Ticket #41 (closed defect: fixed)

Opened 9 years ago

Last modified 8 years ago

strip kerberos realm name from username

Reported by: sle Owned by: jerome
Priority: minor Milestone: 1.27 final
Component: pykota Version: development
Keywords: kerberos Cc: sle@…

Description

When CUPS is configured with Kerberos authentication, the username passed to cupspykota is in the form of "USERNAME@…M" instead of just "USERNAME". This causes an "Invalid username" error.

PyKota should strip the Kerberos realm from self.UserName? in cupspykota. Ideally, the Kerberos realm would be specified in pykota.conf.

Change History

  Changed 9 years ago by jerome

  • status changed from new to accepted

This needs to be fixed. You can't even specify "username@realm" as the full username in pkusers/edpykota, unfortunately, otherwise this would have solved your problem.

I'll look at this ASAP.

follow-up: ↓ 8   Changed 9 years ago by jerome

Would you like to send your cupsd.conf file to me privately so I can see if PyKota could grab the Kerberos realm from it instead of having to introduce an additional directive in pykota.conf ?
Also, could you set "prehook: /usr/bin/printenv >/tmp/pykota.env" in your pykota.conf and print something, then send the /tmp/pykota.env file to me ? Maybe there are some informations there which would help as well.
Can a CUPS server handle print jobs from users coming from different Kerberos realms ?
Please give me some additional informations and I'll fix this problem the best way.

TIA.

  Changed 9 years ago by sle

  • cc sle@… added

cupsd.conf doesn't contain a directive with the Kerberos realm, and the CUPS documentation states that only a single Kerberos realm can be supported for authentication. I think the easiest way to get the Kerberos realm is to have it specified in pykota.conf (extracting it from other locations like /etc/krb5.conf may be problematic if CUPS was built with a customized Kerberos library).

I'll be emailing you a copy of pykota.env privately.

Thanks for your help.

  Changed 9 years ago by jerome

  • status changed from accepted to closed
  • resolution set to fixed

(In [3496]) Implemented a workaround for Kerberized usernames. This workaround
should also take care of removing instances from the principal. Now only
the primary is used as the username. IMPORTANT : in the code we
consider the component separator character is always '/' and the realm
separator character is always '@', this may not always be the case.
Fixes #41.

  Changed 9 years ago by jerome

(In [3497]) Improvement over the latest fix. References #41.

  Changed 9 years ago by sle

Thanks for providing a fix. I have been unable to test the patch because I can not backport your changes to tag 1.26-fixes, and I am running into bug #42 if I upgrade to Pykota 1.27.

  Changed 9 years ago by sle

I have tested the patch and can confirm that PyKota properly handles Kerberos authenticated users.

Thanks for the fix.

in reply to: ↑ 2   Changed 8 years ago by john3050

Replying to jerome:

Would you like to send your cupsd.conf file to me privately so I can see if PyKota could mesothelioma grab the Kerberos realm from it instead of having to introduce an additional directive in pykota.conf ?
Also, could you set "prehook: /usr/bin/printenv >/tmp/pykota.env" in your pykota.conf and print something, then send auto insurance quotes the /tmp/pykota.env file to me ? Maybe there are some informations there which would help as well.
Can a CUPS server handle print jobs from users coming from different Kerberos realms ?
Please give me some additional informations and I'll fix this problem the best way.

TIA.

Note: See TracTickets for help on using tickets.