OK, I think I've figured out why AUTH* permissions aren't working properly when using kerberos authentication with LPRng 3.8.6.
Yesterday, I commented on the AUTH* values being <NULL> when the permissions are checked. I've discovered that for an lpr request, the permissions are evaluated twice, once for service 'R' and again for service 'P'. This seems to be where the problem lies, as the AUTH* values are correct for the initial check, then are <NULL> for the second check, thus resulting in permissions being denied:

  2002-02-28-10:57:26.159 host1 [16657] RCVSEC lp: user 'toby', rmtuser 'toby', printer 'lp', service 'R', lpc '<NULL>'
  ...
  2002-02-28-10:57:26.160 host1 [16657] RCVSEC lp: authtype 'kerberos', authfrom '[EMAIL PROTECTED]', authuser '[EMAIL PROTECTED]'
  ...
  2002-02-28-10:57:26.163 host1 [16657] RCVSEC lp: Perms_check: P_AUTH authuser '[EMAIL PROTECTED]'
  ...
  2002-02-28-10:57:26.164 host1 [16657] RCVSEC lp: Perms_check: final result 1 'ACCEPT'
  2002-02-28-10:57:26.164 host1 [16657] RCVSEC lp: Do_perm_check: permission 'ACCEPT'
  ...
  2002-02-28-10:57:26.232 host1 [16657] (Server) lp: user 'toby', rmtuser 'toby', printer 'lp', service 'P', lpc '<NULL>'
  ...
  2002-02-28-10:57:26.233 host1 [16657] (Server) lp: authtype '<NULL>', authfrom '<NULL>', authuser '<NULL>'
  ...
  2002-02-28-10:57:26.236 host1 [16657] (Server) lp: Perms_check: P_AUTH authuser '<NULL>'
  ...
  2002-02-28-10:57:26.236 host1 [16657] (Server) lp: Perms_check: final result -1 'REJECT'
  2002-02-28-10:57:26.237 host1 [16657] (Server) lp: Check_print_perms: permission 'REJECT'

Examining this more closely, I note that the permissions checking is called from 'lpd_rcvjob.c:Do_perm_check' in the first instance and 'lpd_jobs.c:Check_print_perms' in the second instance. These two functions both call 'permissions.c:Perms_check'. However, the main difference between these two functions is that Do_perm_check uses the extern Perm_check structure, which has already had the AUTH* values correctly set in it (as part of the Do_secure_work function).
However, Check_print_perms uses a local structure which *does not* have the AUTH* values set and this appears to be why printing is being refused.

This could be fixed by setting perm.authuser = Perm_check.authuser, etc. in Check_print_perms. However, I don't know whether there are deeper issues afoot here that I'm missing.

Toby
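
A simplified C model of the behaviour reported in the message above, added here as an illustration; it is not LPRng source and not the poster's code. The struct layout, the `model_*` function names, the matching rule and the principal `toby@EXAMPLE.TEST` are assumptions made for the example; only the name `Perm_check` and the AUTH field names are taken from the message.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the permission-check context (assumed layout). */
struct model_perm {
    char service;                 /* 'R' = receive job, 'P' = print job */
    const char *user;
    const char *authtype, *authfrom, *authuser;
};

/* Connection-wide context, named after the extern the message mentions. */
static struct model_perm Perm_check;

/* Models the secure-receive path: record the authenticated principal. */
static void model_secure_session(const char *user, const char *principal) {
    Perm_check = (struct model_perm){ 'R', user, "kerberos", principal, principal };
}

/* Hypothetical rule: ACCEPT (1) only when authuser equals `required`;
 * a NULL authuser can never match, so the check fails closed (-1). */
static int model_perms_check(const struct model_perm *p, const char *required) {
    return (p->authuser && strcmp(p->authuser, required) == 0) ? 1 : -1;
}

/* First check, service 'R': evaluates the populated shared context. */
static int model_do_perm_check(const char *required) {
    return model_perms_check(&Perm_check, required);
}

/* Second check, service 'P': builds a local context. With copy_auth == 0
 * the AUTH fields stay NULL (the reported behaviour); with copy_auth != 0
 * they are copied from Perm_check (the change the message proposes). */
static int model_check_print_perms(const char *user, const char *required, int copy_auth) {
    struct model_perm perm = { .service = 'P', .user = user };
    if (copy_auth) {
        perm.authtype = Perm_check.authtype;
        perm.authfrom = Perm_check.authfrom;
        perm.authuser = Perm_check.authuser;
    }
    return model_perms_check(&perm, required);
}

int main(void) {
    const char *p = "toby@EXAMPLE.TEST";            /* constructed principal */
    model_secure_session("toby", p);
    printf("R=%d P(before)=%d P(after)=%d\n", model_do_perm_check(p),
           model_check_print_perms("toby", p, 0), model_check_print_perms("toby", p, 1));
    return 0;
}
```

In this model the copy only carries the already-authenticated identity into the second check; a principal that does not match the rule is still rejected.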
