Hi Wolfgang,

On Wed 16 Feb 2022 00:10:16 CET, Wolfgang Schweer wrote:

Hi Mike,

[ Mike Gabriel, 2022-02-15 ]
Package: debian-edu-config
Severity: important
Version: 2.12.16
Control: found -1 2.11.56+deb11u3

If allowing read access to /etc/cups/cups-browsed-debian-edu.conf in apparmor (see #1005813), the current configuration won't create remote CUPS printer queues on Debian Edu workstations.

To make CUPS printer queues on TJENER available on Debian Edu workstations, one needs to set "CreateRemoteCUPSPrinterQueues Yes" in /etc/cups/cups-browsed(-debian-edu).conf.

"CreateRemoteCUPSPrinterQueues No" has been used intentionally.
Hmm... ok...
The existing (centralized) approach has been documented, see: https://wiki.debian.org/DebianEdu/Documentation/Bullseye/GettingStarted#Printer_Management
I fully agree with the non-self-advertising policy described in that part of the documentation.
The problem is that I think that the cups-browsing (or more strictly speaking cups-browsed-debian-edu.conf) never got really fully tested, because cups-browsed fails/failed to read cups-browsed-debian-edu.conf due to apparmor blocking. On diskless workstations, apparmor is not running (at least here, I wonder if I should work on enabling that for diskless machines, too), so on DLWs without apparmor, the cups-browsed-debian-edu.conf config is applied to the cups-browsed service and configured settings are active.
On normal workstations, I sense that some cups-browsed defaults kick into place (as the cups-browsed-debian-edu.conf is being blocked from reading at cups-browsed service startup) and that these defaults provide CUPS queues on TJENER to the clients via dnssd and the printer naming scheme is <make>_<model>_<host> (which is an unwanted naming scheme here).
The apparmor DENIED action can be observed when watching "journalctl -f | grep cups-browsed" on Debian Edu clients.
With my tests here, after having added an additional path for /etc/cups/cups-browsed-debian-edu.conf to /etc/apparmor.d/local/usr.sbin.cups-browsed, network printers don't appear in "lpstat -a" anymore on Debian Edu workstations. Only when enabling CreateRemoteCUPSPrinterQueues do I see those queues with their correct name (TJENER queue name -> workstation queue name).
I'll investigate this a little more and check if my puppet rules [1] do the correct thing when applied to other clients on other customer school networks.
Greets,
Mike

[1] https://code.it-zukunft-schule.de/cgit/puppet.KATH/commit/?id=aa3a3b386680887232942e36e91559e214362a06

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
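Added example, not part of the message above or of the Debian Edu packages: a shell sketch that goes one step beyond the "journalctl -f | grep cups-browsed" check by extracting the file paths AppArmor denied to the cups-browsed profile and turning read denials under /etc/cups/ into candidate lines for /etc/apparmor.d/local/usr.sbin.cups-browsed. The log lines are constructed samples in the kernel audit format, and the profile name /usr/sbin/cups-browsed and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample journal lines in the kernel AppArmor audit format.
sample_log() {
cat <<'EOF'
Feb 16 00:01:02 ws01 kernel: audit: type=1400 audit(1644966062.101:41): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/etc/cups/cups-browsed-debian-edu.conf" pid=712 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 16 00:01:03 ws01 cups-browsed[712]: constructed non-audit line
Feb 16 00:05:09 ws01 kernel: audit: type=1400 audit(1644966309.500:42): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/srv/constructed/file" pid=690 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 16 00:07:30 ws01 kernel: audit: type=1400 audit(1644966450.007:43): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/etc/cups/cups-browsed-debian-edu.conf" pid=845 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 16 00:09:11 ws01 kernel: audit: type=1400 audit(1644966551.310:44): apparmor="DENIED" operation="mknod" profile="/usr/sbin/cups-browsed" name="/var/tmp/constructed.tmp" pid=845 comm="cups-browsed" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
EOF
}

# Print "denied_mask path" once per unique denial for the given profile.
denied_paths() {
    awk -v want="$1" '
    # Return the value of key="value" on the current line, or "" if absent.
    function field(key,   pat) {
        pat = " " key "=\"[^\"]*\""
        if (!match($0, pat)) return ""
        return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    field("apparmor") == "DENIED" && field("profile") == want {
        p = field("name"); m = field("denied_mask")
        if (p != "" && !seen[m " " p]++) print m, p
    }'
}

# Turn read denials under /etc/cups/ into candidate local-override rules;
# anything else is flagged for manual review instead of being allowed.
suggest_rules() {
    while read -r mask path; do
        case "$mask:$path" in
            r:/etc/cups/*) printf '  %s r,\n' "$path" ;;
            *) printf '# review manually: %s %s\n' "$mask" "$path" ;;
        esac
    done
}

# On a workstation, replace sample_log with: journalctl -k -b
sample_log | denied_paths /usr/sbin/cups-browsed | suggest_rules
```

After adding a rule to the local override file, the profile has to be reloaded (for example with apparmor_parser -r on the main profile file) before cups-browsed is restarted.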