[Pkg-cups-devel] Bug#381280: No more access from remote clients after upgrade. 'cupsdAuthorize: No authentication data provided.'
Jan Capek
jan-debian at capkovi.eu
Wed May 20 23:01:43 UTC 2009
Package: cups
Version: 1.3.10-1
Followup-For: Bug #381280
After upgrading to 1.3.10-1 all remote clients on the local network
were not able to use the CUPS server anymore
The first issue was that the clients didn't see the published printers
anymore. The fix in the configuration file was trivial - just followed
the manpage. Probably, some default has changed. The following snippet
fixed the problem and clients were able to browse the printers again:
# this enables broadcasting the printer information on all local
# interfaces
BrowseAddress @LOCAL
BrowseAllow @LOCAL
The second issue was that none of the clients was given access to the
printers. After investigation of the error log (debug level) I noticed
the 'No authentication data provided' message. This error message was
being emitted anytime the client tried even polling the printer
(e.g. by clicking on the printer in the browser of the remote client).
After some googling I didn't find any solution. There were only people
that had this error and it started magically to work after a series of
upgrades - not my case... Apparently, the default security policy of
CUPS must have changed and remote clients were no longer allowed to
perform any of the operation as before. The following snippet fixed
the problem and clients are able to print now:
# Restrict access to the server...
<Location />
AuthType None
Order allow,deny
Allow from @LOCAL
</Location>
The rest of the configuration file (admin locations + default policy
etc.) takes care of restricting the remote clients from doing anything
else but printing and managing their jobs (default provided by the
package).
Eventhough my problem has been fixed by adjusting the configuration,
the error log still contains the 'No authentication data provided'
message. To me, it looks like it is more of a warning that the client
simply didn't send any auth. data and cups will act accordingly and
would provide access that doesn't require authentication..
Hope this would save somebody's time and frustration after CUPS
upgrade.. For completeness, I am attaching my configuration file.
Cheers,
Jan
*** /tmp/reportbug-cups-20090521-25558-dMlks7
Content-Type: multipart/mixed; boundary="===============1766670036487845632=="
MIME-Version: 1.0
From: Jan Capek <jan-debian at capkovi.eu>
To: Debian Bug Tracking System <381280 at bugs.debian.org>
Subject: No more access from remote clients after upgrade. 'cupsdAuthorize: No
authentication data provided.'
Message-ID: <20090520224626.25558.12234.reportbug at localhost>
X-Mailer: reportbug 3.45
Date: Thu, 21 May 2009 00:46:26 +0200
X-Debbugs-Cc: jan-debian at capkovi.eu
This is a multi-part MIME message sent by reportbug.
--===============1766670036487845632==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Package: cups
Version: 1.3.10-1
Followup-For: Bug #381280
After upgrading to 1.3.10-1 all remote clients on the local network
were not able to use the CUPS server anymore
The first issue was that the clients didn't see the published printers
anymore. The fix in the configuration file was trivial - just followed
the manpage. Probably, some default has changed. The following snippet
fixed the problem and clients were able to browse the printers again:
# this enables broadcasting the printer information on all local
# interfaces
BrowseAddress @LOCAL
BrowseAllow @LOCAL
The second issue was that none of the clients was given access to the
printers. After investigation of the error log (debug level) I noticed
the 'No authentication data provided' message. This error message was
being emitted anytime the client tried even polling the printer
(e.g. by clicking on the printer in the browser of the remote client).
After some googling I didn't find any solution. There were only people
that had this error and it started magically to work after a series of
upgrades - not my case... Apparently, the default security policy of
CUPS must have changed and remote clients were no longer allowed to
perform any of the operation as before. The following snippet fixed
the problem and clients are able to print now:
# Restrict access to the server...
<Location />
AuthType None
Order allow,deny
Allow from @LOCAL
</Location>
The rest of the configuration file (admin locations + default policy
etc.) takes care of restricting the remote clients from doing anything
else but printing and managing their jobs (default provided by the
package).
Eventhough my problem has been fixed by adjusting the configuration,
the error log still contains the 'No authentication data provided'
message. To me, it looks like it is more of a warning that the client
simply didn't send any auth. data and cups will act accordingly and
would provide access that doesn't require authentication..
Hope this would save somebody's time and frustration after CUPS
upgrade..
Cheers,
Jan
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.29-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=cs_CZ.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages cups depends on:
ii adduser 3.110 add and remove users and groups
ii bc 1.06.94-3 The GNU bc arbitrary precision cal
ii cups-common 1.3.10-1 Common UNIX Printing System(tm) -
ii debconf [debconf-2.0 1.5.23 Debian configuration management sy
ii ghostscript 8.62.dfsg.1-3.1 The GPL Ghostscript PostScript/PDF
ii libavahi-compat-libd 0.6.23-2 Avahi Apple Bonjour compatibility
ii libc6 2.9-9 GNU C Library: Shared libraries
ii libcups2 1.3.8-1lenny1 Common UNIX Printing System(tm) -
ii libcupsimage2 1.3.8-1lenny1 Common UNIX Printing System(tm) -
ii libdbus-1-3 1.2.1-3 simple interprocess messaging syst
ii libgcc1 1:4.3.2-1 GCC support library
ii libgnutls26 2.6.6-1 the GNU TLS library - runtime libr
ii libgssapi-krb5-2 1.6.dfsg.4~beta1-13 MIT Kerberos runtime libraries - k
ii libijs-0.35 0.35-6 IJS raster image transport protoco
ii libkrb5-3 1.6.dfsg.4~beta1-13 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.15-1.1 OpenLDAP libraries
ii libpam0g 1.0.1-9 Pluggable Authentication Modules l
ii libpaper1 1.1.23+nmu1 library for handling paper charact
ii libpoppler4 0.10.6-1 PDF rendering library
ii libslp1 1.2.1-7.4 OpenSLP libraries
ii libstdc++6 4.3.2-1 The GNU Standard C++ Library v3
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii perl-modules 5.10.0-22 Core Perl modules
ii procps 1:3.2.7-9 /proc file system utilities
ii ssl-cert 1.0.23 simple debconf wrapper for OpenSSL
ii ttf-freefont 20090104-2 Freefont Serif, Sans and Mono True
ii xpdf-utils [poppler- 3.02-1.4 Portable Document Format (PDF) sui
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages cups recommends:
ii avahi-utils 0.6.23-2 Avahi browsing, publishing and dis
ii cups-client 1.3.10-1 Common UNIX Printing System(tm) -
ii foomatic-filters 4.0-20090311-1 OpenPrinting printer support - fil
ii smbclient 2:3.2.5-4 a LanManager-like simple client fo
Versions of packages cups suggests:
ii cups-bsd 1.3.10-1 Common UNIX Printing System(tm) -
ii cups-driver-gutenprint 5.2.3-2 printer drivers for CUPS
ii cups-pdf 2.5.0-1 PDF printer for CUPS
ii foomatic-db 20090301-2 OpenPrinting printer support - dat
ii foomatic-db-engine 4.0-20090301-1 OpenPrinting printer support - pro
ii hplip 3.9.2-3 HP Linux Printing and Imaging Syst
pn xpdf-korean | xpdf-japane <none> (no description available)
-- debconf information:
cupsys/raw-print: true
cupsys/backend: ipp, lpd, parallel, scsi, serial, socket, usb, snmp, dnssd
--===============1766670036487845632==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cupsd.conf"
#
#
# Sample configuration file for the Common UNIX Printing System (CUPS)
# scheduler. See "man cupsd.conf" for a complete description of this
# file.
#
# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
#LogLevel warning
LogLevel debug
# Administrator user group...
SystemGroup lpadmin
# Only listen for connections from the local machine.
Listen localhost:631
Listen 10.66.0.1:631
Listen /var/run/cups/cups.sock
# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
# JCA: this enables broadcasting the printer information on all local
# interfaces
BrowseAddress @LOCAL
BrowseAllow @LOCAL
# Default authentication type, when authentication is required...
DefaultAuthType Basic
# Restrict access to the server...
<Location />
AuthType None
Order allow,deny
Allow from @LOCAL
</Location>
# Restrict access to the admin pages...
<Location /admin>
Encryption Required
Order allow,deny
</Location>
# Restrict access to configuration files...
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
Order allow,deny
</Location>
# # Restrict access to the admin pages...
# <Location /printers>
# AuthType None
# Order deny,allow
# Allow from all
# </Location>
# Set the default printer/job policies...
<Policy default>
# Job-related operations must be done by the owner or an administrator...
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
#
#
--===============1766670036487845632==--
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.29-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=cs_CZ.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages cups depends on:
ii adduser 3.110 add and remove users and groups
ii bc 1.06.94-3 The GNU bc arbitrary precision cal
ii cups-common 1.3.10-1 Common UNIX Printing System(tm) -
ii debconf [debconf-2.0 1.5.23 Debian configuration management sy
ii ghostscript 8.62.dfsg.1-3.1 The GPL Ghostscript PostScript/PDF
ii libavahi-compat-libd 0.6.23-2 Avahi Apple Bonjour compatibility
ii libc6 2.9-9 GNU C Library: Shared libraries
ii libcups2 1.3.8-1lenny1 Common UNIX Printing System(tm) -
ii libcupsimage2 1.3.8-1lenny1 Common UNIX Printing System(tm) -
ii libdbus-1-3 1.2.1-3 simple interprocess messaging syst
ii libgcc1 1:4.3.2-1 GCC support library
ii libgnutls26 2.6.6-1 the GNU TLS library - runtime libr
ii libgssapi-krb5-2 1.6.dfsg.4~beta1-13 MIT Kerberos runtime libraries - k
ii libijs-0.35 0.35-6 IJS raster image transport protoco
ii libkrb5-3 1.6.dfsg.4~beta1-13 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.15-1.1 OpenLDAP libraries
ii libpam0g 1.0.1-9 Pluggable Authentication Modules l
ii libpaper1 1.1.23+nmu1 library for handling paper charact
ii libpoppler4 0.10.6-1 PDF rendering library
ii libslp1 1.2.1-7.4 OpenSLP libraries
ii libstdc++6 4.3.2-1 The GNU Standard C++ Library v3
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii perl-modules 5.10.0-22 Core Perl modules
ii procps 1:3.2.7-9 /proc file system utilities
ii ssl-cert 1.0.23 simple debconf wrapper for OpenSSL
ii ttf-freefont 20090104-2 Freefont Serif, Sans and Mono True
ii xpdf-utils [poppler- 3.02-1.4 Portable Document Format (PDF) sui
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages cups recommends:
ii avahi-utils 0.6.23-2 Avahi browsing, publishing and dis
ii cups-client 1.3.10-1 Common UNIX Printing System(tm) -
ii foomatic-filters 4.0-20090311-1 OpenPrinting printer support - fil
ii smbclient 2:3.2.5-4 a LanManager-like simple client fo
Versions of packages cups suggests:
ii cups-bsd 1.3.10-1 Common UNIX Printing System(tm) -
ii cups-driver-gutenprint 5.2.3-2 printer drivers for CUPS
ii cups-pdf 2.5.0-1 PDF printer for CUPS
ii foomatic-db 20090301-2 OpenPrinting printer support - dat
ii foomatic-db-engine 4.0-20090301-1 OpenPrinting printer support - pro
ii hplip 3.9.2-3 HP Linux Printing and Imaging Syst
pn xpdf-korean | xpdf-japane <none> (no description available)
-- debconf information:
cupsys/raw-print: true
cupsys/backend: ipp, lpd, parallel, scsi, serial, socket, usb, snmp, dnssd
-------------- next part --------------
#
#
# Sample configuration file for the Common UNIX Printing System (CUPS)
# scheduler. See "man cupsd.conf" for a complete description of this
# file.
#
# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
#LogLevel warning
LogLevel debug
# Administrator user group...
SystemGroup lpadmin
# Only listen for connections from the local machine.
Listen localhost:631
Listen 10.66.0.1:631
Listen /var/run/cups/cups.sock
# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
# JCA: this enables broadcasting the printer information on all local
# interfaces
BrowseAddress @LOCAL
BrowseAllow @LOCAL
# Default authentication type, when authentication is required...
DefaultAuthType Basic
# Restrict access to the server...
<Location />
AuthType None
Order allow,deny
Allow from @LOCAL
</Location>
# Restrict access to the admin pages...
<Location /admin>
Encryption Required
Order allow,deny
</Location>
# Restrict access to configuration files...
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
Order allow,deny
</Location>
# # Restrict access to the admin pages...
# <Location /printers>
# AuthType None
# Order deny,allow
# Allow from all
# </Location>
# Set the default printer/job policies...
<Policy default>
# Job-related operations must be done by the owner or an administrator...
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
#
#
More information about the Pkg-cups-devel
mailing list