error when adding a CUPS printer through web interface: cupsdAuthorize: pam_authenticate() returned 7 (Authentication failure)

Please read /usr/share/doc/cupsys/README.Debian.gz
you will find that administration over the web interface is disabled by default... you must do a
adduser cupsys shadow to change that.

@VETSEL

Can I reopen this bug? The information in the /usr/share/doc/cupsys/README.Debian.gz should instead be shown when trying to access cups web interface. Actually, the README.Debian does not seem the proper place for Ubuntu to add information.

@VETSEL

If you agree, I can produce a patch to implement my proposal.

I support manu's proposition.

I'm a quite experienced sysadmin and programmer, but reading a README file for a different distribution to get information which could easily be embedded in the user interface is one of the more counter-intuitive things one could imagine...

Also, the message should not mention GNOME or KDE in particular.

The web interface clearly says that administrative functions are disabled and points to the README.Debian file.

@Martin

Honestly, there are a lot of weak points in your "argument". I don't have a Dapper right now but I think that the message currently says (correct me if I am wrong):

"Administrative commands are disabled in the web interface for security reasons. Please use the GNOME CUPS manager (System > Administration > Printing). /usr/share/doc/cupsys/README.Debian.gz describes the details and how to reenable it again."

1) There is no GNOME CUPS manager in Kubuntu!

2) /usr/share/doc/cupsys/README.Debian.gz is a large doc full of worple worple and more worple stuff.

3) Ubuntu modifying README.Debian is at least unpolite.

4) There is no GNOME CUPS manager in Kubuntu ! ! !

Anyway, I am not requesting you (or anyone) to change this. Just saying that it should be changed, and I hope to have some time to look at it.

I lost 3 days hunting this "bug", after reading the code and experiencing with many file permissions, I've found how to "fix" it... then I was about to report this "bug" I found this report... holy sh*t.

Guys, if you want to disable the web admin, do it properly... or don't do it at all.

I can just support what MANU said.

Also, if you use the web-admin the way ubuntu ships you get 100% CPU usage, the cupsd process loops forever and you can hang your machine (if it's a slow one, like mine).

@Gustova
FYI, the web interface is already enabled by default on Edgy (see bug #50886). So this bug is fixed for Edgy and later versions of Ubuntu.

Pascal,

That's the problem, see my report on that bug. The web-ui is enabled, but you cannot login/auth because they have added an external application that is suid to cupsys:shadow, but cupsys is not in shadow group, so the application fails. If you run it (cupsd) as root, this same app is o-x (not executable by others) and root cannot run it... in every case it triggers cupsd to consume 100% CPU :-(

I think the problem has not been solved yet. I installed an Edgy desktop and it works, but in an Edgy server I am unable to switch on the admin login window again. Even if I put the cupsys into the shadow group, the login window does not receive the root password. So I can not configure a new printer on the server.

I support re-opening the bug.

The Web Interface does NOT display any message stating administrating is disabled. Nor does it point to /usr/share/doc/cupsys/README.Debian.gz. E.g., http://localhost:631/admin or https://localhost:631/admin simply come up. I can click "Manage printers", a link to /printers. But when I try to do anything, e.g., "Set as Default", a dialog pops up "Enter username and password for "CUPS" at https://localhost:631", and, as the original poster noted, it just keeps coming back, no matter if I enter my password or root.

Yes, I am in group lpadmin.
Yes, cupsys is in group shadow.
Yes, /etc/shadow is readable by group shadow.

CUPS logs this:

  I [28/Jul/2008:13:59:54 -0400] Started "/usr/lib/cups/cgi-bin/admin.cgi" (pid=1139)
  E [28/Jul/2008:13:59:54 -0400] CUPS-Set-Default: Unauthorized
  I [28/Jul/2008:13:59:54 -0400] cupsdCloseClient: SSL shutdown successful!

I have some version of Ubuntu (maybe Dapper or Edgy, uname -a doesn't know, how can I find out?).

Quigi;
Click on Applications, System Tools, Sysinfo, then select System. You should get something like this: Ubuntu 8.04 (hardy).

I am appalled that this problem is still with us. It has been going on for years through several releases.

Whitt

On Mon, Jul 28, 2008 at 2:29 PM, Graham M. Whittenberg <
<email address hidden>> wrote:

> Quigi;
> Click on Applications, System Tools, Sysinfo, then select System. You
> should get something like this: Ubuntu 8.04 (hardy).

I have Applications, System Tools, but no Sysinfo. But you got me looking
in the right place: System, About Ubuntu brings up a window that starts:
    "Thank you for your interest in Ubuntu 6.06 LTS - the Dapper Drake -
released in June 2006."

So that answers the question (I'm used to something simple like "cat
/etc/redhat-release"). I've occasionally applied updates, and presumably
one of them took away my ability to manage CUPS through localhost:631
(because once upon a time it was working). Oh well, I'll soon upgrade to
Hardy Heron, and maybe that fixes things, or maybe some day I figure it out.

Thank you Whitt, for the pointer!

Quigi, this bug has been fixed properly in Feisty (7.04) by completely reshuffling the security hardening. This cannot be transitioned to dapper. However, it has always worked for me with cupsys being in shadow, thus I'm a bit baffled why it doesn't work for you.

I'm not so sure it has been fixed. I have tried with my system on Intrepid to access the web interface and it fails to authenticate me. Just as the post above mentions and adding to shadow doesn't help anymore.

Does anyone know if there has been cups management regressions on intrepid?

Well, I never figured out how to fix the problem I was having, which was to delete a printer via web management. However, I solved it manually by deleting the printer in the /etc/cups/printers.conf file, and then manually on the clients that mapped it. This is definitely a step backwards in printer support, but I wonder if it isn't my server since it hasn't been cleanly installed with Intrepid. I don't have this problem on my laptop. It wasn't cleanly installed either, but it never saw as many upgrades as my server has.

Jeremy, if you have that problem, it's unrelated to this bug report. Please open a new one, do "cupsctl --debug-logging", try to authenticate in the web ui, and attach /var/log/cups/error_log afterwards. Thanks!

On Wed, Dec 3, 2008 at 3:28 PM, Jeremy Wilkins <email address hidden> wrote:

> I'm not so sure it has been fixed. I have tried with my system on
> Intrepid to access the web interface and it fails to authenticate me.

I recently installed Hardy Heron. At https://localhost:631, authentication
with my normal user name and password works. Something apparently was fixed
between Dapper and Heron.

/Christian

> At https://localhost:631, authentication
> with my normal user name and password works.

Not on Ubuntu 11.04 Natty. I wish they put in with large letters, when you log in to localhost:631:

"...

NOTE: THIS ADMINISTRATION ACCOUNT IS DISABLED!! YOU WILL NOT BE ABLE TO ADD PRINTERS!!
PLEASE READ /whatever/you/say/README TO SEE HOW TO ADD PRINTERS!!

...
"

.. so instead of me looking for hours through bugs, I'd at least know what to do..