[cups.general] cups-1.1.22rc1 - Pausing via samba unauthorized depending on order of SystemGroup conf

pipitas k1pfeifle at gmx.net
Thu Oct 14 09:34:09 PDT 2004


daniel.jarboe at custserv.com wrote:

> I have two groups that need to manage print functions like pausing a
> queue.  They are both listed in CUPS's SystemGroup and Samba's printer
> admin.
> 
> cupsd.conf:
> 
> LogLevel debug2
> Port 631
> ImplicitClasses Off
> SystemGroup "TCS_MAIN_DOM\Domain Print Ops", TCS_MAIN_DOM\Helpdesk
> <Location />
> Order Deny,Allow
> Allow From All
> </Location>
> <Location /jobs>
> </Location>
> <Location /admin>
> AuthType Basic
> AuthClass System
> </Location>
> 
> The SystemGroup ordering does not seem to matter when going in through
> the cups web interface (either order works).  However, when pausing via 
> Samba, only members of the first SystemGroup listed are authorized.
> Others get client-error-not-authorized (according to
> ippErrorString(cupsLastError())).

Stabbing into the dark now....

There are 2 processes happening:

 1. Windows client accesses Samba
 2. Samba accesses CUPS

Are you sure that the credentials from 1 are used for 2 also? Have you
established evidence that Samba is passing the correct credentials to
CUPS, with CUPS rejecting them? *Which* credentials are in fact used
by Samba towards CUPS in the not-working cases?

Have tried to put the second System Group also into quotation marks?

  SystemGroup "TCS_MAIN_DOM\Domain Print Ops", "TCS_MAIN_DOM\Helpdesk"

Have you tried to get a debuglevel >=3 (you may need 10) to see what
credentials the clients really submit to Samba, and what Samba passes
on to CUPS? (Ethereal may help here too, or an "smbcontrol smbd debug 5"
command to increase the debuglevel of a running smbd on-the-fly to 5
or so).

> Again, the only thing that changes between it working and not working
> for one group or the other is the order of the CUPS SystemGroup conf.

Oh, if you change the order to

  SystemGroup TCS_MAIN_DOM\Helpdesk, "TCS_MAIN_DOM\Domain Print Ops"

it works for Helpdesk but not for Domain Print Ops? This would render
my "theory" invalid.

Have you ever tried to get a "LogLevel debug2" error_log of the
process?

> Is this a local configuration problem or a known issue or something
> else?

Sorry for not being of more help.
 
> This is a Samba 3.0.7 which builds a request with ippNew and ultimately
> calls cupsDoRequest.
> 
> Thanks for any info,
> ~ Daniel

Cheers,
Kurt




More information about the cups mailing list