Login error in CUPS when adding a printer (or other admin procedure)

Status changed to 'Confirmed' because the bug affects multiple users.

Seems like the culprit is Apparmor :

root@iutm-inf-ghost2:/var/log# tail -300 /var/log/kern.log

Mar 25 16:37:46 iutm-inf-ghost2 kernel: [ 9297.515512] type=1400 audit(1364225866.005:10922911): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=17770 comm="cupsd" pid=17770 comm="cupsd" capability=29 capname="audit_write"

"aa-complain /etc/apparmor.d/usr.sbin.cupsd" helps, as a temporary workaround.

F. NASS

pitti, can you have a look into this AppArmor issue? Thanks.

http://anonscm.debian.org/gitweb/?p=pkg-cups/cups.git;a=commitdiff;h=b69db9caef

I am also using Raring (13.04). Same issue. I had to install apparmor-utils (and 26 other extra packages) to use nass's workaround, but it worked!

Fix on its way in the upcoming cups 1.6.2-1ubuntu5.

This bug was fixed in the package cups - 1.6.2-1ubuntu4

---------------
cups (1.6.2-1ubuntu4) raring; urgency=low

  * debian/local/apparmor-profile: Allow "audit_write" capability.
    (LP: #1157318).
  * debian/patches/usb-backend-epson-stylus-photo-750.patch,
    debian/patches/usb-backend-more-quirk-rules.patch: Added quirk rules for
    five additional printers: Lexmark e250d (LP: #1084164), Canon PIXMA iP6000D
    (LP: #1160638), Canon MF4150 (LP: #1160638), Brother HL-1450
    (LP: #1000253), Epson Stylus Color 670 (LP: #872483), joined the quirk rule
    patches.
 -- Till Kamppeter <email address hidden> Fri, 12 Apr 2013 08:31:01 +0200

It works for me! Thanks!

Leo

I have 1.6.2-1ubuntu5. I see the changelog:
cups (1.6.2-1ubuntu5) raring; urgency=low

  * debian/patches/usb-backend-more-quirk-rules.patch: Added quirk rule for the
    QinHeng CH340S USB->Parallel adapter (LP: #1000253).

 -- Till Kamppeter <email address hidden> Mon, 15 Apr 2013 15:13:01 +0200

cups (1.6.2-1ubuntu4) raring; urgency=low

  * debian/local/apparmor-profile: Allow "audit_write" capability.
    (LP: #1157318).

I assume I have the fix but I still see app armor denied in /var/log/kern.log

Let me know your thoughts. I am trying proposed package 7 for.....

Regards
Matt

package 1.6.2-1ubuntu7 package also fails for me.
I disable apparmor_parser -R usr.sbin.cupsd and I can now log in ok.
Comparing my profile settings with installed.

I believe I have the same issue, I have package cups 1.6.2-1ubuntu5.

When I try and do any admin task via the web interface, I get:

E [15/Sep/2013:18:51:03 +0800] [Client 11] Unknown MD5 username "rob"

In my cupsd.conf file, I have the following (relevant bits only):

DefaultAuthType BasicDigest (this machine is visible on a domestic LAN only)

Require user @lpadmin (in various locations that previously had "require user @SYSTEM")

I've tried the workarounds mentioned above, but these have not fixed the problem for me.

In /var/log/kern.log, I'm seeing lots of the following:
Sep 15 18:50:25 robs-computer kernel: [ 3865.265435] type=1400 audit(1379242225.411:40): apparmor="STATUS" operation="profile_replace" name="/usr/lib/cups/backend/cups-pdf" pid=18814 comm="apparmor_parser"
Sep 15 18:50:25 robs-computer kernel: [ 3865.265732] type=1400 audit(1379242225.411:41): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/cupsd" pid=18814 comm="apparmor_parser"

Rob, note that you are using Digest authentication ("DefaultAuthType BasicDigest") this form of authentication does not use the system passwords but requires to set up its own passwords with the lppasswd command. For using system passwords you must switch to Basic authentication ("DefaultAuthType Basic"). Please do not forgrt to restart CUPS after editing cupsd.conf.