authentication failure / Require group fails

Viktor viktor at cs.rwth-aachen.de
Tue Jun 24 05:43:11 PDT 2008


> Fill the cupsys PAM file with debug output:
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_warn.html
>
> This would provide /var/log/auth.log (and/or friends) with the desired
> information. Than you can at least see whether CUPS is actually
> traversing the PAM chains.
>
> > d [19/Jun/2008:13:08:01 +0200] cupsdAuthorize: con->uri="/admin", con->best=0x809fc38(/admin)
> > d [19/Jun/2008:13:08:01 +0200] cupsdAuthorize: Authorization="Basic dmlrdG9yOkFscywuaWNoaGV1dGVtb3JnZW4tdmtsLC5hbHM="
> > E [19/Jun/2008:13:08:03 +0200] cupsdAuthorize: pam_authenticate() returned 7 (Authentication failure)!
>
> Here it gets an authentication failure from PAM, so you probably should
> check this out. In general these problems are a real big pain to get
> sorted out, as there is a lot of magic going on behind the scenes.
>
> - Joris

Thank you for the hint with pam_warn. This helped me find out that in fact it has to be a problem within cups, because all other authentication methods worked fine, and there was no error message in the logs.

Here the solution:
I added in /etc/cups/cupsd.conf the line
SystemGroup Staff

It seems that cups only lets authenticate those groups for administration tasks which are mentioned in the directive SystemGroup. The only use of the directive Require in a Location is not sufficient.

I'm not sure if this is a real good solution or only a work-around, but after having made this change authentication for cups work as requested.

I made a test with another group (hiwis). The same behavior: only after adding the group hiwis in the directive Systemgroup, cups accepted authentication of members of the group hiwis.

Thanks all folks for your help,
Viktor




More information about the cups mailing list