Invalid peer credentials for "root"

Tom Niemiec ps2maniak at gmail.com
Tue Dec 7 09:58:05 PST 2010


> On 12/06/2010 08:43 PM, Tom Niemiec wrote:
> >> On 12/04/2010 07:58 PM, Tom Niemiec wrote:
> >>>> On 12/04/2010 04:37 PM, Tom Niemiec wrote:
> >>>>> Hello,
> >>>>> My name's Tom Niemiec and I'm writing because of a problem that I have with CUPS.
> >>>>>
> >>>>> I'm working on a project for my college graduate work and I have to create a Print Server on a PC with Linux.
> >>>>>
> >>>>> I'm using SAMBA for my domain server, my shares and for printers sharing.
> >>>>> I successfully added a CUPS-PDF printer to the Print Server and also I successfully added the printer to two Windows XP PCs.
> >>>>
> >>>> You're telling us more about your Windows ("it's XP") than about your
> >>>> Linux, your Samba and your CUPS...
> >>>>
> >>>> So which is it in each case? Which version of Linux? Which version of
> >>>> Samba? Which version of CUPS? How is your Samba configured?
> >>>>
> >>>>> The problem is that I can't print on them while being logged as a normal domain user ( via Windows xp ).
> >>>>> To test if the printer works on Windows accounts I logged as root on the Windows machine and everything worked fine.
> >>>>> The file was printed, it was created in the output folder I set in cups-pdf.conf and a successful line was written in the page_log file.
> >>>>> Based on that the problem is not on the Windows side.
> >>>>>
> >>>>> When I tried to print something on the normal domain user account a line was created in the error_log:
> >>>>>
> >>>>> E [13/Nov/2010:22:47:34 +0100] Invalid peer credentials for "root" - got 1001, expected 0!
> >>>>>
> >>>>> Please, I really need help with this. I'm working on my graduate work and this problem holds me back from completing my work.
> >>>>> If there is any information you need or screen shots, configuration files, please feel free to ask.
> >>>>>
> >>>>> Also I talked to Dr. rer. nat. Volker Christian Behr who created cups-pdf to find out if the problem lies on the cups-pdf side.
> >>>>> After a few emails he gave me a hint
> >>>>> "... to disable user-based access control for
> >>>>> CUPS (since I never tried to do that nor am I using any Windows I cannot give you any hints on that) "
> >>>>>
> >>>>> Maybe someone knows how to do this or has another solution, please help :)
> >>>>
> >>>
> >>> Well yes, that's why I asked if there is any more information you need ^^
> >>> I'm using:
> >>> - LINUX Debian 2.6.26
> >>> - SAMBA 3.2.5
> >>> - CUPS 1.3.8
> >>>
> >>> OK and now the SAMBA configuration:
> >>> # Samba config file created using SWAT
> >>> # from UNKNOWN ()
> >>> # Date: 2010/11/19 13:16:23
> >>>
> >>> [global]
> >>> 	workgroup = MYPROJEKT
> >>> 	server string = SERVERDRUKU
> >>> 	interfaces = 192.168.0.106, 192.168.1.1, 127.0.0.1
> >>> 	bind interfaces only = Yes
> >>> 	map to guest = Bad User
> >>> 	log level = 2
> >>> 	log file = /var/log/samba/log.%I
> >>> 	max log size = 50
> >>> 	time server = Yes
> >>> 	add user script = /usr/sbin/useradd -d /dev/null -g machines -c 'Konto Maszyny %I' -s /bin/false -M %u
> >>> 	add machine script = /usr/sbin/useradd -d /dev/null -g machines -c 'Konto Maszyny %I' -s /bin/false %u
> >>> 	logon script = logon.bat
> >>> 	logon path =
> >>> 	logon home =
> >>> 	domain logons = Yes
> >>> 	os level = 200
> >>> 	preferred master = Yes
> >>> 	domain master = Yes
> >>> 	wins support = Yes
> >>> 	ldap ssl = no
> >>> 	hosts allow = 192.168.0., 192.168.1.
> >>> 	nt acl support = No
> >>> 	oplocks = No
> >>> 	level2 oplocks = No
> >>>
> >>> [netlogon]
> >>> 	comment = Usługa logowania domenowego
> >>> 	path = /etc/samba/logon
> >>> 	guest ok = Yes
> >>> 	browseable = No
> >>> 	oplocks = No
> >>> 	level2 oplocks = No
> >>>
> >>> [homes]
> >>> 	comment = Home Directories
> >>> 	path = /home/
> >>> 	valid users = %S
> >>> 	read only = No
> >>> 	create mask = 0700
> >>> 	directory mask = 0700
> >>> 	guest ok = Yes
> >>> 	browseable = No
> >>> 	oplocks = No
> >>> 	level2 oplocks = No
> >>>
> >>> [printers]
> >>> 	comment = All Printers
> >>> 	path = /var/spool/samba
> >>> 	create mask = 0700
> >>> 	printable = Yes
> >>> 	browseable = No
> >>> 	oplocks = No
> >>> 	level2 oplocks = No
> >>>
> >>> [print$]
> >>> 	comment = Printer Drivers
> >>> 	path = /var/lib/samba/printers
> >>> 	oplocks = No
> >>> 	level2 oplocks = No
> >>>
> >>> [Wymiana]
> >>> 	comment = Obszar transferu plikow  XP - Linux
> >>> 	path = /home/wymiana
> >>> 	read only = No
> >>> 	oplocks = No
> >>> 	level2 oplocks = No
> >>>
> >>> [Profiles]
> >>> 	path = /home/profiles/
> >>> 	guest ok = Yes
> >>> 	browseable = No
> >>> 	vfs objects = fake_perms
> >>> 	oplocks = No
> >>> 	level2 oplocks = No
> >>>
> >>> [Drukarka_PDF]
> >>> 	comment = Drukarka print-to-file
> >>> 	path = /var/spool/samba
> >>> 	read only = No
> >>> 	create mask = 0700
> >>> 	guest ok = Yes
> >>> 	printable = Yes
> >>> 	printer name = Drukarka_PDF
> >>> 	oplocks = No
> >>> 	share modes = No
> >>
> >> You should look up in your Samba log file
> >>
> >>        /var/log/samba/log-<IPaddress-of-XP-client>  :
> >>
> >> Which user does Samba think is trying to connect for printing? Does this
> >> user have the uid 1001 according to /etc/passwd?
> >>
> >> Then look further up in CUPS' error_log: What kind of info does CUPS
> >> receive from Samba about the user trying to print? (Watch out for lines
> >> containing "envp[...]="USER=..." or "cupsdAUTH")
> >>
> >> Some of the config parameters used by Samba are implicitly set to some
> >> default, if not set explicitly in the smb.conf. I do not know by heart
> >> which values were used in Samba 3.2.5.
> >>
> >> To see *all* config parameters used by your Samba, run this command:
> >>
> >>      testparm -sv
> >>
> >> To see all (well, most) printing related config parameters more easily,
> >> run this:
> >>
> >>      testparm -sv | grep -E '(lp|print|driver|spool|^\[)'
> >>
> >> You'll probably spot a setting saying
> >>
> >>      printjob username = %U
> >>
> >> The %U is a Samba macro, resolving as "the username which initiated the
> >> session/connection from the Windows XP client". This would be your
> >> Windows user name (non-root).
> >>
> >> Since it looks like root (who always has uid=0) is accepted by CUPS as a
> >> valid printer user, the easiest path for you may be to put
> >>
> >>      printjob username = root
> >>
> >> into your smb.conf. Alternatively, you could configure CUPS to allow any
> >> username for that particular printer: add a section in cupsd.conf like this:
> >>
> >> <Location /printers/Drukarka_PDF>
> >>     Allow from   all
> >>     Deny from    none
> >>     Order        deny,allow
> >>     Satisfy      any
> >> </Location>
> >>
> >>
> >>
> >>
> > OK, I tried your advice
>
> Your current mail does not provide any details about that.
>
> > but it didn't work.
>
> _WHAT_ didn't work for each step?
>
> > Here's the log from SAMBA and 192.168.0.104 ( IPaddress-of-XP-client ):
> >
> > [2010/12/06 21:38:52,  2] lib/access.c:check_access(406)
> >    Allowed connection from 192.168.0.104 (192.168.0.104)
> > [2010/12/06 21:38:52,  2] smbd/sesssetup.c:setup_new_vc_session(1363)
> >    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> > [2010/12/06 21:38:52,  2] smbd/sesssetup.c:setup_new_vc_session(1363)
> >    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> > [2010/12/06 21:38:52,  2] auth/auth.c:check_ntlm_password(308)
> >    check_ntlm_password:  authentication for user [nowak] ->  [nowak] ->  [nowak] succeeded
>
> See this line?
>
> > [2010/12/06 21:38:52,  2] lib/access.c:check_access(406)
> >    Allowed connection from 192.168.0.104 (192.168.0.104)
> > [2010/12/06 21:38:52,  2] lib/access.c:check_access(406)
> >    Allowed connection from 192.168.0.104 (192.168.0.104)
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  2] lib/access.c:check_access(406)
> >    Allowed connection from 192.168.0.104 (192.168.0.104)
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  2] lib/access.c:check_access(406)
> >    Allowed connection from 192.168.0.104 (192.168.0.104)
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  2] lib/access.c:check_access(406)
> >    Allowed connection from 192.168.0.104 (192.168.0.104)
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  2] lib/access.c:check_access(406)
> >    Allowed connection from 192.168.0.104 (192.168.0.104)
> > [2010/12/06 21:38:52,  2] lib/access.c:check_access(406)
> >    Allowed connection from 192.168.0.104 (192.168.0.104)
> > [2010/12/06 21:38:52,  2] lib/access.c:check_access(406)
> >    Allowed connection from 192.168.0.104 (192.168.0.104)
> > [2010/12/06 21:38:52,  2] lib/access.c:check_access(406)
> >    Allowed connection from 192.168.0.104 (192.168.0.104)
> > [2010/12/06 21:38:52,  2] lib/access.c:check_access(406)
> >    Allowed connection from 192.168.0.104 (192.168.0.104)
> > [2010/12/06 21:38:52,  2] lib/access.c:check_access(406)
> >    Allowed connection from 192.168.0.104 (192.168.0.104)
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  2] lib/access.c:check_access(406)
> >    Allowed connection from 192.168.0.104 (192.168.0.104)
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:52,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:53,  2] lib/access.c:check_access(406)
> >    Allowed connection from 192.168.0.104 (192.168.0.104)
> > [2010/12/06 21:38:53,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:53,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:53,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:53,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:53,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:53,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:53,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:53,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:53,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:53,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:53,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:53,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:53,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:53,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:53,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:53,  2] lib/access.c:check_access(406)
> >    Allowed connection from 192.168.0.104 (192.168.0.104)
> > [2010/12/06 21:38:53,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:53,  0] printing/print_cups.c:cups_pull_comment_location(1270)
> >    Unable to get printer attributes - client-error-not-authorized
> > [2010/12/06 21:38:53,  2] lib/access.c:check_access(406)
> >    Allowed connection from 192.168.0.104 (192.168.0.104)
> >
> >
> > Any ideas ?
>
> Yes: Try to answer *all* my questions.
>
> Indirectly your log answers this *one* question only: "Which user does
> Samba think is trying to connect for printing?". (The answer is "nowak".)
>
> The next question was: "Does this user have the uid 1001 according to
> /etc/passwd?".  So?

Yes, in both smbpasswd and passwd nowak is 1001...

> Also, I advised you to...
>
>      "look further up in CUPS' error_log: What kind of info does CUPS
>       receive from Samba about the user trying to print? (Watch out
>       for lines containing "envp[...]="USER=..." or "cupsdAUTH")"
>
> What was the result?
>
> Next, I asked you to...
>
>     run this:
>         testparm -sv | grep -E '(lp|print|driver|spool|^\[)'
>      You'll probably spot a setting saying
>         printjob username = %U
>

> Did you do it? What is Samba's setting for "printjob username"? Did you
> try to set it to "root"?
>
> Did you also put in this additional stanza into cupsd.conf:
>
>     <Location /printers/Drukarka_PDF>
>         Allow from   all
>         Deny from    none
>         Order        deny,allow
>         Satisfy      any
>     </Location>
>
>
> > Ow and thank you for Your help :) nice to see people want to help and stuff ^^
>

 ----[ It worked!]----

Sorry, but the funny thing is that I did everything you told me, every last one of your suggestions ( the change of "printjob username", the change of  <Location /printers/Drukarka_PDF> ) and I was sure they didn't work because the error message in error_log in CUPS was still the same. But they actually did work xD. The *.pdf files were successfully created in the home folder of each user. The page_log entries are also correct to what and from where is printed...
Everything is OK, just the error log still gives the same error message about "invalid peer credential for root....."

Well, it doesn't matter much now, with this working I've just made a big step forward in my work :)
Thank you for your time and again I'm very grateful You cared ^^
If you come to Poland give me a hint, the beers are on me ^^
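
The error_log line quoted in this thread is what CUPS writes when a client on its local domain socket claims a username whose uid differs from the uid the kernel reports for the connecting process. The sketch below is an added illustration of that kind of check, not CUPS source and not part of the original post; it uses Linux `SO_PEERCRED` on a socketpair, and the function names, usernames and passwd-style table are constructed for the example.

```python
import os
import socket
import struct

UCRED = "iII"  # Linux struct ucred: pid_t pid, uid_t uid, gid_t gid


def peer_uid(sock):
    """Return the uid the kernel recorded for the process on the other end."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(UCRED))
    _pid, uid, _gid = struct.unpack(UCRED, raw)
    return uid


def check_peer(sock, claimed_user, passwd):
    """Compare the username a local client claims with its kernel-reported uid.

    passwd maps username -> uid (a constructed stand-in for /etc/passwd).
    Returns (accepted, log_line).
    """
    if claimed_user not in passwd:
        return False, f'Unknown user "{claimed_user}"'
    got = peer_uid(sock)
    expected = passwd[claimed_user]
    if got != expected:
        # Same shape as the message in the thread: claimed name, actual uid,
        # and the uid that name should have had.
        return False, (f'Invalid peer credentials for "{claimed_user}" '
                       f'- got {got}, expected {expected}!')
    return True, f'peer credentials match for "{claimed_user}"'


def demo():
    """Run the check twice over one local socket: honest claim, then a mismatch."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        me = os.getuid()
        # Constructed table: "jobowner" is this process, "someoneelse" is not.
        passwd = {"jobowner": me, "someoneelse": me + 1}
        return [check_peer(server, "jobowner", passwd),
                check_peer(server, "someoneelse", passwd)]
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    for ok, line in demo():
        print("accept" if ok else "reject", "-", line)
```

The claimed name never overrides what the kernel reports, so a process running as uid 1001 that presents itself as "root" is rejected with the "got 1001, expected 0" form of the message.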



