Invalid peer credentials for "root"
pipitas
pipitas at gmail.com
Mon Dec 6 23:19:37 PST 2010
On 12/06/2010 08:43 PM, Tom Niemiec wrote:
>> On 12/04/2010 07:58 PM, Tom Niemiec wrote:
>>>> On 12/04/2010 04:37 PM, Tom Niemiec wrote:
>>>>> Hello,
>>>>> My name's Tom Niemiec and I'm writing because of a problem, that I have with CUPS.
>>>>>
>>>>> I'm working on a project for my collage graduate work and I have to create a Print Server on a pc with Linux.
>>>>>
>>>>> I'm using SAMBA for my domain server, my shares and for printers sharing.
>>>>> I successfully added a CUPS-PDF printer to the Print Server and also I successfully added the printer to two Windows XP PCs.
>>>>
>>>> You're telling us more about your Windows ("it's XP") than about your
>>>> Linux, your Samba and your CUPS...
>>>>
>>>> So which is it in each case? Which version of Linux? Which version of
>>>> Samba? Which version of CUPS? How is your Samba configured?
>>>>
>>>>> The problem is that I can't print on them while being logged as a normal domain user ( via Windows xp ).
>>>>> To test if the printer works on Windows accounts I logged as root on the Windows machine and everything worked fine.
>>>>> The file was printed, it was created in the output folder I set in cups-pdf.conf and a successful line was written in the page_log file.
>>>>> Based on that the problem is not o the Windows side.
>>>>>
>>>>> When I tried to print something on the normal domain user account a line was created in the error_log:
>>>>>
>>>>> E [13/Nov/2010:22:47:34 +0100] Invalid peer credentials for "root" - got 1001, expected 0!
>>>>>
>>>>> Please I really need help with this. I'm working on my graduate work and this problem holds me back form completing my work.
>>>>> If there are any information you need or screen shots, configuration files, please feel free to ask.
>>>>>
>>>>> Also I talked to Dr. rer. nat. Volker Christian Behr who created cups-pdf to find out if the problem lies on the cups-pdf side.
>>>>> After a few emails He gave me a hint
>>>>> "... to disable user-based access control for
>>>>> CUPS (since I never tried to do that nor am I using any Windows I cannot give you any hints on that) "
>>>>>
>>>>> Maybe someone knows how to do this or has an other solution, please help :)
>>>>
>>>
>>> Well yes, that's why I asked if tehre are any more information you need ^^
>>> I'm using:
>>> - LINUX Debian 2.6.26
>>> - SAMBA 3.2.5
>>> - CUPS 1.3.8
>>>
>>> OK and now the SAMBA configuration:
>>> # Samba config file created using SWAT
>>> # from UNKNOWN ()
>>> # Date: 2010/11/19 13:16:23
>>>
>>> [global]
>>> workgroup = MYPROJEKT
>>> server string = SERVERDRUKU
>>> interfaces = 192.168.0.106, 192.168.1.1, 127.0.0.1
>>> bind interfaces only = Yes
>>> map to guest = Bad User
>>> log level = 2
>>> log file = /var/log/samba/log.%I
>>> max log size = 50
>>> time server = Yes
>>> add user script = /usr/sbin/useradd -d /dev/null -g machines -c 'Konto Maszyny %I' -s /bin/false -M %u
>>> add machine script = /usr/sbin/useradd -d /dev/null -g machines -c 'Konto Maszyny %I' -s /bin/false %u
>>> logon script = logon.bat
>>> logon path =
>>> logon home =
>>> domain logons = Yes
>>> os level = 200
>>> preferred master = Yes
>>> domain master = Yes
>>> wins support = Yes
>>> ldap ssl = no
>>> hosts allow = 192.168.0., 192.168.1.
>>> nt acl support = No
>>> oplocks = No
>>> level2 oplocks = No
>>>
>>> [netlogon]
>>> comment = Usługa logowania domenowego
>>> path = /etc/samba/logon
>>> guest ok = Yes
>>> browseable = No
>>> oplocks = No
>>> level2 oplocks = No
>>>
>>> [homes]
>>> comment = Home Directories
>>> path = /home/
>>> valid users = %S
>>> read only = No
>>> create mask = 0700
>>> directory mask = 0700
>>> guest ok = Yes
>>> browseable = No
>>> oplocks = No
>>> level2 oplocks = No
>>>
>>> [printers]
>>> comment = All Printers
>>> path = /var/spool/samba
>>> create mask = 0700
>>> printable = Yes
>>> browseable = No
>>> oplocks = No
>>> level2 oplocks = No
>>>
>>> [print$]
>>> comment = Printer Drivers
>>> path = /var/lib/samba/printers
>>> oplocks = No
>>> level2 oplocks = No
>>>
>>> [Wymiana]
>>> comment = Obszar transferu plikow XP - Linux
>>> path = /home/wymiana
>>> read only = No
>>> oplocks = No
>>> level2 oplocks = No
>>>
>>> [Profiles]
>>> path = /home/profiles/
>>> guest ok = Yes
>>> browseable = No
>>> vfs objects = fake_perms
>>> oplocks = No
>>> level2 oplocks = No
>>>
>>> [Drukarka_PDF]
>>> comment = Drukarka print-to-file
>>> path = /var/spool/samba
>>> read only = No
>>> create mask = 0700
>>> guest ok = Yes
>>> printable = Yes
>>> printer name = Drukarka_PDF
>>> oplocks = No
>>> share modes = No
>>
>> You should look up in your Samba log file
>>
>> /var/log/samba/log-<IPaddress-of-XP-client> :
>>
>> Which user does Samba think is trying to connect for printing? Does this
>> user have the uid 1001 according to /etc/passwd?
>>
>> Then look further up in CUPS' error_log: What kind of info does CUPS
>> receive from Samba about the user trying to print? (Watch out for lines
>> containing "envp[...]="USER=..." or "cupsdAUTH")
>>
>> Some of the config parameters used by Samba are implicitely set to some
>> default, if not set explicitely in the smb.conf. I do not know by heart
>> which values were used in Samba 3.2.5.
>>
>> To see *all* config parameters used by your Samba, run this command:
>>
>> testparm -sv
>>
>> To see all (well, most) printing related config parameters more easily,
>> run this:
>>
>> testparm -sv | grep -E '(lp|print|driver|spool|^\[)'
>>
>> You'll probably spot a setting saying
>>
>> printjob username = %U
>>
>> The %U is a Samba macro, resolving as "the username which initiated the
>> session/connection from the Windows XP client". This would be your
>> Windows user name (non-root).
>>
>> Since it looks like root (who always has uid=0) is accepted by CUPS as a
>> valid printer user, the easiest path for you may be to put
>>
>> printjob username = root
>>
>> into your smb.conf. Alternatively, you could configure CUPS to allow any
>> username for that particular printer: add a section in cupsd.conf like this:
>>
>> <Location /printers/Drukarka_PDF>
>> Allow from all
>> Deny from none
>> Order deny,allow
>> Satisfy any
>> </Location>
>>
>>
>>
>>
> Ok, I tried your advices
Your current mail does not provide any details about that.
> but it didn't work.
_WHAT_ didn't work for each step?
> Here's the log from SAMBA and 192.168.0.104 ( IPaddress-of-XP-client ):
>
> [2010/12/06 21:38:52, 2] lib/access.c:check_access(406)
> Allowed connection from 192.168.0.104 (192.168.0.104)
> [2010/12/06 21:38:52, 2] smbd/sesssetup.c:setup_new_vc_session(1363)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> [2010/12/06 21:38:52, 2] smbd/sesssetup.c:setup_new_vc_session(1363)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> [2010/12/06 21:38:52, 2] auth/auth.c:check_ntlm_password(308)
> check_ntlm_password: authentication for user [nowak] -> [nowak] -> [nowak] succeeded
See this line?
> [2010/12/06 21:38:52, 2] lib/access.c:check_access(406)
> Allowed connection from 192.168.0.104 (192.168.0.104)
> [2010/12/06 21:38:52, 2] lib/access.c:check_access(406)
> Allowed connection from 192.168.0.104 (192.168.0.104)
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 2] lib/access.c:check_access(406)
> Allowed connection from 192.168.0.104 (192.168.0.104)
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 2] lib/access.c:check_access(406)
> Allowed connection from 192.168.0.104 (192.168.0.104)
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 2] lib/access.c:check_access(406)
> Allowed connection from 192.168.0.104 (192.168.0.104)
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 2] lib/access.c:check_access(406)
> Allowed connection from 192.168.0.104 (192.168.0.104)
> [2010/12/06 21:38:52, 2] lib/access.c:check_access(406)
> Allowed connection from 192.168.0.104 (192.168.0.104)
> [2010/12/06 21:38:52, 2] lib/access.c:check_access(406)
> Allowed connection from 192.168.0.104 (192.168.0.104)
> [2010/12/06 21:38:52, 2] lib/access.c:check_access(406)
> Allowed connection from 192.168.0.104 (192.168.0.104)
> [2010/12/06 21:38:52, 2] lib/access.c:check_access(406)
> Allowed connection from 192.168.0.104 (192.168.0.104)
> [2010/12/06 21:38:52, 2] lib/access.c:check_access(406)
> Allowed connection from 192.168.0.104 (192.168.0.104)
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 2] lib/access.c:check_access(406)
> Allowed connection from 192.168.0.104 (192.168.0.104)
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:52, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:53, 2] lib/access.c:check_access(406)
> Allowed connection from 192.168.0.104 (192.168.0.104)
> [2010/12/06 21:38:53, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:53, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:53, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:53, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:53, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:53, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:53, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:53, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:53, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:53, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:53, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:53, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:53, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:53, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:53, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:53, 2] lib/access.c:check_access(406)
> Allowed connection from 192.168.0.104 (192.168.0.104)
> [2010/12/06 21:38:53, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:53, 0] printing/print_cups.c:cups_pull_comment_location(1270)
> Unable to get printer attributes - client-error-not-authorized
> [2010/12/06 21:38:53, 2] lib/access.c:check_access(406)
> Allowed connection from 192.168.0.104 (192.168.0.104)
>
>
> Any ideas ?
Yes: Try to answer *all* my questions.
Indirectly your log answers this *one* question only: "Which user does
Samba think is trying to connect for printing?". (The answer is "nowak".)
The next question was: "Does this user have the uid 1001 according to
/etc/passwd?". So?
Also, I adviced you to...
"look further up in CUPS' error_log: What kind of info does CUPS
receive from Samba about the user trying to print? (Watch out
for lines containing "envp[...]="USER=..." or "cupsdAUTH")"
What was the result?
Next, I asked you to...
run this:
testparm -sv | grep -E '(lp|print|driver|spool|^\[)'
You'll probably spot a setting saying
printjob username = %U
Did you do it? What is Samba's setting for "printjob username"? Did you
try to set it to "root"?
Did you also put in this additional stanza into cupsd.conf:
<Location /printers/Drukarka_PDF>
Allow from all
Deny from none
Order deny,allow
Satisfy any
</Location>
> Ow and thank you for Your help :) nice to see people want to help and stuff ^^
More information about the cups
mailing list