(Issue #990)
- Fixed issues with cupsGetDestMediaByXxx (Issue #993)
- Fixed adding and modifying of printers via the web interface (Issue #998)
+- Fixed HTTP PeerCred authentication for domain users (Issue #1001)
- Fixed checkbox support (Issue #1008)
- Fixed printer state notifications (Issue #1013)
# List of events that are considered fatal errors for the scheduler...
#FatalErrors @CUPS_FATAL_ERRORS@
+# Strip domain in local username?
+#StripUserDomain No
+
# Do we call fsync() after writing configuration or status files?
#SyncOnClose @CUPS_SYNC_ON_CLOSE@
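Review bot: The template comment `# Strip domain in local username?` carries none of the warning that the HTML and man page text for this directive spell out, and an administrator editing cups-files.conf sees only this line. I would word it along the lines of `# Strip the @domain part of authenticated user names? Enabling this makes "user@REALM" and a local "user" the same identity for access checks.` so the trade-off is visible where the switch is flipped.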
<dt><a name="StateDir"></a><b>StateDir </b><i>directory</i>
<dd style="margin-left: 5.0em">Specifies the directory to use for PID and local certificate files.
The default is "/var/run/cups" or "/etc/cups" depending on the platform.
+<dt><a name="StripUserDomain"></a><b>StripUserDomain Yes</b>
+<dd style="margin-left: 5.0em"><dt><b>StripUserDomain No</b>
+<dd style="margin-left: 5.0em">Specifies whether to remove domain from user name during local user authentication (e.g., "user@example.com" –> "user").
+This practice can be beneficial for maintaining compatibility with older versions of Kerberos.
+However, enabling this option can have negative consequences.
+It may result in confusion between domain and local users with identical names, potentially leading
+to incorrect assignment of user permissions and unintentional permission escalation,
+thus creating a security risk. Therefore, it is advisable to avoid using this option in most cases.
<dt><a name="SyncOnClose"></a><b>SyncOnClose Yes</b>
<dd style="margin-left: 5.0em"><dt><b>SyncOnClose No</b>
<dd style="margin-left: 5.0em">Specifies whether the scheduler calls
\fBStateDir \fIdirectory\fR
Specifies the directory to use for PID and local certificate files.
The default is "/var/run/cups" or "/etc/cups" depending on the platform.
+.\"#StripUserDomain
+.TP 5
+\StripUserDomain Yes\fR
+.TP 5
+\StripUserDomain No\fR
+Specifies whether to remove domain from user name during local user authentication (e.g., "user@example.com" –> "user").
+This practice can be beneficial for maintaining compatibility with older versions of Kerberos.
+However, enabling this option can have negative consequences.
+It may result in confusion between domain and local users with identical names, potentially leading
+to incorrect assignment of user permissions and unintentional permission escalation,
+thus creating a security risk. Therefore, it is advisable to avoid using this option in most cases.
.\"#SyncOnClose
.TP 5
\fBSyncOnClose Yes\fR
* Strip any @domain or @KDC from the username and owner...
*/
- if ((ptr = strchr(username, '@')) != NULL)
+ if (StripUserDomain && (ptr = strchr(username, '@')) != NULL)
*ptr = '\0';
if (owner)
{
strlcpy(ownername, owner, sizeof(ownername));
- if ((ptr = strchr(ownername, '@')) != NULL)
+ if (StripUserDomain && (ptr = strchr(ownername, '@')) != NULL)
*ptr = '\0';
}
else
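Review bot: The comment above the two changed conditions still reads as unconditional ("Strip any @domain or @KDC from the username and owner..."), but both truncations now run only when `StripUserDomain` is set. It should say so, for example `* Strip any @domain or @KDC from the username and owner, but only when StripUserDomain is enabled; otherwise the full name is used as-is...`. When the option is on, nothing here records that a name was collapsed, so a `cupsdLogMessage()` call at debug level before each `*ptr = '\0';` would let an administrator trace an authorization decision back to the original principal. The enclosing function starts and ends outside this hunk, so how the untruncated names are compared further down cannot be checked from here.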
#endif /* HAVE_TLS */
{ "ServerRoot", &ServerRoot, CUPSD_VARTYPE_PATHNAME },
{ "StateDir", &StateDir, CUPSD_VARTYPE_STRING },
+ { "StripUserDomain", &StripUserDomain, CUPSD_VARTYPE_BOOLEAN },
{ "SyncOnClose", &SyncOnClose, CUPSD_VARTYPE_BOOLEAN },
#ifdef HAVE_AUTHORIZATION_H
{ "SystemGroupAuthKey", &SystemGroupAuthKey, CUPSD_VARTYPE_STRING },
LogFilePerm = CUPS_DEFAULT_LOG_FILE_PERM;
LogFileGroup = Group;
LogLevel = CUPSD_LOG_WARN;
+ StripUserDomain = FALSE;
LogTimeFormat = CUPSD_TIME_STANDARD;
MaxClients = 100;
MaxClientsPerHost = 0;
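Review bot: The default `StripUserDomain = FALSE;` reverses what the scheduler did before this commit, where the auth.c hunk shows the `@` suffix was always removed, yet the changelog entry mentions only a PeerCred fix. Sites whose access rules name bare users for Kerberos or domain accounts will presumably need `StripUserDomain Yes` after upgrading, so the changelog should name the new directive and its default. A short comment on the assignment would also help, e.g. `/* Off by default: "user@REALM" is no longer collapsed to "user" */`. Separately, both this assignment and the `VAR int StripUserDomain` declaration sit inside the run of Log* settings; moving them out of that run would make an authentication switch easier to find.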
/* Group ID for log files */
VAR cupsd_loglevel_t LogLevel VALUE(CUPSD_LOG_WARN);
/* Error log level */
+VAR int StripUserDomain VALUE(FALSE);
+ /* Strip domain in local username? */
VAR cupsd_time_t LogTimeFormat VALUE(CUPSD_TIME_STANDARD);
/* Log file time format */
VAR cups_file_t *LogStderr VALUE(NULL);