CUPS authentication through Active Directory groups may fail
Issue
-
I'm trying to set up Active Directory group authorization for the CUPS Web UI. We have a user defined in AD that is part of a group that should have CUPS administrative privileges. We can veify that the user is defined in AD and is part of the group:
# id jbloe id: jbloe : no such user # id jbloe@test.example uid=12345678(jbloe@test.example) gid=13456789(domain users@test.example) groups=12456789(domain users@test.example),12356789(admin-cups@test.example) # getent group admin-cups@test.example admin-cups@test.example:*:12345678:jbloe@test.exampleIf we give the user administrative privileges (as shown in the cupsd.conf snippet below), it works:
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices> AuthType Default Require user @SYSTEM jbloe Order deny,allow </Limit>But giving the group administrative privileges (as in the example below) doesn't work:
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices> AuthType Default Require user @SYSTEM @ADMIN-CUPS Order deny,allow </Limit> -
The system is configured to authenticate through Active Directory using SSSD (not Winbind). CUPS is configured to allow the "cups-admin@adtest.local" group to perform print queue manipulation functions:
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices> AuthType Default Require lpuser @SYSTEM Require group cups-admin@adtest.local Order deny,allowAnd "lpuser@adtest.local" is a member of the "cups-admin@adtest.local" group:
# getent group cups-admin@adtest.local cups-admin@adtest.local:*:123456789:lpuser@adtest.localHowever, entering the credentials for lpuser into the CUPS Web UI doesn't work. the system re-prompts for the credentials as if they aren't valid.
Environment
- Red Hat Enterprise Linux 7.0-7.5
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.
Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.
