[cups.bugs] [HIGH] STR #2748: Negotiate Authentication Failure on Web Interface
Richard Fuller
rpfuller-cups at cs.york.ac.uk
Tue Mar 11 09:13:31 PDT 2008
DO NOT REPLY TO THIS MESSAGE. INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.
[STR New]
This is a follow-on to bug #2606.
When accessing certain administrative functions using Negotiate (Kerberos)
authentication (e.g. add/remove class, add printer) it fails, and
"Authorized using Basic, expected Negotiate!" is written to the error log.
Some investigation reveals the problem to be as follows. The initial
authentication works fine, then it uses the Local authentication type to
send the IPP commands. You get:
cupsdAuthorize: Authorized as <username> using Local
which is fine, but then it sets con->type to CUPSD_AUTH_BASIC, auth.c:559
con->type = CUPSD_AUTH_BASIC;
Now when it comes to do the check in auth.c:2010 it fails because
con->type isn't the same as type (Basic vs Negotiate):
if (con->type != type && type != CUPSD_AUTH_NONE &&
(con->type != CUPSD_AUTH_BASIC || type != CUPSD_AUTH_BASICDIGEST))
{
cupsdLogMessage(CUPSD_LOG_ERROR, "Authorized using %s, expected
%s!",
types[con->type], types[type]);
return (HTTP_UNAUTHORIZED);
}
To confirm this, as I'm not using Basic, only Negotiate, I changed
auth.c:559 to:
con->type = CUPSD_AUTH_NEGOTIATE;
and it works fine.
So, either con->type must be set to Negotiate if the original
authentication was Negotiate, or the check that the correct authentication
type was used needs to be relaxed.
Do let me know if you want any more information.
Link: http://www.cups.org/str.php?L2748
Version: 1.3.6
More information about the cups-devel
mailing list