CUPS authorization through Active Directory groups may fail

Solution Unverified - Updated -

Issue

  • I'm trying to set up Active Directory group authorization for the CUPS Web UI. We have a user defined in AD that is part of a group that should have CUPS administrative privileges. We can verify that the user is defined in AD and is part of the group:

    # id jbloe
    id: jbloe : no such user
    
    # id jbloe@test.example
    uid=12345678(jbloe@test.example) gid=13456789(domain users@test.example)
    groups=12456789(domain users@test.example),12356789(admin-cups@test.example)
    
    # getent group admin-cups@test.example
    admin-cups@test.example:*:12345678:jbloe@test.example
    

    If we give the user administrative privileges (as shown in the cupsd.conf snippet below), it works:

      <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class
       CUPS-Set-Default CUPS-Get-Devices>
          AuthType Default
          Require user @SYSTEM jbloe
          Order deny,allow
      </Limit>
    

    But giving the group administrative privileges (as in the example below) doesn't work:

      <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class
       CUPS-Set-Default CUPS-Get-Devices>
          AuthType Default
          Require user @SYSTEM @ADMIN-CUPS
          Order deny,allow
      </Limit>
    
  • The system is configured to authenticate through Active Directory using SSSD (not Winbind). CUPS is configured to allow the "cups-admin@adtest.local" group to perform print queue manipulation functions:

    <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer
     CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default
     CUPS-Get-Devices>
      AuthType Default
      Require lpuser @SYSTEM
      Require group cups-admin@adtest.local
      Order deny,allow
    

    And "lpuser@adtest.local" is a member of the "cups-admin@adtest.local" group:

    # getent group cups-admin@adtest.local
    cups-admin@adtest.local:*:123456789:lpuser@adtest.local
    

    However, entering the credentials for lpuser into the CUPS Web UI doesn't work. The system re-prompts for the credentials as if they aren't valid.

Environment

  • Red Hat Enterprise Linux 7
