[Samba] cups printing and user names from trusted domains
Kurt Pfeifle
kpfeifle at danka.de
Sat Mar 8 11:26:57 GMT 2003
Andrew Bartlett wrote on Samba-Digest:
> [Samba] cups printing and user names from trusted domains
> Andrew Bartlett abartlet at samba.org
> Sat Mar 8 21:46:01 GMT 2003
>
>
> On Sat, 2003-03-08 at 06:51, Andrew Bartlett wrote:
>> On Sat, 2003-03-08 at 04:12, Wolfgang Ratzka wrote:
>> > I'm currently running some tests for a samba/CUPS based print server.
>> > The print server is a member of an NT domain and uses winbind to import
>> > NT domain users. Users accessing the print server will not be from the
>> > same domain but from trusted domains.
>> > Everything basically seems to work, once you use sufficiently new
>> > versions of cups and samba. (I'm on Debian woody, so I needed to get
>> > the 2.2.7a debs from samba.org, and cupsys-* 1.1.18-2 from Debian
>> > unstable to get a version of cupsaddsmb that actually works.)
>> >
>> > One remaining problem is that the print jobs show up in the CUPS queue as
>> > owned by "user" instead of "domain\user". Moreover, print jobs submitted by
>> > "domain1\user1" can be deleted by another user "domain2\user1" who has the same
>> > user name in a different trusted domain.
>> >
>> > Am I doing something wrong? I remember vaguely, that during the first stage
>> > of my experiments (maybe with an older version of the cupsys packages), some
>> > printjobs showed up with a qualified name "domain\user".
>>
>> I'll see what I can do to make them show up as the unix username used
>> for login. This will be in HEAD, and will mean that they use the name
>> in the form 'domain\username' if you used winbind or 'username' if you
>> didn't. (Effectively).
>
> I've looked into this, and it looks like our CUPS printing is quite
> broken in this respect.
>
> The first thing I noticed is the lack of error handling - we don't pass
> the error back to the client when the printing fails.
>
> However, when looking at the code in relation to your problem, I noticed
> that we send completely the wrong username to CUPS. For both the print
> job's submission, and later attempts to cancel or pause a job, we send
> the *original* 'smb_name'. This is the unqualified username of the user
> that originally sent the job, before any mapping.
>
> The correct thing to send would be the unix name - possibly directly
> from current_user, but I need to check on this.
Hmmm... I'm not so sure this is what most people would desire.
CUPS logs the names in question, for example in its "page_log" for
accounting purposes. If we serve Windows clients, and if we now and
then want to evaluate the page_log and create statistics and reports
from it -- is it the Unix name or the Windows user name we want to
appear there?
> Jerry - can you put your eye to this? From inside the print subsystem,
> what is the correct way to get the current unix username?
>
> Andrew Bartlett
Cheers,
Kurt
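
The name collision discussed in this thread, as an added example that is not part of the original messages and is not Samba or CUPS code: a toy spooler whose cancel check compares only the owner name it was handed. The job table, `spool_name`, `submit_job`, `cancel_job` and the DOMAIN1/DOMAIN2 users are all hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical toy spooler (assumption for illustration, not Samba/CUPS). */
#define MAX_JOBS 8
struct job { int id, active; char owner[64]; };
static struct job queue[MAX_JOBS];
static int n_jobs;

/* qualified=0: bare user name, domain dropped; qualified=1: "DOMAIN\user". */
static void spool_name(char *out, size_t len, const char *domain,
                       const char *user, int qualified)
{
    snprintf(out, len, "%s%s%s", qualified ? domain : "",
             qualified ? "\\" : "", user);
}

/* Queue a job under the spool name; returns its id, or -1 if the queue is full. */
int submit_job(const char *domain, const char *user, int qualified)
{
    if (n_jobs >= MAX_JOBS)
        return -1;
    struct job *j = &queue[n_jobs++];
    j->id = n_jobs;
    j->active = 1;
    spool_name(j->owner, sizeof j->owner, domain, user, qualified);
    return j->id;
}

/* Cancel only if the requester's spool name equals the stored owner (1 = cancelled). */
int cancel_job(int id, const char *domain, const char *user, int qualified)
{
    char who[64];
    if (id < 1 || id > n_jobs || !queue[id - 1].active)
        return 0;
    spool_name(who, sizeof who, domain, user, qualified);
    if (strcmp(queue[id - 1].owner, who) != 0)
        return 0;
    queue[id - 1].active = 0;
    return 1;
}

int main(void)
{
    int a = submit_job("DOMAIN1", "user1", 0);
    int b = submit_job("DOMAIN1", "user1", 1);
    printf("bare name: %d\n", cancel_job(a, "DOMAIN2", "user1", 0));
    printf("qualified: %d\n", cancel_job(b, "DOMAIN2", "user1", 1));
    return 0;
}
```

Whichever name is used for the ownership check is also the one an accounting log would record, which is the trade-off raised in the reply above.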