Should Samba pass "DOMAIN\username" or just "username" to CUPS?
Andrew Bartlett
abartlet at samba.org
Sun Dec 7 21:02:39 GMT 2003
On Sun, Dec 07, 2003 at 09:25:35PM +0100, Kurt Pfeifle wrote:
> Andrew Bartlett wrote:
> > On Sun, Dec 07, 2003 at 03:54:52PM +0100, Kurt Pfeifle wrote:
> >
> >>Hi,
> >>
> >>I am asking Samba developers for opinions about a topic I've
> >>discussed with Michael Sweet (CUPS developer).
> >
> >
> >>In smb.conf the winbind separator is defined to be "\" (i.e.
> >> "winbind separator = \"). Authentication against the ADS domain
> >>works for users as expected.
> >>
> >>It is CUPS 1.1.17 (and maybe later versions also) which seems to do
> >>some name mangling concerning the "\" character, resulting in one
> >>case in conversion to an underscore, and in the other in a stripping
> >>of the username part from the complete "DOMAIN\username" string.
> >>
> >>Mike argues that Samba shouldn't be passing the DOMAIN part at all,
> >>since "Windows IPP and LPD code sends the username without the domain"
> >>also.
> >
> >
> > We must pass the full unix username.
>
> Does it mean it is Samba's job to pass the username to CUPS in
> the first place, and not CUPS's job to recognize the Windows
> user name, or translate this into the Unix one?

Correct - there should be a bug in our bugzilla for exactly this, but
I can't find it.

> > This should be available by
> > reading uidtoname(current_user->uid), and may or may not have anything
> > in common with the windows username currently being supplied (username
> > map). The other issue is that we currently pass this value in as the
> > 'requesting user' even if *another* user is attempting to remove the
> > job (on the samba side).
> >
> > The Samba -> CUPS username should always be fully qualified,
>
> What do you mean by this? Does that mean you are in favour of
> passing a "MY.DOMAIN.COM\username" type of string? (Sorry for
> my dumb questions, I am not an authentication expert)

If that is the unix username. If they are a local user, then they are
typically unqualified.

> > unless
> > 'winbind use default domain' is set, because DOM1\fred is a very
> > different user to DOM2\fred.
>
> This (that there are 2 or more different users) is what I argued.
>
> > Stripping the name is not a solution
> > (and will therefore break really big sites).
> >
>
> This is what I fear too.
> (Currently not so much about "breaking", but about not getting in
> at all...)
>
> > Andrew Bartlett
> >
>
> Cheers,
> Kurt
Andrew Bartlett
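
The DOM1\fred versus DOM2\fred problem discussed above, as an added illustration in C that is not part of the original thread and is not Samba or CUPS code. The policy names, `spooler_name`, `may_cancel`, `count_collisions` and the account list are hypothetical, and the spooler is assumed to decide job ownership by comparing name strings.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical policies for the name handed to the print system. */
enum name_policy { KEEP_QUALIFIED, STRIP_DOMAIN, SEP_TO_UNDERSCORE };

/* Write into out the name the spooler would see for unix_name. */
static void spooler_name(const char *unix_name, char sep, enum name_policy p,
                         char *out, size_t len)
{
    const char *s = strchr(unix_name, sep);
    if (p == STRIP_DOMAIN && s != NULL)
        unix_name = s + 1;                 /* DOM1\fred -> fred */
    snprintf(out, len, "%s", unix_name);
    if (p == SEP_TO_UNDERSCORE)
        for (char *c = out; *c != '\0'; c++)
            if (*c == sep) *c = '_';       /* DOM1\fred -> DOM1_fred */
}

/* Owner check by string comparison, as a spooler that only knows names
 * would do it. Returns 1 when requester is treated as the job owner. */
int may_cancel(const char *owner, const char *requester, char sep, enum name_policy p)
{
    char a[256], b[256];
    spooler_name(owner, sep, p, a, sizeof a);
    spooler_name(requester, sep, p, b, sizeof b);
    return strcmp(a, b) == 0;
}

/* Count pairs of distinct accounts that collapse to one spooler name. */
int count_collisions(const char *const *accts, size_t n, char sep, enum name_policy p)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            hits += may_cancel(accts[i], accts[j], sep, p);
    return hits;
}

/* Constructed sample accounts: three domain users and two local users. */
static const char *const ACCOUNTS[] = { "DOM1\\fred", "DOM2\\fred", "fred", "DOM1_fred", "DOM1\\alice" };
#define N_ACCOUNTS (sizeof ACCOUNTS / sizeof ACCOUNTS[0])

int main(void)
{
    static const char *const label[] = { "keep qualified", "strip domain", "sep to '_'" };
    for (int p = KEEP_QUALIFIED; p <= SEP_TO_UNDERSCORE; p++)
        printf("%-15s collisions: %d\n", label[p], count_collisions(ACCOUNTS, N_ACCOUNTS, '\\', (enum name_policy)p));
    return 0;
}
```

With these constructed accounts, stripping the domain merges both domain freds with the local fred, and the underscore conversion merges DOM1\fred with a local account named DOM1_fred.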