Mailing Lists: Apple Mailing Lists


Re: CUPS authentication problem



Tom Schutzer-Weissmann wrote:

> On Mon, 26 Jul 2004 09:23:57 +0200
> Axel Luttgens <email@hidden> wrote:
>
>> [...]
>>
>> 1. Could you post the results of following command:
>>
>> nidump -r /users/machin .
>
> My user is called printadmin:
> {
> "name" = ( "printadmin", "printadmin" );
> "uid" = ( "1500" );
> "expire" = ( "0" );
> "home" = ( "/var/empty/" );
> "shell" = ( "/usr/bin/false" );
> "gid" = ( "80" );
> "realname" = ( "printadmin" );
> "change" = ( "0" );
> "_writers_passwd" = ( "printadmin" );
> "generateduid" = ( "15AFFF2A-DF11-11D8-81C7-000A95BB32AE" );
> "authentication_authority" = ( ";ShadowHash;" );
> "passwd" = ( "********" );
> }
>

Finally! We have an explanation!
I guess you have used the passwd(1) command to provide printadmin with a password, haven't you?
The "problem" with that command is that it has been modified with 10.3 too.
Our goal was to avoid any of the novelties brought with that OS version, so that cups (as presently compiled) has the ability to check printadmin's password.

Look at the "authentication_authority" property; it has a value of ";ShadowHash;".
This means that when the system is required to check that user's password, it will use a hash stored in a file accessible to root only; in this case, the file is:
/var/db/shadow/hash/15AFFF2A-DF11-11D8-81C7-000A95BB32AE
But this is only part of the story.

As it is presently compiled, when requested to check a user name/password combination (because of a Basic AuthType), cups will use the getpwnam(3) system call.
But, as a "man getpwnam" will tell you, the present incarnation of that function will never return some information usable by cups for authentication purposes, once the user has an authentication authority other than ";basic;" (not to be confused with cups' Basic AuthType...).

In other words, we desperately were trying to create a user with a ";basic;" authentication authority.

Such a user:

a) must have an "authentication_authority" property bearing
value ";basic;" or no such property at all
b) must have a "passwd" property whose value is a traditional
unix crypt password.

So, using "NetInfo Manager.app", edit printadmin's record so that a

nidump -r /users/printadmin .

finally outputs (the properties order being indifferent):

{
"name" = ( "printadmin" );
"passwd" = ( "abdqmmqJeSFpk" );
"uid" = ( "1500" );
"gid" = ( "80" );
"change" = ( "0" );
"expire" = ( "0" );
"realname" = ( "Cups administrator" );
"home" = ( "/var/empty" );
"shell" = ( "/usr/bin/false" );
"_writers_passwd" = ( "printadmin" );
}

where the password is a crypted version of "somepass".
It has been obtained by executing:

openssl passwd -crypt -salt ab somepass

Of course, you may change the 2-character salt ("ab") and the password ("somepass") to best suit your preferences.

You should now be able to authenticate in cups' web interface as "printadmin"...

And, if it works, don't forget to delete the shadow file.
No need to leave garbage ;-)

Another point.

It would be a good idea to create a "printadmin" group (with gid=1500, if not already taken) and change user printadmin group membership from "admin" (gid=80 above) to "printadmin".
And then to change cupsd.conf so that members of group "printadmin" are allowed to administer cups too.
That way, you would have a very specialised user, with exactly the needed rights, no more.

>
>> 2. The same way, could you copy/paste the text lines (including the
>> prompts) that you get in the Terminal while executing:
>>
>> su machin
>
> nothing.

Not even a prompt change?!?

>
> As soon as I switch to basic authentication (like below), I can't get in.
>
> [...]
>
> It's very odd.

Shouldn't be anymore :-)

> Out of interest: if the office got a printer with a network card, would
> we still need CUPS?

Well, I must confess I don't know why you first needed cups.
The Mac GUI does a very fine job at hiding cups.
So, I would say: it depends...
Would it be a printer with standard drivers?
Are you going to need some settings unavailable through the GUI?


Axel
_______________________________________________
macos-x-server mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/macos-x-server
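An added check, not part of Axel's message nor of cups itself: it parses a `nidump -r` record of the form shown in the thread and reports why a getpwnam(3)-based checker would reject it (conditions a and b above). The two records are constructed samples modelled on the ones in the thread, and the 13-character crypt(3) shape is an assumption about the traditional DES format.

```python
import re

# Constructed samples modelled on the two records in the thread (not real nidump output).
SHADOW_RECORD = '''{
"name" = ( "printadmin", "printadmin" );
"uid" = ( "1500" );
"gid" = ( "80" );
"authentication_authority" = ( ";ShadowHash;" );
"passwd" = ( "********" );
}'''

BASIC_RECORD = '''{
"name" = ( "printadmin" );
"passwd" = ( "abdqmmqJeSFpk" );
"uid" = ( "1500" );
"gid" = ( "1500" );
"shell" = ( "/usr/bin/false" );
}'''

# One nidump property line:  "prop" = ( "v1", "v2" );
PROP_RE = re.compile(r'^\s*"([^"]+)"\s*=\s*\(\s*(.*?)\s*\)\s*;\s*$')
VALUE_RE = re.compile(r'"([^"]*)"')
# Assumed shape of a traditional DES crypt(3) hash: 2 salt chars + 11 hash chars.
CRYPT_RE = re.compile(r'^[./0-9A-Za-z]{13}$')


def parse_nidump(text):
    """Turn the braces-and-parentheses nidump format into {property: [values]}."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = VALUE_RE.findall(m.group(2))
    return props


def check_basic_auth_user(text):
    """Return the reasons a getpwnam(3)-based checker would get no usable
    password for this record; an empty list means conditions a) and b) hold."""
    props = parse_nidump(text)
    problems = []
    # a) authentication_authority must be ;basic; or absent entirely
    authority = props.get("authentication_authority", [";basic;"])
    if any(a.strip().lower() != ";basic;" for a in authority):
        problems.append("authentication_authority is %s, not ;basic;" % authority)
    # b) passwd must be a traditional crypt hash, not a placeholder like ********
    passwd = props.get("passwd", [])
    if len(passwd) != 1 or not CRYPT_RE.match(passwd[0]):
        problems.append("passwd is not a traditional 13-character crypt(3) hash")
    return problems
```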