[cups.general] lpadmin and lprm will not work without a password

Michael Sweet msweet at apple.com
Tue Dec 13 16:28:48 PST 2011


On Dec 13, 2011, at 2:17 PM, Rob Parenti wrote:
> I connect the same way on my production system. Logged in as root over ssh.
> 
> I used the vmware console, thinking that would be as local as I could get, and gave it a try with the same results.
> 
> I changed the AuthTypes to Basic, intending to use local Unix credentials.  No go.
> 
> I logged in as an AD domain user (grasping at straws here). Nope.
> 
> Can you point me to a summary of how to configure CUPS to allow the root user to perform lpadmin functions, or best practices?

The default CUPS configuration gives you this.  If you do anything with client.conf, the CUPS_SERVER environment variable, or the "-h" option to point to a server then you have to provide username and password.

(and if Basic authentication doesn't work, check the error_log for errors from PAM which supplies the authentication framework on Linux...)

A very insecure option would be to disable authentication in the default policy, or to whitelist access from specific addresses with "Allow address" and "Satisfy any" in the policy.

> 
> Thanks ...
> 
>> You are connecting to the cupsd on your test system remotely; the local certificate/peer credential stuff only works over domain sockets.
>> 
>> 
>> On Dec 13, 2011, at 11:19 AM, Rob Parenti wrote:
>> 
>>> I feel I’ve tried everything, and don’t see anything relevant in the forums.  I have two separate CUPS/1.4.6 servers, SLES 11.1, one Production and one Testing.  The CUPS configurations are virtually identical in every way I can see.  The Production server always works great.  The Testing server always requires me to enter the root password for every lpadmin command.  Otherwise I get “lpadmin: Unauthorized”. I use scripts, as root, to submit batches of lpadmin commands, so the password really interferes with a large batch.  But more importantly, it needs to work exactly like the Production machine.
>>> 
>>> I’m including access_log, error_log, and cupsd.conf.  Everything on the web interface works just fine.  I’m trying to use lpadmin, as root, connected with ssh.  Could it be file permissions I missed somewhere?
>>> 
>>> Regards
>>> RobP
>>> 
>>> Access_log
>>> 147.70.10.205 - - [13/Dec/2011:14:06:17 -0500] POST /admin/ HTTP/1.1 401 0 - -
>>> 
>>> Error_log
>>> D [13/Dec/2011:14:06:17 -0500] cupsdAcceptClient: 9 from 147.70.10.205:631 (IPv4)
>>> D [13/Dec/2011:14:06:17 -0500] cupsdReadClient: 9 POST /admin/ HTTP/1.1
>>> D [13/Dec/2011:14:06:17 -0500] cupsdSetBusyState: Active clients
>>> D [13/Dec/2011:14:06:17 -0500] cupsdAuthorize: No authentication data provided.
>>> D [13/Dec/2011:14:06:17 -0500] cupsdIsAuthorized: username=
>>> D [13/Dec/2011:14:06:17 -0500] cupsdSendHeader: 9 WWW-Authenticate: Basic realm=CUPS
>>> D [13/Dec/2011:14:06:17 -0500] cupsdCloseClient: 9
>>> D [13/Dec/2011:14:06:17 -0500] cupsdSetBusyState: Not busy
>>> 
>>> LogLevel debug
>>> ErrorLog /var/log/cups/error_log
>>> ServerAdmin a at b.com
>>> MaxLogSize 0
>>> AccessLog /var/log/cups/access_log
>>> AccessLogLevel all
>>> PageLog /var/log/cups/page_log
>>> PageLogFormat %p %j %P %u %T %{job-name}
>>> Printcap
>>> MaxJobs 0
>>> MaxPrinterHistory 0
>>> PreserveJobFiles Yes
>>> 
>>> SystemGroup root operators
>>> User lp
>>> Group lp
>>> RemoteRoot remote
>>> Port 631
>>> 
>>> Browsing On
>>> BrowseOrder Allow,Deny
>>> BrowseAllow 999.99.13.*
>>> 
>>> DefaultAuthType None
>>> DefaultEncryption Never
>>> 
>>> <Location />
>>> Order Allow,Deny
>>> Allow From 127.0.0.1
>>> Allow From 999.99.4.*
>>> Allow From 999.99.8.*
>>> Allow From 999.99.10.*
>>> Allow From 999.99.11.*
>>> Allow From 999.99.13.*
>>> </Location>
>>> 
>>> <Location /admin>
>>> AuthType Basic
>>> AuthClass System
>>> Order Allow,Deny
>>> Allow From 127.0.0.1
>>> Allow From 999.99.10.*
>>> Allow From 999.99.13.*
>>> </Location>
>>> 
>>> <Location /admin/conf>
>>> AuthType Basic
>>> Require user @SYSTEM
>>> Order Allow,Deny
>>> Allow From 127.0.0.1
>>> Allow From 999.99.10.*
>>> Allow From 999.99.13.*
>>> </Location>
>>> 
>>> <Location /jobs>
>>> Order Allow,Deny
>>> Allow From 127.0.0.1
>>> Allow From 999.99.13.*
>>> </Location>
>>> 
>>> <Location /printers>
>>> Order Allow,Deny
>>> Allow From 127.0.0.1
>>> Allow From 999.99.13.*
>>> </Location>
>>> 
>>> _______________________________________________
>>> cups mailing list
>>> cups at easysw.com
>>> http://lists.easysw.com/mailman/listinfo/cups
>> 
>> _________________________________________________________
>> Michael Sweet, Senior Printing System Engineer, PWG Chair
>> 
> 

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair
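
An added example, not part of the original message: a shell check for two of the conditions the reply names, a `CUPS_SERVER` or client.conf `ServerName` override that makes commands authenticate with a username and password, and `Satisfy any` in cupsd.conf. The function names are hypothetical, the file paths are the usual CUPS locations, and a `-h` option given on the command line cannot be seen from configuration and is not covered.

```shell
#!/bin/sh
# Added example (not from the thread): audit the client and server settings
# the reply names. Paths passed in are the caller's choice.

# find_server_override [CLIENT_CONF...]
# Prints each setting that points CUPS commands at a named server: the
# CUPS_SERVER variable and any ServerName directive in the given client.conf
# files. Returns 0 if an override was found, 1 if none was.
find_server_override() {
    found=1
    if [ -n "${CUPS_SERVER:-}" ]; then
        echo "env: CUPS_SERVER=$CUPS_SERVER"
        found=0
    fi
    for conf in "$@"; do
        [ -r "$conf" ] || continue
        # Commented-out lines have "#..." as their first field and are skipped.
        name=$(awk 'tolower($1) == "servername" { print $2; exit }' "$conf")
        if [ -n "$name" ]; then
            echo "file: $conf ServerName $name"
            found=0
        fi
    done
    return "$found"
}

# find_satisfy_any CUPSD_CONF
# Prints every block in cupsd.conf that carries "Satisfy any", the setting
# that lets an address match stand in for authentication.
find_satisfy_any() {
    awk '
        /^[ \t]*<\// { section = ""; next }
        /^[ \t]*</   { sub(/^[ \t]+/, ""); section = $0; next }
        tolower($1) == "satisfy" && tolower($2) == "any" {
            where = (section == "" ? "(top level)" : section)
            print where ": Satisfy any"
        }' "$1"
}

# Typical run on the host being checked (standard CUPS file locations).
find_server_override /etc/cups/client.conf "${HOME:-}/.cups/client.conf" ||
    echo "no server override: commands use the default local connection"
if [ -r /etc/cups/cupsd.conf ]; then
    find_satisfy_any /etc/cups/cupsd.conf
fi
```
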




