Policy with multiple cases for different clients

voravit voravit at kth.se
Thu Jan 24 07:53:52 PST 2008 

I have tried but it still doesn't work. It seems authentication is still the problem. My clients've never got authenticate by the print server (or at least never been ask for any username password). It always shows "No authentication data provided" in the debug message.

Could anyone explain how client authentication should be done?
And also "Satisfy any" doesnt really seem to work as it should.
I have tried the following configuration:

  <Limit All>
    Order allow,deny
    Allow from 192.168.0.0/24
    Require user test
#    Require valid-user
    Satisfy any
  </Limit>

When I use "require user test", everything stop working. Even machine in my allow network cannot print.

When I use "require valid-user", I can still print from the allow network but not from others. (It seems that valid-user accepts any users!)

Another problem I got is the same as what John A. Murdie mentioned.
The user shows in CUPS web interface is a user from a local client machine. I got a feeling that this is the cause of all the problem. The clients simply use their local user as user and never really authenticate against the server (in my case againt system user in the print server)

Best regards,
Voravit T.





> > Hi,
> >
> > I would like to set up CUPS policy to have different rules for different machines from different networks. Does anyone have any suggestion?
> >
> > My scenario is that I would like to allow all machines in one network to be able to print. But those machines from other networks will need to be authenticated before printing.
> >
> > I tried to search on the Internet but couldn't find a way to have policy that check cases like I want to. For example, allow from 192.168.1.0/24 otherwise authenticate for valid user from all other networks.
> >
> > My server is Ubuntu 7.10 server without GUI.
> > I follow "managing operation policies" on cups website to create something similar to creating a computer lab example. But, I can only limit printing from a certain network.
> >
> > I tried to test the authentication to see how it work by adding a "Require" statement as shown in the configuration below, but it doesn't seem to work like I expect.
>
> I think that you're only missing a "Satisfy any" in there. I do something similar at my site for desktops (which are trusted to print) and laptops (whose users must authenticate to print):
>
> <Policy default>
>   # Job-related operations must be done by the owner or an adminstrator...
>
>   # Desktops trusted, laptops must authenticate.
>   <Limit Create-Job Print-Job Send-Document Send-URI>
>     Order allow,deny
>     Allow from a.b.c.0/x       # desktops
>     Require valid-user         # laptops
>     Satisfy any
>   </Limit>
>   <Limit Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
>     Order allow,deny
>     Require user @OWNER @SYSTEM @admins
>   </Limit>
>   ...
>
> See my very recent posting - http://www.cups.org/newsgroups.php?gcups.general+v:31740 for the entire cupsd.conf.
>
> John A. Murdie

More information about the cups mailing list