2 Unix SMB/CIFS implementation.
3 SMB backend for the Common UNIX Printing System ("CUPS")
5 Copyright (C) Michael R Sweet 1999
6 Copyright (C) Andrew Tridgell 1994-1998
7 Copyright (C) Andrew Bartlett 2002
8 Copyright (C) Rodrigo Fernandez-Vizarra 2005
9 Copyright (C) James Peach 2008
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "system/filesys.h"
27 #include "system/passwd.h"
28 #include "system/kerberos.h"
29 #include "libsmb/libsmb.h"
30 #include "lib/param/param.h"
33 * Starting with CUPS 1.3, Kerberos support is provided by cupsd including
34 * the forwarding of user credentials via the authenticated session between
35 * user and server and the KRB5CCNAME environment variable which will point
36 * to a temporary file or an in-memory representation depending on the version
37 * of Kerberos you use. As a result, all of the ticket code that used to
38 * live here has been removed, and we depend on the user session (if you
39 * run smbspool by hand) or cupsd to provide the necessary Kerberos info.
41 * Also, the AUTH_USERNAME and AUTH_PASSWORD environment variables provide
42 * for per-job authentication for non-Kerberized printing. We use those
43 * if there is no username and password specified in the device URI.
45 * Finally, if we have an authentication failure we return exit code 2
46 * which tells CUPS to hold the job for authentication and bug the user
47 * to get the necessary credentials.
50 #define MAX_RETRY_CONNECT 3
63 static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status, bool use_kerberos);
64 static void list_devices(void);
65 static struct cli_state *smb_complete_connection(const char *, const char *,
66 int, const char *, const char *, const char *, const char *, int, bool *need_auth);
67 static struct cli_state *smb_connect(const char *, const char *, int, const
68 char *, const char *, const char *, const char *, bool *need_auth);
69 static int smb_print(struct cli_state *, char *, FILE *);
70 static char *uri_unescape_alloc(const char *);
72 static bool smb_encrypt;
76 * 'main()' - Main entry for SMB backend.
79 int /* O - Exit status */
80 main(int argc, /* I - Number of command-line arguments */
82 { /* I - Command-line arguments */
83 int i; /* Looping var */
84 int copies; /* Number of copies */
85 int port; /* Port number */
86 char uri[1024], /* URI */
87 *sep, /* Pointer to separator */
88 *tmp, *tmp2, /* Temp pointers to do escaping */
89 *password; /* Password */
90 char *username, /* Username */
91 *server, /* Server name */
92 *printer;/* Printer name */
93 const char *workgroup; /* Workgroup */
94 FILE *fp; /* File to print */
95 int status = 1; /* Status of LPD job */
96 struct cli_state *cli; /* SMB interface */
97 char empty_str[] = "";
99 bool need_auth = true;
101 const char *config_file = NULL;
102 TALLOC_CTX *frame = talloc_stackframe();
108 * NEW! In CUPS 1.1 the backends are run with no arguments
109 * to list the available devices. These can be devices
110 * served by this backend or any other backends (i.e. you
111 * can have an SNMP backend that is only used to enumerate
112 * the available network printers... :)
120 if (argc < 7 || argc > 8) {
122 "Usage: %s [DEVICE_URI] job-id user title copies options [file]\n"
123 " The DEVICE_URI environment variable can also contain the\n"
124 " destination printer:\n"
126 " smb://[username:password@][workgroup/]server[:port]/printer\n",
132 * If we have 7 arguments, print the file named on the command-line.
133 * Otherwise, print data from stdin...
138 * Print from Copy stdin to a temporary file...
143 } else if ((fp = fopen(argv[7], "rb")) == NULL) {
144 perror("ERROR: Unable to open print file");
150 copies = strtol(p, &endp, 10);
152 perror("ERROR: Unable to determine number of copies");
160 dev_uri = getenv("DEVICE_URI");
161 if (dev_uri == NULL || strlen(dev_uri) == 0) {
165 cmp = strncmp(dev_uri, "smb://", 6);
168 "ERROR: No valid device URI has been specified\n");
171 len = snprintf(uri, sizeof(uri), "%s", dev_uri);
172 if (len >= sizeof(uri)) {
174 "ERROR: The URI is too long.\n");
179 * Extract the destination from the URI...
182 if ((sep = strrchr_m(uri, '@')) != NULL) {
186 /* username is in tmp */
191 * Extract password as needed...
194 if ((tmp2 = strchr_m(tmp, ':')) != NULL) {
196 password = uri_unescape_alloc(tmp2);
198 password = empty_str;
200 username = uri_unescape_alloc(tmp);
202 if ((username = getenv("AUTH_USERNAME")) == NULL) {
203 username = empty_str;
206 if ((password = getenv("AUTH_PASSWORD")) == NULL) {
207 password = empty_str;
215 if ((sep = strchr_m(tmp, '/')) == NULL) {
216 fputs("ERROR: Bad URI - need printer name!\n", stderr);
223 if ((sep = strchr_m(tmp2, '/')) != NULL) {
225 * Convert to smb://[username:password@]workgroup/server/printer...
230 workgroup = uri_unescape_alloc(tmp);
231 server = uri_unescape_alloc(tmp2);
232 printer = uri_unescape_alloc(sep);
235 server = uri_unescape_alloc(tmp);
236 printer = uri_unescape_alloc(tmp2);
239 if ((sep = strrchr_m(server, ':')) != NULL) {
248 * Setup the SAMBA server state...
251 setup_logging("smbspool", DEBUG_STDERR);
255 config_file = lp_default_path();
256 if (!lp_load_client(config_file)) {
258 "ERROR: Can't load %s - run testparm to debug it\n",
263 if (workgroup == NULL) {
264 workgroup = lp_workgroup();
270 cli = smb_connect(workgroup, server, port, printer,
271 username, password, argv[3], &need_auth);
275 } else if (getenv("CLASS") == NULL) {
276 fprintf(stderr, "ERROR: Unable to connect to CIFS host, will retry in 60 seconds...\n");
280 fprintf(stderr, "ERROR: Unable to connect to CIFS host, trying next printer...\n");
284 } while ((cli == NULL) && (tries < MAX_RETRY_CONNECT));
287 fprintf(stderr, "ERROR: Unable to connect to CIFS host after (tried %d times)\n", tries);
292 * Now that we are connected to the server, ignore SIGTERM so that we
293 * can finish out any page data the driver sends (e.g. to eject the
294 * current page... Only ignore SIGTERM if we are printing data from
295 * stdin (otherwise you can't cancel raw jobs...)
299 CatchSignal(SIGTERM, SIG_IGN);
306 for (i = 0; i < copies; i++) {
307 status = smb_print(cli, argv[4] /* title */ , fp);
316 * Return the queue status...
327 * 'get_exit_code()' - Get the backend exit code based on the current error.
331 get_exit_code(struct cli_state * cli,
337 /* List of NTSTATUS errors that are considered
338 * authentication errors
340 static const NTSTATUS auth_errors[] =
342 NT_STATUS_ACCESS_DENIED, NT_STATUS_ACCESS_VIOLATION,
343 NT_STATUS_SHARING_VIOLATION, NT_STATUS_PRIVILEGE_NOT_HELD,
344 NT_STATUS_INVALID_ACCOUNT_NAME, NT_STATUS_NO_SUCH_USER,
345 NT_STATUS_WRONG_PASSWORD, NT_STATUS_LOGON_FAILURE,
346 NT_STATUS_ACCOUNT_RESTRICTION, NT_STATUS_INVALID_LOGON_HOURS,
347 NT_STATUS_PASSWORD_EXPIRED, NT_STATUS_ACCOUNT_DISABLED
351 fprintf(stderr, "DEBUG: get_exit_code(cli=%p, nt_status=%s [%x])\n",
352 cli, nt_errstr(nt_status), NT_STATUS_V(nt_status));
354 for (i = 0; i < ARRAY_SIZE(auth_errors); i++) {
355 if (!NT_STATUS_EQUAL(nt_status, auth_errors[i])) {
361 fputs("ATTR: auth-info-required=negotiate\n", stderr);
363 fputs("ATTR: auth-info-required=username,password\n", stderr);
367 * 2 = authentication required...
383 * 'list_devices()' - List the available printers seen on the network...
390 * Eventually, search the local workgroup for available hosts and printers.
393 puts("network smb \"Unknown\" \"Windows Printer via SAMBA\"");
397 static struct cli_state *
398 smb_complete_connection(const char *myname,
401 const char *username,
402 const char *password,
403 const char *workgroup,
408 struct cli_state *cli; /* New connection */
410 struct cli_credentials *creds = NULL;
411 bool use_kerberos = false;
413 /* Start the SMB connection */
415 nt_status = cli_start_connection(&cli, myname, server, NULL, port,
416 SMB_SIGNING_DEFAULT, flags);
417 if (!NT_STATUS_IS_OK(nt_status)) {
418 fprintf(stderr, "ERROR: Connection failed: %s\n", nt_errstr(nt_status));
423 * We pretty much guarantee password must be valid or a pointer to a
431 if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
435 creds = cli_session_creds_init(cli,
441 false, /* fallback_after_kerberos */
442 false, /* use_ccache */
443 false); /* password_is_nt_hash */
445 fprintf(stderr, "ERROR: cli_session_creds_init failed\n");
450 nt_status = cli_session_setup_creds(cli, creds);
451 if (!NT_STATUS_IS_OK(nt_status)) {
452 fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status));
454 if (get_exit_code(cli, nt_status, use_kerberos) == 2) {
463 nt_status = cli_tree_connect_creds(cli, share, "?????", creds);
464 if (!NT_STATUS_IS_OK(nt_status)) {
465 fprintf(stderr, "ERROR: Tree connect failed (%s)\n",
466 nt_errstr(nt_status));
468 if (get_exit_code(cli, nt_status, use_kerberos) == 2) {
477 /* Need to work out how to specify this on the URL. */
479 if (!cli_cm_force_encryption_creds(cli, creds, share)) {
480 fprintf(stderr, "ERROR: encryption setup failed\n");
490 static bool kerberos_ccache_is_valid(void) {
492 const char *ccache_name = NULL;
493 krb5_ccache ccache = NULL;
494 krb5_error_code code;
496 code = krb5_init_context(&ctx);
501 ccache_name = krb5_cc_default_name(ctx);
502 if (ccache_name == NULL) {
506 code = krb5_cc_resolve(ctx, ccache_name, &ccache);
508 krb5_free_context(ctx);
511 krb5_principal default_princ = NULL;
513 code = krb5_cc_get_principal(ctx,
517 krb5_cc_close(ctx, ccache);
518 krb5_free_context(ctx);
521 krb5_free_principal(ctx, default_princ);
523 krb5_cc_close(ctx, ccache);
524 krb5_free_context(ctx);
530 * 'smb_connect()' - Return a connection to a server.
533 static struct cli_state * /* O - SMB connection */
534 smb_connect(const char *workgroup, /* I - Workgroup */
535 const char *server, /* I - Server */
536 const int port, /* I - Port */
537 const char *share, /* I - Printer */
538 const char *username, /* I - Username */
539 const char *password, /* I - Password */
540 const char *jobusername, /* I - User who issued the print job */
542 { /* O - Need authentication? */
543 struct cli_state *cli; /* New connection */
544 char *myname = NULL; /* Client name */
548 * Get the names and addresses of the client and server...
550 myname = get_myname(talloc_tos());
556 * See if we have a username first. This is for backwards compatible
557 * behavior with 3.0.14a
560 if (username != NULL && username[0] != '\0') {
561 if (kerberos_ccache_is_valid()) {
566 cli = smb_complete_connection(myname,
576 fputs("DEBUG: Connected with username/password...\n", stderr);
582 * Try to use the user kerberos credentials (if any) to authenticate
584 cli = smb_complete_connection(myname, server, port, jobusername, "",
586 CLI_FULL_CONNECTION_USE_KERBEROS, need_auth);
589 fputs("DEBUG: Connected using Kerberos...\n", stderr);
593 /* give a chance for a passwordless NTLMSSP session setup */
594 pwd = getpwuid(geteuid());
599 cli = smb_complete_connection(myname, server, port, pwd->pw_name, "",
600 workgroup, share, 0, need_auth);
603 fputs("DEBUG: Connected with NTLMSSP...\n", stderr);
608 * last try. Use anonymous authentication
611 cli = smb_complete_connection(myname, server, port, "", "",
612 workgroup, share, 0, need_auth);
614 * Return the new connection...
622 * 'smb_print()' - Queue a job for printing using the SMB protocol.
625 static int /* O - 0 = success, non-0 = failure */
626 smb_print(struct cli_state * cli, /* I - SMB connection */
627 char *title, /* I - Title/job name */
629 { /* I - File to print */
630 uint16_t fnum; /* File number */
631 int nbytes, /* Number of bytes read */
632 tbytes; /* Total bytes read */
633 char buffer[8192], /* Buffer for copy */
634 *ptr; /* Pointer into title */
639 * Sanitize the title...
642 for (ptr = title; *ptr; ptr++) {
643 if (!isalnum((int) *ptr) && !isspace((int) *ptr)) {
649 * Open the printer device...
652 nt_status = cli_open(cli, title, O_RDWR | O_CREAT | O_TRUNC, DENY_NONE,
654 if (!NT_STATUS_IS_OK(nt_status)) {
655 fprintf(stderr, "ERROR: %s opening remote spool %s\n",
656 nt_errstr(nt_status), title);
657 return get_exit_code(cli, nt_status, false);
661 * Copy the file to the printer...
669 while ((nbytes = fread(buffer, 1, sizeof(buffer), fp)) > 0) {
672 status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer,
673 tbytes, nbytes, NULL);
674 if (!NT_STATUS_IS_OK(status)) {
675 int ret = get_exit_code(cli, status, false);
676 fprintf(stderr, "ERROR: Error writing spool: %s\n",
678 fprintf(stderr, "DEBUG: Returning status %d...\n",
680 cli_close(cli, fnum);
687 nt_status = cli_close(cli, fnum);
688 if (!NT_STATUS_IS_OK(nt_status)) {
689 fprintf(stderr, "ERROR: %s closing remote spool %s\n",
690 nt_errstr(nt_status), title);
691 return get_exit_code(cli, nt_status, false);
698 uri_unescape_alloc(const char *uritok)
702 ret = (char *) SMB_STRDUP(uritok);
707 end = rfc1738_unescape(ret);
git.samba.org / samba.git / blob