[cups.bugs] [HIGH] STR #2670: Kerberos Authentification with /etc/cups/printers.conf and Allow User parameter

petit patrice.petit at cea.fr
Tue Jan 15 13:59:44 PST 2008


DO NOT REPLY TO THIS MESSAGE.  INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.

[STR New]

I use "AuthType Negociate" with cups 1.3.3 and I can connect with firefox
or lpstat to my cups server without problems. For example, I can  add a
printer or modify printer configuration with my "ppetit at MYREALM" account,
because of parameter "require user ppetit" in cupsd.conf.

Although, if I want protect access to my printers, I have to indicate
logins with the format "login at KDC" with parameter "Allow User" in
/etc/cups/printers.conf.

For example, in /etc/cups/printers.conf for any printer :
Allow user ppetit at MYREALM john at MYREALM ...

If I want to use a unix group, it doesn't work.
For example :
If /etc/group contains "admins:*:ppetit", "Allow user @admins" doesn't
work.
If /etc/group contains "admins:*:ppetit at MYREALM", "Allow user @admins"
works. But It's not standard.

If I read the sources, scheduler/auth.c or scheduler/quota.c contains :

 /*
  * Strip any @domain or @KDC from the username and owner...
  */

  if ((ptr = strchr(username, '@')) != NULL)
    *ptr = '\0';

But, ipp.c and user_allowed function doesn't contain theses instructions.

I think It is not normal. 

What do you think about ?

Thank you.

Excuse me for my bad english.

Link: http://www.cups.org/str.php?L2670
Version: 1.3.3





More information about the cups-devel mailing list