smbspool-auth-updates [plain text]
<rdar://problem/5819241> Fix smbspool issues with Authentication
From Mike S:
In smbspool where we weren't checking for authentication in all
places. Fixes the authentication checks and properly supports
Kerberos authentication when available
Index: samba/source/client/smbspool.c
===================================================================
--- samba/source/client/smbspool.c.orig
+++ samba/source/client/smbspool.c
@@ -55,6 +55,7 @@ extern BOOL in_client; /* Boolean for c
* Local functions...
*/
+static int get_exit_code(struct cli_state *cli, NTSTATUS nt_status);
static void list_devices(void);
static struct cli_state *smb_complete_connection(const char *, const char *,int , const char *, const char *, const char *, const char *, int, int *need_auth);
static struct cli_state *smb_connect(const char *, const char *, int, const char *, const char *, const char *, const char *, int *need_auth);
@@ -262,10 +263,7 @@ static char * uri_unescape_alloc(const
if ((cli = smb_connect(workgroup, server, port, printer, username, password, argv[2], &need_auth)) == NULL)
{
if (need_auth)
- {
- fputs("ATTR: auth-info-required=username,password\n", stderr);
exit(2);
- }
else if (getenv("CLASS") == NULL)
{
fprintf(stderr, "ERROR: Unable to connect to CIFS host, will retry in 60 seconds...\n");
@@ -315,6 +313,55 @@ static char * uri_unescape_alloc(const
/*
+ * 'get_exit_code()' - Get the backend exit code based on the current error.
+ */
+
+static int
+get_exit_code(struct cli_state *cli,
+ NTSTATUS nt_status)
+{
+ int i;
+ static const NTSTATUS auth_errors[] =
+ { /* List of NTSTATUS errors that are considered authentication errors */
+ NT_STATUS_ACCESS_DENIED, NT_STATUS_ACCESS_VIOLATION,
+ NT_STATUS_SHARING_VIOLATION, NT_STATUS_PRIVILEGE_NOT_HELD,
+ NT_STATUS_INVALID_ACCOUNT_NAME, NT_STATUS_NO_SUCH_USER,
+ NT_STATUS_WRONG_PASSWORD, NT_STATUS_LOGON_FAILURE,
+ NT_STATUS_ACCOUNT_RESTRICTION, NT_STATUS_INVALID_LOGON_HOURS,
+ NT_STATUS_PASSWORD_EXPIRED, NT_STATUS_ACCOUNT_DISABLED
+ };
+
+
+ fprintf(stderr, "DEBUG: get_exit_code(cli=%p, nt_status=%x)\n",
+ cli, NT_STATUS_V(nt_status));
+
+ for (i = 0; i < (int)(sizeof(auth_errors) / sizeof(auth_errors[0])); i ++)
+ if (NT_STATUS_V(nt_status) == NT_STATUS_V(auth_errors[i]))
+ {
+ if (cli)
+ {
+ if (cli->use_kerberos || (cli->capabilities & CAP_EXTENDED_SECURITY))
+ fputs("ATTR: auth-info-required=negotiate\n", stderr);
+ else
+ fputs("ATTR: auth-info-required=username,password\n", stderr);
+ }
+
+ /*
+ * 2 = authentication required...
+ */
+
+ return (2);
+ }
+
+ /*
+ * 1 = fail
+ */
+
+ return (1);
+}
+
+
+/*
* 'list_devices()' - List the available printers seen on the network...
*/
@@ -342,16 +389,6 @@ static struct cli_state
{
struct cli_state *cli; /* New connection */
NTSTATUS nt_status;
- int i;
- static const NTSTATUS auth_errors[] =
- { /* List of NTSTATUS errors that are considered authentication errors */
- NT_STATUS_ACCESS_DENIED, NT_STATUS_ACCESS_VIOLATION,
- NT_STATUS_SHARING_VIOLATION, NT_STATUS_PRIVILEGE_NOT_HELD,
- NT_STATUS_INVALID_ACCOUNT_NAME, NT_STATUS_NO_SUCH_USER,
- NT_STATUS_WRONG_PASSWORD, NT_STATUS_LOGON_FAILURE,
- NT_STATUS_ACCOUNT_RESTRICTION, NT_STATUS_INVALID_LOGON_HOURS,
- NT_STATUS_PASSWORD_EXPIRED, NT_STATUS_ACCOUNT_DISABLED
- };
/* Start the SMB connection */
*need_auth = 0;
@@ -363,7 +400,7 @@ static struct cli_state
return NULL;
}
- /* We pretty much guarentee password must be valid or a pointer
+ /* We pretty much guarantee password must be valid or a pointer
to a 0 char. */
if (!password) {
*need_auth = 1;
@@ -378,12 +415,8 @@ static struct cli_state
{
fprintf(stderr,"ERROR: Session setup failed: %s\n", nt_errstr(nt_status));
- for (i = 0; i < (int)(sizeof(auth_errors) / sizeof(auth_errors[0])); i ++)
- if (NT_STATUS_V(nt_status) == NT_STATUS_V(auth_errors[i]))
- {
+ if (get_exit_code(cli, nt_status) == 2)
*need_auth = 1;
- break;
- }
cli_shutdown(cli);
@@ -393,14 +426,9 @@ static struct cli_state
if (!cli_send_tconX(cli, share, "?????", password, strlen(password)+1))
{
fprintf(stderr, "ERROR: Tree connect failed (%s)\n", cli_errstr(cli));
- nt_status = cli_nt_error(cli);
- for (i = 0; i < (int)(sizeof(auth_errors) / sizeof(auth_errors[0])); i ++)
- if (NT_STATUS_V(nt_status) == NT_STATUS_V(auth_errors[i]))
- {
+ if (get_exit_code(cli, cli_nt_error(cli)) == 2)
*need_auth = 1;
- break;
- }
cli_shutdown(cli);
@@ -442,7 +470,10 @@ smb_connect(const char *workgroup, /* I
cli = smb_complete_connection(myname, server, port, username,
password, workgroup, share, 0, need_auth);
if (cli)
- return cli;
+ {
+ fputs("DEBUG: Connected with username/password...\n", stderr);
+ return (cli);
+ }
}
/*
@@ -452,10 +483,13 @@ smb_connect(const char *workgroup, /* I
workgroup, share,
CLI_FULL_CONNECTION_USE_KERBEROS, need_auth);
- if (cli ) { return cli; }
+ if (cli)
+ {
+ fputs("DEBUG: Connected using Kerberos...\n", stderr);
+ return (cli);
+ }
/* give a chance for a passwordless NTLMSSP session setup */
-
pwd = getpwuid(geteuid());
if (pwd == NULL) {
return NULL;
@@ -464,7 +498,11 @@ smb_connect(const char *workgroup, /* I
cli = smb_complete_connection(myname, server, port, pwd->pw_name, "",
workgroup, share, 0, need_auth);
- if (cli) { return cli; }
+ if (cli)
+ {
+ fputs("DEBUG: Connected with NTLMSSP...\n", stderr);
+ return (cli);
+ }
/*
* last try. Use anonymous authentication
@@ -512,7 +550,7 @@ smb_print(struct cli_state *cli, /* I -
{
fprintf(stderr, "ERROR: %s opening remote spool %s\n",
cli_errstr(cli), title);
- return (1);
+ return (get_exit_code(cli, cli_nt_error(cli)));
}
/*
@@ -528,8 +566,13 @@ smb_print(struct cli_state *cli, /* I -
{
if (cli_write(cli, fnum, 0, buffer, tbytes, nbytes) != nbytes)
{
+ int status = get_exit_code(cli, cli_nt_error(cli));
+
fprintf(stderr, "ERROR: Error writing spool: %s\n", cli_errstr(cli));
- break;
+ fprintf(stderr, "DEBUG: Returning status %d...\n", status);
+ cli_close(cli, fnum);
+
+ return (status);
}
tbytes += nbytes;
@@ -539,7 +582,7 @@ smb_print(struct cli_state *cli, /* I -
{
fprintf(stderr, "ERROR: %s closing remote spool %s\n",
cli_errstr(cli), title);
- return (1);
+ return (get_exit_code(cli, cli_nt_error(cli)));
}
else
return (0);