Policy - User not in group
angelb
angelb at bugarin.us
Wed Jan 2 15:02:12 PST 2008
> Hello all.
>
> I've created my first policy, mktgtest, with an appropriate account,
> qadmin1, that has access to the policy but it's not working the way I
> thought it should.
>
> When trying to Disable or Enable a printer using the "qadmin1" account,
> it complains the account does not belong to "lp" group. The "lp" group
> happens to be in the default policy.
>
> My policy:
> <Policy mktgtest>
> ...
> # Requires authentication and group membership to qadmin
> <Limit Pause-Printer Resume-Printer Set-Printer-Attributes
> Enable-Printer Disable-PrinterDefault
> ...>
> AuthType Basic
> Require group qadmin
> Order deny,allow
> </Limit>
> ...
> </Policy>
>
> Printer config:
> <Printer 3668-0-p1>
> ...
> OpPolicy mktgtest
> ErrorPolicy stop-printer
> </Printer>
>
> User account: qadmin1
> [qadmin1 at stlam507 ~]$ id
> uid=1838(qadmin1) gid=1838(qadmin) groups=1838(qadmin)
>
> The account "qadmin1" is a member of group "qadmin" which is a group
> specified inside the Limits directive in the mktgtest policy. And, the
> printer, 3668-0-p1, qadmin1 is trying to modify is correctly assigned
> (using the lpadmin command) to the mktgtest policy. So, where have I
> gone wrong that prevents the group "qadmin" from being used?
Ok, it would appear I need to have the "qadmin" group included
in /admin. That allowed the user "qadmin1" to stop the printer. But
now, I'm confused why qadmin1 is allowed to stop or start, or any other
options, a printer even if the mktgtest policy only has the following
option:
<Limit CUPS-Accept-Jobs>
AuthType Basic
Require group qadmin
Order deny,allow
</Limit>
Thanks,
Angel
More information about the cups
mailing list