[Samba] cups printing and user names from trusted domains

Andrew Bartlett abartlet at samba.org
Sat Mar 8 10:46:01 GMT 2003


On Sat, 2003-03-08 at 06:51, Andrew Bartlett wrote:
> On Sat, 2003-03-08 at 04:12, Wolfgang Ratzka wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > 
> > Im currently running some tests for a samba/CUPS based print server.
> > The print server is a member of an NT domain and uses winbind to import
> > NT domain users. Users accessing the print server will be not from the
> > same domain but from trusted domains.
> > Everything basically seems to work, once you use sufficiently new
> > versions of cups and samba. (I'm on Debian woody, so I needed to get
> > the 2.2.7a debs from samba.org, and cupsys-* 1.1.18-2 from Debian
> > unstable to get a version of cupsaddsmb that actually works.)
> > 
> > One remaining problem is that the print jobs show up in the CUPS queue as
> > owned by "user" instead of "domain\user". Moreover, print jobs submitted by
> > "domain1\user1" can be deleted by another user "domain2\user1" who has the same
> > user name in a different trusted domain.
> > 
> > Am I doing something wrong? I remember vaguely, that during the first stage
> > of my experiments (maybe with an older version of the cupsys packages), some
> > printjobs showed up with a qualified name "domain\user".
> 
> I'll see what I can do to make them show up as the unix username used
> for login.  This will be in HEAD, and will mean that they use the name
> in the form 'domain\username' if you used winbind or 'username' if you
> didn't.  (Effectively).

I've looked into this, and it looks like our CUPS printing is quite
broken in this respect.

The first thing I noticed is the lack of error handling we don't pass
the error back to the client when the printing fails.

However, when looking at the code in relation to your problem, I noticed
that we send completely the wrong username to CUPS.  For both the print
job's submission, and later attempts to cancel or pause a job, we send
the *original* 'smb_name'.  This is the unqualified username of the user
that originally sent the job, before any mapping.

The correct thing to send would be the unix name - possibly directly
from current_user, but I need to check on this.

Jerry - can you put your eye to this?  From inside the print subsystem,
what is the correct way to get the current unix username?

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20030308/65a08533/attachment.bin


More information about the samba mailing list