Search code examples
pythonwindowslinuxauthenticationsamba

Python Samba: user credentials not passed (cli_init_creds)?

I am currently having a problem accessing Windows print shares (at work, so I don't reall have access to their settings) in Ubuntu, so I eventually got down to poking around the source of Gnome's 'system-config-printer' which is written in Python, and uses the Python smbc bindings for Samba.

 

I have basically managed to get down my problem to this piece of code, which comes from /usr/share/system-config-printer/pysmb.py, and which I run in the python command line shell:

import smbc, os 
def do_auth (svr, shr, wg, un, pw):
  return ("myworkdomain.com", "MYWORKUSERNAME", "MYWORKPASSWORD")

ctx = smbc.Context (debug=10, auth_fn=do_auth)
f = ctx.open ("smb://%s/%s" % ("printserver.myworkdomain.com", "PRINTSHARENAME"), os.O_RDWR, 0777)

 

The first (sort of) a problem is that upon the execution of the ctx = smbc.Context... line, Python always complains:

params.c:OpenConfFile() - Unable to open configuration file "/home/MYUSERNAME/.smb/smb.conf":
    No such file or directory

... but maybe that is not really a problem? (maybe smbc is supposed to recreate this file anew?).

 

The big problem is, of course, that I cannot connect to the share: after executing the f = ctx.open... line, there is a big dump of Samba communication, Windows server seems to be talking etc - and the connection effort finishes with failure: 

SPNEGO login failed: Logon failure
cli_init_creds: user  domain myworkdomain.com
 session setup ok
map_errno_from_nt_status: 32 bit codes: code=c0000022
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
smbc.PermissionError: (13, 'Permission denied')

Basically, I know too little about Samba to be able to read the rest of the error log, but I find the line: 

cli_init_creds: user  domain myworkdomain.com

... very suspicious - it looks as if the 'user' there is an empty string - even though I'd expect it to be 'MYWORKUSERNAME', as specified by the 'do_auth' function above!!

Note that this failure is somewhat similar to the NT_STATUS_LOGON_FAILURE that I used to get with the cmdline smbclient (see Obtaining Windows printer share SMB settings (for tsclient/rdesktop on Linux) - Super User), which was solved by explicity specifying a Windows workgroup on the command line - however, I cannot tell if that is also the problem here in the Python case; or if instead, the username is not passed here (or something completely third). EDIT: this working command line (which lists shares) is (in respect to this example): 

smbclient -L \\printserver.myworkdomain.com -U MYWORKUSERNAME -W myworkdomain.com

 

Thanks in advance for any suggestions,
Cheers!

Solution

  • Ok, well, I think I finally got it, thanks to comments in Bug #848065 “system-config-printer cannot authenticate Windows Samba printer, while smbclient can (cli_init_creds)” - and reviewing newprinter.py (from system-config-printer)...

    But first of all, a little overview:

    • My local username on my Ubuntu machine: MYUSERNAME
    • Main address (domain) of the work network: myworkdomain.com
    • My account name on the work network: MYWORKUSERNAME
    • My work account is a member of workgroup MYWORKGROUP, which also has a subdomain myworkgroup.myworkdomain.com
    • The print server on the work network is at printserver.myworkdomain.com
    • The printer name (share) on the print server at work I want to access is PRINTSHARENAME

     

    Well, it turns out that a single line in the test.py script above is wrong - instead of:

    return ("myworkdomain.com", "MYWORKUSERNAME", "MYWORKPASSWORD")

    ... one should have had:

    return ("MYWORKGROUP", "MYWORKUSERNAME", "MYWORKPASSWORD")

    ... (with MYWORKGROUP in allcaps, as typical for Windows)

     

    Interestingly, using the workgroup subdomain does not work:

    return ("myworkgroup.myworkdomain.com", "MYWORKUSERNAME", "MYWORKPASSWORD")

    ... as it will also fail with 'smbc.PermissionError: (13, 'Permission denied')' (just like the original post example).

     

    One way to troubleshoot the "permission denied" error is to check the log - it shows something like this: 

        DomainNameLen            : 0x000c (12)
    DomainNameMaxLen         : 0x000c (12)
    DomainName               : *
        DomainName               : 'myworkdomain.com'
    UserNameLen              : 0x0004 (4)
    UserNameMaxLen           : 0x0004 (4)
    UserName                 : *
        UserName                 : 'MYWORKUSERNAME'
    WorkstationLen           : 0x0012 (18)
    WorkstationMaxLen        : 0x0012 (18)
    Workstation              : *
        Workstation              : 'MYPC'

    ... apparently, the DomainName should be: 

            DomainName               : 'MYWORKGROUP'

     

    For reference, here is a snippet of the log from the "working" setup (with return ("MYWORKGROUP" ...): 

    ...
cli_init_creds: user MYWORKUSERNAME domain MYWORKGROUP
 session setup ok
 tconx ok
...
Could not retrieve case sensitivity flag: NT_STATUS_INVALID_DEVICE_REQUEST.
Server connect ok: //printserver.myworkdomain.com/PRINTSHARENAME: 0xa297768
Performing aggressive shutdown.
...
smbc_remove_usused_server: 0xa297768 removed.
Context 0xa276658 successfully freed