Should Samba pass "DOMAIN\username" or just "username" to CUPS?

Andrew Bartlett abartlet at
Sun Dec 7 20:07:34 GMT 2003

On Sun, Dec 07, 2003 at 03:54:52PM +0100, Kurt Pfeifle wrote:
> Hi,
> I am asking Samba developers for opinions about a topic I've
> discussed with Michael Sweet (CUPS developer).

> In smb.conf the winbind separator is defined to be "\" (i.e.
>   "windbind separator = \"). Authentication against the ADS domain
> works for users as expected.
> It is CUPS 1.1.17 (and maybe later versions also) which seems to do
> some name mangling concerning the "\" character, resulting in one
> case in conversion to an underscore, and in the other in a stripping
> of the username part from the complete "DOMAIN\username" string.
> Mike argues that Samba shouldn't be passing the DOMAIN part at all,
> since "Windows IPP and LPD code sends the username without the domain"
> also.

We must pass the full unix username.  This should be available by
reading uidtoname(current_user->uid), and may or may not have anything
in common with the windows username currently being supplied (username
map).  The other issue is that we currently pass this ivalue in as the
'requesting user' even if *another* user is attempting to remove the
job (on the samba side).

The Samba -> CUPS username should always be fully qualified, unless
'winbind use default domain' is set, because DOM1\fred is a very
different user to DOM2\fred.  Stripping the name is not a solution
(and will therefore break really big sites).

Andrew Bartlett

More information about the samba-technical mailing list