authentication failure / Require group fails

Viktor viktor at cs.rwth-aachen.de
Thu Jun 19 04:20:03 PDT 2008


> > AuthType Basic
> > Require group Staff
>
> Run the following command:
>
> grep Staff /etc/group
>
> If the command above returns empty, there's your problem.

Authentication on the printserver is done via LDAP, for users and for groups. So, this command returns an empty line, because the group Staff only exists in the LDAP-database and not in /etc/group.

Does cups only look in /etc/group for members of groups, or does cups also ask the LDAP-server?

> If it comes back with a line, check to see the login id you're using
> is in the group. If the login id exist in the line, check to make sure
> cups is in /etc/pam.d and contains auth and account lines accordingly.

In /etc/pam.d/ there is a file cupsys with these contents:
@include common-auth
@include common-account
@include common-password
@include common-session

> If the above checks out, but you're still unable to login, set your
> cups config to debug level 2 and post the results.

After setting LogLevel debug2 in cupsd.conf, here is the output from access.log when trying to log in as a member of group Staff:
137.226.116.89 - - [19/Jun/2008:13:05:51 +0200] "GET /admin HTTP/1.1" 401 0 - -
137.226.116.89 - - [19/Jun/2008:13:06:08 +0200] "GET /admin HTTP/1.1" 401 0 - -

and from error.log:
d [19/Jun/2008:13:08:01 +0200] cupsdAcceptClient(lis=0x80a2400) 3 Clients = 0
D [19/Jun/2008:13:08:01 +0200] cupsdAcceptClient: 6 from 137.226.116.89:443 (IPv4)
d [19/Jun/2008:13:08:01 +0200] cupsdAcceptClient: 6 connected to server on tanna.informatik.rwth-aachen.de:443
d [19/Jun/2008:13:08:01 +0200] cupsdAcceptClient: Adding fd 6 to InputSet...
D [19/Jun/2008:13:08:01 +0200] encrypt_client: 6 Connection from 137.226.116.89 now encrypted.
d [19/Jun/2008:13:08:01 +0200] cupsdCheckJobs: 0 active jobs, sleeping=0, reload=0
d [19/Jun/2008:13:08:01 +0200] stringpool: 169 strings, 4952 allocated, 3744 total bytes
d [19/Jun/2008:13:08:01 +0200] cupsdReadClient: 6, used=0, file=-1 state=0
D [19/Jun/2008:13:08:01 +0200] cupsdReadClient: 6 GET /admin HTTP/1.1
D [19/Jun/2008:13:08:01 +0200] cupsdReadClient: 6 Browser asked for language "en-us.utf-8"...
d [19/Jun/2008:13:08:01 +0200] cupsdFindBest: uri = "/admin"...
d [19/Jun/2008:13:08:01 +0200] cupsdFindBest: Location /admin Limit 7f
d [19/Jun/2008:13:08:01 +0200] cupsdFindBest: Location / Limit 7f
d [19/Jun/2008:13:08:01 +0200] cupsdFindBest: best = /admin
d [19/Jun/2008:13:08:01 +0200] cupsdAuthorize: con->uri="/admin", con->best=0x809fc38(/admin)
d [19/Jun/2008:13:08:01 +0200] cupsdAuthorize: Authorization="Basic dmlrdG9yOkFscywuaWNoaGV1dGVtb3JnZW4tdmtsLC5hbHM="
E [19/Jun/2008:13:08:03 +0200] cupsdAuthorize: pam_authenticate() returned 7 (Authentication failure)!
d [19/Jun/2008:13:08:03 +0200] cupsdIsAuthorized: con->uri="/admin", con->best=0x809fc38(/admin)
d [19/Jun/2008:13:08:03 +0200] cupsdIsAuthorized: level=AUTH_GROUP, type=AUTH_BASIC, satisfy=AUTH_SATISFY_ALL, num_names=2
d [19/Jun/2008:13:08:03 +0200] cupsdIsAuthorized: auth=AUTH_ALLOW...
d [19/Jun/2008:13:08:03 +0200] cupsdIsAuthorized: username=""
d [19/Jun/2008:13:08:03 +0200] cupsdReadClient: Unauthorized request for /admin...
D [19/Jun/2008:13:08:03 +0200] cupsdSendError: 6 code=401 (Unauthorized)
D [19/Jun/2008:13:08:03 +0200] cupsdCloseClient: 6
I [19/Jun/2008:13:08:03 +0200] cupsdCloseClient: SSL shutdown successful!
d [19/Jun/2008:13:08:03 +0200] cupsdCloseClient: Removing fd 6 from OutputSet...
d [19/Jun/2008:13:08:03 +0200] cupsdReadClient: 6, used=0, file=-1 state=0
d [19/Jun/2008:13:08:03 +0200] cupsdReadClient: httpGets returned EOF...
D [19/Jun/2008:13:08:03 +0200] cupsdCloseClient: 6
d [19/Jun/2008:13:08:03 +0200] cupsdCloseClient: Removing fd 6 from InputSet and OutputSet...
d [19/Jun/2008:13:08:04 +0200] select_timeout: 86400 seconds to do nothing

One line above says:
 cupsdIsAuthorized: username=""
This leads me to assume that cups really does not ask the LDAP-server. Is this right?
And if I'm right, can I change this behaviour of cups? Which directive must I use to tell cups to ask the LDAP-server for info about users and groups?

Thanks,
Viktor
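
Added example, not part of the original post and not CUPS code: a small Python triage script for debug2 error_log output like the excerpt above. It separates a 401 caused by PAM rejecting the credentials from one issued after a successful login, and masks the logged Authorization header before a log is shared. The sample lines are constructed in the post's format, the function names are hypothetical, and the shape of a post-login denial (a non-empty username before the 401) is an assumption.

```python
import re

# Constructed sample modelled on the error_log lines in the post; the
# Authorization value is a placeholder, not a real credential.
SAMPLE = '''\
d [19/Jun/2008:13:08:01 +0200] cupsdAuthorize: Authorization="Basic PLACEHOLDER"
E [19/Jun/2008:13:08:03 +0200] cupsdAuthorize: pam_authenticate() returned 7 (Authentication failure)!
d [19/Jun/2008:13:08:03 +0200] cupsdIsAuthorized: level=AUTH_GROUP, type=AUTH_BASIC, satisfy=AUTH_SATISFY_ALL, num_names=2
d [19/Jun/2008:13:08:03 +0200] cupsdIsAuthorized: username=""
D [19/Jun/2008:13:08:03 +0200] cupsdSendError: 6 code=401 (Unauthorized)
'''

LINE = re.compile(r'^[A-Za-z] \[[^\]]+\] (\w+): (.*)$')
AUTH_HDR = re.compile(r'(Authorization=")(\w+) [^"]*(")')

def redact(line):
    """Mask the credential part of a logged Authorization header."""
    return AUTH_HDR.sub(r'\1\2 <redacted>\3', line)

def classify_401s(log_text):
    """Return one verdict per 401, in order, from the lines that precede it."""
    verdicts, state = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        func, msg = m.groups()
        if func == "cupsdAuthorize" and msg.startswith("Authorization="):
            state["hdr"] = True
        elif func == "cupsdAuthorize" and "pam_authenticate() returned" in msg:
            state["pam"] = msg.split("returned", 1)[1].strip(" !")
        elif func == "cupsdIsAuthorized" and msg.startswith("username="):
            state["user"] = msg.split("=", 1)[1].strip('"')
        elif func == "cupsdSendError" and "code=401" in msg:
            if not state.get("hdr"):
                verdicts.append("no credentials sent")
            elif state.get("pam"):
                verdicts.append("PAM rejected credentials: " + state["pam"])
            elif state.get("user"):
                verdicts.append("authenticated as %s, access check failed" % state["user"])
            else:
                verdicts.append("undetermined")
            state = {}  # the next request starts with a clean slate
    return verdicts

if __name__ == "__main__":
    print(classify_401s(SAMPLE))
```

In the excerpt posted above, the pam_authenticate() error is logged before the username="" line and the 401.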



