error when adding a CUPS printer through web interface: cupsdAuthorize: pam_authenticate() returned 7 (Authentication failure)

Bug #47892 reported by AleksanderAdamowski on 2006-06-01
42
This bug affects 3 people
Affects Status Importance Assigned to Milestone
cupsys (Ubuntu)
Medium
Unassigned

Bug Description

Binary package hint: cupsys

I've just installed Ubuntu 6.06 (actually it's a daily alternate ISO from 2006-05-29 that was dist-upgraded to the final Dapper release).

I cannot add new printers with the web administration interface (I'm connectiong through localhost, of course).

The CUPS config is the default one.

Steps to reproduce:

1) Launch Firefox
2) Go to http://localhost:631
3) Choose "Add Printer"
4) Supply all the parameters and tyr to add the new printer
5) An authentication prompt pops up. Supply either your login/password, or root login/password (if you have set the password for root).

The result: the password prompt reappears again.
CUPS logs the following errors to /var/log/cups/error_log:

E [01/Jun/2006:19:42:44 +0200] cupsdAuthorize: pam_authenticate() returned 7 (Authentication failure)!
E [01/Jun/2006:19:42:45 +0200] CUPS-Add-Modify-Printer: Unauthorized

No printer is added, of course.

My user is in the lpadmin group, and the default cupsd.conf contains all the necessary directives:

SystemGroup lpadmin
...
<Location /admin/conf>
  AuthType Basic
  Require user @SYSTEM
  Order allow,deny
  Allow localhost
</Location>
...
  <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
    AuthType Basic
    Require user @SYSTEM
    Order deny,allow
  </Limit>

What's interesting, adding a printer using gnome-cups-manager works fine. But this is not an acceptable solution on a server.

Patrice Vetsel (vetsel-patrice) wrote :

Please read /usr/share/doc/cupsys/README.Debian.gz
you will find that administration over the web interface is disabled by default... you must do a
adduser cupsys shadow to change that.

Changed in cupsys:
status: Unconfirmed → Rejected

@VETSEL

Can I reopen this bug? The information in the /usr/share/doc/cupsys/README.Debian.gz should instead be shown when trying to access cups web interface. Actually, the README.Debian does not seem the proper place for Ubuntu to add information.

@VETSEL

If you agree, I can produce a patch to implement my proposal.

I support manu's proposition.

I'm a quite experienced sysadmin and programmer, but reading a README file for a different distribution to get information which could easily be embedded in the user interface is one of the more counter-intuitive things one could imagine...

Also, the message should not mention GNOME or KDE in particular.

Martin Pitt (pitti) wrote :

The web interface clearly says that administrative functions are disabled and points to the README.Debian file.

@Martin

Honestly, there are a lot of weak points in your "argument". I don't have a Dapper right now but I think that the message currently says (correct me if I am wrong):

"Administrative commands are disabled in the web interface for security reasons. Please use the GNOME CUPS manager (System > Administration > Printing). /usr/share/doc/cupsys/README.Debian.gz describes the details and how to reenable it again."

1) There is no GNOME CUPS manager in Kubuntu!

2) /usr/share/doc/cupsys/README.Debian.gz is a large doc full of worple worple and more worple stuff.

3) Ubuntu modifying README.Debian is at least unpolite.

4) There is no GNOME CUPS manager in Kubuntu ! ! !

Anyway, I am not requesting you (or anyone) to change this. Just saying that it should be changed, and I hope to have some time to look at it.

I lost 3 days hunting this "bug", after reading the code and experiencing with many file permissions, I've found how to "fix" it... then I was about to report this "bug" I found this report... holy sh*t.

Guys, if you want to disable the web admin, do it properly... or don't do it at all.

I can just support what MANU said.

Also, if you use the web-admin the way ubuntu ships you get 100% CPU usage, the cupsd process loops forever and you can hang your machine (if it's a slow one, like mine).

@Gustova
FYI, the web interface is already enabled by default on Edgy (see bug #50886). So this bug is fixed for Edgy and later versions of Ubuntu.

Pascal,

That's the problem, see my report on that bug. The web-ui is enabled, but you cannot login/auth because they have added an external application that is suid to cupsys:shadow, but cupsys is not in shadow group, so the application fails. If you run it (cupsd) as root, this same app is o-x (not executable by others) and root cannot run it... in every case it triggers cupsd to consume 100% CPU :-(

Denes Kiss (kiss-denes) wrote :

I think the problem has not been solved yet. I installed an Edgy desktop and it works, but in an Edgy server I am unable to switch on the admin login window again. Even if I put the cupsys into the shadow group, the login window does not receive the root password. So I can not configure a new printer on the server.

Quigi (brechbuehler) wrote :

I support re-opening the bug.

The Web Interface does NOT display any message stating administrating is disabled. Nor does it point to /usr/share/doc/cupsys/README.Debian.gz. E.g., http://localhost:631/admin or https://localhost:631/admin simply come up. I can click "Manage printers", a link to /printers. But when I try to do anything, e.g., "Set as Default", a dialog pops up "Enter username and password for "CUPS" at https://localhost:631", and, as the original poster noted, it just keeps coming back, no matter if I enter my password or root.

Yes, I am in group lpadmin.
Yes, cupsys is in group shadow.
Yes, /etc/shadow is readable by group shadow.

CUPS logs this:

  I [28/Jul/2008:13:59:54 -0400] Started "/usr/lib/cups/cgi-bin/admin.cgi" (pid=1139)
  E [28/Jul/2008:13:59:54 -0400] CUPS-Set-Default: Unauthorized
  I [28/Jul/2008:13:59:54 -0400] cupsdCloseClient: SSL shutdown successful!

I have some version of Ubuntu (maybe Dapper or Edgy, uname -a doesn't know, how can I find out?).

Quigi;
Click on Applications, System Tools, Sysinfo, then select System. You should get something like this: Ubuntu 8.04 (hardy).

I am appalled that this problem is still with us. It has been going on for years through several releases.

Whitt

On Mon, Jul 28, 2008 at 2:29 PM, Graham M. Whittenberg <
<email address hidden>> wrote:

> Quigi;
> Click on Applications, System Tools, Sysinfo, then select System. You
> should get something like this: Ubuntu 8.04 (hardy).

I have Applications, System Tools, but no Sysinfo. But you got me looking
in the right place: System, About Ubuntu brings up a window that starts:
    "Thank you for your interest in Ubuntu 6.06 LTS - the Dapper Drake -
released in June 2006."

So that answers the question (I'm used to something simple like "cat
/etc/redhat-release"). I've occasionally applied updates, and presumably
one of them took away my ability to manage CUPS through localhost:631
(because once upon a time it was working). Oh well, I'll soon upgrade to
Hardy Heron, and maybe that fixes things, or maybe some day I figure it out.

Thank you Whitt, for the pointer!

Martin Pitt (pitti) wrote :

Quigi, this bug has been fixed properly in Feisty (7.04) by completely reshuffling the security hardening. This cannot be transitioned to dapper. However, it has always worked for me with cupsys being in shadow, thus I'm a bit baffled why it doesn't work for you.

Jeremy Wilkins (wjeremy) wrote :

I'm not so sure it has been fixed. I have tried with my system on Intrepid to access the web interface and it fails to authenticate me. Just as the post above mentions and adding to shadow doesn't help anymore.

Jeremy Wilkins (wjeremy) wrote :

Does anyone know if there has been cups management regressions on intrepid?

Jeremy Wilkins (wjeremy) wrote :

Well, I never figured out how to fix the problem I was having, which was to delete a printer via web management. However, I solved it manually by deleting the printer in the /etc/cups/printers.conf file, and then manually on the clients that mapped it. This is definitely a step backwards in printer support, but I wonder if it isn't my server since it hasn't been cleanly installed with Intrepid. I don't have this problem on my laptop. It wasn't cleanly installed either, but it never saw as many upgrades as my server has.

Martin Pitt (pitti) wrote :

Jeremy, if you have that problem, it's unrelated to this bug report. Please open a new one, do "cupsctl --debug-logging", try to authenticate in the web ui, and attach /var/log/cups/error_log afterwards. Thanks!

Quigi (brechbuehler) wrote :

On Wed, Dec 3, 2008 at 3:28 PM, Jeremy Wilkins <email address hidden> wrote:

> I'm not so sure it has been fixed. I have tried with my system on
> Intrepid to access the web interface and it fails to authenticate me.

I recently installed Hardy Heron. At https://localhost:631, authentication
with my normal user name and password works. Something apparently was fixed
between Dapper and Heron.

/Christian

sdaau (sd-imi) wrote :

> At https://localhost:631, authentication
> with my normal user name and password works.

Not on Ubuntu 11.04 Natty. I wish they put in with large letters, when you log in to localhost:631:

"...

NOTE: THIS ADMINISTRATION ACCOUNT IS DISABLED!! YOU WILL NOT BE ABLE TO ADD PRINTERS!!
PLEASE READ /whatever/you/say/README TO SEE HOW TO ADD PRINTERS!!

...
"

.. so instead of me looking for hours through bugs, I'd at least know what to do..

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Related questions