After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 669008 - Kerberos authentication popup
Kerberos authentication popup
Status: RESOLVED FIXED
Product: gtk+
Classification: Platform
Component: Printing
2.2.x
Other Linux
: Normal normal
: ---
Assigned To: gtk-bugs
gtk-bugs
Depends on:
Blocks:
 
 
Reported: 2012-01-30 10:37 UTC by Markus Bach
Modified: 2015-03-09 13:22 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Screenshot of popup (11.92 KB, image/png)
2012-01-30 10:37 UTC, Markus Bach
  Details
Default policy (927 bytes, text/plain)
2012-01-31 10:07 UTC, Markus Bach
  Details
Patch to prevent the password request popup (1.76 KB, patch)
2015-02-05 11:01 UTC, Andre Heinecke
none Details | Review
Patch to prevent the password request popup - V2 (2.12 KB, patch)
2015-02-27 19:23 UTC, Andre Heinecke
none Details | Review
Patch to prevent the password request popup - V3 (2.05 KB, patch)
2015-03-09 09:54 UTC, Andre Heinecke
committed Details | Review

Description Markus Bach 2012-01-30 10:37:36 UTC
Created attachment 206405 [details]
Screenshot of popup

Hi,

We have are using Debian Squeeze and a kerberized cups server which also allows printing without a kerberos ticket from specific IPs. When somone trys to print with a gtk-Application (e.g. gimp, gedit...) he gets a popup with the message "Authentication is required to print document 'example.png' on printer 'printer1'".
When ok is clicked, the print job and the authentication is sent to the server.
I'm not sure if this is a bug or a feature, but it's annoying to always click ok when you want to print.
Comment 1 Markus Bach 2012-01-31 10:07:26 UTC
Created attachment 206503 [details]
Default policy

Here is the important part of our cupsd.conf
Comment 2 Markus Bach 2012-02-13 10:25:56 UTC
The problem seems to be Satisfy Any.

If I change the policy to only Allow,Deny or only Kerberos it works.
Comment 3 Andre Heinecke 2015-02-05 11:01:24 UTC
Created attachment 296185 [details] [review]
Patch to prevent the password request popup

Hi,

This popup is caused by the auth_info handling that is used to authenticate jobs where credentials are needed. But the auth_info handling currently only handles username, password and domain. For kerberos authentication this is set to negotiate and the request password dialog is called with an empty list for auth_info_required.

The cups library handles attaching the kerberos ticket to the print job transparently so there is no need for special auth info handling in GTK in that case.

Attached patch fixes this by disabling the GTK auth info handling in case negotiate is the only required auth info field.
Comment 4 Marek Kašík 2015-02-20 15:55:31 UTC
Hi,

I can not reproduce the problem. The dialog doesn't show up and the job finishes successfully. What version of Gtk+ and CUPS do you have on your client and what CUPS is running on the print server?

Regards

Marek
Comment 5 Andre Heinecke 2015-02-20 16:03:40 UTC
I've tested this with serveral gtk 2/3 versions. 

E.g.:
Cups 1.7.2-0ubuntu1 Gtk 3.10.8-0ubuntu1

But I think you are probably missing the AuthInfoRequired directly at the printer:

<Printer samsung_auth>
....
AuthInfoRequired negotiate
....
</Printer>

For this bug to occur the printer itself has to be configured for kerberos authentication.

Just changing the DefaultAuthType to negotiate for example is not enough.
Comment 6 Marek Kašík 2015-02-27 16:32:06 UTC
Review of attachment 296185 [details] [review]:

Thank you for the patch and mentioning the "AuthInfoRequired negotiate". I had some other problems with configuration of the Kerberos-CUPS combination so I'm responding now.

The patch fixes the specific problem described by this bug but I think that it needs some work yet. See corresponding comment.

::: modules/printbackends/cups/gtkprintbackendcups.c
@@ +733,3 @@
+  if (cups_printer->auth_info_required &&
+      g_strv_length (cups_printer->auth_info_required) == 1 &&
+      g_strcmp0 (cups_printer->auth_info_required[0], "negotiate") == 0)

You should set "request->need_auth_info = FALSE" also for the case when "cups_printer->auth_info_required" is NULL or when its only member is "none".
It would be good to set the "request->auth_info_required" to NULL instead of the g_strdupv() if the need_auth_info is FALSE.
Comment 7 Andre Heinecke 2015-02-27 19:23:05 UTC
Created attachment 298127 [details] [review]
Patch to prevent the password request popup - V2

Thanks for reviewing. I also spent way more time on this bug trying to get a test setup then on the actual fix ;-)

(In reply to Marek Kašík from comment #6)
> Review of attachment 296185 [details] [review] [review]:
> The patch fixes the specific problem described by this bug but I think that
> it needs some work yet. See corresponding comment.
> 
> ::: modules/printbackends/cups/gtkprintbackendcups.c
> @@ +733,3 @@
> +  if (cups_printer->auth_info_required &&
> +      g_strv_length (cups_printer->auth_info_required) == 1 &&
> +      g_strcmp0 (cups_printer->auth_info_required[0], "negotiate") == 0)
> 
> You should set "request->need_auth_info = FALSE" also for the case when
> "cups_printer->auth_info_required" is NULL

I checked the pointer here. Made this an explicit check for != NULL now.
auth_info_required[0] != NULL is checked with the g_strv_length check.

> or when its only member is "none".

Good catch! I had not thought of that.

> It would be good to set the "request->auth_info_required" to NULL instead of
> the g_strdupv() if the need_auth_info is FALSE.

Changed this accordingly. Previously I just left it the way I found it ;-)

There was also a logic error in the first patch. I did not check if auth_info_required was actually not NULL before setting need_auth_info to true in the else part. This is fixed now.
Comment 8 Matthias Clasen 2015-03-06 02:47:26 UTC
Marek, should we include this patch for 3.16 ?
Comment 9 Marek Kašík 2015-03-06 10:44:21 UTC
Review of attachment 298127 [details] [review]:

Hi Andre,

thank you for the modifications you've done. I have just few trivial requests.
I'll push the patch once you incorporate them there.

::: modules/printbackends/cups/gtkprintbackendcups.c
@@ +735,3 @@
+
+  /* Check if auth_info_required is set and if it should be handled.
+   * For "negotiate" the cups libraries handle the ticket exchange. */

Could you place the 'For "negotiate"' part to the end of the sentence?

@@ +739,3 @@
+      g_strv_length (cups_printer->auth_info_required) == 1 &&
+      (g_strcmp0 (cups_printer->auth_info_required[0], "negotiate") == 0 ||
+       g_strcmp0 (cups_printer->auth_info_required[0], "none") == 0))

I was wrong. We already check for "none" in cups_printer_handle_attribute(), so there is no need for checking it here again.

@@ +742,3 @@
+    {
+      GTK_NOTE (PRINTING,
+                g_print ("CUPS Backend: Ignoring auth_info_required \"%s\"\n",

You can say auth-info-required here.
Comment 10 Marek Kašík 2015-03-06 10:46:01 UTC
(In reply to Matthias Clasen from comment #8)
> Marek, should we include this patch for 3.16 ?

Yes, I would like to get it into 3.16.
Comment 11 Andre Heinecke 2015-03-09 09:54:13 UTC
Created attachment 298857 [details] [review]
Patch to prevent the password request popup - V3

Hi,

Updated patch with the suggested changes.

Thanks,
Andre
Comment 12 Marek Kašík 2015-03-09 13:22:37 UTC
Review of attachment 298857 [details] [review]:

Hi Andre,

thank you very much for the patch. I've pushed it to master branch.

Regards

Marek