> From [EMAIL PROTECTED] Thu Feb 28 06:59:32 2002
> Date: Thu, 28 Feb 2002 13:57:59 GMT
> From: Toby Blake <[EMAIL PROTECTED]>
> Subject: LPRng: Re: more on kerberos and permissions
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
>
> OK, I think I've figured out why AUTH* permissions aren't working
> properly when using kerberos authentication with LPRng 3.8.6.
>
> Yesterday, I commented on the AUTH* values being <NULL> when the
> permissions are checked. I've discovered that for an lpr request, the
> permissions are evaluated twice, once for service 'R' and again for
> service 'P'. This seems to be where the problem lies, as the AUTH*
> values are correct for the initial check, then are <NULL> for the
> second check, thus resulting in permissions being denied:
>
> 2002-02-28-10:57:26.159 host1 [16657] RCVSEC lp: user 'toby', rmtuser 'toby', printer 'lp', service 'R', lpc '<NULL>'
> ...
> 2002-02-28-10:57:26.160 host1 [16657] RCVSEC lp: authtype 'kerberos', authfrom '[EMAIL PROTECTED]', authuser '[EMAIL PROTECTED]'
> ...
> 2002-02-28-10:57:26.163 host1 [16657] RCVSEC lp: Perms_check: P_AUTH authuser '[EMAIL PROTECTED]'
> ...
> 2002-02-28-10:57:26.164 host1 [16657] RCVSEC lp: Perms_check: final result 1 'ACCEPT'
> 2002-02-28-10:57:26.164 host1 [16657] RCVSEC lp: Do_perm_check: permission 'ACCEPT'
> ...
>
> 2002-02-28-10:57:26.232 host1 [16657] (Server) lp: user 'toby', rmtuser 'toby', printer 'lp', service 'P', lpc '<NULL>'
> ...
> 2002-02-28-10:57:26.233 host1 [16657] (Server) lp: authtype '<NULL>', authfrom '<NULL>', authuser '<NULL>'
> ...
> 2002-02-28-10:57:26.236 host1 [16657] (Server) lp: Perms_check: P_AUTH authuser '<NULL>'
> ...
> 2002-02-28-10:57:26.236 host1 [16657] (Server) lp: Perms_check: final result -1 'REJECT'
> 2002-02-28-10:57:26.237 host1 [16657] (Server) lp: Check_print_perms: permission 'REJECT'
>
>
> Examining this more closely, I note that the permissions checking is
> called from 'lpd_rcvjob.c:Do_perm_check' in the first instance and
> 'lpd_jobs.c:Check_print_perms' in the second instance.
>
> These two functions both call 'permissions.c:Perms_check'. However,
> the main difference between these two functions is that Do_perm_check
> uses the extern Perm_check structure, which has already had the AUTH*
> values correctly set in it (as part of the Do_secure_work function).
> However, Check_print_perms uses a local structure which *does not*
> have the AUTH* values set and this appears to be why printing is being
> refused.
>
> This could be fixed by setting perm.authuser = Perm_check.authuser,
> etc. in Check_print_perms. However, I don't know whether there are
> deeper issues afoot here that I'm missing.
>
> Toby

It appears that the 'authentication' information is being tossed and not stored.
I will look at this in a bit of detail.

Patrick
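
Added example, not part of the original thread and not LPRng code: a small log check for the symptom described above, where one lpd process sees an authenticated user at the service 'R' check and then rejects a later check with authuser '<NULL>'. The function names and the principal 'toby@EXAMPLE.ORG' are assumptions made for the example; the sample lines are constructed from the debug output quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the debug lines quoted in the thread; the
# principal 'toby@EXAMPLE.ORG' is a placeholder, not a value from the post.
SAMPLE_LOG = """\
2002-02-28-10:57:26.159 host1 [16657] RCVSEC lp: user 'toby', rmtuser 'toby', printer 'lp', service 'R', lpc '<NULL>'
2002-02-28-10:57:26.160 host1 [16657] RCVSEC lp: authtype 'kerberos', authfrom 'toby@EXAMPLE.ORG', authuser 'toby@EXAMPLE.ORG'
2002-02-28-10:57:26.164 host1 [16657] RCVSEC lp: Perms_check: final result 1 'ACCEPT'
2002-02-28-10:57:26.232 host1 [16657] (Server) lp: user 'toby', rmtuser 'toby', printer 'lp', service 'P', lpc '<NULL>'
2002-02-28-10:57:26.233 host1 [16657] (Server) lp: authtype '<NULL>', authfrom '<NULL>', authuser '<NULL>'
2002-02-28-10:57:26.236 host1 [16657] (Server) lp: Perms_check: final result -1 'REJECT'
"""

PID = re.compile(r"\[(\d+)\]")
SERVICE = re.compile(r"service '([^']*)'")
AUTHUSER = re.compile(r"authuser '([^']*)'")
RESULT = re.compile(r"Perms_check: final result -?\d+ '(\w+)'")

def parse_checks(log_text):
    """Per pid, build one record for each permission check (each 'service' line)."""
    checks = defaultdict(list)
    for line in log_text.splitlines():
        pid = PID.search(line)
        if not pid:
            continue
        records = checks[pid.group(1)]
        if m := SERVICE.search(line):
            records.append({"service": m.group(1), "authuser": None, "result": None})
        elif records and (m := AUTHUSER.search(line)):
            records[-1]["authuser"] = None if m.group(1) == "<NULL>" else m.group(1)
        elif records and (m := RESULT.search(line)):
            records[-1]["result"] = m.group(1)
    return checks

def find_dropped_auth(log_text):
    """Return (pid, authuser, service) for each check that was rejected with no
    authuser after an earlier check in the same process had one."""
    findings = []
    for pid, records in parse_checks(log_text).items():
        seen = None
        for rec in records:
            if rec["authuser"]:
                seen = rec["authuser"]
            elif seen and rec["result"] == "REJECT":
                findings.append((pid, seen, rec["service"]))
    return findings
```

Run over lpd debug output, a non-empty result points at the second permission check losing the authentication context rather than at a wrong rule in the permissions file.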
