OpenPrinting / cups

OpenPrinting CUPS Sources
https://openprinting.github.io/cups
Apache License 2.0

endless httpPost loop in cupsSendRequest when print to a Windows Print Server with Kerberos/NTLM authentication #838

Closed xiaowen581 closed 8 months ago

xiaowen581 commented 10 months ago

Describe the bug: After printing with the lp command, lp got a success result and exited, but the "/usr/libexec/cups/backend/http" command is continuously sending requests to the Windows Print Server, and the Windows Print Server always returns "401 Unauthorized".

To Reproduce: Steps to reproduce the behavior:

  1. Windows Print Server (IIS) with Kerberos/NTLM authentication (server is not in a domain).
  2. CUPS client without Kerberos settings.
  3. Add a raw printer using the lpadmin command.
  4. Print using the lp command.

Expected behavior: The http command should exit clearly.

System Information:

Additional context debug.txt debug.txt

zdohnal commented 10 months ago

Hi @xiaowen581 ,

please provide cupsd debug2 logs when you print - IIUC one of the issues why you cannot print to the Windows server is because of this:

T001 10:38:04.887  cupsDoAuthentication: Trying scheme "Negotiate"...
T001 10:38:04.887  _cupsSetNegotiateAuthString: Kerberos not available for host "192.168.1.161".
T001 10:38:04.887  cupsDoAuthentication: No credentials for Negotiate.
T001 10:38:04.887  cupsDoAuthentication: Trying scheme "NTLM"...
T001 10:38:04.887  cupsDoAuthentication: Scheme "NTLM" not yet supported.
T001 10:38:04.887  cupsDoAuthentication: authstring="".

The error about Kerberos is from cups/auth.c:

  if (!strcmp(http->hostname, "localhost") || http->hostname[0] == '/' || isdigit(http->hostname[0] & 255) || !strchr(http->hostname, '.'))
  {
    DEBUG_printf("1_cupsSetNegotiateAuthString: Kerberos not available for host \"%s\".", http->hostname);
    return (CUPS_GSS_NONE);
  }

I suspect you use an IP in the device URI, which is not correct for Kerberos. If you use a hostname and you have a Kerberos ticket, it should work IMO - but I saw some issues with Kerberos+IPP on Windows servers, which caused the CUPS client to use lower IPP versions, so that can be a problem as well.

Either way, the endless loop happens in the loop where we ask for printer attributes, but we always get UNAUTHORIZED because of the incorrect URI. @michaelrsweet IMO we should apply the check for contimeout to every error we get in that loop, otherwise we are trapped in the loop for any error except BUSY and UNAVAILABLE.

zdohnal commented 10 months ago

@michaelrsweet or introduce an attempts URI variable for such cases (since UNAUTHORIZED probably does not change in time...) - tbh I would like to introduce something like this either way for the future, so users can use IPP instead of the beh backend (which does a similar thing) once CUPS gets rid of backends other than IPP.

michaelrsweet commented 10 months ago

@zdohnal It might be better to simply abort if we try to do Kerberos with an IP address (Kerberos depends on a domain name...)
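
Added example, not part of the thread and not CUPS code: a small C model of the two fixes discussed above, bounding every error by contimeout and aborting on 401 when the host fails the quoted cups/auth.c check. The enums, `kerberos_usable`, `poll_printer` and the reply arrays are hypothetical names and constructed data.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Same host test as the cups/auth.c excerpt quoted above: returns 0 for
 * "localhost", domain-socket paths, IP addresses and names without a dot. */
static int kerberos_usable(const char *host)
{
  return !(!strcmp(host, "localhost") || host[0] == '/' ||
           isdigit(host[0] & 255) || !strchr(host, '.'));
}

/* Hypothetical status and result codes for this model, not CUPS enums. */
enum status { ST_OK, ST_BUSY, ST_UNAVAILABLE, ST_UNAUTHORIZED };
enum result { RES_OK, RES_TIMEOUT, RES_AUTH_FAILED };

/* Model of the polling loop. replies[] is constructed sample data, one
 * server reply per attempt (the last one repeats); each attempt counts as
 * one second against contimeout. Requires nreplies >= 1. */
static enum result poll_printer(const char *host, const enum status *replies,
                                int nreplies, int contimeout, int *attempts)
{
  for (*attempts = 0; *attempts < contimeout;)
  {
    enum status st = replies[*attempts < nreplies ? *attempts : nreplies - 1];

    (*attempts)++;
    if (st == ST_OK)
      return RES_OK;
    /* Kerberos cannot produce credentials for this host, so a retry
     * gets the same 401: stop instead of looping. */
    if (st == ST_UNAUTHORIZED && !kerberos_usable(host))
      return RES_AUTH_FAILED;
    /* Any other error, not only BUSY/UNAVAILABLE, is retried until the
     * contimeout bound in the loop condition is reached. */
  }
  return RES_TIMEOUT;
}

int main(void)
{
  const enum status denied[] = { ST_UNAUTHORIZED };
  int n;
  enum result r = poll_printer("192.168.1.161", denied, 1, 30, &n);

  printf("result=%d after %d attempt(s)\n", r, n);
  return 0;
}
```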