Bug 43227 - Control of print share access via printer and computerroom module is not working properly (Samba4)
Control of print share access via printer and computerroom module is not work...
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Printserver
UCS 4.3
Other Linux
: P5 normal (vote)
: UCS 4.3-2-errata
Assigned To: Ole Schwiegert
Jürn Brodersen
:
Depends on:
Blocks: 35076
  Show dependency treegraph
 
Reported: 2016-12-20 12:53 CET by Richard Ulmer
Modified: 2018-10-24 17:26 CEST (History)
4 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.137
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
best: Patch_Available+


Attachments
patch (1.00 KB, patch)
2016-12-20 13:35 CET, Florian Best
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Richard Ulmer univentionstaff 2016-12-20 12:53:52 CET
The content of the file /etc/samba/local.config.d/printer.$PRINTERNAME.local.config.conf is not correct in some scenarios.

It is possible that there is a "invalid users = USERNAME" entry in this file, although "Allow all users." is set in the printers "Access control"-TAB and "Free printing" is chosen in the settings of the "Computer room"-Module.

Here is one way to replicate this behavior:
1. "Deny choosen users/groups." USERNAME access to print share in the printers "Access control"-TAB.
2. "Change settings" in "Computer room"-module to "Free printing".
3. Set "Allow all users." in the printers "Access control"-TAB.
If one now looks at the file the "invalid users = USERNAME" entry can be found.

To resolve the problem one could for example do the following:
"Change settings" in "Computer room"-module to "Default (global settings)"

+++ This bug was initially created as a clone of Bug #35076 +++

Related to 30331
Control of print share access via computer room module is not working properly (Samba4)

System UCS@school 3.2 R2
Temporary deactivate printing: 
1. "Allow all users." access to print share in "Access control"-TAB.
2. Test-Student has access to print share and can print. -> ok
3. "Change settings" in "Computer room"-Modul to "Printing deactivated"
4. Connection to print share is forbidden for Test-Student -> ok
Reactivate printing:
5. "Change settings" in "Computer room"-Modul to "Free printing"
6. Connection to print share is forbidden for Test-Student -> not ok
7. "Change settings" in "Computer room"-Modul to "Default (global settings)"
8. Connection to print share is forbidden for Test-Student -> not ok
9. Restart Samba
10. Connection to print share is allowed for Test-Student -> ok

Temporary activate printing:
1. "Deny choosen users/groups." (schueler-schule) access to print share in "Access control"-TAB.
2. Test-Student has no access to print share and can't print. -> ok
3. "Change settings" in "Computer room"-Modul to "Free printing"
4. Connection to print share is forbidden for Test-Student -> not ok
5. Restart of Samba doesn't help.
6. Waited "some time (1-4 min)" just as it was written in the comment 11 on #30331. 

/etc/samba/local.config.d/printer.brother.local.config.conf
[brother]    
invalid users = @schueler-schule
hosts deny = ""    
hosts allow = 10.1.0.45 10.1.0.44

/etc/samba/printers.conf.d/brother
[brother] 
printer name = brother           
path = /tmp                           
guest ok = yes  
printable = yes
invalid users =  @schueler-schule  

The "invalid users = @schueler-schule" seems to override the "hosts allow = 10.1.0.45 10.1.0.44"
Comment 1 Florian Best univentionstaff 2016-12-20 13:35:49 CET
Created attachment 8312 [details]
patch

The UCR configuration is not renewed when the listener changes some printers. The patch does this. I think it may be moved to the postrun() function?
Comment 2 Florian Best univentionstaff 2017-06-28 14:56:53 CEST
There is a Customer ID set so I set the flag "School Customer affected".
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2018-07-05 09:49:52 CEST
Please check if this issue is still reproducible and (if yes) if the attached patch still fixes the issue. If this is also the case, please apply the patch to UCS@school 4.3.
Comment 4 Ole Schwiegert univentionstaff 2018-09-28 10:14:53 CEST
The bug still exists more or less. Free printing is not available anymore in the computer room module, but the following behavior can be observed:

Changing the ACLs in the printer module changes the corresponding ldap values accordingly. Though no config file for the printer is edited or created.

When changing the printer mode in the computer room module a config file for the printer is created respecting also the options set in the printer umc module.

Editing the ACLs now does not have any effect. Changing the printer modus of the computer room module back to global settings results in the config file being deleted.

After applying the proposed patch the behavior is very much the same, with one exception:

When the print mode in the computer room is set to deactivated (only other option available) the config is created/updated accordingly. But now changing the ACLs in the printer module also updates the config file. Setting printer mode to global again deletes the config file and changes in the printer module have no effect again.
Comment 5 Ole Schwiegert univentionstaff 2018-09-28 11:05:53 CEST
My previous comment can be ignored since it eluded me that there are actually two configuration files and I misinterpreted the problem.

Yes the problem is reproducible, even if it has not much effect (the only option in the computer room module is disable printing or global options anyway since the free for all was removed).

The patch solves the issue and will be applied to prevent future problems should we extend the available options again.
Comment 6 Ole Schwiegert univentionstaff 2018-09-28 11:27:47 CEST
Package: univention-printserver
Version: 11.0.1-1A~4.3.0.201809281124
Comment 7 Jürn Brodersen univentionstaff 2018-10-16 15:14:17 CEST
The changes are done in ucs not ucsschool. Is that correct?
Comment 8 Jürn Brodersen univentionstaff 2018-10-17 16:04:16 CEST
What I tested:
share_restrictions.py is now called by the listener module -> OK
Comment 9 Arvid Requate univentionstaff 2018-10-24 17:26:53 CEST
<http://errata.software-univention.de/ucs/4.3/290.html>