Re: cups / (pam?) authentication problem

From: Jason Bourne (j_bourne_treadstone_at_hotmail.com)
Date: 10/19/04


Date: Tue, 19 Oct 2004 15:14:52 -0400

webclark wrote:

> Suse 9.1 Pro, cups installation.
>
> Authentication to localhost:631 fails, or for other GUI routes to the
> same socket that Suse provides.
>
> /etc/pam.d/cups says:
> auth required pam_unix2.so nullok
> auth required pam_unix2.so
>
[snip]

Greetings:

 Not really sure I can be of any assistance, but I noticed my
/etc/pam.d/cups looked like this:

auth required pam_unix2.so nullok
account required pam_unix2.so

I'm also not clear on whether you are experiencing problems with
administrative login functions or are trying to set it up so that users
must log in to print. My setup (the default; it worked out of the box, so I
never changed it) does ask me for a login only when trying to access
administrative areas. When printing as user(s) I am using no form of
authentication.

One thing to keep in mind also is that if you are trying to authenticate
users in order for them to print, and are using a GUI desktop like KDE, you
may need to configure the desktop (kprint) to pass user/password info to
cups. I've never done this myself, but iirc I think I've seen setup screens
in KDE for this. In other words, divide and conquer: is it cups or the
desktop?

Below is the Security part of my cupsd.conf for reference:

########
######## Security Options
########

#
# SystemGroup: the group name for "System" (printer administration)
# access. The default varies depending on the operating system, but
# will be "sys", "system", or "root" (checked for in that order.)
#

#SystemGroup lp

#
# RootCertDuration: How frequently the root certificate is regenerated.
# Defaults to 300 seconds.
#

#RootCertDuration 300

#
# Access permissions for each directory served by the scheduler.
# Locations are relative to DocumentRoot...
#
# AuthType: the authorization to use:
#
# None - Perform no authentication
# Basic - Perform authentication using the HTTP Basic method.
# Digest - Perform authentication using the HTTP Digest method.
#
# (Note: local certificate authentication can be substituted by
# the client for Basic or Digest when connecting to the
# localhost interface)
#
# AuthClass: the authorization class; currently only "Anonymous", "User",
# "System" (valid user belonging to group SystemGroup), and "Group"
# (valid user belonging to the specified group) are supported.
#
# AuthGroupName: the group name for "Group" authorization.
#
# Order: the order of Allow/Deny processing.
#
# Allow: allows access from the specified hostname, domain, IP address,
# network, or interface.
#
# Deny: denies access from the specified hostname, domain, IP address,
# network, or interface.
#
# Both "Allow" and "Deny" accept the following notations for addresses:
#
# All
# None
# *.domain.com
# .domain.com
# host.domain.com
# nnn.*
# nnn.nnn.*
# nnn.nnn.nnn.*
# nnn.nnn.nnn.nnn
# nnn.nnn.nnn.nnn/mm
# nnn.nnn.nnn.nnn/mmm.mmm.mmm.mmm
# @LOCAL
# @IF(name)
#
# The host and domain address require that you enable hostname lookups
# with "HostNameLookups On" above.
#
# The @LOCAL address allows or denies from all non point-to-point
# interfaces. For example, if you have a LAN and a dial-up link,
# @LOCAL could allow connections from the LAN but not from the dial-up
# link. Similarly, the @IF(name) address allows or denies from the
# named network interface, e.g. @IF(eth0) under Linux. Interfaces are
# refreshed automatically (no more than once every 60 seconds), so
# they can be used on dynamically-configured interfaces, e.g. PPP,
# 802.11, etc.
#
# Encryption: whether or not to use encryption; this depends on having
# the OpenSSL library linked into the CUPS library and scheduler.
#
# Possible values:
#
# Always - Always use encryption (SSL)
# Never - Never use encryption
# Required - Use TLS encryption upgrade
# IfRequested - Use encryption if the server requests it
#
# The default value is "IfRequested".
#

<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 127.0.0.2
Allow From @LOCAL
</Location>

#<Location /classes>
#
# You may wish to limit access to printers and classes, either with Allow
# and Deny lines, or by requiring a username and password.
#
#</Location>

#<Location /classes/name>
#
# You may wish to limit access to printers and classes, either with Allow
# and Deny lines, or by requiring a username and password.
#
#</Location>

#<Location /jobs>
#
# You may wish to limit access to job operations, either with Allow
# and Deny lines, or by requiring a username and password.
#
#</Location>

#<Location /printers>
#
# You may wish to limit access to printers and classes, either with Allow
# and Deny lines, or by requiring a username and password.
#
#</Location>

#<Location /printers/name>
#
# You may wish to limit access to printers and classes, either with Allow
# and Deny lines, or by requiring a username and password.
#

## Anonymous access (default)
#AuthType None

## Require a username and password (Basic authentication)
#AuthType Basic
#AuthClass User

## Require a username and password (Digest/MD5 authentication)
#AuthType Digest
#AuthClass User

## Restrict access to local domain
#Order Deny,Allow
#Deny From All
#Allow From .mydomain.com
#</Location>

<Location /admin>
#
# You definitely will want to limit access to the administration functions.
# The default configuration requires a local connection from a user who
# is a member of the system group to do any admin tasks. You can change
# the group name using the SystemGroup directive.
#

AuthType BasicDigest
AuthClass Group
AuthGroupName sys

## Restrict access to local domain
Order Deny,Allow
Deny From All
Allow From 127.0.0.1

#Encryption Required
</Location>

#
# End of "$Id: cupsd.conf.in,v 1.13 2003/04/10 20:14:04 mike Exp $".
#

At any rate - Best wishes for good luck to you on the problem.

-Jason
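
Added example, not part of either poster's message: a small Python check that parses the two /etc/pam.d/cups stacks shown in this thread and lists how they differ (module types present, a module stacked twice, nullok). The function names and the choice of "auth" and "account" as the types to look for are assumptions of this example, not something CUPS or the posters state.

```python
import re

# Constructed inputs: the two /etc/pam.d/cups stacks as quoted in the thread.
QUOTED_STACK = "auth required pam_unix2.so nullok\nauth required pam_unix2.so\n"
REPLY_STACK = "auth required pam_unix2.so nullok\naccount required pam_unix2.so\n"

PAM_TYPES = ("auth", "account", "password", "session")
# type, control (one word or a [bracketed list]), module, optional arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return [(type, control, module, args)] for every rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE.match(line)
        if not m or m.group(1).lower() not in PAM_TYPES:
            raise ValueError(f"unrecognised PAM line: {raw!r}")
        rules.append((m.group(1).lower(), m.group(2), m.group(3),
                      tuple(m.group(4).split())))
    return rules

def review(text, needed=("auth", "account")):
    """List points worth checking; 'needed' is this example's assumption."""
    rules = parse_pam(text)
    present = {r[0] for r in rules}
    findings = [f"no '{t}' rule" for t in needed if t not in present]
    seen = set()
    for mtype, _control, module, args in rules:
        if (mtype, module) in seen:
            findings.append(f"{module} stacked twice for '{mtype}'")
        seen.add((mtype, module))
        if "nullok" in args:
            findings.append(f"{module} ({mtype}) has nullok set")
    return findings

if __name__ == "__main__":
    for name, stack in (("quoted", QUOTED_STACK), ("reply", REPLY_STACK)):
        print(name, review(stack) or "nothing flagged")
```

To run it against a live system, pass the contents of /etc/pam.d/cups to review() instead of the embedded strings.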


