From f284a5c10f7c8df63f1303f8aa695ec09f7ea711 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 4 Jan 2019 09:21:24 +0100
Subject: s3:client: Evaluate the AUTH_INFO_REQUIRED variable set by cups

This should not switch to username,password if cups has been configured
to use negotiate (Kerberos authentication).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Bryan Mason <bmason@redhat.com>
Signed-off-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 5274b09fbaa5e45cc58f3301818d4e9f6a402845)
---
 source3/client/smbspool.c | 42 ++++++++++++++++++++++++------------------
 1 file changed, 24 insertions(+), 18 deletions(-)

diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index d6e944d547c..e94d5b33324 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -60,7 +60,7 @@
  * Local functions...
  */
 
-static int      get_exit_code(struct cli_state * cli, NTSTATUS nt_status, bool use_kerberos);
+static int      get_exit_code(struct cli_state * cli, NTSTATUS nt_status);
 static void     list_devices(void);
 static struct cli_state *smb_complete_connection(const char *, const char *,
 	int, const char *, const char *, const char *, const char *, int, bool *need_auth);
@@ -72,6 +72,8 @@ static char    *uri_unescape_alloc(const char *);
 static bool     smb_encrypt;
 #endif
 
+static const char *auth_info_required;
+
 /*
  * 'main()' - Main entry for SMB backend.
  */
@@ -94,7 +96,7 @@ main(int argc,			/* I - Number of command-line arguments */
 	FILE           *fp;	/* File to print */
 	int             status = 1;	/* Status of LPD job */
 	struct cli_state *cli;	/* SMB interface */
-	char            null_str[1];
+	char            empty_str[] = "";
 	int             tries = 0;
 	bool		need_auth = true;
 	const char     *dev_uri;
@@ -106,8 +108,6 @@ main(int argc,			/* I - Number of command-line arguments */
 	int cmp;
 	int len;
 
-	null_str[0] = '\0';
-
 	if (argc == 1) {
 		/*
 	         * NEW!  In CUPS 1.1 the backends are run with no arguments
@@ -187,6 +187,11 @@ main(int argc,			/* I - Number of command-line arguments */
 		}
 	}
 
+	auth_info_required = getenv("AUTH_INFO_REQUIRED");
+	if (auth_info_required == NULL) {
+		auth_info_required = "none";
+	}
+
 	cmp = strncmp(dev_uri, "smb://", 6);
 	if (cmp != 0) {
 		fprintf(stderr,
@@ -220,21 +225,25 @@ main(int argc,			/* I - Number of command-line arguments */
 			*tmp2++ = '\0';
 			password = uri_unescape_alloc(tmp2);
 		} else {
-			password = null_str;
+			password = empty_str;
 		}
 		username = uri_unescape_alloc(tmp);
 	} else {
 		if ((username = getenv("AUTH_USERNAME")) == NULL) {
-			username = null_str;
+			username = empty_str;
 		}
 
 		if ((password = getenv("AUTH_PASSWORD")) == NULL) {
-			password = null_str;
+			password = empty_str;
 		}
 
 		server = uri + 6;
 	}
 
+	if (password != empty_str) {
+		auth_info_required = "username,password";
+	}
+
 	tmp = server;
 
 	if ((sep = strchr_m(tmp, '/')) == NULL) {
@@ -354,8 +363,7 @@ done:
 
 static int
 get_exit_code(struct cli_state * cli,
-	      NTSTATUS nt_status,
-	      bool use_kerberos)
+	      NTSTATUS nt_status)
 {
 	int i;
 
@@ -382,10 +390,7 @@ get_exit_code(struct cli_state * cli,
 		}
 
 		if (cli) {
-			if (use_kerberos)
-				fputs("ATTR: auth-info-required=negotiate\n", stderr);
-			else
-				fputs("ATTR: auth-info-required=username,password\n", stderr);
+			fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
 		}
 
 		/*
@@ -454,6 +459,7 @@ smb_complete_connection(const char *myname,
 	}
 
 	if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
+		auth_info_required = "negotiate";
 		use_kerberos = true;
 	}
 
@@ -476,7 +482,7 @@ smb_complete_connection(const char *myname,
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status));
 
-		if (get_exit_code(cli, nt_status, use_kerberos) == 2) {
+		if (get_exit_code(cli, nt_status) == 2) {
 			*need_auth = true;
 		}
 
@@ -490,7 +496,7 @@ smb_complete_connection(const char *myname,
 		fprintf(stderr, "ERROR: Tree connect failed (%s)\n",
 			nt_errstr(nt_status));
 
-		if (get_exit_code(cli, nt_status, use_kerberos) == 2) {
+		if (get_exit_code(cli, nt_status) == 2) {
 			*need_auth = true;
 		}
 
@@ -679,7 +685,7 @@ smb_print(struct cli_state * cli,	/* I - SMB connection */
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		fprintf(stderr, "ERROR: %s opening remote spool %s\n",
 			nt_errstr(nt_status), title);
-		return get_exit_code(cli, nt_status, false);
+		return get_exit_code(cli, nt_status);
 	}
 
 	/*
@@ -697,7 +703,7 @@ smb_print(struct cli_state * cli,	/* I - SMB connection */
 		status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer,
 				      tbytes, nbytes, NULL);
 		if (!NT_STATUS_IS_OK(status)) {
-			int ret = get_exit_code(cli, status, false);
+			int ret = get_exit_code(cli, status);
 			fprintf(stderr, "ERROR: Error writing spool: %s\n",
 				nt_errstr(status));
 			fprintf(stderr, "DEBUG: Returning status %d...\n",
@@ -713,7 +719,7 @@ smb_print(struct cli_state * cli,	/* I - SMB connection */
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		fprintf(stderr, "ERROR: %s closing remote spool %s\n",
 			nt_errstr(nt_status), title);
-		return get_exit_code(cli, nt_status, false);
+		return get_exit_code(cli, nt_status);
 	} else {
 		return (0);
 	}
-- 
cgit v1.2.1