Wolfgang Ratzka
2003-Mar-07 17:12 UTC
[Samba] cups printing and user names from trusted domains
I'm currently running some tests for a samba/CUPS based print server.
The print server is a member of an NT domain and uses winbind to import
NT domain users. Users accessing the print server will be not from the
same domain but from trusted domains.
Everything basically seems to work, once you use sufficiently new
versions of cups and samba. (I'm on Debian woody, so I needed to get
the 2.2.7a debs from samba.org, and cupsys-* 1.1.18-2 from Debian
unstable to get a version of cupsaddsmb that actually works.)

One remaining problem is that the print jobs show up in the CUPS queue as
owned by "user" instead of "domain\user". Moreover, print jobs submitted by
"domain1\user1" can be deleted by another user "domain2\user1" who has the same
user name in a different trusted domain.

Am I doing something wrong? I remember vaguely, that during the first stage
of my experiments (maybe with an older version of the cupsys packages), some
printjobs showed up with a qualified name "domain\user".

Kind regards,
Wolfgang Ratzka

--------------------------------smb.conf-----------------------------------
[global]
   workgroup = MYDOMAIN
   server string = %h print server running samba %v
   load printers = yes
   printcap name = cups
   printing = cups
   printer admin = @MYDOMAIN\Druck-Admins
   admin users = @MYDOMAIN\Druck-Admins
   guest account = nobody
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   security = domain
   password server = *
   encrypt passwords = true
   socket options = TCP_NODELAY
   wins server = <edited out>
   dns proxy = no
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
   obey pam restrictions = yes
   winbind uid = 10000-60000
   winbind gid = 10000-60000
   character set = ISO8859-1
   client code page = 850

[printers]
   comment = All Printers
   browseable = yes
   path = /tmp
   printable = yes
   public = no
   writable = no
   create mode = 0700
   printer admin = @MYDOMAIN\Druck-Admins

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/drivers
   browseable = yes
   guest ok = no
   read only = yes
   write list = @MYDOMAIN\Druck-Admins
   create mask = 0755
   directory mask = 0755

-- 
Wolfgang Ratzka  Phone: +49 6421 2823531  FAX: +49 6421 2826994
Uni Marburg, HRZ, Hans-Meerwein-Str., D-35032 Marburg, Germany
http://www.uni-marburg.de/hrz/mitarbeiter/ratzka.html
Andrew Bartlett
2003-Mar-07 19:51 UTC
[Samba] cups printing and user names from trusted domains
On Sat, 2003-03-08 at 04:12, Wolfgang Ratzka wrote:
> I'm currently running some tests for a samba/CUPS based print server.
> The print server is a member of an NT domain and uses winbind to import
> NT domain users. Users accessing the print server will be not from the
> same domain but from trusted domains.
> Everything basically seems to work, once you use sufficiently new
> versions of cups and samba. (I'm on Debian woody, so I needed to get
> the 2.2.7a debs from samba.org, and cupsys-* 1.1.18-2 from Debian
> unstable to get a version of cupsaddsmb that actually works.)
>
> One remaining problem is that the print jobs show up in the CUPS queue as
> owned by "user" instead of "domain\user". Moreover, print jobs submitted by
> "domain1\user1" can be deleted by another user "domain2\user1" who has the same
> user name in a different trusted domain.
>
> Am I doing something wrong? I remember vaguely, that during the first stage
> of my experiments (maybe with an older version of the cupsys packages), some
> printjobs showed up with a qualified name "domain\user".

I'll see what I can do to make them show up as the unix username used
for login. This will be in HEAD, and will mean that they use the name
in the form 'domain\username' if you used winbind or 'username' if you
didn't. (Effectively).

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
Kurt Pfeifle
2003-Mar-08 11:26 UTC
[Samba] cups printing and user names from trusted domains
Andrew Bartlett wrote on Samba-Digest:

> [Samba] cups printing and user names from trusted domains
> Andrew Bartlett abartlet at samba.org
> Sat Mar 8 21:46:01 GMT 2003
>
> On Sat, 2003-03-08 at 06:51, Andrew Bartlett wrote:
>> On Sat, 2003-03-08 at 04:12, Wolfgang Ratzka wrote:
>> > I'm currently running some tests for a samba/CUPS based print server.
>> > The print server is a member of an NT domain and uses winbind to import
>> > NT domain users. Users accessing the print server will be not from the
>> > same domain but from trusted domains.
>> > Everything basically seems to work, once you use sufficiently new
>> > versions of cups and samba. (I'm on Debian woody, so I needed to get
>> > the 2.2.7a debs from samba.org, and cupsys-* 1.1.18-2 from Debian
>> > unstable to get a version of cupsaddsmb that actually works.)
>> >
>> > One remaining problem is that the print jobs show up in the CUPS queue as
>> > owned by "user" instead of "domain\user". Moreover, print jobs submitted by
>> > "domain1\user1" can be deleted by another user "domain2\user1" who has the same
>> > user name in a different trusted domain.
>> >
>> > Am I doing something wrong? I remember vaguely, that during the first stage
>> > of my experiments (maybe with an older version of the cupsys packages), some
>> > printjobs showed up with a qualified name "domain\user".
>>
>> I'll see what I can do to make them show up as the unix username used
>> for login. This will be in HEAD, and will mean that they use the name
>> in the form 'domain\username' if you used winbind or 'username' if you
>> didn't. (Effectively).
>
> I've looked into this, and it looks like our CUPS printing is quite
> broken in this respect.
>
> The first thing I noticed is the lack of error handling - we don't pass
> the error back to the client when the printing fails.
>
> However, when looking at the code in relation to your problem, I noticed
> that we send completely the wrong username to CUPS. For both the print
> job's submission, and later attempts to cancel or pause a job, we send
> the *original* 'smb_name'. This is the unqualified username of the user
> that originally sent the job, before any mapping.
>
> The correct thing to send would be the unix name - possibly directly
> from current_user, but I need to check on this.

Hmmm... I'm not so sure this is what most people would desire.

CUPS logs the names in question, for example in its "page_log" for
accounting purposes. If we serve Windows clients, and if we now and
then want to evaluate the page_log and create statistics and reports
from it -- is it the Unix name or the Windows user name we want to
appear there?

> Jerry - can you put your eye to this? From inside the print subsystem,
> what is the correct way to get the current unix username?
>
> Andrew Bartlett

Cheers,
Kurt
Wolfgang Ratzka
2003-Mar-09 14:39 UTC
[Samba] Re: cups printing and user names from trusted domains
Kurt Pfeifle wrote:
> > Andrew Bartlett wrote on Samba-Digest:
(...)
> > I've looked into this, and it looks like our CUPS printing is quite
> > broken in this respect.
> >
> > (...)
> >
> > However, when looking at the code in relation to your problem, I noticed
> > that we send completely the wrong username to CUPS. For both the print
> > job's submission, and later attempts to cancel or pause a job, we send
> > the *original* 'smb_name'. This is the unqualified username of the user
> > that originally sent the job, before any mapping.
> >
> > The correct thing to send would be the unix name - possibly directly
> > from current_user, but I need to check on this.
>
> Hmmm... I'm not so sure this is what most people would desire.
>
> CUPS logs the names in question, for example in its "page_log" for
> accounting purposes. If we serve Windows clients, and if we now and
> then want to evaluate the page_log and create statistics and reports
> from it -- is it the Unix name or the Windows user name we want to
> appear there?

Well, in my case (using winbind) the Unix name would just be
"<Windows Domain Name>\<Winbind User Name>", which would fit my purposes
quite nicely. I can, however, imagine some setups where the unix username
does not contain any information (e.g. printing without authentication
with unix users generally mapped to "nobody").

Kind regards,
Wolfgang Ratzka
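
Added illustration, not part of the thread and not Samba or CUPS source: a minimal C model of the job-ownership check discussed above, assuming the spooler authorizes a cancel request by comparing one stored owner string with the name sent for the requester. The struct, the function names and the sample sessions are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* One authenticated SMB session (constructed model, not Samba's structs). */
struct session {
    const char *smb_name;   /* unqualified name as sent by the client */
    const char *unix_name;  /* name after mapping, e.g. DOMAIN\user via winbind */
};

struct job { int id; char owner[128]; };

/* Which name the file server hands to the spooler. */
enum policy { SEND_SMB_NAME, SEND_UNIX_NAME };

static const char *spool_name(const struct session *s, enum policy p)
{
    return p == SEND_SMB_NAME ? s->smb_name : s->unix_name;
}

static void submit(struct job *j, int id, const struct session *s, enum policy p)
{
    j->id = id;
    snprintf(j->owner, sizeof j->owner, "%s", spool_name(s, p));
}

/* Assumed spooler rule: only the recorded owner may cancel the job. */
static int may_cancel(const struct job *j, const struct session *s, enum policy p)
{
    return strcmp(j->owner, spool_name(s, p)) == 0;
}

/* Returns 1 if session b can cancel a job that session a submitted. */
int cross_cancel(const struct session *a, const struct session *b, enum policy p)
{
    struct job j;
    submit(&j, 1, a, p);
    return may_cancel(&j, b, p);
}

/* Constructed sample sessions: same user name in two trusted domains,
 * and two unauthenticated users that are both mapped to "nobody". */
const struct session d1_user1 = { "user1", "DOMAIN1\\user1" };
const struct session d2_user1 = { "user1", "DOMAIN2\\user1" };
const struct session guest_a  = { "alice", "nobody" };
const struct session guest_b  = { "bob",   "nobody" };

int main(void)
{
    printf("smb_name policy, trusted domains: %d\n",
           cross_cancel(&d1_user1, &d2_user1, SEND_SMB_NAME));
    printf("unix name policy, trusted domains: %d\n",
           cross_cancel(&d1_user1, &d2_user1, SEND_UNIX_NAME));
    printf("unix name policy, guests mapped to nobody: %d\n",
           cross_cancel(&guest_a, &guest_b, SEND_UNIX_NAME));
    return 0;
}
```

In this model the qualified unix name separates the two trusted-domain users, while the "nobody" mapping collapses distinct guests into one owner, so neither name is sufficient on its own for every setup.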