[4 Questions] "Unauthorized" -- 2lines in pag_log
Kurt Pfeifle
k1pfeifle at gmx.net
Fri Jul 20 04:48:42 PDT 2007
I'm testing CUPS (1.2.12) OpPolicies....
Trying to print from the commandline, as a user, to a (local) printer
that this user is not entitled to use, we get the password prompt:
Password for rejuser on localhost?
Entering the (correct) password, returns the same password prompt (this
is expected, because it is a "known" problem):
Password for rejuser on localhost?
Password for rejuser on localhost?
Password for rejuser on localhost?
Password for rejuser on localhost?
Password for rejuser on localhost?
(I know I can break out of this by just hitting [Enter] two times)
but it also yields these two lines in access_log:
localhost - rejuser [20/Jul/2007:13:13:19 +0200] "POST /printers/zpdf_HRPol HTTP/1.1" 401 6306 Print-Job successful-ok
localhost - rejuser [20/Jul/2007:13:13:19 +0200] "POST /printers/zpdf_HRPol HTTP/1.1" 401 6306 Print-Job successful-ok
2 questions:
(a) Why *2* lines?
(b) Why "Print-Job successful-ok"?
I know that the "401" means "Unauthorized, authentication (username +
password) is required". But the "successful-ok" is confusing... Is this
*really* because the IPP POST request did already succeed? Does it in-
deed mean that the same 6307 Bytes are re-transmitted each time when re-
trying to get the job accepted by typing the password?
The error_log (in 'debug' level) also shows a doubling of lines logged:
D [20/Jul/2007:13:13:19 +0200] cupsdAcceptClient: 9 from localhost (Domain)
D [20/Jul/2007:13:13:19 +0200] cupsdCloseClient: 5
D [20/Jul/2007:13:13:19 +0200] cupsdReadClient: 9 POST /printers/zpdf_HRPol HTTP/1.1
D [20/Jul/2007:13:13:19 +0200] cupsdAuthorize: username="rejuser"
D [20/Jul/2007:13:13:19 +0200] Print-Job ipp://localhost/printers/zpdf_HRPol
D [20/Jul/2007:13:13:19 +0200] print_job: auto-typing file...
D [20/Jul/2007:13:13:19 +0200] print_job: request file type is text/plain.
E [20/Jul/2007:13:13:19 +0200] Print-Job: Unauthorized
D [20/Jul/2007:13:13:19 +0200] cupsdSendError: 9 code=401 (Unauthorized)
D [20/Jul/2007:13:13:19 +0200] cupsdCloseClient: 9
D [20/Jul/2007:13:13:19 +0200] cupsdAcceptClient: 5 from localhost (Domain)
D [20/Jul/2007:13:13:19 +0200] cupsdReadClient: 5 POST /printers/zpdf_HRPol HTTP/1.1
D [20/Jul/2007:13:13:19 +0200] cupsdAuthorize: username="rejuser"
D [20/Jul/2007:13:13:19 +0200] Print-Job ipp://localhost/printers/zpdf_HRPol
D [20/Jul/2007:13:13:19 +0200] print_job: auto-typing file...
D [20/Jul/2007:13:13:19 +0200] print_job: request file type is text/plain.
E [20/Jul/2007:13:13:19 +0200] Print-Job: Unauthorized
D [20/Jul/2007:13:13:19 +0200] cupsdSendError: 5 code=401 (Unauthorized)
This causes a 3rd question for me:
(c) Is the job submission and auto-typing done *in parallel* to the check
of the authorization? (If it is sequential, why then first accept the
jobfile, auto-type it and only then check user's authorization and
probably reject the job? This could be a job that does not just trans-
mit 6306 Bytes, but one that is 1.000 times or 10.000 times bigger...)
Next, I deliberately type a wrong password into the forever looping
password question (see above). Here I get this in the access_log:
localhost - - [20/Jul/2007:13:23:53 +0200] "POST /printers/zpdf_HRPol HTTP/1.1" 401 6306 Print-Job successful-ok
localhost - - [20/Jul/2007:13:23:55 +0200] "POST /printers/zpdf_HRPol HTTP/1.1" 401 6306 Print-Job successful-ok
Aha! The 3rd field (authenticated user name) now misses the previously
logged user name "rejuser".
Here is what my wrong password logged into the error_log (note again
the doubling of the entries):
D [20/Jul/2007:13:23:53 +0200] cupsdAcceptClient: 5 from localhost (Domain)
D [20/Jul/2007:13:23:53 +0200] cupsdReadClient: 5 POST /printers/zpdf_HRPol HTTP/1.1
E [20/Jul/2007:13:23:55 +0200] cupsdAuthorize: pam_authenticate() returned 7 (Authentication failure)!
D [20/Jul/2007:13:23:55 +0200] Print-Job ipp://localhost/printers/zpdf_HRPol
D [20/Jul/2007:13:23:55 +0200] print_job: auto-typing file...
D [20/Jul/2007:13:23:55 +0200] print_job: request file type is text/plain.
E [20/Jul/2007:13:23:55 +0200] Print-Job: Unauthorized
D [20/Jul/2007:13:23:55 +0200] cupsdSendError: 5 code=401 (Unauthorized)
D [20/Jul/2007:13:23:55 +0200] cupsdCloseClient: 5
D [20/Jul/2007:13:23:55 +0200] cupsdAcceptClient: 5 from localhost (Domain)
D [20/Jul/2007:13:23:55 +0200] cupsdReadClient: 5 POST /printers/zpdf_HRPol HTTP/1.1
E [20/Jul/2007:13:23:58 +0200] cupsdAuthorize: pam_authenticate() returned 7 (Authentication failure)!
D [20/Jul/2007:13:23:58 +0200] Print-Job ipp://localhost/printers/zpdf_HRPol
D [20/Jul/2007:13:23:58 +0200] print_job: auto-typing file...
D [20/Jul/2007:13:23:58 +0200] print_job: request file type is text/plain.
E [20/Jul/2007:13:23:58 +0200] Print-Job: Unauthorized
D [20/Jul/2007:13:23:58 +0200] cupsdSendError: 5 code=401 (Unauthorized)
Which leads me to the 4th question:
(d) If CUPS can clearly differentiate between....
... a wrong password (that leads to "Authentication failure" +
"Unauthorized") and ...
... a correctly authenticated user 'rejuser' (who just also happens
to be "Unauthorized", because by OpPolicy he has to be rejected
for using the 'zpdf'_HRPol printer) --
...why do both paths lead to the same looping-forever password prompt?
Wouldn't it be better to terminate the first path by an error message
"Authenticated as user 'rejuser', but rejuser is not allowed to print
to printer 'zpdf-HRPol' instead of prompting again for the password?
--
Kurt Pfeifle
System & Network Printing Consultant ---- Linux/Unix/Windows/Samba/CUPS
Infotec Deutschland GmbH ..................... Hedelfinger Strasse 58
A RICOH Company ........................... D-70327 Stuttgart/Germany
More information about the cups
mailing list