Univention Bugzilla – Bug 43227
Control of print share access via printer and computerroom module is not working properly (Samba4)
Last modified: 2018-10-24 17:26:53 CEST
The content of the file /etc/samba/local.config.d/printer.$PRINTERNAME.local.config.conf is not correct in some scenarios. It is possible that there is a "invalid users = USERNAME" entry in this file, although "Allow all users." is set in the printers "Access control"-TAB and "Free printing" is chosen in the settings of the "Computer room"-Module. Here is one way to replicate this behavior: 1. "Deny choosen users/groups." USERNAME access to print share in the printers "Access control"-TAB. 2. "Change settings" in "Computer room"-module to "Free printing". 3. Set "Allow all users." in the printers "Access control"-TAB. If one now looks at the file the "invalid users = USERNAME" entry can be found. To resolve the problem one could for example do the following: "Change settings" in "Computer room"-module to "Default (global settings)" +++ This bug was initially created as a clone of Bug #35076 +++ Related to 30331 Control of print share access via computer room module is not working properly (Samba4) System UCS@school 3.2 R2 Temporary deactivate printing: 1. "Allow all users." access to print share in "Access control"-TAB. 2. Test-Student has access to print share and can print. -> ok 3. "Change settings" in "Computer room"-Modul to "Printing deactivated" 4. Connection to print share is forbidden for Test-Student -> ok Reactivate printing: 5. "Change settings" in "Computer room"-Modul to "Free printing" 6. Connection to print share is forbidden for Test-Student -> not ok 7. "Change settings" in "Computer room"-Modul to "Default (global settings)" 8. Connection to print share is forbidden for Test-Student -> not ok 9. Restart Samba 10. Connection to print share is allowed for Test-Student -> ok Temporary activate printing: 1. "Deny choosen users/groups." (schueler-schule) access to print share in "Access control"-TAB. 2. Test-Student has no access to print share and can't print. -> ok 3. "Change settings" in "Computer room"-Modul to "Free printing" 4. Connection to print share is forbidden for Test-Student -> not ok 5. Restart of Samba doesn't help. 6. Waited "some time (1-4 min)" just as it was written in the comment 11 on #30331. /etc/samba/local.config.d/printer.brother.local.config.conf [brother] invalid users = @schueler-schule hosts deny = "" hosts allow = 10.1.0.45 10.1.0.44 /etc/samba/printers.conf.d/brother [brother] printer name = brother path = /tmp guest ok = yes printable = yes invalid users = @schueler-schule The "invalid users = @schueler-schule" seems to override the "hosts allow = 10.1.0.45 10.1.0.44"
Created attachment 8312 [details] patch The UCR configuration is not renewed when the listener changes some printers. The patch does this. I think it may be moved to the postrun() function?
There is a Customer ID set so I set the flag "School Customer affected".
Please check if this issue is still reproducible and (if yes) if the attached patch still fixes the issue. If this is also the case, please apply the patch to UCS@school 4.3.
The bug still exists more or less. Free printing is not available anymore in the computer room module, but the following behavior can be observed: Changing the ACLs in the printer module changes the corresponding ldap values accordingly. Though no config file for the printer is edited or created. When changing the printer mode in the computer room module a config file for the printer is created respecting also the options set in the printer umc module. Editing the ACLs now does not have any effect. Changing the printer modus of the computer room module back to global settings results in the config file being deleted. After applying the proposed patch the behavior is very much the same, with one exception: When the print mode in the computer room is set to deactivated (only other option available) the config is created/updated accordingly. But now changing the ACLs in the printer module also updates the config file. Setting printer mode to global again deletes the config file and changes in the printer module have no effect again.
My previous comment can be ignored since it eluded me that there are actually two configuration files and I misinterpreted the problem. Yes the problem is reproducible, even if it has not much effect (the only option in the computer room module is disable printing or global options anyway since the free for all was removed). The patch solves the issue and will be applied to prevent future problems should we extend the available options again.
Package: univention-printserver Version: 11.0.1-1A~4.3.0.201809281124
The changes are done in ucs not ucsschool. Is that correct?
What I tested: share_restrictions.py is now called by the listener module -> OK
<http://errata.software-univention.de/ucs/4.3/290.html>