2 Unix SMB/CIFS implementation.
3 SMB backend for the Common UNIX Printing System ("CUPS")
5 Copyright (C) Michael R Sweet 1999
6 Copyright (C) Andrew Tridgell 1994-1998
7 Copyright (C) Andrew Bartlett 2002
8 Copyright (C) Rodrigo Fernandez-Vizarra 2005
9 Copyright (C) James Peach 2008
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "system/filesys.h"
27 #include "system/passwd.h"
28 #include "system/kerberos.h"
29 #include "libsmb/libsmb.h"
30 #include "lib/param/param.h"
31 #include "lib/krb5_wrap/krb5_samba.h"
34 * Starting with CUPS 1.3, Kerberos support is provided by cupsd including
35 * the forwarding of user credentials via the authenticated session between
36 * user and server and the KRB5CCNAME environment variable which will point
37 * to a temporary file or an in-memory representation depending on the version
38 * of Kerberos you use. As a result, all of the ticket code that used to
39 * live here has been removed, and we depend on the user session (if you
40 * run smbspool by hand) or cupsd to provide the necessary Kerberos info.
42 * Also, the AUTH_USERNAME and AUTH_PASSWORD environment variables provide
43 * for per-job authentication for non-Kerberized printing. We use those
44 * if there is no username and password specified in the device URI.
46 * Finally, if we have an authentication failure we return exit code 2
47 * which tells CUPS to hold the job for authentication and bug the user
48 * to get the necessary credentials.
51 #define MAX_RETRY_CONNECT 3
64 static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status, bool use_kerberos);
65 static void list_devices(void);
66 static struct cli_state *smb_complete_connection(const char *, const char *,
67 int, const char *, const char *, const char *, const char *, int, bool *need_auth);
68 static struct cli_state *smb_connect(const char *, const char *, int, const
69 char *, const char *, const char *, const char *, bool *need_auth);
70 static int smb_print(struct cli_state *, char *, FILE *);
71 static char *uri_unescape_alloc(const char *);
73 static bool smb_encrypt;
77 * 'main()' - Main entry for SMB backend.
80 int /* O - Exit status */
81 main(int argc, /* I - Number of command-line arguments */
83 { /* I - Command-line arguments */
84 int i; /* Looping var */
85 int copies; /* Number of copies */
86 int port; /* Port number */
87 char uri[1024], /* URI */
88 *sep, /* Pointer to separator */
89 *tmp, *tmp2, /* Temp pointers to do escaping */
90 *password; /* Password */
91 char *username, /* Username */
92 *server, /* Server name */
93 *printer;/* Printer name */
94 const char *workgroup; /* Workgroup */
95 FILE *fp; /* File to print */
96 int status = 1; /* Status of LPD job */
97 struct cli_state *cli; /* SMB interface */
98 char empty_str[] = "";
100 bool need_auth = true;
102 const char *config_file = NULL;
103 TALLOC_CTX *frame = talloc_stackframe();
104 bool device_uri_cmdline = false;
105 const char *print_file = NULL;
106 const char *print_copies = NULL;
112 * NEW! In CUPS 1.1 the backends are run with no arguments
113 * to list the available devices. These can be devices
114 * served by this backend or any other backends (i.e. you
115 * can have an SNMP backend that is only used to enumerate
116 * the available network printers... :)
125 * We need at least 5 options if the DEVICE_URI is passed via an env
126 * variable and printing data comes via stdin.
127 * We don't accept more than 7 options in total, including optional.
129 if (argc < 5 || argc > 8) {
131 "Usage: %s [DEVICE_URI] job-id user title copies options [file]\n"
132 " The DEVICE_URI environment variable can also contain the\n"
133 " destination printer:\n"
135 " smb://[username:password@][workgroup/]server[:port]/printer\n",
141 * If we have 6 arguments find out if we have the device_uri from the
142 * command line or the print data
145 cmp = strncmp(argv[1], "smb://", 6);
147 device_uri_cmdline = true;
149 print_copies = argv[4];
150 print_file = argv[6];
152 } else if (argc == 8) {
153 device_uri_cmdline = true;
154 print_copies = argv[5];
155 print_file = argv[7];
158 if (print_file != NULL) {
161 fp = fopen(print_file, "rb");
163 perror("ERROR: Unable to open print file");
167 copies = strtol(print_copies, &endp, 10);
168 if (print_copies == endp) {
169 perror("ERROR: Unable to determine number of copies");
180 if (device_uri_cmdline) {
183 dev_uri = getenv("DEVICE_URI");
184 if (dev_uri == NULL || strlen(dev_uri) == 0) {
189 cmp = strncmp(dev_uri, "smb://", 6);
192 "ERROR: No valid device URI has been specified\n");
195 len = snprintf(uri, sizeof(uri), "%s", dev_uri);
196 if (len >= sizeof(uri)) {
198 "ERROR: The URI is too long.\n");
203 * Extract the destination from the URI...
206 if ((sep = strrchr_m(uri, '@')) != NULL) {
210 /* username is in tmp */
215 * Extract password as needed...
218 if ((tmp2 = strchr_m(tmp, ':')) != NULL) {
220 password = uri_unescape_alloc(tmp2);
222 password = empty_str;
224 username = uri_unescape_alloc(tmp);
226 if ((username = getenv("AUTH_USERNAME")) == NULL) {
227 username = empty_str;
230 if ((password = getenv("AUTH_PASSWORD")) == NULL) {
231 password = empty_str;
239 if ((sep = strchr_m(tmp, '/')) == NULL) {
240 fputs("ERROR: Bad URI - need printer name!\n", stderr);
247 if ((sep = strchr_m(tmp2, '/')) != NULL) {
249 * Convert to smb://[username:password@]workgroup/server/printer...
254 workgroup = uri_unescape_alloc(tmp);
255 server = uri_unescape_alloc(tmp2);
256 printer = uri_unescape_alloc(sep);
259 server = uri_unescape_alloc(tmp);
260 printer = uri_unescape_alloc(tmp2);
263 if ((sep = strrchr_m(server, ':')) != NULL) {
272 * Setup the SAMBA server state...
275 setup_logging("smbspool", DEBUG_STDERR);
279 config_file = lp_default_path();
280 if (!lp_load_client(config_file)) {
282 "ERROR: Can't load %s - run testparm to debug it\n",
287 if (workgroup == NULL) {
288 workgroup = lp_workgroup();
294 cli = smb_connect(workgroup, server, port, printer,
295 username, password, argv[3], &need_auth);
299 } else if (getenv("CLASS") == NULL) {
300 fprintf(stderr, "ERROR: Unable to connect to CIFS host, will retry in 60 seconds...\n");
304 fprintf(stderr, "ERROR: Unable to connect to CIFS host, trying next printer...\n");
308 } while ((cli == NULL) && (tries < MAX_RETRY_CONNECT));
311 fprintf(stderr, "ERROR: Unable to connect to CIFS host after (tried %d times)\n", tries);
316 * Now that we are connected to the server, ignore SIGTERM so that we
317 * can finish out any page data the driver sends (e.g. to eject the
318 * current page... Only ignore SIGTERM if we are printing data from
319 * stdin (otherwise you can't cancel raw jobs...)
323 CatchSignal(SIGTERM, SIG_IGN);
330 for (i = 0; i < copies; i++) {
331 status = smb_print(cli, argv[4] /* title */ , fp);
340 * Return the queue status...
351 * 'get_exit_code()' - Get the backend exit code based on the current error.
355 get_exit_code(struct cli_state * cli,
361 /* List of NTSTATUS errors that are considered
362 * authentication errors
364 static const NTSTATUS auth_errors[] =
366 NT_STATUS_ACCESS_DENIED, NT_STATUS_ACCESS_VIOLATION,
367 NT_STATUS_SHARING_VIOLATION, NT_STATUS_PRIVILEGE_NOT_HELD,
368 NT_STATUS_INVALID_ACCOUNT_NAME, NT_STATUS_NO_SUCH_USER,
369 NT_STATUS_WRONG_PASSWORD, NT_STATUS_LOGON_FAILURE,
370 NT_STATUS_ACCOUNT_RESTRICTION, NT_STATUS_INVALID_LOGON_HOURS,
371 NT_STATUS_PASSWORD_EXPIRED, NT_STATUS_ACCOUNT_DISABLED
375 fprintf(stderr, "DEBUG: get_exit_code(cli=%p, nt_status=%s [%x])\n",
376 cli, nt_errstr(nt_status), NT_STATUS_V(nt_status));
378 for (i = 0; i < ARRAY_SIZE(auth_errors); i++) {
379 if (!NT_STATUS_EQUAL(nt_status, auth_errors[i])) {
385 fputs("ATTR: auth-info-required=negotiate\n", stderr);
387 fputs("ATTR: auth-info-required=username,password\n", stderr);
391 * 2 = authentication required...
407 * 'list_devices()' - List the available printers seen on the network...
414 * Eventually, search the local workgroup for available hosts and printers.
417 puts("network smb \"Unknown\" \"Windows Printer via SAMBA\"");
421 static struct cli_state *
422 smb_complete_connection(const char *myname,
425 const char *username,
426 const char *password,
427 const char *workgroup,
432 struct cli_state *cli; /* New connection */
434 struct cli_credentials *creds = NULL;
435 bool use_kerberos = false;
437 /* Start the SMB connection */
439 nt_status = cli_start_connection(&cli, myname, server, NULL, port,
440 SMB_SIGNING_DEFAULT, flags);
441 if (!NT_STATUS_IS_OK(nt_status)) {
442 fprintf(stderr, "ERROR: Connection failed: %s\n", nt_errstr(nt_status));
447 * We pretty much guarantee password must be valid or a pointer to a
455 if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
459 creds = cli_session_creds_init(cli,
465 false, /* fallback_after_kerberos */
466 false, /* use_ccache */
467 false); /* password_is_nt_hash */
469 fprintf(stderr, "ERROR: cli_session_creds_init failed\n");
474 nt_status = cli_session_setup_creds(cli, creds);
475 if (!NT_STATUS_IS_OK(nt_status)) {
476 fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status));
478 if (get_exit_code(cli, nt_status, use_kerberos) == 2) {
487 nt_status = cli_tree_connect_creds(cli, share, "?????", creds);
488 if (!NT_STATUS_IS_OK(nt_status)) {
489 fprintf(stderr, "ERROR: Tree connect failed (%s)\n",
490 nt_errstr(nt_status));
492 if (get_exit_code(cli, nt_status, use_kerberos) == 2) {
501 /* Need to work out how to specify this on the URL. */
503 if (!cli_cm_force_encryption_creds(cli, creds, share)) {
504 fprintf(stderr, "ERROR: encryption setup failed\n");
514 static bool kerberos_ccache_is_valid(void) {
516 const char *ccache_name = NULL;
517 krb5_ccache ccache = NULL;
518 krb5_error_code code;
520 code = smb_krb5_init_context_common(&ctx);
522 DBG_ERR("kerberos init context failed (%s)\n",
523 error_message(code));
527 ccache_name = krb5_cc_default_name(ctx);
528 if (ccache_name == NULL) {
529 krb5_free_context(ctx);
533 code = krb5_cc_resolve(ctx, ccache_name, &ccache);
535 krb5_free_context(ctx);
538 krb5_principal default_princ = NULL;
540 code = krb5_cc_get_principal(ctx,
544 krb5_cc_close(ctx, ccache);
545 krb5_free_context(ctx);
548 krb5_free_principal(ctx, default_princ);
550 krb5_cc_close(ctx, ccache);
551 krb5_free_context(ctx);
557 * 'smb_connect()' - Return a connection to a server.
560 static struct cli_state * /* O - SMB connection */
561 smb_connect(const char *workgroup, /* I - Workgroup */
562 const char *server, /* I - Server */
563 const int port, /* I - Port */
564 const char *share, /* I - Printer */
565 const char *username, /* I - Username */
566 const char *password, /* I - Password */
567 const char *jobusername, /* I - User who issued the print job */
569 { /* O - Need authentication? */
570 struct cli_state *cli; /* New connection */
571 char *myname = NULL; /* Client name */
575 * Get the names and addresses of the client and server...
577 myname = get_myname(talloc_tos());
583 * See if we have a username first. This is for backwards compatible
584 * behavior with 3.0.14a
587 if (username != NULL && username[0] != '\0') {
588 if (kerberos_ccache_is_valid()) {
593 cli = smb_complete_connection(myname,
603 fputs("DEBUG: Connected with username/password...\n", stderr);
609 * Try to use the user kerberos credentials (if any) to authenticate
611 cli = smb_complete_connection(myname, server, port, jobusername, "",
613 CLI_FULL_CONNECTION_USE_KERBEROS, need_auth);
616 fputs("DEBUG: Connected using Kerberos...\n", stderr);
620 /* give a chance for a passwordless NTLMSSP session setup */
621 pwd = getpwuid(geteuid());
626 cli = smb_complete_connection(myname, server, port, pwd->pw_name, "",
627 workgroup, share, 0, need_auth);
630 fputs("DEBUG: Connected with NTLMSSP...\n", stderr);
635 * last try. Use anonymous authentication
638 cli = smb_complete_connection(myname, server, port, "", "",
639 workgroup, share, 0, need_auth);
641 * Return the new connection...
649 * 'smb_print()' - Queue a job for printing using the SMB protocol.
652 static int /* O - 0 = success, non-0 = failure */
653 smb_print(struct cli_state * cli, /* I - SMB connection */
654 char *title, /* I - Title/job name */
656 { /* I - File to print */
657 uint16_t fnum; /* File number */
658 int nbytes, /* Number of bytes read */
659 tbytes; /* Total bytes read */
660 char buffer[8192], /* Buffer for copy */
661 *ptr; /* Pointer into title */
666 * Sanitize the title...
669 for (ptr = title; *ptr; ptr++) {
670 if (!isalnum((int) *ptr) && !isspace((int) *ptr)) {
676 * Open the printer device...
679 nt_status = cli_open(cli, title, O_RDWR | O_CREAT | O_TRUNC, DENY_NONE,
681 if (!NT_STATUS_IS_OK(nt_status)) {
682 fprintf(stderr, "ERROR: %s opening remote spool %s\n",
683 nt_errstr(nt_status), title);
684 return get_exit_code(cli, nt_status, false);
688 * Copy the file to the printer...
696 while ((nbytes = fread(buffer, 1, sizeof(buffer), fp)) > 0) {
699 status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer,
700 tbytes, nbytes, NULL);
701 if (!NT_STATUS_IS_OK(status)) {
702 int ret = get_exit_code(cli, status, false);
703 fprintf(stderr, "ERROR: Error writing spool: %s\n",
705 fprintf(stderr, "DEBUG: Returning status %d...\n",
707 cli_close(cli, fnum);
714 nt_status = cli_close(cli, fnum);
715 if (!NT_STATUS_IS_OK(nt_status)) {
716 fprintf(stderr, "ERROR: %s closing remote spool %s\n",
717 nt_errstr(nt_status), title);
718 return get_exit_code(cli, nt_status, false);
725 uri_unescape_alloc(const char *uritok)
729 ret = (char *) SMB_STRDUP(uritok);
734 end = rfc1738_unescape(ret);
git.samba.org / metze / samba / wip.git / blob