user. At the moment, no clear indication of a misconfiguration seems to be present.

[michaelrsweet]

@EliaGeretto So this sounds like a Samba bug - the backend should be sending the appropriate message to stderr when authentication is needed:

ATTR: auth-info-required=username,password
ATTR: auth-info-required=negotiate

In the meantime you can use the lpadmin command to tell GNOME what kind of authentication is required:

lpadmin -p PRINTER -o auth-info-required=username,password  (for username + password)
lpadmin -p PRINTER -o auth-info-required=negotiate          (for Kerberos)

[EliaGeretto]

So, just to clarify, you are supposed to be able to add a printer without specifying if it needs authentication and then the backend is responsible to tell CUPS what authentication info is needed? If that is the case, then I should report the bug to samba, indeed.

As for the workaround, I edited manually /etc/cups/printers.conf and added the appropriate AuthInfoRequired line there, I guess it is the same as doing it with lpadmin.

[EliaGeretto]

I have just tried to execute smbspool manually. This behavior is buggy, right?

$ AUTH_INFO_REQUIRED=none smbspool <printer-url> test test 1 1 /tmp/test.txt
ERROR: Session setup failed: NT_STATUS_ACCESS_DENIED
DEBUG: get_exit_code(nt_status=NT_STATUS_ACCESS_DENIED [c0000022])
ATTR: auth-info-required=none
DEBUG: Unable to connect to CIFS host: NT_STATUS_ACCESS_DENIED

The return code is 2, so CUPS_BACKEND_AUTH_REQUIRED. Despite this, the auth-info-required value returned is the one that was passed in, instead of username,password.

[michaelrsweet]

@EliaGeretto Yes, it is a Samba bug.

[EliaGeretto]

I gave another look at the logs and what is shown in the snippet above is indeed the problem. Since no auth-info-required is specified when adding the printer, CUPS will invoke smbspool with AUTH_INFO_REQUIRED=none. smbspool exits with the correct code, CUPS_BACKEND_AUTH_REQUIRED, but echoes back the auth-info-required attribute that was passed in instead of specifying which authentication information is required. I will report this to samba then, let me know if I made a mistake in my summary.

Regarding this issue, I still think it would be nice to check if a backend returning CUPS_BACKEND_AUTH_REQUIRED actually specifies which information is required for authentication. A nice error log reporting a possible bug in the backend would have made this easier to debug. In addition, maybe marking the job as failed in such a situation could be a better than holding it indefinitely. At this point, though, this is more of a feature request than a bug report. Let me know what you think.

[EliaGeretto]

I have reported the samba bug. See: https://bugzilla.samba.org/show_bug.cgi?id=15057

[michaelrsweet]

@EliaGeretto Another option is to force username,password if auth-info-required is none...

[michaelrsweet]

[master f4e8437] Set default auth-info-required='username,password' if a backend doesn't set an authentication method (Issue #373)

[EliaGeretto]

If you think this is a sane default, then sure, that definitely works in my setup. I just wonder what could happen if, for example, auth-info-required was supposed to be negotiate, or domain was also supposed to be on the list. Anyway, I will try to get this fixed in samba as well 👍 Thank you 👍

[michaelrsweet]

@EliaGeretto In those cases, the fix I made wouldn't be any worse - the default (none) would be replaced by username,password if the backend doesn't set one. But if you need Kerberos (negotiate) you just need to use lpadmin to change the default (lpadmin -p PRINTER -o auth-info-required=negotiate)

[EliaGeretto]

Fair, it's true that setting it to username,password by default when there is a bug in the backend will at least make it work in some cases. Still, when some other kind of authentication is required, users will now be shown a username and password authentication dialog that is unrelated to what they need. I don't know, I would have probably gone with logging an error as well, but you have definitely more experience here and this fixes my problem 👍