Univention Bugzilla – Bug 35076
Control of print share access via computer room module is not working properly (Samba4)
Last modified: 2018-07-04 18:08:43 CEST
Related to 30331 Control of print share access via computer room module is not working properly (Samba4)

System UCS@school 3.2 R2

Temporarily deactivate printing:
1. "Allow all users." access to print share in "Access control"-TAB.
2. Test-Student has access to print share and can print. -> ok
3. "Change settings" in "Computer room"-module to "Printing deactivated"
4. Connection to print share is forbidden for Test-Student -> ok

Reactivate printing:
5. "Change settings" in "Computer room"-module to "Free printing"
6. Connection to print share is forbidden for Test-Student -> not ok
7. "Change settings" in "Computer room"-module to "Default (global settings)"
8. Connection to print share is forbidden for Test-Student -> not ok
9. Restart Samba
10. Connection to print share is allowed for Test-Student -> ok

Temporarily activate printing:
1. "Deny choosen users/groups." (schueler-schule) access to print share in "Access control"-TAB.
2. Test-Student has no access to print share and can't print. -> ok
3. "Change settings" in "Computer room"-module to "Free printing"
4. Connection to print share is forbidden for Test-Student -> not ok
5. Restart of Samba doesn't help.
6. Waited "some time (1-4 min)" just as it was written in comment 11 on #30331.

/etc/samba/local.config.d/printer.brother.local.config.conf

    [brother]
    invalid users = @schueler-schule
    hosts deny = ""
    hosts allow = 10.1.0.45 10.1.0.44

/etc/samba/printers.conf.d/brother

    [brother]
    printer name = brother
    path = /tmp
    guest ok = yes
    printable = yes
    invalid users = @schueler-schule

The "invalid users = @schueler-schule" seems to override the "hosts allow = 10.1.0.45 10.1.0.44"
Still reproducible in UCS@school 4.1R2?
@Richard: as a first step please try to reproduce Michel's findings with a current UCS@school 4.1 R2 v9 with UCS 4.1-4
I've tried to replicate Michel's findings on a UCS@school 4.1R2 system and identified three problems:

1. Changes of a printer's access-control in the "Computer room"-module won't get applied immediately. When I waited ~2min between the steps Michel's first test scenario caused no trouble.
2. The "invalid users" entry won't automatically be removed from /etc/samba/local.config.d/printer.$PRINTER.local.config.conf when it gets removed from /etc/samba/printers.conf.d/$PRINTER . I've opened Bug #43227 for this.
3. The problem in Michel's second test scenario seems to be that the "invalid users" entry (created when modifying access in a printer's "Access control"-tab) in a printer's config file has priority over the "hosts allow" entry (created when modifying access in the "Computer room"-module). According to "$ man smb.conf" of the current samba version this is the wanted behavior (on "invalid users"): "This is really a paranoid check to absolutely ensure an improper setting does not breach your security."
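A simplified model of the precedence described in point 3, as an added example that is not part of the bug report and is neither Samba's nor Univention's code: it parses constructed copies of the two [brother] fragments from the original report and evaluates the host check and the user check independently. The account names, the lehrer-schule group, the merge order of the fragments and the exact-IP host matching are assumptions made for illustration.

```python
import configparser

# Constructed copies of the two [brother] fragments quoted in the report.
LOCAL_CONF = """[brother]
invalid users = @schueler-schule
hosts deny = ""
hosts allow = 10.1.0.45 10.1.0.44
"""
PRINTER_CONF = """[brother]
printer name = brother
path = /tmp
guest ok = yes
printable = yes
invalid users = @schueler-schule
"""

def load_share(name, *fragments):
    """Merge one share's options from several fragments (assumed: later wins)."""
    merged = {}
    for text in fragments:
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        if cp.has_section(name):
            merged.update({k: v.strip().strip('"') for k, v in cp.items(name)})
    return merged

def host_ok(share, ip):
    """hosts allow / hosts deny, exact IPs only (no subnets, names, EXCEPT)."""
    allow = share.get("hosts allow", "").split()
    deny = share.get("hosts deny", "").split()
    if not deny:
        return not allow or ip in allow
    return ip in allow or ip not in deny

def access(share, user, groups, ip):
    """Both checks must pass; a host match never cancels 'invalid users'."""
    if not host_ok(share, ip):
        return "denied: host"
    for entry in share.get("invalid users", "").replace(",", " ").split():
        is_group = entry[0] in "@+"  # simplified: '@' and '+' both mean group
        if (is_group and entry[1:] in groups) or (not is_group and entry == user):
            return "denied: invalid users"
    return "allowed"

share = load_share("brother", PRINTER_CONF, LOCAL_CONF)
# Constructed accounts: a student and a teacher on a computer-room host.
print(access(share, "test-student", {"schueler-schule"}, "10.1.0.45"))
print(access(share, "test-teacher", {"lehrer-schule"}, "10.1.0.45"))
```

The student is refused on a host listed in "hosts allow" because the group match in "invalid users" is evaluated on its own, which is the situation in the second test scenario.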
Created attachment 8340
This patch removes the "Free printing" option

To solve problem 3 from Comment #3 I would suggest removing the "Free printing" option in the "Computer room"-module.
There is a Customer ID set so I set the flag "School Customer affected".
Regarding comment 3: Please check if all 3 points are still reproducible. If the last point is still reproducible, please check and apply the attached patch.
To 1. I cannot reproduce that (correct) behavior. When I have a printer with allowed for all and I deactivate it in the room module I can still print. (The deny host entry is present though). I also restarted samba service to be sure.
To 2. I can still reproduce it as well.
To 3. I can still reproduce, patch will be applied.
Correction to 1: I must have made some mistake. I retested again today and Number 1 works as expected.
Package: ucs-school-umc-computerroom
Version: 10.0.2-1A~4.3.0.201804261344
[4.3 3a9090d29] Bug #35076: Remove print mode 'all' from test
[4.3 fc0371284] Bug #35076: Remove print mode 'all' from test (2)
For completeness: Ole removed the printMode "all" that in the past allowed the teacher to allow all users of this room to use all printers, even if the printers' ACLs would have refused to use the printer. Since Samba no longer provides a simple solution to override, the item "all" has been removed.

OK: code change
OK: functional change
FIXED: tests (All test steps were executed, but only if the last test step failed was the script terminated with an error code.)
OK: changelog entry
FIXED: advisory
OK: package built and installable

I think a backport to UCS@school 4.2 is not required.

Package: ucs-test-ucsschool
Version: 5.0.2-67A~4.3.0.201806221609
Branch: ucs_4.3-0
Scope: ucs-school-4.3
UCS@school 4.3 v4 has been released. https://docs.software-univention.de/changelog-ucsschool-4.3v4-de.html If this error occurs again, please clone this bug.