[cups.bugs] [HIGH] STR #3972: Printing with Negotiate not working when using "AllowUser @<$GROUP>"

jbrauchle joschibrauchle at gmx.de
Fri Nov 4 07:13:32 PDT 2011



[STR New]

Description:
We would like to use Kerberos/Negotiate auth for CUPS. That is, our
/etc/cups/cupsd.conf includes:
----
DefaultAuthType         Negotiate
----
and
----
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job
Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription
Cancel-Subscriptio$
    Authtype Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
----

Some of our printers are restricted to certain groups, i.e. our
printers.conf includes:
----
<DefaultPrinter>
....
AllowUser @<$GROUP>
....
</DefaultPrinter>
----

The user acquires a valid Kerberos ticket to the CUPS server and sends a
print job, but printing is DENIED!

Here is part of the error_log using "debug2" debug level (I replaced the
username, realm, printer name and group with $VARIABLES):
----
D [03/Nov/2011:18:09:26 +0100] cupsdReadClient: 13 1.1 Create-Job 1
d [03/Nov/2011:18:09:26 +0100] cupsdProcessIPPRequest(0x7f03911743f0[13]):
operation_id = 0005
D [03/Nov/2011:18:09:26 +0100] Create-Job
ipp://localhost:631/printers/<$PRINTER>
d [03/Nov/2011:18:09:26 +0100] create_job(0x7f03911743f0[13],
ipp://localhost:631/printers/<$PRINTER>)
d [03/Nov/2011:18:09:26 +0100] add_job(0x7f03911743f0[13],
0x7f0391170050(<$PRINTER>), (nil)(none/none))
d [03/Nov/2011:18:09:26 +0100] cupsdFindPolicyOp(p=0x7f03911515e0,
op=5(Create-Job))
d [03/Nov/2011:18:09:26 +0100] cupsdFindPolicyOp: Found wildcard match...
d [03/Nov/2011:18:09:26 +0100] cupsdIsAuthorized:
con->uri="/printers/<$PRINTER>", con->best=0x7f0391155200((null))
d [03/Nov/2011:18:09:26 +0100] cupsdIsAuthorized: level=CUPSD_AUTH_ANON,
type=None, satisfy=CUPSD_AUTH_SATISFY_ALL, num_names=0
d [03/Nov/2011:18:09:26 +0100] cupsdIsAuthorized: op=0(unknown-0000)
d [03/Nov/2011:18:09:26 +0100] cupsdIsAuthorized: auth=CUPSD_AUTH_ALLOW...
d [03/Nov/2011:18:09:26 +0100] check_quotas(0x7f03911743f0[13],
0x7f0391170050[<$PRINTER>])
d [03/Nov/2011:18:09:26 +0100]
cupsdCheckGroup(username="<$USERNAME>@<$REALM>", user=(nil),
groupname="<$GROUP>")
d [03/Nov/2011:18:09:26 +0100]
get_md5_password(username="<$USERNAME>@<$REALM>", group="<$GROUP>",
passwd=0x7fff4f59d140)
I [03/Nov/2011:18:09:26 +0100] Denying user "<$USERNAME>@<$REALM>" access
to printer "<$PRINTER>"...
D [03/Nov/2011:18:09:26 +0100] Create-Job client-error-not-authorized: Not
allowed to print.
E [03/Nov/2011:18:09:26 +0100] Returning IPP client-error-not-authorized
for Create-Job (ipp://localhost:631/printers/<$PRINTER>) from 192.168.1.1
----

The problem lies in the function "check_quotas" (and "check_group" and
possibly others?) in "scheduler/ipp.c": the Kerberos realm is NOT stripped
from the username, thus the quota check and/or group membership check
fails.

I attached a patch that strips the realm at the beginning of
"check_quota". This function now passes the correct username to
"check_group", but possibly, some other function could send the incorrect
username to "check_group", thus "check_group" should strip the realm as
well! The best solution would possibly be to strip the Kerberos realm from
the username contained in the connection object! Basically, all functions
that are using the username with some kind of system function need to
strip the Kerberos realm.

This bug is found in CUPS 1.3.11, 1.4.8 and 1.5.0!

Link: http://www.cups.org/str.php?L3972
Version: 1.5.0
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: cups1.5.0.patch
URL: <http://lists.cups.org/pipermail/cups-devel/attachments/20111104/5b054d27/attachment.ksh>
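The report above says that the scheduler hands the full principal ("user@REALM") to its quota and group checks, and that any function which passes the username on to a system lookup has to strip the realm first. The following is an added illustration of that failure mode and of a stripping helper; it is not code from CUPS or from the attached patch. The group table, the `TRUSTED_REALM` constant and all function names are constructed for this example. The helper also goes one step beyond the report: it refuses a principal from a realm other than the one the server trusts, so that "alice@OTHER.ORG" cannot be mapped onto the local account "alice".

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Realm whose principals map onto local accounts (constructed value). */
#define TRUSTED_REALM "EXAMPLE.COM"

/* Copy the local part of a Kerberos principal ("user@REALM") into buf,
 * dropping the "@REALM" suffix. A bare name without '@' is copied as is.
 * If expected_realm is non-NULL and the principal carries a different
 * realm, the name is rejected. Returns 1 on success, 0 on rejection or
 * if the result does not fit in buf. */
int strip_realm(const char *principal, const char *expected_realm,
                char *buf, size_t buflen)
{
    const char *at = strchr(principal, '@');
    size_t len = at ? (size_t)(at - principal) : strlen(principal);

    if (at && expected_realm && strcmp(at + 1, expected_realm) != 0)
        return 0;                       /* foreign realm: do not map */
    if (len == 0 || len + 1 > buflen)
        return 0;                       /* empty name or no room */
    memcpy(buf, principal, len);
    buf[len] = '\0';
    return 1;
}

/* Constructed stand-in for the system group database: a lookup that,
 * like getgrnam(), knows only local account names. */
struct group_entry { const char *group; const char *members[4]; };

static const struct group_entry groups[] = {
    { "printusers", { "alice", "bob", NULL } },
    { "finance",    { "carol", NULL } },
};

/* Returns 1 if `user` is listed as a member of `groupname`, else 0. */
int user_in_group(const char *user, const char *groupname)
{
    size_t g, m;
    for (g = 0; g < sizeof groups / sizeof groups[0]; g++) {
        if (strcmp(groups[g].group, groupname) != 0)
            continue;
        for (m = 0; groups[g].members[m] != NULL; m++)
            if (strcmp(groups[g].members[m], user) == 0)
                return 1;
    }
    return 0;
}

/* The failing path described in the report: the principal is passed
 * to the group lookup unchanged, so "alice@EXAMPLE.COM" never matches. */
int check_access_unstripped(const char *principal, const char *groupname)
{
    return user_in_group(principal, groupname);
}

/* The corrected path: strip (and validate) the realm before the lookup. */
int check_access_stripped(const char *principal, const char *groupname)
{
    char local[256];
    if (!strip_realm(principal, TRUSTED_REALM, local, sizeof local))
        return 0;
    return user_in_group(local, groupname);
}

int main(void)
{
    const char *p = "alice@EXAMPLE.COM";
    printf("unstripped: %d\n", check_access_unstripped(p, "printusers"));
    printf("stripped:   %d\n", check_access_stripped(p, "printusers"));
    printf("foreign:    %d\n", check_access_stripped("alice@OTHER.ORG",
                                                     "printusers"));
    return 0;
}
```

Run as written, the unstripped check denies "alice@EXAMPLE.COM" exactly as in the error_log above, the stripped check admits her, and a principal from another realm is still denied rather than silently becoming a local user.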
