Point and Print issues.

Igor Belyi sambauser at katehok.ac93.org
Thu Nov 4 03:03:56 GMT 2004


Gerald (Jerry) Carter wrote:

> Igor Belyi wrote:
>
> | Now, I'm confused - where the limitation 32 bytes
> | (MAXDEVICENAME) comes from and is it really necessary?
>
> Yes.  The devicename string is a 31 unicode char
> string defined (by MS) member of the device mode.
>
> | And second, I assume that Jerry's delta introducing
> | 'force printername' will not help to fix this problem
> | since driver name is taken directly from tdb database.
> | Is it correct?
>
> It's the printername so the error will still show up
> if the unc path is > 31 characters.  I'll track this
> down before 3.0.8.  It's just a false positive that
> gets a lot of attention.
>
> | Issue #2. I don't like to use 'root' for Samba
> | administrator so to look like a very smart person
> | I put 'admin users = domadmin' and 'invalid
> | users = root' in my smb.conf. When I've started to
> | play with Point and Print I've added 'printer admin =
> | domadmin' too. Looks good, right? :)
>
> heheh.  if this makes you feel better :-)
> Basically if root has a different password
> in smbpasswd, then it is really the same thing
> you have here (assuming the admin line is
> in [global]).

Interesting... I thought about it a little bit more and I've got another 
question regarding 'invalid users'. Since this parameter lists UNIX 
users and groups, it should prevent users from having access to shares as 
particular UNIX users, right? Does it mean that it prevents users from 
becoming such entities through 'username map', 'force user', 'force 
group', or any other way to become a different user than the login one? 
But why then does it allow users listed as 'admin users' to access shares as 
the 'root' user while I have 'invalid users = root'? Somehow, this 
restriction kicks in only when accessing the printers share for administration.

Am I missing the point of 'invalid users'? I'll look in the code for 
enlightenment but if there's an easier way to grasp the concept - let me 
know.

Igor

> | Unfortunately, when you login as a user in 'admin users'
> | list you are forced into uid=0 and this makes the
> | following statement in
> | rpc_server/srv_spoolss_nt.c:_spoolss_open_printer_ex()
> | function return False (due to 'invalid users = root'):
> |
> | user_ok(uidtoname(user.uid), snum, user.groups, user.ngroups)
>
> See above comments.

>
> | So, I wonder what was the correct solution to this
> | problem? The one I've used? Removing 'invalid users = root'
> | from smb.conf? Creating a patch to change uidtoname(user.uid)
> | to a different way of finding out who the current user is?
> | Or is there something else as well?
>
> no real good solution right now I don't think
> except to enable root.  It's really just as secure as
> what you have now.
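
The interaction discussed in this thread, as an added example that is not part of the original message and is not Samba source code: a simplified C model in which an 'admin users' login is forced to uid 0 and the 'invalid users' check is then made against the name derived from that uid. The session struct, all model_* and check_* names and uid 1000 are hypothetical; the second check is keyed on the login name for comparison.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed settings mirroring the smb.conf lines quoted in the thread. */
static const char *const admin_users[]   = { "domadmin", NULL };
static const char *const invalid_users[] = { "root", NULL };

struct session { const char *login; unsigned uid; };

static bool in_list(const char *name, const char *const *list)
{
    for (; *list != NULL; list++)
        if (strcmp(name, *list) == 0)
            return true;
    return false;
}

/* 'admin users' forces uid 0; any other login gets a constructed uid. */
static struct session model_login(const char *login)
{
    struct session s = { login, in_list(login, admin_users) ? 0u : 1000u };
    return s;
}

/* Hypothetical stand-in for a uid-to-name lookup: uid 0 is always "root". */
static const char *model_uidtoname(const struct session *s)
{
    return s->uid == 0 ? "root" : s->login;
}

/* Check keyed on the effective uid's name, the shape of the quoted call. */
bool check_by_effective_uid(const char *login)
{
    struct session s = model_login(login);
    return !in_list(model_uidtoname(&s), invalid_users);
}

/* The same 'invalid users' test keyed on the name the client logged in with. */
bool check_by_login_name(const char *login)
{
    return !in_list(login, invalid_users);
}

int main(void)
{
    printf("domadmin by effective uid: %d\n", check_by_effective_uid("domadmin"));
    printf("domadmin by login name:    %d\n", check_by_login_name("domadmin"));
    return 0;
}
```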


