Red Hat Bugzilla – Bug 126856
Password for SMB/NCP printers easily out of sync
Last modified: 2008-12-17 11:57:48 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7)
Description of problem:
In order to configure cups to print to a SMB/NCP printer, one has to
enter a static username/password pair into /etc/cups/printers.conf.
This does not work well with systems that force users to change their
passwords occasionally. When the password protecting the printer
changes, there is not easy way to ensure cups systems reflect this change.
If a user's SMB domain password is used to access a printer then cups'
use of an out of sync password may cause that user to be locked out of
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Find a network that allows users to use an SMB printer based on
their domain password.
2. Configure cups to allow access to the SMB printer using a user's
3. Change the user's domain password.
4. Note that /etc/cups/printers.conf still contains the old password.
Trying to print may cause the user's account to become locked out.
One potential solution to this problem involves integrating cups and
gnome-keyring. It would be nice if cups could authenticate on a
per-user basis. If this was done, then printing clients could prompt
for a username and password if needed, much like nautilus does. This
authentication information could be stored in gnome-keyring for future
One issue with this technique is that it requires adding password
prompting code to all printer clients (including things like lpr).
Another possible solution is to always store the password a user uses
to login to Linux in gnome-keyring. A PAM module could ensure that
this password always reflected reality (update it when the user runs
passwd). Cups would simply query for this password from gnome-keyring
before printing. Assuming a system is properly configured with
pam_winbind (or another protocol's equivalent) and printer's are
managed using individual's domain accounts, this could ensure printing
passwords are in sync without ever prompting the user.
A final solution that requires no modifications is protect printers
using a global username and password that never changes. This would
not be an acceptable solution on many networks.
Some work by Colin Walters may help things:
User-defined print queues (planned) would ease this problem.
Has there been any work on this? Does the new printer configuration system
address this or lay the groundwork to do so?
There hasn't been any work done yet on user-defined print queues, no.
This was fixed in Fedora 10. You can now define a queue without any authentication details in the URI, and those authentication details will be collected from the user at print job submission time.