[cups.general] authentication failure / Require group fails

Joris Dobbelsteen joris at familiedobbelsteen.nl
Fri Jun 20 02:25:11 PDT 2008


Viktor wrote:
>>> AuthType Basic
>>> Require group Staff
>> Run the following command:
>>
>> grep Staff /etc/group
>>
>> If the command above returns empty, there's your problem.
> 
> authentication on the printserver is done via LDAP, for users and for groups. So, this command returns an empty line, because the group Staff only exists in the LDAP-database and not in /etc/group.
> 
> Does cups only look in /etc/group for members of groups, or does cups also ask the LDAP-server?
> 
>> If it comes back with a line, check to see the login id you're using
>> is in the group. If the login id exist in the line, check to make sure
>> cups is in /etc/pam.d and contains auth and account lines accordingly.
> 
> In /etc/pam.d/ exist a file cupsys with this contents:
> @include common-auth
> @include common-account
> @include common-password
> @include common-session

Fill the cupsys PAM file with debug output:

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_warn.html

This would provide /var/log/auth.log (and/or friends) with the desired 
information. Than you can at least see whether CUPS is actually 
traversing the PAM chains.

> d [19/Jun/2008:13:08:01 +0200] cupsdAuthorize: con->uri="/admin", con->best=0x809fc38(/admin)
> d [19/Jun/2008:13:08:01 +0200] cupsdAuthorize: Authorization="Basic dmlrdG9yOkFscywuaWNoaGV1dGVtb3JnZW4tdmtsLC5hbHM="
> E [19/Jun/2008:13:08:03 +0200] cupsdAuthorize: pam_authenticate() returned 7 (Authentication failure)!

Here it gets an authentication failure from PAM, so you probably should 
check this out. In general these problems are a real big pain to get 
sorted out, as there is a lot of magic going on behind the scenes.

- Joris





More information about the cups mailing list