[cups] authentication of Linux users against /etc/shadow *and* LDAP

Michael Sweet msweet at apple.com
Thu Sep 28 10:31:40 PDT 2017


You want to update the /etc/nsswitch.conf file to tell the C library where to get the groups and users.

> On Sep 28, 2017, at 8:11 AM, Matthias Apitz <guru at unixarea.de> wrote:
> 
> 
> Hello,
> 
> We encounter Linux systems which do have a file /etc/shadow and CUPS was
> compiled to use it, but some of the users do not have an entry there,
> and are authenticated on login/ssh against LDAP.
> 
> The used C-call to getspnam() does silently hide this fact and the
> returned password for users without an entry in /etc/shadow is just '*';
> if cups now wants to compare the calculated hash of the password provided
> by the user it fails. It took me some moment of debugging to understand
> the problem which can be simulated with these lines of code:
> 
> 
> # grep sisis /etc/passwd /etc/shadow
> /etc/passwd:sisis:x:900118:900118:SunRise user:/home/sisis:/bin/bash
> 
> 
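> #include <shadow.h>
> #include <stdio.h>
> 
> int main(void)
> {
>    struct spwd *spw;
> 
>    /* user with an entry in /etc/shadow */
>    spw = getspnam("guru");
>    printf("guru: %s\n", spw ? spw->sp_pwdp : "(no shadow entry)");
>    endspent();
> 
>    /* user without an entry in /etc/shadow, authenticated against LDAP */
>    spw = getspnam("sisis");
>    printf("sisis: %s\n", spw ? spw->sp_pwdp : "(no shadow entry)");
>    endspent();
> 
>    return 0;
> }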
> 
> which gives for me 'guru' the hash from /etc/shadow, but for the user 'sisis' only a '*':
> 
> guru: $6$SQrGx4fi$Utjdng/IHXm6ar2smqF.sVVCM5qBdeptlcXY4QLNeoMn.ZuszPUD90nyVmCfBn.PaTE5lxsJ3tZxL/cbysOhM/
> sisis: *
> 
> and so the authentication fails in CUPS for 'sisis' and works for me as 'guru';
> 
> Is this a problem in the LDAP?
> 
> 
>         matthias
> -- 
> Matthias Apitz               |  /"\   ASCII Ribbon Campaign:
> E-mail: guru at unixarea.de     |  \ /   - No HTML/RTF in E-mail
> WWW: http://www.unixarea.de/ |   X    - No proprietary attachments
> phone: +49-176-38902045      |  / \   - Respect for open standards
>                             | en.wikipedia.org/wiki/ASCII_Ribbon_Campaign

_________________________________________________________
Michael Sweet, Senior Printing System Engineer
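
A small diagnostic for the situation discussed in this thread, added here as an example and not code from either poster or from CUPS: it resolves an account through NSS and classifies the shadow password field, so a '*' placeholder is told apart from a real hash without printing the hash. The names classify_shadow_field, diagnose_user and the shadow_kind enum are hypothetical; it assumes a Linux C library with <shadow.h>, and getspnam() normally returns entries only to root.

```c
/* Added example (not from the thread): what a shadow-based check sees for a user. */
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>

enum shadow_kind { SH_NONE, SH_EMPTY, SH_LOCKED, SH_PLACEHOLDER, SH_HASH };

static const char *const kind_text[] = {
    "no shadow entry visible (not in shadow database, or not running as root)",
    "empty password field",
    "locked ('!' prefix)",
    "placeholder, cannot match any crypt() result",
    "password hash present",
};

/* Classify a shadow password field (sp_pwdp); NULL means no entry was returned. */
enum shadow_kind classify_shadow_field(const char *field)
{
    if (field == NULL)
        return SH_NONE;
    if (field[0] == '\0')
        return SH_EMPTY;
    if (field[0] == '!')
        return SH_LOCKED;
    if (field[0] == '*' || strcmp(field, "x") == 0)
        return SH_PLACEHOLDER;
    return SH_HASH;
}

/* Resolve the account through NSS and report the result without printing the hash. */
enum shadow_kind diagnose_user(const char *name)
{
    struct passwd *pw = getpwnam(name);   /* "passwd:" line of nsswitch.conf */
    struct spwd *sp = getspnam(name);     /* "shadow:" line of nsswitch.conf */
    enum shadow_kind kind = classify_shadow_field(sp ? sp->sp_pwdp : NULL);

    endspent();                           /* sp is not used after this point */
    printf("%s: passwd entry %s; shadow: %s\n", name,
           pw ? "found" : "not found", kind_text[kind]);
    return kind;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        diagnose_user(argv[i]);
    return 0;
}
```

Run as root with the user names as arguments; a "placeholder" result for an account that logs in fine over ssh is the case described in the question.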


