Bug 126856 - Password for SMB/NCP printers easily out of sync
Product: Fedora
Classification: Fedora
Component: cups
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Tim Waugh
Keywords: FutureFeature
Reported: 2004-06-28 10:05 EDT by W. Michael Petullo
Modified: 2008-12-17 11:57 EST
Doc Type: Enhancement
Last Closed: 2008-12-17 11:57:48 EST

Description W. Michael Petullo 2004-06-28 10:05:00 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7)
Gecko/20040614 Firefox/0.8

Description of problem:
In order to configure cups to print to an SMB/NCP printer, one has to
enter a static username/password pair into /etc/cups/printers.conf.
This does not work well with systems that force users to change their
passwords occasionally.  When the password protecting the printer
changes, there is no easy way to ensure cups systems reflect this change.

If a user's SMB domain password is used to access a printer then cups'
use of an out of sync password may cause that user to be locked out of
his account.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  Find a network that allows users to use an SMB printer based on
their domain password.

2.  Configure cups to allow access to the SMB printer using a user's
domain password.

3.  Change the user's domain password.

4.  Note that /etc/cups/printers.conf still contains the old password.
 Trying to print may cause the user's account to become locked out.

Additional info:

One potential solution to this problem involves integrating cups and
gnome-keyring.  It would be nice if cups could authenticate on a
per-user basis.  If this was done, then printing clients could prompt
for a username and password if needed, much like nautilus does.  This
authentication information could be stored in gnome-keyring for future

One issue with this technique is that it requires adding password
prompting code to all printer clients (including things like lpr).

Another possible solution is to always store the password a user uses
to login to Linux in gnome-keyring.  A PAM module could ensure that
this password always reflected reality (update it when the user runs
passwd).  Cups would simply query for this password from gnome-keyring
before printing.  Assuming a system is properly configured with
pam_winbind (or another protocol's equivalent) and printers are
managed using individuals' domain accounts, this could ensure printing
passwords are in sync without ever prompting the user.

A final solution that requires no modifications is to protect printers
using a global username and password that never changes.  This would
not be an acceptable solution on many networks.
Comment 2 W. Michael Petullo 2004-08-11 12:50:07 EDT
Some work by Colin Walters may help things:
Comment 3 Tim Waugh 2006-03-20 03:47:14 EST
User-defined print queues (planned) would ease this problem.
Comment 4 W. Michael Petullo 2006-10-14 09:28:23 EDT
Has there been any work on this?  Does the new printer configuration system
address this or lay the groundwork to do so?
Comment 5 Tim Waugh 2006-12-15 12:02:01 EST
There hasn't been any work done yet on user-defined print queues, no.
Comment 6 Tim Waugh 2008-12-17 11:57:48 EST
This was fixed in Fedora 10.  You can now define a queue without any authentication details in the URI, and those authentication details will be collected from the user at print job submission time.
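
An added example, not part of the bug thread and not CUPS code: a small audit that lists the queues whose DeviceURI still embeds a password (the situation the report describes, checked here for any URI scheme, not only SMB/NCP) and shows the credential-free URI that Comment 6 says a queue can now use. The sample configuration, host names and accounts are constructed, and the `<Printer name>` / `DeviceURI` layout is assumed to match the local /etc/cups/printers.conf.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in printers.conf layout; hosts, users and passwords are made up.
SAMPLE_PRINTERS_CONF = """\
<Printer office-smb>
Info Second floor laser
DeviceURI smb://EXAMPLE;alice:OldPassw0rd@printsrv.example.com/laser2
</Printer>
<DefaultPrinter lab-ncp>
DeviceURI ncp://bob:hunter2@nwserver.example.com/LABQ
</DefaultPrinter>
<Printer clean-smb>
DeviceURI smb://printsrv.example.com/laser3
</Printer>
"""

QUEUE_OPEN = re.compile(r"^<(?:Default)?Printer\s+(\S+)>\s*$")

def audit_printers_conf(text):
    """Return one finding per queue whose DeviceURI embeds a password."""
    findings, queue = [], None
    for line in text.splitlines():
        line = line.strip()
        m = QUEUE_OPEN.match(line)
        if m:
            queue = m.group(1)
            continue
        if line.startswith("</"):
            queue = None
            continue
        if queue is None or not line.startswith("DeviceURI "):
            continue
        parts = urlsplit(line.split(None, 1)[1])
        if parts.password is None:
            continue  # no stored secret in this URI
        host = parts.netloc.rpartition("@")[2]  # drop the user:password@ part
        findings.append({
            "queue": queue,
            "scheme": parts.scheme,
            "user": parts.username,
            # Same URI with the userinfo removed; the password is never copied out.
            "uri_without_credentials": urlunsplit(parts._replace(netloc=host)),
        })
    return findings

if __name__ == "__main__":
    for f in audit_printers_conf(SAMPLE_PRINTERS_CONF):
        print(f"{f['queue']}: password stored for {f['user']!r}; "
              f"credential-free URI: {f['uri_without_credentials']}")
```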
