[cups] authentication of Linux users against /etc/shadow *and* LDAP
Michael Sweet
msweet at apple.com
Thu Sep 28 10:31:40 PDT 2017
You want to update the /etc/nsswitch.conf file to tell the C library where to get the groups and users.
> On Sep 28, 2017, at 8:11 AM, Matthias Apitz <guru at unixarea.de> wrote:
>
>
> Hello,
>
> We encounter Linux systems which do have a file /etc/shadow and CUPS was
> compiled to use it, but some of the users do not have an entry there,
> and are authenticated on login/ssh against LDAP.
>
> The used C-call to getspnam() does silently hide this fact and the
> returned password for users without an entry in /etc/shadow is just '*';
> if cups now wants to compare the calculated hash of the password provided
> by the user it fails. It took me some moment of debugging to understand
> the problem which can simulated with these lines of code:
>
>
> # grep sisis /etc/passwd /etc/shadow
> /etc/passwd:sisis:x:900118:900118:SunRise user:/home/sisis:/bin/bash
>
>
> #include <shadow.h>
>
> main()
> {
>
> struct spwd *spw;
>
> spw = getspnam ("guru");
> endspent();
> printf("guru: %s\n", spw->sp_pwdp);
>
> spw = getspnam("sisis");
> endspent();
> printf("sisis: %s\n", spw->sp_pwdp);
>
> }
>
> which gives for me 'guru' the hash from /etc/shadow, but for the user 'sisis' only a '*':
>
> guru: $6$SQrGx4fi$Utjdng/IHXm6ar2smqF.sVVCM5qBdeptlcXY4QLNeoMn.ZuszPUD90nyVmCfBn.PaTE5lxsJ3tZxL/cbysOhM/
> sisis: *
>
> and so the authentication fails in CUPS for 'sisis' and works for me as 'guru';
>
> Is this a problem in the LDAP?
>
>
> matthias
> --
> Matthias Apitz | /"\ ASCII Ribbon Campaign:
> E-mail: guru at unixarea.de | \ / - No HTML/RTF in E-mail
> WWW: http://www.unixarea.de/ | X - No proprietary attachments
> phone: +49-176-38902045 | / \ - Respect for open standards
> | en.wikipedia.org/wiki/ASCII_Ribbon_Campaign
> _______________________________________________
> cups mailing list
> cups at cups.org
> https://lists.cups.org/mailman/listinfo/cups
_________________________________________________________
Michael Sweet, Senior Printing System Engineer
More information about the cups
mailing list