  1. New printing protocols in Samba
     Günther Deschner <gd@samba.org>

  2. Agenda
     ● MS16-087
     ● RPRN and PAR
     ● PAR support detection
     ● Print Driver Packages
     ● Driver Signing
     ● Core Printer Drivers
     ● Current state of PAR in Samba
     ● Next steps
     ● Further reading & Q/A
     SambaXP 2017, Slide 2

  3. Samba at Red Hat
     ● Part of the Red Hat Gluster Storage Team
     ● Close relationship with the RHEL / Identity Team
     ● Often collaborate with Andreas Schneider <asn@samba.org> on Samba feature or bugfix development such as printing related matters

  4. MS16-087 (CVE-2016-3238)
     ● July 2016: Microsoft released a security update to address a critical vulnerability in the Windows spooler components
     ● This update addressed the issue by:
       ○ Correcting Windows spooler access to the filesystem
       ○ Issuing a warning when untrusted printer drivers are attempted to be used
     ● V3 non-package-aware printer drivers will get a security prompt (screenshot on slide)

  5. MS16-087 (CVE-2016-3238)
     ● For non-interactive scenarios, the installation of untrusted printer drivers fails completely (!)
     ● September 2016: Discussed the issue at the Samba / Interoperability Lab in Redmond
     ● October 2016: Microsoft issued a follow-up update to mitigate the Point and Print restrictions via white-listing of print servers via Group Policy
     ● Detailed instructions for this mechanism are described on both
       ○ support.microsoft.com
       ○ wiki.samba.org
     ● What is the real resolution?

  6. MS16-087 resolution: “Update the affected printer driver. Package-aware V3 printer drivers were introduced in Windows Vista. Installing a package-aware printer driver will resolve the issue.”

  7. Samba needs to support package-aware printer drivers!

  8. What is a package-aware printer driver?
     ● A package-aware driver typically comes as a driver package:
       ○ Microsoft Cabinet Files (.cab)
       ○ Printer Driver Inf File (.inf)
       ○ Driver Catalog File (.cat)
       ○ “Amd64”, “x86” directories
     ● Advantages of Point and Print with driver packages:
       ○ All runnable components are part of the driver package
       ○ Driver signing and integrity can be checked on the client during installation
       ○ Easier to manage (less likely to have overlapping driver files)

  9. What is a package-aware printer driver?
     ● PackageAware keyword in driver.inf:

       ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
       ;These sections are to identify the Vista drivers as "Package Aware" to allow them to
       ;take advantage of features such as "Package Point-and-Print" in Vista and above
       ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
       [PrinterPackageInstallation.amd64]
       PackageAware=TRUE
       CoreDriverDependencies={D20EA372-DD35-4950-9ED8-A6335AFE79F0}

  10. What is a package-aware printer driver?
     ● Package awareness flag in PrinterDriverAttributes of PRINTER_INFO_2:
       ○ PRINTER_DRIVER_PACKAGE_AWARE = 0x00000001
     ● Accessible in the driver configuration backend, the Windows registry:
       ○ HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\DRIVERNAME\PrinterDriverAttributes
     ● People start manipulating this attribute in the registry to pretend these drivers were properly packaged and securely verified
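The PackageAware section on slide 9 and the PrinterDriverAttributes bit on slide 10 are exactly what a print server has to derive from driver.inf instead of trusting a registry value someone edited by hand. The following is an added example, not Samba's code: a small INF reader that reports, per architecture, whether the package declares itself package aware and which core driver GUIDs it depends on. SAMPLE_INF is a constructed fragment modelled on the slide's excerpt.

```python
import re

# Constructed driver.inf fragment modelled on the slide's excerpt (sample data, not a vendor INF).
SAMPLE_INF = """\
[Version]
Signature="$Windows NT$"

;These sections identify the drivers as "Package Aware"
[PrinterPackageInstallation.amd64]
PackageAware=TRUE
CoreDriverDependencies={D20EA372-DD35-4950-9ED8-A6335AFE79F0}

[PrinterPackageInstallation.x86]
PackageAware=TRUE
"""

# Bit in PrinterDriverAttributes that marks a driver as package aware (slide 10).
PRINTER_DRIVER_PACKAGE_AWARE = 0x00000001
_GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_inf(text):
    """Minimal INF reader: {section: {key: value}} with section and key names lower-cased,
    ';' comments stripped and lines outside any section ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def package_info(inf_text, arch="amd64"):
    """What a print server would derive from the INF for one architecture:
    the PrinterDriverAttributes value and the core driver GUIDs the package depends on."""
    section = parse_inf(inf_text).get(f"printerpackageinstallation.{arch.lower()}", {})
    attrs = 0
    if section.get("packageaware", "").upper() == "TRUE":
        attrs |= PRINTER_DRIVER_PACKAGE_AWARE
    deps = _GUID_RE.findall(section.get("coredriverdependencies", ""))
    return {"package_aware": bool(attrs & PRINTER_DRIVER_PACKAGE_AWARE),
            "attributes": attrs, "core_driver_dependencies": deps}
```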

  11. Can we support package-aware drivers?
     ● Can we install v3 print driver packages for Point and Print?
     ● Remember: as Samba does not (usually) run on a Microsoft OS, we need to let a Windows client prepare everything for Point and Print
     ● But: the spoolss protocol does not provide means to manage package-aware drivers
     ● => In order to provide package-aware drivers for Point and Print we need to use a different DCE/RPC protocol

  12. For Samba to fully support package-aware printer drivers we need MS-PAR!

  13. RPRN and PAR
     ● PAR is very similar to RPRN
     ● PAR inherits the entire messages and marshalling aspects of RPRN
     ● PAR overcomes fundamental limitations of RPRN:
       ○ Synchronous delivery of printer change notifications
       ○ Client print server requirement
       ○ No driver package management capabilities
     ● 66 PAR calls out of 74 have a 1:1 match to RPRN calls
       ○ 4 new calls for driver management
       ○ 4 new calls for change notifications

  14. RPRN and PAR
     ● RPRN - “Print System Remote Protocol”
       ○ ncacn_np
       ○ “spoolss”
       ○ available since Windows NT
     ● PAR - “Print System Asynchronous Remote Protocol”
       ○ ncacn_ip_tcp
       ○ auth_level >= DCERPC_AUTH_LEVEL_PACKET
       ○ use of DCE/RPC header object_uuid (DCERPC_PFC_FLAG_OBJECT_UUID)
       ○ “IRemoteWinspool” or “winspool”
       ○ available since Windows Vista

  15. PAR support detection
     ● The RPRN named pipe is used for PAR detection
     ● Client calls “OpenPrinterEx” for a print server handle
     ● Client calls “GetPrinterData” for “OsVersion”
     ● Client calls “ClosePrinter” for the print server handle
     ● Client inspects the “OsVersion” binary blob:
       ○ MajorVersion
       ○ MinorVersion
       ○ BuildNumber
     ● If “BuildNumber” >= 3791 then PAR will be tried
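The detection handshake above ends with the client decoding the “OsVersion” blob it got back from GetPrinterData. The following is an added example, not code from the slides or from Samba: it assumes the blob has the Win32 OSVERSIONINFOW layout (five little-endian uint32 fields followed by a 256-byte UTF-16LE szCSDVersion), builds a constructed sample blob, validates its size before trusting it, and applies the slide's BuildNumber >= 3791 rule.

```python
import struct

# Assumed layout of the "OsVersion" blob (Win32 OSVERSIONINFOW, little-endian):
#   dwOSVersionInfoSize, dwMajorVersion, dwMinorVersion, dwBuildNumber, dwPlatformId (uint32 each),
#   then szCSDVersion: 128 UTF-16LE characters (256 bytes).
_HEADER = struct.Struct("<5I")
_CSD_LEN = 256
OSVERSION_SIZE = _HEADER.size + _CSD_LEN   # 276 bytes

# Threshold from slide 15: PAR is only attempted when BuildNumber >= 3791.
PAR_MIN_BUILD = 3791


def build_osversion(major, minor, build, platform_id=2, csd=""):
    """Construct a sample blob shaped like the one a print server returns (constructed, not captured)."""
    csd_bytes = csd.encode("utf-16-le")[: _CSD_LEN - 2].ljust(_CSD_LEN, b"\x00")
    return _HEADER.pack(OSVERSION_SIZE, major, minor, build, platform_id) + csd_bytes


def parse_osversion(blob):
    """Decode the blob; refuse truncated or mis-sized data instead of reading garbage."""
    if len(blob) < OSVERSION_SIZE:
        raise ValueError(f"OsVersion blob too short: {len(blob)} < {OSVERSION_SIZE}")
    size, major, minor, build, platform_id = _HEADER.unpack_from(blob)
    if size != OSVERSION_SIZE:
        raise ValueError(f"unexpected dwOSVersionInfoSize {size}")
    csd = blob[_HEADER.size:OSVERSION_SIZE].decode("utf-16-le").split("\x00", 1)[0]
    return {"major": major, "minor": minor, "build": build,
            "platform_id": platform_id, "csd": csd}


def should_try_par(blob):
    """The client-side decision from slide 15: try PAR over ncacn_ip_tcp if BuildNumber >= 3791."""
    return parse_osversion(blob)["build"] >= PAR_MIN_BUILD
```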

  16. Printer Change Notifications with RPRN

  17. RPRN and PAR (diagram)

  18. Printer Change Notifications with PAR

  19. PAR printer change notify
     ● MS-PAR, 3.1.4.9. Printing Related Notification Methods:
       ○ SyncRegisterForRemoteNotifications
       ○ SyncUnRegisterForRemoteNotifications
       ○ SyncRefreshRemoteNotifications
       ○ AsyncGetRemoteNotifications

  20. RPRN and PAR (diagram)

  21. Driver upload with “Print Management” and MS-RPRN

  22. Driver upload with MS-RPRN
     ● Client uploads individual driver files via SMB to print$
     ● Client calls AddPrinterDriver() via DCE/RPC with a fully filled out driver definition
     ● Server moves the files to the download area in print$
     ● Server registers the driver definition in the backend (registry)
     ● Server associates the driver with a printer (if requested)

  23. Driver upload with “Print Management” and MS-PAR

  24. PAR driver management
     ● MS-PAR, 3.1.4.2. Printer Driver Management Methods:
       ○ AsyncInstallPrinterDriverFromPackage
       ○ AsyncUploadPrinterDriverPackage
       ○ AsyncCorePrinterDriverInstalled
       ○ AsyncDeletePrinterDriverPackage

  25. Driver upload with MS-PAR
     ● Client uploads the driver package components to print$ via SMB
     ● Client calls AsyncUploadPrinterDriverPackage with the SMB path to driver.inf
     ● Server reply returns the driver.inf path inside its local, private driver repository
     ● Client calls AsyncInstallPrinterDriverFromPackage with the local, private path to driver.inf and the driver name
     ● Server parses driver.inf, creates the driver definition, creates the driver package cabinet

  26. Driver upload with MS-PAR
     ● Server has much more work to do with PAR than with RPRN:
       ○ Printer.inf parsing
       ○ Cabinet creation

  27. Prerequisites for implementing MS-PAR in Samba

  28. DCE/RPC requirements
     ● Support for ncacn_ip_tcp and the endpoint mapper
     ● Support for object_uuid in the DCE/RPC header
     ● Support for DCERPC_AUTH_LEVEL_PACKET
     ● Thanks to Stefan Metzmacher <metze@samba.org>
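Slides 14 and 28 both list object_uuid in the DCE/RPC header (DCERPC_PFC_FLAG_OBJECT_UUID) as a PAR prerequisite. The following is an added example, not Samba's libndr or librpc: it encodes and decodes a connection-oriented request PDU as laid out in the DCE 1.1 RPC specification so you can see where the optional 16-byte object UUID sits (after opnum, only when pfc_flags bit 0x80 is set) and why a decoder must honour that flag before locating the stub data. The UUID and stub bytes in the test are constructed sample values.

```python
import struct
import uuid

# Connection-oriented DCE/RPC request PDU (C706 / MS-RPCE), little-endian NDR data representation.
PTYPE_REQUEST = 0
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
PFC_OBJECT_UUID = 0x80          # DCERPC_PFC_FLAG_OBJECT_UUID: object UUID follows the opnum
DREP_LE = b"\x10\x00\x00\x00"   # packed_drep: little-endian integers, ASCII characters

_COMMON_HDR = struct.Struct("<BBBB4sHHI")  # vers, vers_minor, ptype, pfc_flags, drep, frag_len, auth_len, call_id
_REQ_HDR = struct.Struct("<IHH")           # alloc_hint, p_cont_id, opnum


def build_request(call_id, context_id, opnum, stub, object_uuid=None):
    """Encode a request PDU; the 16-byte object UUID is emitted only when one is given."""
    flags = PFC_FIRST_FRAG | PFC_LAST_FRAG
    body = _REQ_HDR.pack(len(stub), context_id, opnum)
    if object_uuid is not None:
        flags |= PFC_OBJECT_UUID
        body += uuid.UUID(object_uuid).bytes_le   # NDR little-endian UUID encoding
    body += stub
    frag_length = _COMMON_HDR.size + len(body)
    header = _COMMON_HDR.pack(5, 0, PTYPE_REQUEST, flags, DREP_LE, frag_length, 0, call_id)
    return header + body


def parse_request(pdu):
    """Decode a request PDU, honouring pfc_flags to decide whether an object UUID is present."""
    if len(pdu) < _COMMON_HDR.size:
        raise ValueError("truncated common header")
    vers, _minor, ptype, flags, _drep, frag_length, auth_length, call_id = _COMMON_HDR.unpack_from(pdu)
    if vers != 5 or ptype != PTYPE_REQUEST:
        raise ValueError("not a DCE/RPC v5 request PDU")
    if frag_length != len(pdu):
        raise ValueError("frag_length does not match the bytes received")
    offset = _COMMON_HDR.size
    _alloc_hint, context_id, opnum = _REQ_HDR.unpack_from(pdu, offset)
    offset += _REQ_HDR.size
    object_uuid = None
    if flags & PFC_OBJECT_UUID:
        object_uuid = str(uuid.UUID(bytes_le=pdu[offset:offset + 16]))
        offset += 16
    stub = pdu[offset:len(pdu) - auth_length]   # an auth trailer (if any) sits after the stub
    return {"call_id": call_id, "context_id": context_id, "opnum": opnum,
            "object_uuid": object_uuid, "stub": stub}
```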

  29. Print Driver Package components
     ● Microsoft Cabinet Files (.cab)
       ○ Well documented format, similar to .tar
     ● Printer Driver Inf File (.inf)
       ○ Well documented format
       ○ Driver installation instructions
       ○ Consumed by the Windows Setup API
     ● Driver Catalog File (.cat)
       ○ Mostly undocumented format
       ○ Cryptographic signatures of driver files
     ● “Amd64”, “x86” directories
       ○ DLLs, XML files

  30. Cabinet Files – FOSS implementations
     ● libmspack - https://www.cabextract.org.uk/libmspack/
       ○ compression support (MSZIP)
       ○ C library API
       ○ Client tool (cabextract)
       ○ cabinet extraction
       ○ NO cabinet creation
     ● lcab
       ○ NO compression
       ○ NO C library API
       ○ Client tool (lcab)
       ○ cabinet creation
       ○ NO cabinet extraction

  31. Cabinet Files – Samba implementation
     ● cab.idl
       ○ Samba style standard interface definition
       ○ autogenerated marshalling code
     ● MSZIP compression built into libndr
       ○ Used for AD replication via DRSUAPI
     ● Aurélien Aptel <aaptel@suse.com>
       ○ Resolved various issues with MSZIP use in libndr
       ○ Created new client tool code
     ● libcab.so
       ○ the print server needs to be able to create .cab files on the fly

  32. Driver signing
     ● Andreas Schneider wrote a .cat file parser, “parsemscat”
       ○ Based on gnutls and libtasn1
       ○ https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-mscat
       ○ Needs the “Microsoft Root Authority” certificate
     ● parsemscat allows to fully verify the integrity of the files in a printer driver
     ● PKCS#7 Certificate (Signature) with an embedded data part
     ● The embedded data is an ASN.1 structure called Certificate Trust List
     ● It holds checksums (SHA1, SHA256) for the files in the driver package
