[cups.bugs] [HIGH] STR #2669: With DefaultAuthType Negotiate delete from /jobs webpage requires 'Require user' in <Location /jobs>

John A. Murdie john at cs.york.ac.uk
Tue Jan 15 06:07:16 PST 2008


DO NOT REPLY TO THIS MESSAGE.  INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.

[STR New]

There's some odd behaviour when using 'DefaultAuthType Negotiate' that I
can't believe is intended; at least, I can find no documentation of this
behaviour. Without a:

<Location /jobs>
 ...
</Location>

an attempt to cancel (or move) a queued job from the /jobs web page shows
the user the message 'Error: Unauthorized', and the following (e.g.)
appears in error_log:

I [15/Jan/2008:13:46:14 +0000] Started "$CUPS/lib/cups/cgi-bin/jobs.cgi"
(pid=650)
D [15/Jan/2008:13:46:14 +0000] cupsdSendCommand: 8 file=11
D [15/Jan/2008:13:46:14 +0000] cupsdAcceptClient: 12 from localhost:631
(IPv4)
D [15/Jan/2008:13:46:14 +0000] cupsdReadClient: 12 POST /jobs HTTP/1.1
D [15/Jan/2008:13:46:14 +0000] cupsdAuthorize: No authentication data
provided.
D [15/Jan/2008:13:46:14 +0000] Cancel-Job ipp://localhost/jobs/71
D [15/Jan/2008:13:46:14 +0000] cupsdIsAuthorized:
requesting-user-name="guest"
E [15/Jan/2008:13:46:14 +0000] Cancel-Job: Unauthorized
D [15/Jan/2008:13:46:14 +0000] cupsdSendError: 12 code=401 (Unauthorized)
D [15/Jan/2008:13:46:14 +0000] cupsdSendHeader: WWW-Authenticate:
Negotiate
D [15/Jan/2008:13:46:14 +0000] [CGI] lang="en_GB.UTF8", locale="/en_GB"...
D [15/Jan/2008:13:46:14 +0000] [CGI] lang="en_GB.UTF8", locale="/en_GB"...
D [15/Jan/2008:13:46:14 +0000] [CGI] lang="en_GB.UTF8", locale="/en_GB"...
D [15/Jan/2008:13:46:14 +0000] cupsdCloseClient: 12
D [15/Jan/2008:13:46:14 +0000] PID 650
(/usr/local/pkg/cups-1.3.5/lib/cups/cgi-bin/jobs.cgi) exited with no
errors.

.... presumably because the user is seen as 'guest' rather than as me.

If one changes cupsd.conf to add:

<Location /jobs>
  Require user @staff
</Location>

- where 'staff' is my group - then cancelling/moving a job in this way
works, and the error_log shows (some addresses etc. changed to protect
the innocent):

D [15/Jan/2008:13:54:02 +0000] cupsdReadClient: 8 GET /jobs/ HTTP/1.1
D [15/Jan/2008:13:54:02 +0000] get_gss_creds: Attempting to acquire
credentials for ipp at whatever...
D [15/Jan/2008:13:54:03 +0000] get_gss_creds: Credentials acquired
successfully for ipp at whatever.
D [15/Jan/2008:13:54:03 +0000] cupsdAuthorize: No delegated credentials!
D [15/Jan/2008:13:54:03 +0000] cupsdAuthorize: Authorized as john at whatever
using Negotiate
D [15/Jan/2008:13:54:03 +0000] cupsdIsAuthorized: username="john at whatever"
D [15/Jan/2008:13:54:03 +0000] [CGI] $CUPS/lib/cups/cgi-bin/jobs.cgi
started - PID = 886
I [15/Jan/2008:13:54:03 +0000] Started "$CUPS/lib/cups/cgi-bin/jobs.cgi"
(pid=886)
D [15/Jan/2008:13:54:03 +0000] cupsdSendCommand: 8 file=11
D [15/Jan/2008:13:54:03 +0000] cupsdAcceptClient: 12 from localhost:631
(IPv4)
D [15/Jan/2008:13:54:03 +0000] [CGI] lang="en_GB.UTF8", locale="/en_GB"...
D [15/Jan/2008:13:54:03 +0000] cupsdSendHeader: WWW-Authenticate:
Negotiate fiddlededee
D [15/Jan/2008:13:54:03 +0000] cupsdReadClient: 12 POST / HTTP/1.1
D [15/Jan/2008:13:54:03 +0000] cupsdAuthorize: No authentication data
provided.
D [15/Jan/2008:13:54:03 +0000] Get-Jobs ipp://localhost/jobs
D [15/Jan/2008:13:54:03 +0000] cupsdProcessIPPRequest: 12 status_code=0
(successful-ok)
D [15/Jan/2008:13:54:03 +0000] [CGI] lang="en_GB.UTF8", locale="/en_GB"...
D [15/Jan/2008:13:54:03 +0000] [CGI] lang="en_GB.UTF8", locale="/en_GB"...
D [15/Jan/2008:13:54:03 +0000] [CGI] lang="en_GB.UTF8", locale="/en_GB"...
D [15/Jan/2008:13:54:03 +0000] [CGI] lang="en_GB.UTF8", locale="/en_GB"...
D [15/Jan/2008:13:54:03 +0000] [CGI] lang="en_GB.UTF8", locale="/en_GB"...
D [15/Jan/2008:13:54:03 +0000] [CGI] lang="en_GB.UTF8", locale="/en_GB"...
D [15/Jan/2008:13:54:03 +0000] cupsdCloseClient: 12
D [15/Jan/2008:13:54:03 +0000] PID 886 ($CUPS/lib/cups/cgi-bin/jobs.cgi)
exited with no errors.

Putting 'Require valid-user' instead of 'Require user ...' doesn't effect
a fix.

Oddly, adding an explicit 'AuthType Negotiate' in the Location /jobs
causes further trouble:

D [15/Jan/2008:14:02:11 +0000] cupsdAcceptClient: 11 from localhost:631
(IPv4)
D [15/Jan/2008:14:02:11 +0000] cupsdReadClient: 11 POST /jobs HTTP/1.1
D [15/Jan/2008:14:02:11 +0000] cupsdAuthorize: Authorized as
john at whereever using Local
D [15/Jan/2008:14:02:11 +0000] cupsdIsAuthorized: username="john at wherever"
E [15/Jan/2008:14:02:11 +0000] Authorized using Basic, expected Negotiate!
D [15/Jan/2008:14:02:11 +0000] cupsdSendError: 11 code=401 (Unauthorized)
D [15/Jan/2008:14:02:11 +0000] cupsdSendHeader: WWW-Authenticate:
Negotiate
D [15/Jan/2008:14:02:11 +0000] cupsdCloseClient: 11
D [15/Jan/2008:14:02:11 +0000] cupsdAcceptClient: 11 from localhost:631
(IPv4)
D [15/Jan/2008:14:02:11 +0000] cupsdReadClient: 11 POST /jobs HTTP/1.1
D [15/Jan/2008:14:02:11 +0000] cupsdAuthorize: Authorized as john at wherever
using Local
D [15/Jan/2008:14:02:11 +0000] cupsdIsAuthorized: username="john at wherever"
E [15/Jan/2008:14:02:11 +0000] Authorized using Basic, expected Negotiate!
D [15/Jan/2008:14:02:11 +0000] cupsdSendError: 11 code=401 (Unauthorized)
D [15/Jan/2008:14:02:11 +0000] cupsdSendHeader: WWW-Authenticate:
Negotiate
D [15/Jan/2008:14:02:11 +0000] cupsdCloseClient: 11
D [15/Jan/2008:14:02:11 +0000] [CGI] lang="en_GB.UTF8", locale="/en_GB"...
D [15/Jan/2008:14:02:11 +0000] cupsdSendHeader: WWW-Authenticate:
Negotiate feefiefoefum
D [15/Jan/2008:14:02:11 +0000] [CGI] lang="en_GB.UTF8", locale="/en_GB"...
D [15/Jan/2008:14:02:11 +0000] [CGI] lang="en_GB.UTF8", locale="/en_GB"...
D [15/Jan/2008:14:02:11 +0000] PID 980 ($CUPS/lib/cups/cgi-bin/jobs.cgi)
exited with no errors.

John A. Murdie

Link: http://www.cups.org/str.php?L2669
Version: 1.3.5
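
An added example, not part of the original report and not CUPS code: a Python parser that rejoins the mail-wrapped error_log entries quoted above and attributes each 401 either to missing credentials or to an auth-type mismatch. Tying the un-numbered cupsdAuthorize entries to the most recent cupsdReadClient line is an assumption of this example, as are the function names.

```python
import re

# Constructed sample, abridged from the report's error_log excerpts (wrapping kept).
SAMPLE = """\
D [15/Jan/2008:13:46:14 +0000] cupsdReadClient: 12 POST /jobs HTTP/1.1
D [15/Jan/2008:13:46:14 +0000] cupsdAuthorize: No authentication data
provided.
E [15/Jan/2008:13:46:14 +0000] Cancel-Job: Unauthorized
D [15/Jan/2008:13:46:14 +0000] cupsdSendError: 12 code=401 (Unauthorized)
D [15/Jan/2008:14:02:11 +0000] cupsdReadClient: 11 POST /jobs HTTP/1.1
D [15/Jan/2008:14:02:11 +0000] cupsdAuthorize: Authorized as
john at wherever using Local
E [15/Jan/2008:14:02:11 +0000] Authorized using Basic, expected Negotiate!
D [15/Jan/2008:14:02:11 +0000] cupsdSendError: 11 code=401 (Unauthorized)
"""

ENTRY = re.compile(r"^[A-Za-z] \[[^\]]+\] ")  # "<level> [<timestamp>] "

def unwrap(text):
    """Rejoin entries that were wrapped onto a second line in the e-mail."""
    out = []
    for line in text.splitlines():
        if ENTRY.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line.strip()
    return out

def classify(text):
    """Return one record per request, with the reason for any error status."""
    reqs, cur = [], None
    for msg in (ENTRY.sub("", l) for l in unwrap(text)):
        if m := re.match(r"cupsdReadClient: (\d+) (\S+ \S+)", msg):
            cur = {"client": int(m[1]), "request": m[2], "auth": None,
                   "status": "ok", "reason": None}
            reqs.append(cur)
        elif cur is None:
            continue  # entry seen before any request line
        elif msg.startswith("cupsdAuthorize: No authentication data"):
            cur["auth"] = "none"
        elif m := re.match(r"cupsdAuthorize: Authorized as .* using (\w+)", msg):
            cur["auth"] = m[1]
        elif m := re.match(r"Authorized using (\w+), expected (\w+)!", msg):
            cur["reason"] = f"auth-type mismatch: got {m[1]}, expected {m[2]}"
        elif m := re.match(r"cupsdSendError: \d+ code=(\d+)", msg):
            cur["status"] = m[1]
            if cur["reason"] is None and cur["auth"] == "none":
                cur["reason"] = "no credentials sent"
    return reqs
```

Calling `classify(SAMPLE)` yields one record per POST, separating the first failure (no credentials reached cupsd) from the second (local credentials sent where Negotiate was required).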
