Point and Print issues.
Igor Belyi
sambauser at katehok.ac93.org
Thu Nov 4 03:03:56 GMT 2004
Gerald (Jerry) Carter wrote:
> Igor Belyi wrote:
>
> | Now, I'm confused - where the limitation 32 bytes
> | (MAXDEVICENAME) comes from and is it really necessary?
>
> Yes. The devicename string is a 31 unicode char
> string defined (by MS) member of the device mode.
>
> | And second, I assume that Jerry's delta introducing
> | 'force printername' will not help to fix this problem
> | since driver name is taken directly from tdb database.
> | Is it correct?
>
> It's the printername so the error will still show up
> if the unc path is > 31 characters. I'll track this
> down before 3.0.8. It's just a false positive that
> gets a lot of attention.
>
> | Issue #2. I don't like to use 'root' for Samba
> | administrator so to look like a very smart person
> | I put 'admin users = domadmin' and 'invalid
> | users = root' in my smb.conf. When I've started to
> | play with Point and Print I've added 'printer admin =
> | domadmin' too. Looks good, right? :)
>
> heheh. if this makes you feel better :-)
> Basicallty if root has a different password
> in smbpasswd, then it is really the same thing
> you have here (assuming the admin line is
> in [global].
Interesting... I thought about it a little bit more and I've got another
question regarding 'invalid users'. Since this parameter lists UNIX
users and groups it should prevent users to have access to shares as a
particular UNIX users, right? Does it mean that it prevents users to
become such entities through 'username map', 'force user', 'force
group', or any other way to become a different user than a login one?
But why then it allows users listed as 'admin users' to access shares as
a 'root' user while I have 'invalid users = root'? Somehow, this
restriction kicks in only when accessing printers share for administration.
Am I missing the point of 'invalid users'? I'll look in the code for
enlightenment but if there's an easier way to grasp the concept - let me
know.
Igor
> | Unfortunately, when you login as a user in 'admin users'
> | list you are forced into uid=0 and this makes the
> | folloing statement in
> | rpc_server/srv_spoolss_nt.c:_spoolss_open_printer_ex()
> | function return False (due to 'invalid users = root'):
> |
> | user_ok(uidtoname(user.uid), snum, user.groups, user.ngroups)
>
> See above comments.
>
> | So, I wonder what was the correct solution to this
> | problem? The one I've used? Removing 'invalid users = root'
> | from smb.conf? Creating a pactch to change uidtoname(user.uid)
> | to a different way of finding out who the current user is?
> | Or is there something else as well?
>
> no real good solution right now I don't think
> except to enable root. It's really just as secure as
> what you have now.
More information about the samba-technical
mailing list