Bug 30450 - Free printing prohibits printing for everyone else
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: UMC - Computer room
UCS@school 3.0
Other Linux
P1 normal
UCS@school 3.1-errata
Assigned To: Sönke Schwardt-Krummrich
Florian Best
Reported: 2013-02-14 15:23 CET by Janis Meybohm
Modified: 2013-05-02 16:37 CEST (History)
Description Janis Meybohm univentionstaff 2013-02-14 15:23:44 CET
When a computer room's "Print mode" is set to "Free printing", the IPs of all clients get written to "hosts allow" of the print shares (in Samba).
This prohibits printing of _every_ client except those actively selected for "Free printing" via a computer room.
Comment 1 Janis Meybohm univentionstaff 2013-02-14 15:29:04 CET
Workaround:
Force IP whitelist to be empty. The drawback of this workaround is that access to printers restricted via UDM "Access control" can't be forced.

# ucr set --force samba/printmode/hosts/all=""; /etc/init.d/samba reload
Comment 2 Alexander Kläser univentionstaff 2013-02-22 10:37:11 CET
The easiest workaround would be to remove the functionality of allowing free printing or to remove the functionality of controlling printer access via the computer room module.
Comment 3 Arvid Requate univentionstaff 2013-02-25 15:20:45 CET
The current source code says:

 /* if theres no deny list and no allow list then allow access */

 /* if there is an allow list but no deny list then allow only hosts
    on the allow list */

 /* if theres a deny list but no allow list then allow
    all hosts not on the deny list */

 /* if there are both types of list then allow all hosts on the
    allow list */

 /* if there are both types of list and it's not on the allow then
    allow it if its not on the deny */


So from this I would guess generally defining a deny list should fix the problem. E.g. the workaround

ucr set --force samba/printmode/hosts/none='""'; /etc/init.d/samba reload

allows access from all addresses. So I guess it would help if univention/lib/share_restrictions.py would set this as a default in case a "hosts allow" list is configured and the "hosts deny" list would be empty.
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2013-03-21 12:02:20 CET
The computer room module now sets samba/printmode/hosts/none to '""' if no other IP address will be set in this variable. '""' gets removed, if at least one IP address will be added to the deny list.

Updatehint has been added in SVN:
doku/branches/ucs-3.1/errata-ucs-school/README_UPDATE_3.1.2

The package has been built in the scopes "ucsschool" and "ucsschool-3.1-R2".
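
Added example, not part of the original bug comments and not the Samba or UCS@school code: a simplified Python model of the five rules quoted in comment 3, showing why an allow list without a deny list locks out other clients and how the '""' deny entry from comment 4 changes the result. The function names, the sample addresses and the modelling of '""' as an entry that matches no host are assumptions; only plain IP and CIDR entries are handled.

```python
import ipaddress

# Assumption: the '""' value from the thread is modelled as a list entry
# that matches no host, so the deny list is non-empty but blocks nobody.
PLACEHOLDER = ""

def matches(client, entries):
    """True if client (an IP string) is covered by any IP/CIDR entry."""
    addr = ipaddress.ip_address(client)
    return any(
        addr in ipaddress.ip_network(entry, strict=False)
        for entry in entries
        if entry != PLACEHOLDER
    )

def access_allowed(client, allow, deny):
    """Apply the five rules from the quoted source comments, in order."""
    if not allow and not deny:      # no lists: allow access
        return True
    if allow and not deny:          # allow list only: only listed hosts
        return matches(client, allow)
    if deny and not allow:          # deny list only: all hosts not listed
        return not matches(client, deny)
    if matches(client, allow):      # both lists: allow-listed hosts pass
        return True
    return not matches(client, deny)  # both lists: otherwise check deny

def deny_list_after_fix(denied_ips):
    """Hypothetical helper mirroring comment 4: use the placeholder
    whenever no real IP address is on the deny list."""
    return list(denied_ips) if denied_ips else [PLACEHOLDER]

# Constructed sample addresses (not from the bug report).
ROOM_CLIENT = "10.0.1.5"    # in the room set to "Free printing"
OTHER_CLIENT = "10.0.2.7"   # in a room with no print mode set

def scenario(allow, denied_ips, fixed):
    """Access decision for both sample clients, before or after the fix."""
    deny = deny_list_after_fix(denied_ips) if fixed else list(denied_ips)
    return {c: access_allowed(c, allow, deny)
            for c in (ROOM_CLIENT, OTHER_CLIENT)}

if __name__ == "__main__":
    print("before fix:", scenario([ROOM_CLIENT], [], fixed=False))
    print("after fix: ", scenario([ROOM_CLIENT], [], fixed=True))
```

Under these rules, once both lists are present the allow list only exempts its hosts from the deny list; any restriction has to come from real entries on the deny list.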
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2013-03-22 09:43:09 CET
QA: please enable/disable/reset printing mode for a specific room and test if
- the setting applies to computers of the selected room
- the setting does not affect computers of other rooms
- the setting does not affect the domaincontroller slave itself
Comment 6 Florian Best univentionstaff 2013-04-24 10:59:30 CEST
(In reply to comment #4)
> The computer room module now sets samba/printmode/hosts/none to '""' if no
> other IP address will be set in this variable. '""' gets removed, if at least
> one IP address will be added to the deny list.
OK

> Updatehint has been added in SVN:
> doku/branches/ucs-3.1/errata-ucs-school/README_UPDATE_3.1.2
OK
Changelog OK

> The package has been built in the scopes "ucsschool" and "ucsschool-3.1-R2".
OK

(In reply to comment #5)
> QA: please enable/disable/reset printing mode for a specific room and test if
> - the setting applies to computers of the selected room
> - the setting does not affect computers of other rooms
> - the setting does not affect the domaincontroller slave itself
OK
Comment 7 Alexander Kläser univentionstaff 2013-05-02 16:37:50 CEST
UCS@school 3.1 rev1 has been released in the App Center.