Localhost authentication certificates

[Tim]

Hi there.

I'm having a problem with local users running lpq, lpstat, etc.

What I want is for any communications with the CUPS server to be from a logged-in system user so that all printing (including test-pages) is assignable to a user for billing purposes. So I've added "AuthType Basic" and "AuthClass User" to <Location />. Only now, when a user runs lpq, lpstat, etc., they are asked for their password multiple times! It looks as if they are asked for each (it seems) request to the server on localhost, although I couldn't be sure...

Users in the "SystemGroup" group are not asked for a password (and it's the same for normal users if they have read permission on /etc/cups/certs/0). But then those users appear in the access_log (and maybe page_log?) as user "root"...

I'm a complete newcomer to CUPS (which otherwise seems to be a fantastic package!) and I can't seem to find much documentation on how these localhost authentication certificates work. I've read the docs at http://www.cups.org/sam.html#CERTIFICATES but they dont go in to too much depth. I'm assuming my problem has something to do with these certificates - as I understand it, the user-tools use them to communicate to the server on localhost. Or am I missing something here?

If it helps, here's my cupsd.conf with all comments removed:
ServerName ########.local
ServerAdmin admin@########.org
DocumentRoot /usr/share/cups/doc/
LogLevel debug2
ServerCertificate /etc/cups/ssl/cupscrt.pem
ServerKey /etc/cups/ssl/cupskey.pem
Listen localhost:631
SSLListen #######.local:631
HostNameLookups On
<Location />
AuthType Basic
AuthClass User
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 192.168.0.0/16
</Location>
<Location /admin>
AuthType Basic
AuthClass System
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 192.168.0.0/16
</Location>