Should Samba pass "DOMAIN\username" or just "username" to CUPS?

Kurt Pfeifle kpfeifle at
Sun Dec 7 20:25:35 GMT 2003

Andrew Bartlett wrote:
> On Sun, Dec 07, 2003 at 03:54:52PM +0100, Kurt Pfeifle wrote:
>>I am asking Samba developers for opinions about a topic I've
>>discussed with Michael Sweet (CUPS developer).
>>In smb.conf the winbind separator is defined to be "\" (i.e.
>>  "windbind separator = \"). Authentication against the ADS domain
>>works for users as expected.
>>It is CUPS 1.1.17 (and maybe later versions also) which seems to do
>>some name mangling concerning the "\" character, resulting in one
>>case in conversion to an underscore, and in the other in a stripping
>>of the username part from the complete "DOMAIN\username" string.
>>Mike argues that Samba shouldn't be passing the DOMAIN part at all,
>>since "Windows IPP and LPD code sends the username without the domain"
> We must pass the full unix username. 

Does it mean it is Samba's job to pass the username to CUPS in
the first place, and not CUPS's job to recognize the Windows
user name, or translate this into the Unix one?

> This should be available by
> reading uidtoname(current_user->uid), and may or may not have anything
> in common with the windows username currently being supplied (username
> map).  The other issue is that we currently pass this ivalue in as the
> 'requesting user' even if *another* user is attempting to remove the
> job (on the samba side).
> The Samba -> CUPS username should always be fully qualified,

What do you mean by this? Does that mean you are in favour of
passing a "MY.DOMAIN.COM\username" type of string? (Sorry for
my dumb questions, I am not an authentication expert)

> unless
> 'winbind use default domain' is set, because DOM1\fred is a very
> different user to DOM2\fred.

This (that there are 2 or more different users) is what I argued.

> Stripping the name is not a solution
> (and will therefore break really big sites).

This is what I fear too.
(Currently not so much about "breaking", but about not getting in
at all...)

> Andrew Bartlett


More information about the samba-technical mailing list