[cups.bugs] [HIGH] STR #2670: Kerberos Authentification with /etc/cups/printers.conf and Allow User parameter
patrice.petit at cea.fr
Tue Jan 15 13:59:44 PST 2008
DO NOT REPLY TO THIS MESSAGE. INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.
I use "AuthType Negociate" with cups 1.3.3 and I can connect with firefox
or lpstat to my cups server without problems. For example, I can add a
printer or modify printer configuration with my "ppetit at MYREALM" account,
because of parameter "require user ppetit" in cupsd.conf.
Although, if I want protect access to my printers, I have to indicate
logins with the format "login at KDC" with parameter "Allow User" in
For example, in /etc/cups/printers.conf for any printer :
Allow user ppetit at MYREALM john at MYREALM ...
If I want to use a unix group, it doesn't work.
For example :
If /etc/group contains "admins:*:ppetit", "Allow user @admins" doesn't
If /etc/group contains "admins:*:ppetit at MYREALM", "Allow user @admins"
works. But It's not standard.
If I read the sources, scheduler/auth.c or scheduler/quota.c contains :
* Strip any @domain or @KDC from the username and owner...
if ((ptr = strchr(username, '@')) != NULL)
*ptr = '\0';
But, ipp.c and user_allowed function doesn't contain theses instructions.
I think It is not normal.
What do you think about ?
Excuse me for my bad english.
More information about the cups-devel