Login error in CUPS when adding a printer (or other admin procedure)

Bug #1157318 reported by Óscar García Amor on 2013-03-19
This bug affects 13 people
Affects Status Importance Assigned to Milestone
cups (Ubuntu)

Bug Description

Using Raring (13.04):

When you go to http://localhost:631 to do admin tasks in cups, and enter your login details, the system keep asking the user/password in a loop.

In the cups log:
E [19/Mar/2013:18:20:10 +0100] [Client 17] pam_authenticate() returned 4 (System error)
E [19/Mar/2013:18:20:42 +0100] [Client 16] pam_authenticate() returned 4 (System error)
E [19/Mar/2013:18:20:49 +0100] [Client 15] pam_authenticate() returned 4 (System error)

In the auth log no info.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in cups (Ubuntu):
status: New → Confirmed
Frédéric Nass (nass) wrote :

Seems like the culprit is Apparmor :

root@iutm-inf-ghost2:/var/log# tail -300 /var/log/kern.log

Mar 25 16:37:46 iutm-inf-ghost2 kernel: [ 9297.515512] type=1400 audit(1364225866.005:10922911): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=17770 comm="cupsd" pid=17770 comm="cupsd" capability=29 capname="audit_write"

"aa-complain /etc/apparmor.d/usr.sbin.cupsd" helps, as a temporary workaround.


Till Kamppeter (till-kamppeter) wrote :

pitti, can you have a look into this AppArmor issue? Thanks.

Martin Pitt (pitti) wrote :
Changed in cups (Ubuntu):
status: Confirmed → Fix Committed
Steve (ynzenok) wrote :

I am also using Raring (13.04). Same issue. I had to install apparmor-utils (and 26 other extra packages) to use nass's workaround, but it worked!

Till Kamppeter (till-kamppeter) wrote :

Fix on its way in the upcoming cups 1.6.2-1ubuntu5.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups - 1.6.2-1ubuntu4

cups (1.6.2-1ubuntu4) raring; urgency=low

  * debian/local/apparmor-profile: Allow "audit_write" capability.
    (LP: #1157318).
  * debian/patches/usb-backend-epson-stylus-photo-750.patch,
    debian/patches/usb-backend-more-quirk-rules.patch: Added quirk rules for
    five additional printers: Lexmark e250d (LP: #1084164), Canon PIXMA iP6000D
    (LP: #1160638), Canon MF4150 (LP: #1160638), Brother HL-1450
    (LP: #1000253), Epson Stylus Color 670 (LP: #872483), joined the quirk rule
 -- Till Kamppeter <email address hidden> Fri, 12 Apr 2013 08:31:01 +0200

Changed in cups (Ubuntu):
status: Fix Committed → Fix Released
Leonardo Borda (lborda) wrote :

It works for me! Thanks!


berry (berryme) wrote :

I have 1.6.2-1ubuntu5. I see the changelog:
cups (1.6.2-1ubuntu5) raring; urgency=low

  * debian/patches/usb-backend-more-quirk-rules.patch: Added quirk rule for the
    QinHeng CH340S USB->Parallel adapter (LP: #1000253).

 -- Till Kamppeter <email address hidden> Mon, 15 Apr 2013 15:13:01 +0200

cups (1.6.2-1ubuntu4) raring; urgency=low

  * debian/local/apparmor-profile: Allow "audit_write" capability.
    (LP: #1157318).

I assume I have the fix but I still see app armor denied in /var/log/kern.log

Let me know your thoughts. I am trying proposed package 7 for.....


berry (berryme) wrote :

package 1.6.2-1ubuntu7 package also fails for me.
I disable apparmor_parser -R usr.sbin.cupsd and I can now log in ok.
Comparing my profile settings with installed.

Rob Hills (rhills) wrote :

I believe I have the same issue, I have package cups 1.6.2-1ubuntu5.

When I try and do any admin task via the web interface, I get:

E [15/Sep/2013:18:51:03 +0800] [Client 11] Unknown MD5 username "rob"

In my cupsd.conf file, I have the following (relevant bits only):

DefaultAuthType BasicDigest (this machine is visible on a domestic LAN only)

Require user @lpadmin (in various locations that previously had "require user @SYSTEM")

I've tried the workarounds mentioned above, but these have not fixed the problem for me.

In /var/log/kern.log, I'm seeing lots of the following:
Sep 15 18:50:25 robs-computer kernel: [ 3865.265435] type=1400 audit(1379242225.411:40): apparmor="STATUS" operation="profile_replace" name="/usr/lib/cups/backend/cups-pdf" pid=18814 comm="apparmor_parser"
Sep 15 18:50:25 robs-computer kernel: [ 3865.265732] type=1400 audit(1379242225.411:41): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/cupsd" pid=18814 comm="apparmor_parser"

Rob, note that you are using Digest authentication ("DefaultAuthType BasicDigest") this form of authentication does not use the system passwords but requires to set up its own passwords with the lppasswd command. For using system passwords you must switch to Basic authentication ("DefaultAuthType Basic"). Please do not forgrt to restart CUPS after editing cupsd.conf.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers