Bug 126856

Summary: Password for SMB/NCP printers easily out of sync
Product: [Fedora] Fedora Reporter: W. Michael Petullo <redhat>
Component: cupsAssignee: Tim Waugh <twaugh>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: caillon, walters
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-12-17 16:57:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description W. Michael Petullo 2004-06-28 14:05:00 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7)
Gecko/20040614 Firefox/0.8

Description of problem:
In order to configure cups to print to a SMB/NCP printer, one has to
enter a static username/password pair into /etc/cups/printers.conf. 
This does not work well with systems that force users to change their
passwords occasionally.  When the password protecting the printer
changes, there is not easy way to ensure cups systems reflect this change.

If a user's SMB domain password is used to access a printer then cups'
use of an out of sync password may cause that user to be locked out of
his account.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.  Find a network that allows users to use an SMB printer based on
their domain password.

2.  Configure cups to allow access to the SMB printer using a user's
domain password.

3.  Change the user's domain password.

4.  Note that /etc/cups/printers.conf still contains the old password.
 Trying to print may cause the user's account to become locked out.

Additional info:

One potential solution to this problem involves integrating cups and
gnome-keyring.  It would be nice if cups could authenticate on a
per-user basis.  If this was done, then printing clients could prompt
for a username and password if needed, much like nautilus does.  This
authentication information could be stored in gnome-keyring for future
use.

One issue with this technique is that it requires adding password
prompting code to all printer clients (including things like lpr).

Another possible solution is to always store the password a user uses
to login to Linux in gnome-keyring.  A PAM module could ensure that
this password always reflected reality (update it when the user runs
passwd).  Cups would simply query for this password from gnome-keyring
before printing.  Assuming a system is properly configured with
pam_winbind (or another protocol's equivalent) and printer's are
managed using individual's domain accounts, this could ensure printing
passwords are in sync without ever prompting the user.

A final solution that requires no modifications is protect printers
using a global username and password that never changes.  This would
not be an acceptable solution on many networks.
Comment 2 W. Michael Petullo 2004-08-11 16:50:07 UTC 
Some work by Colin Walters may help things:
http://verbum.org/blog/freesoftware/eggcups-fun
Comment 3 Tim Waugh 2006-03-20 08:47:14 UTC 
User-defined print queues (planned) would ease this problem.
Comment 4 W. Michael Petullo 2006-10-14 13:28:23 UTC 
Has there been any work on this?  Does the new printer configuration system
address this or lay the groundwork to do so?
Comment 5 Tim Waugh 2006-12-15 17:02:01 UTC 
There hasn't been any work done yet on user-defined print queues, no.
Comment 6 Tim Waugh 2008-12-17 16:57:48 UTC 
This was fixed in Fedora 10.  You can now define a queue without any authentication details in the URI, and those authentication details will be collected from the user at print job submission time.