Kerberos Authentification with /etc/cups/printers.conf and Allow User parameter #2670

Closed
michaelrsweet opened this Issue Jan 15, 2008 · 2 comments

michaelrsweet commented Jan 15, 2008

Version: 1.3.3
CUPS.org User: ppetit

I use "AuthType Negotiate" with cups 1.3.3 and I can connect with firefox or lpstat to my cups server without problems. For example, I can add a printer or modify printer configuration with my "ppetit@MYREALM" account, because of the parameter "require user ppetit" in cupsd.conf.

However, if I want to protect access to my printers, I have to indicate logins in the format "login@KDC" with the parameter "Allow User" in /etc/cups/printers.conf.

For example, in /etc/cups/printers.conf for any printer:
Allow user ppetit@MYREALM john@MYREALM ...

If I want to use a Unix group, it doesn't work.
For example:
If /etc/group contains "admins::ppetit", "Allow user @admins" doesn't work.
If /etc/group contains "admins::ppetit@MYREALM", "Allow user @admins" works. But it's not standard.

If I read the sources, scheduler/auth.c or scheduler/quota.c contains:

    /*
     * Strip any @Domain or @kdc from the username and owner...
     */

    if ((ptr = strchr(username, '@')) != NULL)
      *ptr = '\0';

But ipp.c and the user_allowed function don't contain these instructions.

I think it is not normal.

What do you think about it?

Thank you.

Excuse me for my bad English.
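Added example, not part of the original report and not CUPS code: one way to strip the realm into a separate buffer before matching a name list, rejecting empty or over-long names and, as an assumption that goes beyond the report, principals from a realm other than the expected one. The function names base_username and user_in_list are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/*
 * Hypothetical helper, not a CUPS function: copy the user part of a
 * Kerberos principal "user@REALM" into out.  Returns 0 on success, -1 if
 * the user part is empty, would not fit in out, or the principal carries a
 * realm other than expected_realm (pass NULL to accept any realm).
 */
int base_username(const char *principal, const char *expected_realm,
                  char *out, size_t outsize)
{
  const char *at = strchr(principal, '@');
  size_t len = at ? (size_t)(at - principal) : strlen(principal);

  if (len == 0 || len >= outsize)
    return (-1);                /* Empty name, or it would be truncated */
  if (at && expected_realm && strcmp(at + 1, expected_realm) != 0)
    return (-1);                /* Foreign realm: no mapping to a local user */

  memcpy(out, principal, len);
  out[len] = '\0';
  return (0);
}

/* Hypothetical stand-in for matching a printer's "Allow user" name list. */
int user_in_list(const char *principal, const char *realm,
                 const char *const *users, size_t num_users)
{
  char   base[256];             /* User part of the principal */
  size_t i;                     /* Looping var */

  if (base_username(principal, realm, base, sizeof(base)) != 0)
    return (0);
  for (i = 0; i < num_users; i++)
    if (!strcmp(users[i], base))
      return (1);
  return (0);
}

int main(void)
{
  /* Constructed sample policy and principal, using the names from the report */
  static const char *const allowed[] = { "ppetit", "john" };

  return (user_in_list("ppetit@MYREALM", "MYREALM", allowed, 2) ? 0 : 1);
}
```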

michaelrsweet commented Jan 21, 2008

CUPS.org User: mike

Fixed in Subversion repository.

michaelrsweet commented Jan 21, 2008

"str2670.patch":

Index: ipp.c

--- ipp.c (revision 7233)
+++ ipp.c (working copy)
@@ -9975,6 +9975,8 @@
{
int i; /* Looping var /
struct passwd *pw; /
User password data */

  • char baseuser[256], /* Base username */

  •   *baseptr;       /* Pointer to "@" in base username */
    

    if (p->num_users == 0)
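Review bot: the `char baseuser[256]` declaration hard-codes the buffer size without saying what bounds it. A named constant, or a comment tying 256 to the longest username the scheduler accepts, would make it possible to review what happens to the copy made further down when the principal is longer than the buffer.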
    @@ -9983,6 +9985,20 @@
    if (!strcmp(username, "root"))
    return (1);

  • if (strchr(username, '@'))

  • {

  • /*

  • * Strip @realm for username check...

  • */

  • strlcpy(baseuser, username, sizeof(baseuser));
  • if ((baseptr = strchr(baseuser, '@')) != NULL)
  •  *baseptr = '\0';
    
  • username = baseuser;
  • }

pw = getpwnam(username);
endpwent();
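Review bot: the realm is discarded without being examined at `*baseptr = '\0'`, so any `user@REALM` reaches `getpwnam()` as the local account `user`, whatever the realm is. If the server can accept principals from more than one realm, compare the part after `@` with the expected realm before stripping and fail the check on a mismatch. Two smaller points in the same block: the result of `strlcpy(baseuser, username, sizeof(baseuser))` is not checked, so an over-long name is truncated silently and the truncated value is what gets looked up; and `strchr(username, '@')` is evaluated on `username` and then again on `baseuser`, where a single call with the offset reused would do.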

@michaelrsweet michaelrsweet added this to the Stable milestone Mar 17, 2016
