domain users with full username (username@DOMAIN) over 33 characters cannot add or delete printers in web interface

**To Reproduce**
Steps to reproduce the behavior:
1. Have a machine joined into AD domain via sssd, have `use_fully_qualified_names = True` in `/etc/sssd/sssd.conf`. (This is not limited to Active Directory, should be applicable to any full username over 33 characters, e.g. if you manage to create a local user with such a long username, you could test it that way.)
2. Install cups server.
3. In `cups-files.conf` set:
     ```
     StripUserDomain No
     SystemGroup root lpadmin
     ErrorLog /var/log/cups/error_log
     ```
4. In `cupsd.conf` set:
     ```
     LogLevel debug2
     DefaultAuthType Negotiate # or Basic
     WebInterface Yes
     ```
    Also, in all `<Location>` tags set `Allow all` or `Allow @LOCAL`.
5. Create a domain user with full username length over 33 characters, say, `really.really.long.username@company.name`. Add that user into the local `lpadmin` group.
6. Login to the CUPS web interface under that user.
7. Try to add a printer via web interface.

**Expected behavior**
You would be able to add a printer.

**Reality**
You can access the `/admin` interface, choose a printer to add, but get "access denied" on the last stage.

**Screenshots**
<img width="921" height="677" alt="Image" src="https://github.com/user-attachments/assets/f01033af-ccc8-4ca9-b01d-fed11184dc45" />

<img width="750" height="883" alt="Image" src="https://github.com/user-attachments/assets/acf95ee7-0984-4e34-8433-2e33eb3dfd3f" />

**System Information:**
 - tested on Astra Linux 1.8.4
 - CUPS version 2.4.14

**Additional context**

[error_log.txt](https://github.com/user-attachments/files/23901781/error_log.txt)

In the `/var/log/cups/error_log` I saw the following lines:

```
d [03/Dec/2025:13:18:11 +0500] [Client 68] con->uri="/admin/", con->best=0x5861b7630a10(/admin)
d [03/Dec/2025:13:18:11 +0500] cupsdFindCert(certificate=0C1B358FEB21C04D42AB52435E736E7F)
d [03/Dec/2025:13:18:11 +0500] cupsdFindCert: Returning "really.really.long.username@COMPA".
D [03/Dec/2025:13:18:11 +0500] [Client 68] Authorized as really.really.long.username@COMPA using Local.
```

Relevant code:

https://github.com/OpenPrinting/cups/blob/f3ce6d3a3b1070976cc0954b108c8b33e251f4c3/scheduler/cert.c#L353

https://github.com/OpenPrinting/cups/blob/f3ce6d3a3b1070976cc0954b108c8b33e251f4c3/scheduler/cert.h#L15

Username length seems to have a hardcoded limit of 33 characters there. Is that limit necessary?



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

domain users with full username (username@DOMAIN) over 33 characters cannot add or delete printers in web interface #1441

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

domain users with full username (username@DOMAIN) over 33 characters cannot add or delete printers in web interface #1441

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions