Should Samba pass "DOMAIN\username" or just "username" to CUPS?

Andrew Bartlett abartlet at samba.org
Sun Dec 7 21:02:39 GMT 2003


On Sun, Dec 07, 2003 at 09:25:35PM +0100, Kurt Pfeifle wrote:
> Andrew Bartlett wrote:
> > On Sun, Dec 07, 2003 at 03:54:52PM +0100, Kurt Pfeifle wrote:
> > 
> >>Hi,
> >>
> >>I am asking Samba developers for opinions about a topic I've
> >>discussed with Michael Sweet (CUPS developer).
> > 
> > 
> >>In smb.conf the winbind separator is defined to be "\" (i.e.
> >>  "winbind separator = \"). Authentication against the ADS domain
> >>works for users as expected.
> >>
> >>It is CUPS 1.1.17 (and maybe later versions also) which seems to do
> >>some name mangling concerning the "\" character, resulting in one
> >>case in conversion to an underscore, and in the other in a stripping
> >>of the username part from the complete "DOMAIN\username" string.
> >>
> >>Mike argues that Samba shouldn't be passing the DOMAIN part at all,
> >>since "Windows IPP and LPD code sends the username without the domain"
> >>also.
> > 
> > 
> > We must pass the full unix username. 
> 
> Does it mean it is Samba's job to pass the username to CUPS in
> the first place, and not CUPS's job to recognize the Windows
> user name, or translate this into the Unix one?

Correct - there should be a bug in our bugzilla for exactly this, but
I can't find it.

> > This should be available by
> > reading uidtoname(current_user->uid), and may or may not have anything
> > in common with the windows username currently being supplied (username
> > map).  The other issue is that we currently pass this ivalue in as the
> > 'requesting user' even if *another* user is attempting to remove the
> > job (on the samba side).
> > 
> > The Samba -> CUPS username should always be fully qualified,
> 
> What do you mean by this? Does that mean you are in favour of
> passing a "MY.DOMAIN.COM\username" type of string? (Sorry for
> my dumb questions, I am not an authentication expert)

IF that is the unix username.  If they are a local user, then they are
typically unqualified.

> > unless
> > 'winbind use default domain' is set, because DOM1\fred is a very
> > different user to DOM2\fred.
> 
> This (that there are 2 or more different users) is what I argued.
> 
> > Stripping the name is not a solution
> > (and will therefore break really big sites).
> > 
> 
> This is what I fear too.
> (Currently not so much about "breaking", but about not getting in
> at all...)
> 
> > Andrew Bartlett
> > 
> 
> Cheers,
> Kurt

Andrew Bartlett
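
Added example (not part of the original message, and not Samba or CUPS code): a small C sketch of the point made in the thread, showing how a name-based job-owner check behaves when the print system keeps the fully qualified name, strips the domain, or turns the backslash into an underscore. The function names, the policy enum and the sample accounts are constructed for illustration, and deciding ownership by comparing recorded names is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical policies for the name recorded by the print system. */
enum name_policy { KEEP_QUALIFIED, STRIP_DOMAIN, BACKSLASH_TO_UNDERSCORE };

/* Write the name that would be recorded for `unix_name` under `policy`. */
static void spool_name(const char *unix_name, enum name_policy policy,
                       char *out, size_t outlen)
{
    const char *sep = strchr(unix_name, '\\');   /* winbind separator = \ */

    if (policy == STRIP_DOMAIN && sep != NULL)
        unix_name = sep + 1;                     /* drop "DOMAIN\" */
    snprintf(out, outlen, "%s", unix_name);
    if (policy == BACKSLASH_TO_UNDERSCORE)
        for (char *p = out; *p; p++)
            if (*p == '\\')
                *p = '_';
}

/* Assumed owner check: returns 1 if `requester` is treated as the owner
 * of a job submitted by `owner`, comparing the recorded names only. */
static int may_cancel(const char *owner, const char *requester,
                      enum name_policy policy)
{
    char a[256], b[256];

    spool_name(owner, policy, a, sizeof a);
    spool_name(requester, policy, b, sizeof b);
    return strcmp(a, b) == 0;
}

int main(void)
{
    /* Constructed sample accounts; DOM1_fred stands for a local unix user. */
    const char *owner = "DOM1\\fred";
    const char *others[] = { "DOM1\\fred", "DOM2\\fred", "DOM1_fred" };
    const char *labels[] = { "qualified", "stripped", "underscore" };

    for (int p = KEEP_QUALIFIED; p <= BACKSLASH_TO_UNDERSCORE; p++)
        for (size_t i = 0; i < 3; i++)
            printf("%-10s owner=%s requester=%s -> %s\n", labels[p], owner,
                   others[i], may_cancel(owner, others[i],
                   (enum name_policy)p) ? "owner" : "denied");
    return 0;
}
```

Only the fully qualified policy keeps DOM1\fred distinct from both DOM2\fred and a local account named DOM1_fred.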

