[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1005841: debian-edu-config: No TJENER print queues appearing on Debian Edu clients, print queues named not like queue name on TJENER

Hi Wolfgang,

On  Mi 16 Feb 2022 00:10:16 CET, Wolfgang Schweer wrote:

Hi Mike,

[ Mike Gabriel, 2022-02-15 ]
Package: debian-edu-config
Severity: important
Version: 2.12.16
Control: found -1 2.11.56+deb11u3

If allowing read access to /etc/cups/cups-browsed-debian-edu.conf in
apparmor (see #1005813), the current configuration won't create remote CUPS
printer queues on Debian Edu workstations.

To make CUPS printer queues on TJENER available on Debian Edu workstations,
one needs to set "CreateRemoteCUPSPrinterQueues Yes" in

"CreateRemoteCUPSPrinterQueues No" has been used intentionally.

Hmm... ok...

The existing (centralized) approach has been documented, see:

I fully agree with the non-self-advertising policy described in that part of the documentation.

The problem is that I think that the cups-browsing (or more strictly spoken cups-browsed-debian-edu.conf) never got really fully tested, because cups-browsed fails/failed to read cups-browsed-debian-edu.conf due to apparmor blocking. On diskless workstations, apparmor is not running (at least here, I wonder if I should work on enabling that for diskless machines, too), so on DLWs without apparmor, the cups-browsed-debian-edu.conf config is applied to the cups-browsed service and configured settings are active.

On normal workstations, I sense that some cups-browsed defaults kick into place (as the cups-browsed-debian-edu.conf is being blocked from reading at cups-browsed service startup) and that these defaults provide CUPS queues on TJENER to the clients via dnssd and the printer naming scheme is <make>_<model>_<host> (which is an unwanted naming scheme here).

The apparmor DENIED action can be observed when watching "journalctl -f | grep cups-browsed" on Debian Edu clients.

With my tests here, after having added an additional path for /etc/cups/cups-browsed-debian-edu.conf to /etc/apparmor.d/local/usr.sbin.cups-browsed, network printers don't appear in "lpstat -a" anymore on Debian Edu workstation. Only when enabling CreateRemoteCUPSPrinterQueues, I see those queues with their correct name (TJENER queue name -> workstation queue name).

I'll investigate this a little more and check if my puppet rules [1] do the correct thing when applied to other clients on other customer school networks.


[1] https://code.it-zukunft-schule.de/cgit/puppet.KATH/commit/?id=aa3a3b386680887232942e36e91559e214362a06

c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

Attachment: pgpV0JYQyqf1K.pgp
Description: Digitale PGP-Signatur

Reply to: