[cups] Authenticated and unauthenticated queues

Rick Cochran rcc2 at cornell.edu
Thu Jul 23 09:28:11 PDT 2015 

I think I have found the log sections which cover the problem.  The first log 
excerpt is generated with the <Location printers> stanza in place.  The second 
has it removed.

For some reason, the "username" is not getting set.

Yours,
-Rick


On 7/22/15, 6:09 PM, Rick Cochran wrote:
> Michael,
>
> If you check my cupsd.conf you will find that I have a permissive <Location />.
>
> If I do not include the <Location printers> stanza, printing using "Policy
> default" (i.e. authenticated) does not work.  I get exactly one "HTTP
> Unauthorized for Send-Document" in the server log.
>
> I have been trying permutations and combinations all day.
>
> Yours,
> -Rick
>
> On 7/22/15, 11:02 AM, Michael Sweet wrote:
>> Rick,
>>
>> You'll need a core <Location /> section for access control to the entire
>> server, and then use the <Policy name> sections to control access to printers.
>>
>> See:
>>
>>      http://www.cups.org/documentation.php/policies.html
>>
>>
>>> On Jul 22, 2015, at 10:28 AM, Rick Cochran <rcc2 at cornell.edu> wrote:
>>>
>>> Michael,
>>>
>>> Thanks for your quick response!
>>>
>>> I forgot to mention:
>>>
>>> If I remove the Location stanza below, printing does not work for either
>>> authenticated or unauthenticated queues.
>>>
>>> If I place the Location stanza within a Policy definition, cupsd gives me a
>>> syntax error.
>>>
>>> So basically, I don't know how to do what you suggest.
>>>
>>> Am I missing any elements in my Limit stanzas?
>>>
>>> Yours,
>>> -Rick
>>>
>>>
>>> On 7/22/15, 8:50 AM, Michael Sweet wrote:
>>>> Rick,
>>>>
>>>> Put the AuthType and Require lines in the Policy definition.  Putting it on
>>>> /printers applies those requirements to all printers.
>>>>
>>>>
>>>>> On Jul 21, 2015, at 7:03 PM, Rick Cochran <rcc2 at cornell.edu> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I need to have both authenticated and unauthenticated queues.  The attached
>>>>> cupsd.conf _almost_ works.  The problem is in the following stanza:
>>>>>
>>>>> <Location /printers>
>>>>>   AuthType Basic
>>>>>   Encryption Required
>>>>>   Order deny,allow
>>>>>   Allow localhost
>>>>> #  Require user @SYSTEM
>>>>> </Location>
>>>>>
>>>>> If I set the AuthType to "Basic" as above, the authenticated queues work
>>>>> and the unauthenticated queues do not work.
>>>>>
>>>>> If I set the AuthType to "None", the unauthenticated queues work and the
>>>>> authenticated queues do not work.
>>>>>
>>>>> By "work", I mean prompt for ID/password (or not) and actually print.
>>>>>
>>>>> By "do not work", I mean the server just sits there and does not fully
>>>>> accept the print job.
>>>>>
>>>>> I use "-op-policy=noauth" when creating the unauthenticated queues.
>>>>>
>>>>> Any help would be appreciated.
>>>>>
>>>>> Thanks,
>>>>> -Rick
>>>>> <cupsd.conf.txt>_______________________________________________
>>>>> cups mailing list
>>>>> cups at cups.org
>>>>> https://www.cups.org/mailman/listinfo/cups
>>>>
>>>> _________________________________________________________
>>>> Michael Sweet, Senior Printing System Engineer, PWG Chair
>>>>
>>>> _______________________________________________
>>>> cups mailing list
>>>> cups at cups.org
>>>> https://www.cups.org/mailman/listinfo/cups
>>>>
>>> _______________________________________________
>>> cups mailing list
>>> cups at cups.org
>>> https://www.cups.org/mailman/listinfo/cups
>>
>> _________________________________________________________
>> Michael Sweet, Senior Printing System Engineer, PWG Chair
>>
>> _______________________________________________
>> cups mailing list
>> cups at cups.org
>> https://www.cups.org/mailman/listinfo/cups
>>
-------------- next part --------------
Working:
D [23/Jul/2015:11:02:47 -0400] Send-Document http://net-print-test2.cit.cornell.edu:631/printers/ansel-pc
d [23/Jul/2015:11:02:47 -0400] send_document(0x7f480bcc79c0[12], http://net-print-test2.cit.cornell.edu:631/printers/ansel-pc)
d [23/Jul/2015:11:02:47 -0400] validate_user(job=43, con=12, owner="rcc2", username=0x7fff1848b630, userlen=1024)
d [23/Jul/2015:11:02:47 -0400] cupsdFindPolicyOp(p=0x7f480bd61990, op=6(Send-Document))
d [23/Jul/2015:11:02:47 -0400] cupsdFindPolicyOp: Found exact match...
d [23/Jul/2015:11:02:47 -0400] cupsdIsAuthorized: con->uri="/printers/ansel-pc", con->best=0x7f480bd5f050((null))
d [23/Jul/2015:11:02:47 -0400] cupsdIsAuthorized: owner="rcc2"
d [23/Jul/2015:11:02:47 -0400] cupsdIsAuthorized: level=CUPSD_AUTH_USER, type=Basic, satisfy=CUPSD_AUTH_SATISFY_ALL, num_names=0
d [23/Jul/2015:11:02:47 -0400] cupsdIsAuthorized: op=6(Send-Document)
d [23/Jul/2015:11:02:47 -0400] cupsdIsAuthorized: auth=CUPSD_AUTH_ALLOW...
D [23/Jul/2015:11:02:47 -0400] cupsdIsAuthorized: username="rcc2"

Failing:
D [23/Jul/2015:11:03:36 -0400] Send-Document http://net-print-test2.cit.cornell.edu:631/printers/ansel-pc
d [23/Jul/2015:11:03:36 -0400] send_document(0x7f480bcc79c0[12], http://net-print-test2.cit.cornell.edu:631/printers/ansel-pc)
d [23/Jul/2015:11:03:36 -0400] validate_user(job=44, con=12, owner="rcc2", username=0x7fff1848b630, userlen=1024)
d [23/Jul/2015:11:03:36 -0400] cupsdFindPolicyOp(p=0x7f480bcacd30, op=6(Send-Document))
d [23/Jul/2015:11:03:36 -0400] cupsdFindPolicyOp: Found exact match...
d [23/Jul/2015:11:03:36 -0400] cupsdIsAuthorized: con->uri="/printers/ansel-pc", con->best=0x7f480bcbe430((null))
d [23/Jul/2015:11:03:36 -0400] cupsdIsAuthorized: owner="rcc2"
d [23/Jul/2015:11:03:36 -0400] cupsdIsAuthorized: level=CUPSD_AUTH_USER, type=Basic, satisfy=CUPSD_AUTH_SATISFY_ALL, num_names=0
d [23/Jul/2015:11:03:36 -0400] cupsdIsAuthorized: op=6(Send-Document)
d [23/Jul/2015:11:03:36 -0400] cupsdIsAuthorized: auth=CUPSD_AUTH_ALLOW...
D [23/Jul/2015:11:03:36 -0400] cupsdIsAuthorized: username=""
D [23/Jul/2015:11:03:36 -0400] Returning HTTP Unauthorized for Send-Document (http://net-print-test2.cit.cornell.edu:631/printers/ansel-pc) from 10.17.28.60

More information about the cups mailing list