Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
CUPS permissions
821 views
Skip to first unread message
Peter Ehlert
Aug 25, 2021, 8:50:04 AM8/25/21
to
CUPS permissions
when I go to http://localhost:631/admin the dashboard is displayed as
expected.
Manage Printers does display my MFCL3770CDW and I am (apparently) able
to manage and edit the settings.
however
Add Printer gives> Unable to add printer: Forbidden
is this normal behavior? I do want to add another printer
when I go to http://localhost:631/admin the dashboard is displayed as
expected.
Manage Printers does display my MFCL3770CDW and I am (apparently) able
to manage and edit the settings.
however
Add Printer gives> Unable to add printer: Forbidden
is this normal behavior? I do want to add another printer
Henning Follmann
Aug 25, 2021, 12:30:04 PM8/25/21
to
you should get a login dialog.
What works here depends. In most settings root/root-password will work.
-H
--
Henning Follmann | hfol...@itcfollmann.com
Peter Ehlert
Aug 25, 2021, 2:50:05 PM8/25/21
to
On 8/25/21 9:27 AM, Henning Follmann wrote:
> On Wed, Aug 25, 2021 at 05:40:36AM -0700, Peter Ehlert wrote:
>> CUPS permissions
>>
>> when I go to http://localhost:631/admin the dashboard is displayed as
>> expected.
>>
>> Manage Printers does display my MFCL3770CDW and I am (apparently) able to
>> manage and edit the settings.
>>
>> however
>> Add Printer gives> Unable to add printer: Forbidden
>>
>> is this normal behavior? I do want to add another printer
>>
> Yes, that is normal.
> you should get a login dialog.
It does not ask for a root password, it goes straight to "forbidden"
> What works here depends. In most settings root/root-password will work.
>
> -H
>
Greg Wooledge
Aug 25, 2021, 3:20:04 PM8/25/21
to
On Wed, Aug 25, 2021 at 11:47:33AM -0700, Peter Ehlert wrote:
>
> On 8/25/21 9:27 AM, Henning Follmann wrote:
> > On Wed, Aug 25, 2021 at 05:40:36AM -0700, Peter Ehlert wrote:
> > > CUPS permissions
> > >
> > > when I go to http://localhost:631/admin the dashboard is displayed as
> > > expected.
> > >
> > > Manage Printers does display my MFCL3770CDW and I am (apparently) able to
> > > manage and edit the settings.
> > >
> > > however
> > > Add Printer gives> Unable to add printer: Forbidden
> > >
> > > is this normal behavior? I do want to add another printer
> > >
> > Yes, that is normal.
> > you should get a login dialog.
> oops, I forgot this part:
>
> It does not ask for a root password, it goes straight to "forbidden"
I'm guessing you entered the "wrong" username earlier, and now your
>
> On 8/25/21 9:27 AM, Henning Follmann wrote:
> > On Wed, Aug 25, 2021 at 05:40:36AM -0700, Peter Ehlert wrote:
> > > CUPS permissions
> > >
> > > when I go to http://localhost:631/admin the dashboard is displayed as
> > > expected.
> > >
> > > Manage Printers does display my MFCL3770CDW and I am (apparently) able to
> > > manage and edit the settings.
> > >
> > > however
> > > Add Printer gives> Unable to add printer: Forbidden
> > >
> > > is this normal behavior? I do want to add another printer
> > >
> > Yes, that is normal.
> > you should get a login dialog.
> oops, I forgot this part:
>
> It does not ask for a root password, it goes straight to "forbidden"
browser is remembering it and isn't giving you the option to change it.
https://superuser.com/questions/596225/entered-wrong-username-at-cups-and-now-i-cant-manage-printers
Some people report restarting the browser is enough. Some claim they
have to reboot. Who knows.
Keith Bainbridge
Aug 25, 2021, 7:40:04 PM8/25/21
to
--
All the best
Keith Bainbridge
keith.bain...@gmail.com
0447 667 468
Peter Ehlert
Aug 26, 2021, 8:10:04 AM8/26/21
to
I got the login dialog box
after login as (user)
Add Printer gives> Unable to add printer: Forbidden
back to square one
Brian
Aug 26, 2021, 8:10:05 AM8/26/21
to
On Thu 26 Aug 2021 at 09:16:31 +1000, Keith Bainbridge wrote:
> On 25/8/21 22:40, Peter Ehlert wrote:
> > CUPS permissions
> >
> > when I go to http://localhost:631/admin the dashboard is displayed as
> > expected.
> >
> > Manage Printers does display my MFCL3770CDW and I am (apparently) able
> > to manage and edit the settings.
> >
> > however
> > Add Printer gives> Unable to add printer: Forbidden
> >
> > is this normal behavior? I do want to add another printer
> >
>
> Have you (username) joined lpadmin (group)?
It would be useful to have the outputs of
> On 25/8/21 22:40, Peter Ehlert wrote:
> > CUPS permissions
> >
> > when I go to http://localhost:631/admin the dashboard is displayed as
> > expected.
> >
> > Manage Printers does display my MFCL3770CDW and I am (apparently) able
> > to manage and edit the settings.
> >
> > however
> > Add Printer gives> Unable to add printer: Forbidden
> >
> > is this normal behavior? I do want to add another printer
> >
>
> Have you (username) joined lpadmin (group)?
groups
and
grep SystemGroup /etc/cups/cups-files.conf
from the OP.
--
Brian.
Tixy
Aug 26, 2021, 8:30:05 AM8/26/21
to
On Thu, 2021-08-26 at 04:59 -0700, Peter Ehlert wrote:
[...]
any plugins that might might block that do you? E.g. I needed noscript
set to enable scripts on localhost. Also, I don't know if Firefox's
'Block pop-up windows' setting may affect things.
--
Tixy
[...]
>
> thanks. restarting firefox worked.
> I got the login dialog box
>
> after login as (user)
> Add Printer gives> Unable to add printer: Forbidden
>
> back to square one
>
I think the authentication dialog box uses javascript, you don't have
> thanks. restarting firefox worked.
> I got the login dialog box
>
> after login as (user)
> Add Printer gives> Unable to add printer: Forbidden
>
> back to square one
>
any plugins that might might block that do you? E.g. I needed noscript
set to enable scripts on localhost. Also, I don't know if Firefox's
'Block pop-up windows' setting may affect things.
--
Tixy
Eduardo M KALINOWSKI
Aug 26, 2021, 8:40:05 AM8/26/21
to
On 26/08/2021 08:59, Peter Ehlert wrote:
> thanks. restarting firefox worked.
> I got the login dialog box
>
> after login as (user)
> Add Printer gives> Unable to add printer: Forbidden
>
> back to square one
Users don't ordinarily have permission to add printers, you should login
> thanks. restarting firefox worked.
> I got the login dialog box
>
> after login as (user)
> Add Printer gives> Unable to add printer: Forbidden
>
> back to square one
as root.
It's possible to grant this permission to users, but you'll have to look
it up how this is done.
--
Alive without breath,
As cold as death;
Never thirsty, ever drinking,
All in mail never clinking.
Eduardo M KALINOWSKI
edu...@kalinowski.com.br
Brian
Aug 26, 2021, 8:40:05 AM8/26/21
to
On Thu 26 Aug 2021 at 13:23:58 +0100, mick crane wrote:
> I've got a print server working but I've forgotten how.
> added a new printer a year or so ago.
> Might have been lpadmin or something.
> I do know always have to reboot after making changes.
Rebooting after adding a printer is *never* needed.
--
Brian.
> added a new printer a year or so ago.
> Might have been lpadmin or something.
> I do know always have to reboot after making changes.
Rebooting after adding a printer is *never* needed.
--
Brian.
Charles Curley
Aug 26, 2021, 8:50:05 AM8/26/21
to
On Thu, 26 Aug 2021 04:59:42 -0700
Peter Ehlert <pb...@sdi-baja.com> wrote:
> thanks. restarting firefox worked.
> I got the login dialog box
>
> after login as (user)
> Add Printer gives> Unable to add printer: Forbidden
>
> back to square one
Try logging in as root.
Peter Ehlert <pb...@sdi-baja.com> wrote:
> thanks. restarting firefox worked.
> I got the login dialog box
>
> after login as (user)
> Add Printer gives> Unable to add printer: Forbidden
>
> back to square one
--
Does anybody read signatures any more?
https://charlescurley.com
https://charlescurley.com/blog/
Greg Wooledge
Aug 26, 2021, 9:00:05 AM8/26/21
to
I suspect there's some *really* basic misunderstanding going on at some
level. Let's start from the beginning.
In order to administer a printer in CUPS, you do the following things:
1) Make sure the root account has a PASSWORD. Make sure you know it.
Access to sudo doesn't count.
2) Install cups.
3) Visit http://localhost:631/ in a GUI web browser. Make sure Javascript
is allowed.
4) At some point, when you try to do stuff to the printers in the browser,
you will be prompted for a username and password, using HTTP basic
authentication. When this occurs, you should login as root, using
root's password.
5) If you screwed up and logged in as yourself, restart the web browser
so that you can get the HTTP basic authentication dialog box again. Go
to step 4.
6) Once the printer is set up via the browser, you should be able to see
it and print to it from the command line. "lpstat -t" to see all of
the printers and their status. "lp" or "lpr" to print a text file.
Any variants on this procedure will require knowledge that I don't
personally possess. E.g. if for some reason you refuse to set a root
password, then you may have to set up a printer-admin account which
has the appropriate privileges, and a password, and then use that
instead of root. I don't know what those privs would be.
Peter Ehlert
Aug 26, 2021, 9:20:06 AM8/26/21
to
On 8/26/21 5:07 AM, Brian wrote:
> On Thu 26 Aug 2021 at 09:16:31 +1000, Keith Bainbridge wrote:
>
>> On 25/8/21 22:40, Peter Ehlert wrote:
>>> CUPS permissions
>>>
>>> when I go to http://localhost:631/admin the dashboard is displayed as
>>> expected.
>>>
>>> Manage Printers does display my MFCL3770CDW and I am (apparently) able
>>> to manage and edit the settings.
>>>
>>> however
>>> Add Printer gives> Unable to add printer: Forbidden
>>>
>>> is this normal behavior? I do want to add another printer
>>>
>> Have you (username) joined lpadmin (group)?
> It would be useful to have the outputs of
>
> groups
peter cdrom floppy audio dip video plugdev netdev
>
> and
>
> grep SystemGroup /etc/cups/cups-files.conf
$ grep SystemGroup /etc/cups/cups-files.conf
SystemGroup lpadmin
>
> from the OP.
>
Brian
Aug 26, 2021, 10:50:04 AM8/26/21
to
On Thu 26 Aug 2021 at 06:18:21 -0700, Peter Ehlert wrote:
[...]
[...]
> > It would be useful to have the outputs of
> >
> > groups
> $ groups
> peter cdrom floppy audio dip video plugdev netdev
> >
> > and
> >
> > grep SystemGroup /etc/cups/cups-files.conf
> $ grep SystemGroup /etc/cups/cups-files.conf
> SystemGroup lpadmin
> >
> > from the OP.
Follow Keith Bainbridge's advice and add your user to the lpadmin
> >
> > groups
> $ groups
> peter cdrom floppy audio dip video plugdev netdev
> >
> > and
> >
> > grep SystemGroup /etc/cups/cups-files.conf
> $ grep SystemGroup /etc/cups/cups-files.conf
> SystemGroup lpadmin
> >
> > from the OP.
group. Edit /etc/group and /etc/group- to do this. I would use 'vigr'
and 'vigr -s'.
--
Brian.
Greg Wooledge
Aug 26, 2021, 11:00:04 AM8/26/21
to
and shouldn't be edited. You might be thinking of /etc/gshadow, which
has something to do with group passwords, which are a thing I have *never*
dealt with in my entire life.
Brian
Aug 26, 2021, 11:20:04 AM8/26/21
to
On Thu 26 Aug 2021 at 08:53:19 -0400, Greg Wooledge wrote:
[...]
> I suspect there's some *really* basic misunderstanding going on at some
> level. Let's start from the beginning.
>
> In order to administer a printer in CUPS, you do the following things:
>
>
> 1) Make sure the root account has a PASSWORD. Make sure you know it.
> Access to sudo doesn't count.
I have no experience of using sudo for the task in hand. Ubuntu uses
it by default but also puts the first user in the lpadmin group. Issues
with this seem to be almost non-existent.
> 2) Install cups.
>
> 3) Visit http://localhost:631/ in a GUI web browser. Make sure Javascript
> is allowed.
Mmm. I invariabely use Lynx without a problem to access the CUPS web
interface and install a printer. Lynx doen't support Javascript.
> 4) At some point, when you try to do stuff to the printers in the browser,
> you will be prompted for a username and password, using HTTP basic
> authentication. When this occurs, you should login as root, using
> root's password.
Being asked for a username and password and logging in as root is my
experience too.
> 5) If you screwed up and logged in as yourself, restart the web browser
> so that you can get the HTTP basic authentication dialog box again. Go
> to step 4.
I do not think CUPS allows logging in as a user unless that user is a
member of the lpadmin group. FWIW, my opinion is that "Unable to add
printer: Forbidden" is a conswquence of not being in that group.
> 6) Once the printer is set up via the browser, you should be able to see
> it and print to it from the command line. "lpstat -t" to see all of
> the printers and their status. "lp" or "lpr" to print a text file.
Agreed.
--
Brian.
[...]
> I suspect there's some *really* basic misunderstanding going on at some
> level. Let's start from the beginning.
>
> In order to administer a printer in CUPS, you do the following things:
>
>
> 1) Make sure the root account has a PASSWORD. Make sure you know it.
> Access to sudo doesn't count.
it by default but also puts the first user in the lpadmin group. Issues
with this seem to be almost non-existent.
> 2) Install cups.
>
> 3) Visit http://localhost:631/ in a GUI web browser. Make sure Javascript
> is allowed.
interface and install a printer. Lynx doen't support Javascript.
> 4) At some point, when you try to do stuff to the printers in the browser,
> you will be prompted for a username and password, using HTTP basic
> authentication. When this occurs, you should login as root, using
> root's password.
experience too.
> 5) If you screwed up and logged in as yourself, restart the web browser
> so that you can get the HTTP basic authentication dialog box again. Go
> to step 4.
member of the lpadmin group. FWIW, my opinion is that "Unable to add
printer: Forbidden" is a conswquence of not being in that group.
> 6) Once the printer is set up via the browser, you should be able to see
> it and print to it from the command line. "lpstat -t" to see all of
> the printers and their status. "lp" or "lpr" to print a text file.
--
Brian.
Brian
Aug 26, 2021, 11:30:04 AM8/26/21
to
check the name of the file 'vigr -s' opens. The OP may not want to
us vigr, so it is important to have the correct file names (/etc/group
and /etc/gshadow).
--
Brian.
Brian
Aug 26, 2021, 11:30:04 AM8/26/21
to
On Thu 26 Aug 2021 at 10:56:55 -0400, Greg Wooledge wrote:
log back in.
--
Brian.
Greg Wooledge
Aug 26, 2021, 11:40:04 AM8/26/21
to
Does the CUPS daemon connect to some already-running process of the
user that you log into the web agent with? Does that mean you have to
run the web browser *as* the user you plan to use for printer admin, not
just log into the CUPS web agent with that user?
That doesn't sound right, given the fact that you can log into the web
agent as "root" without logging into Linux as root, or running the web
browser as root.
Given the above, I'd expect that the web agent spawns a brand new process
as root, and then inside of that, it drops privileges down to the user
that you specified.
Unless "root" is a special hard-coded exception somehow...?
Andrew M.A. Cater
Aug 26, 2021, 12:50:05 PM8/26/21
to
On Thu, Aug 26, 2021 at 11:31:30AM -0400, Greg Wooledge wrote:
> On Thu, Aug 26, 2021 at 04:25:54PM +0100, Brian wrote:
> > On Thu 26 Aug 2021 at 10:56:55 -0400, Greg Wooledge wrote:
> >
> > > On Thu, Aug 26, 2021 at 03:49:23PM +0100, Brian wrote:
> > > > On Thu 26 Aug 2021 at 06:18:21 -0700, Peter Ehlert wrote:
> > > >
> > > > [...]
> > > >
> > > > > > It would be useful to have the outputs of
> > > > > >
> > > > > > groups
> > > > > $ groups
> > > > > peter cdrom floppy audio dip video plugdev netdev
> > > > > >
> > > > > > and
> > > > > >
> > > > > > grep SystemGroup /etc/cups/cups-files.conf
> > > > > $ grep SystemGroup /etc/cups/cups-files.conf
> > > > > SystemGroup lpadmin
> > > > > >
> > > > > > from the OP.
> > > >
> > > > Follow Keith Bainbridge's advice and add your user to the lpadmin
> > > > group. Edit /etc/group and /etc/group- to do this. I would use 'vigr'
> > > > and 'vigr -s'.
> > >
> > > Near as I can tell, /etc/group- is simply a backup copy of /etc/group
> > > and shouldn't be edited. You might be thinking of /etc/gshadow, which
> > > has something to do with group passwords, which are a thing I have *never*
> > > dealt with in my entire life.
> >
> > I also forgot: after carrying out the corrected procedure, log out and
> > log back in.
_DON'T_ edit groups / shadow password files by hand unless really, absolutely
> On Thu, Aug 26, 2021 at 04:25:54PM +0100, Brian wrote:
> > On Thu 26 Aug 2021 at 10:56:55 -0400, Greg Wooledge wrote:
> >
> > > On Thu, Aug 26, 2021 at 03:49:23PM +0100, Brian wrote:
> > > > On Thu 26 Aug 2021 at 06:18:21 -0700, Peter Ehlert wrote:
> > > >
> > > > [...]
> > > >
> > > > > > It would be useful to have the outputs of
> > > > > >
> > > > > > groups
> > > > > $ groups
> > > > > peter cdrom floppy audio dip video plugdev netdev
> > > > > >
> > > > > > and
> > > > > >
> > > > > > grep SystemGroup /etc/cups/cups-files.conf
> > > > > $ grep SystemGroup /etc/cups/cups-files.conf
> > > > > SystemGroup lpadmin
> > > > > >
> > > > > > from the OP.
> > > >
> > > > Follow Keith Bainbridge's advice and add your user to the lpadmin
> > > > group. Edit /etc/group and /etc/group- to do this. I would use 'vigr'
> > > > and 'vigr -s'.
> > >
> > > Near as I can tell, /etc/group- is simply a backup copy of /etc/group
> > > and shouldn't be edited. You might be thinking of /etc/gshadow, which
> > > has something to do with group passwords, which are a thing I have *never*
> > > dealt with in my entire life.
> >
> > I also forgot: after carrying out the corrected procedure, log out and
> > log back in.
necessary - the potential for mistakes is too high.
adduser [username] lpadmin as root/root equivalent using sudo is all that's
needed.
You don't need to reboot to do this: but you might need to log out/log back
in to pick up the added/changed groups for the user.
>
> This is the part that I don't quite understand. How does that matter?
> Does the CUPS daemon connect to some already-running process of the
> user that you log into the web agent with? Does that mean you have to
> run the web browser *as* the user you plan to use for printer admin, not
> just log into the CUPS web agent with that user?
>
> That doesn't sound right, given the fact that you can log into the web
> agent as "root" without logging into Linux as root, or running the web
> browser as root.
>
> Given the above, I'd expect that the web agent spawns a brand new process
> as root, and then inside of that, it drops privileges down to the user
> that you specified.
>
> Unless "root" is a special hard-coded exception somehow...?
>
All best, as ever,
> This is the part that I don't quite understand. How does that matter?
> Does the CUPS daemon connect to some already-running process of the
> user that you log into the web agent with? Does that mean you have to
> run the web browser *as* the user you plan to use for printer admin, not
> just log into the CUPS web agent with that user?
>
> That doesn't sound right, given the fact that you can log into the web
> agent as "root" without logging into Linux as root, or running the web
> browser as root.
>
> Given the above, I'd expect that the web agent spawns a brand new process
> as root, and then inside of that, it drops privileges down to the user
> that you specified.
>
> Unless "root" is a special hard-coded exception somehow...?
>
Andy Cater
Brian
Aug 26, 2021, 1:30:05 PM8/26/21
to
On Thu 26 Aug 2021 at 11:31:30 -0400, Greg Wooledge wrote:
> On Thu, Aug 26, 2021 at 04:25:54PM +0100, Brian wrote:
[...]
> On Thu, Aug 26, 2021 at 04:25:54PM +0100, Brian wrote:
> > I also forgot: after carrying out the corrected procedure, log out and
> > log back in.
>
> This is the part that I don't quite understand. How does that matter?
consult it.
> Does the CUPS daemon connect to some already-running process of the
> user that you log into the web agent with? Does that mean you have to
> run the web browser *as* the user you plan to use for printer admin, not
> just log into the CUPS web agent with that user?
>
> That doesn't sound right, given the fact that you can log into the web
> agent as "root" without logging into Linux as root, or running the web
> browser as root.
>
> Given the above, I'd expect that the web agent spawns a brand new process
> as root, and then inside of that, it drops privileges down to the user
> that you specified.
>
> Unless "root" is a special hard-coded exception somehow...?
1. Administration operations in CUPS require an administrator to
authenticate.
2. An administrator is either the root user or a member of the
lpadmin group. The group is distro-specific.
3. Either of the two previous users have to be authorised by
username/password when the web interface is used. This is not
the case for lpadmin use.
4. The browser is run as the user. Authentication to CUPS is a
separate issue.
5. pam comes into this somewhere, but I give up at that point.
--
Brian.
to...@tuxteam.de
Aug 26, 2021, 2:20:04 PM8/26/21
to
On Thu, Aug 26, 2021 at 06:24:01PM +0100, Brian wrote:
> On Thu 26 Aug 2021 at 11:31:30 -0400, Greg Wooledge wrote:
>
> > On Thu, Aug 26, 2021 at 04:25:54PM +0100, Brian wrote:
>
> [...]
>
> > > I also forgot: after carrying out the corrected procedure, log out and
> > > log back in.
> >
> > This is the part that I don't quite understand. How does that matter?
>
> The system needs to be updated on the groups the user is in. CUPS will
> consult it.
there is also newgrp(1), that might do it (I haven't tried it explicitly).
> On Thu 26 Aug 2021 at 11:31:30 -0400, Greg Wooledge wrote:
>
> > On Thu, Aug 26, 2021 at 04:25:54PM +0100, Brian wrote:
>
> [...]
>
> > > I also forgot: after carrying out the corrected procedure, log out and
> > > log back in.
> >
> > This is the part that I don't quite understand. How does that matter?
>
> The system needs to be updated on the groups the user is in. CUPS will
> consult it.
Cheers
- t
Greg Wooledge
Aug 26, 2021, 2:30:05 PM8/26/21
to
Why would opening a shell with a new set of group privileges inside your
interactive session change how a daemonized CUPS web agent acts?
Logging out and back in is necessary for ensuring that your interactive
shells, your word processors, your web browsers, and so forth, are running
with your newly acquired privileges. But we're not running printer
administration commands from the shell here, so our shell doesn't actually
need these privileges, as far as I can see.
(If you were in fact going to try disabling/enabling/adding printers
from the shell, then yeah. Logging out and back in, or running
"exec su - $LOGNAME" or an equivalent command in one of your shells, would
be a good starting point.)
to...@tuxteam.de
Aug 26, 2021, 3:00:05 PM8/26/21
to
On Thu, Aug 26, 2021 at 02:26:54PM -0400, Greg Wooledge wrote:
> On Thu, Aug 26, 2021 at 08:16:23PM +0200, to...@tuxteam.de wrote:
> > On Thu, Aug 26, 2021 at 06:24:01PM +0100, Brian wrote:
> > > On Thu 26 Aug 2021 at 11:31:30 -0400, Greg Wooledge wrote:
> > >
> > > > On Thu, Aug 26, 2021 at 04:25:54PM +0100, Brian wrote:
> > >
> > > [...]
> > >
> > > > > I also forgot: after carrying out the corrected procedure, log out and
> > > > > log back in.
> > > >
> > > > This is the part that I don't quite understand. How does that matter?
> > >
> > > The system needs to be updated on the groups the user is in. CUPS will
> > > consult it.
> >
> > there is also newgrp(1), that might do it (I haven't tried it explicitly).
>
> Do what? What's "it"?
>
> Why would opening a shell with a new set of group privileges inside your
> interactive session change how a daemonized CUPS web agent acts?
I haven't looked into it. I don't even want to know how the client
> On Thu, Aug 26, 2021 at 08:16:23PM +0200, to...@tuxteam.de wrote:
> > On Thu, Aug 26, 2021 at 06:24:01PM +0100, Brian wrote:
> > > On Thu 26 Aug 2021 at 11:31:30 -0400, Greg Wooledge wrote:
> > >
> > > > On Thu, Aug 26, 2021 at 04:25:54PM +0100, Brian wrote:
> > >
> > > [...]
> > >
> > > > > I also forgot: after carrying out the corrected procedure, log out and
> > > > > log back in.
> > > >
> > > > This is the part that I don't quite understand. How does that matter?
> > >
> > > The system needs to be updated on the groups the user is in. CUPS will
> > > consult it.
> >
> > there is also newgrp(1), that might do it (I haven't tried it explicitly).
>
> Do what? What's "it"?
>
> Why would opening a shell with a new set of group privileges inside your
> interactive session change how a daemonized CUPS web agent acts?
passes the creds to the server (if at all) [1]. It seems (is it
confirmed?) that belonging to some group (lpadmin?) does the trick.
> Logging out and back in is necessary for ensuring that your interactive
> shells, your word processors, your web browsers, and so forth, are running
That's the part I was proposing newgrp might "do", instead of logging
in anew.
Cheers
[1] I fear I'd get some depression if it is like that and I
find out ;-)
- t
Brian
Aug 26, 2021, 3:00:05 PM8/26/21
to
On Thu 26 Aug 2021 at 16:48:14 +0000, Andrew M.A. Cater wrote:
[...]
> _DON'T_ edit groups / shadow password files by hand unless really, absolutely
> necessary - the potential for mistakes is too high.
I suppose finding the line with lpadmin in it and editing it is prone
to mistakes. Heaven help us! vigr is (or was) the recommended utility
to use. It comes in the required package, passwd
> adduser [username] lpadmin as root/root equivalent using sudo is all that's
> needed.
That give the OP another technique.
> You don't need to reboot to do this: but you might need to log out/log back
> in to pick up the added/changed groups for the user.
log out/log back is *definitely* necessary. Not "might need to...".
--
Brian.
[...]
> _DON'T_ edit groups / shadow password files by hand unless really, absolutely
> necessary - the potential for mistakes is too high.
to mistakes. Heaven help us! vigr is (or was) the recommended utility
to use. It comes in the required package, passwd
> adduser [username] lpadmin as root/root equivalent using sudo is all that's
> needed.
> You don't need to reboot to do this: but you might need to log out/log back
> in to pick up the added/changed groups for the user.
--
Brian.
Peter Ehlert
Aug 28, 2021, 10:20:04 AM8/28/21
to
On 8/26/21 5:53 AM, Greg Wooledge wrote:
On Thu, Aug 26, 2021 at 01:37:49PM +0100, Brian wrote:
On Thu 26 Aug 2021 at 13:23:58 +0100, mick crane wrote:Agreed.
On 2021-08-26 12:59, Peter Ehlert wrote:Rebooting after adding a printer is *never* needed.
On 8/25/21 12:11 PM, Greg Wooledge wrote:I've got a print server working but I've forgotten how.
Some people report restarting the browser is enough. Some claim theythanks. restarting firefox worked.
have to reboot. Who knows.
I got the login dialog box
after login as (user)
Add Printer gives> Unable to add printer: Forbidden
back to square one
added a new printer a year or so ago.
Might have been lpadmin or something.
I do know always have to reboot after making changes.
I suspect there's some *really* basic misunderstanding going on at some
level. Let's start from the beginning.
Thanks for this list of basics. I am now beginning to understand.
In order to administer a printer in CUPS, you do the following things:
1) Make sure the root account has a PASSWORD. Make sure you know it.
Access to sudo doesn't count.
I never use sudo, no users get sudo privileges on any of my
machines.
* cups was not installed by default. The Brother installer did flag that first off, easily corrected
2) Install cups.
3) Visit http://localhost:631/ in a GUI web browser. Make sure Javascript
is allowed.
4) At some point, when you try to do stuff to the printers in the browser,
you will be prompted for a username and password, using HTTP basic
authentication. When this occurs, you should login as root, using
root's password.
BINGO: I was not using root
5) If you screwed up and logged in as yourself, restart the web browser
so that you can get the HTTP basic authentication dialog box again. Go
to step 4.
6) Once the printer is set up via the browser, you should be able to see
it and print to it from the command line. "lpstat -t" to see all of
the printers and their status. "lp" or "lpr" to print a text file.
$ lpstat -t
scheduler is running
no system default destination
device for MFCL3770CDW: dnssd://Brother%20MFC-L3770CDW%20series._ipp._tcp.local/?uuid=e3248000-80ce-11db-8000-b4220033103b
MFCL3770CDW accepting requests since Sun 22 Aug 2021 05:44:11 AM PDT
printer MFCL3770CDW is idle. enabled since Sun 22 Aug 2021 05:44:11 AM PDT
scheduler is running
no system default destination
device for MFCL3770CDW: dnssd://Brother%20MFC-L3770CDW%20series._ipp._tcp.local/?uuid=e3248000-80ce-11db-8000-b4220033103b
MFCL3770CDW accepting requests since Sun 22 Aug 2021 05:44:11 AM PDT
printer MFCL3770CDW is idle. enabled since Sun 22 Aug 2021 05:44:11 AM PDT
Any variants on this procedure will require knowledge that I don't
personally possess. E.g. if for some reason you refuse to set a root
password, then you may have to set up a printer-admin account which
has the appropriate privileges, and a password, and then use that
instead of root. I don't know what those privs would be.
Summary:
I removed my browser cookie for "localhost"
restarted the browser
when CUPS requested a password I used "root"
I am now able to add printers and edit all options
Thanks to all for the assistance and Education
I removed my browser cookie for "localhost"
restarted the browser
when CUPS requested a password I used "root"
I am now able to add printers and edit all options
Thanks to all for the assistance and Education
Peter Ehlert
Aug 28, 2021, 10:40:05 AM8/28/21
to
On 8/26/21 5:53 AM, Greg Wooledge wrote:
> On Thu, Aug 26, 2021 at 01:37:49PM +0100, Brian wrote:
>> On Thu 26 Aug 2021 at 13:23:58 +0100, mick crane wrote:
>>
>>> On 2021-08-26 12:59, Peter Ehlert wrote:
>>>> On 8/25/21 12:11 PM, Greg Wooledge wrote:
>>>>> Some people report restarting the browser is enough. Some claim they
>>>>> have to reboot. Who knows.
>>>>>
>>>> thanks. restarting firefox worked.
>>>> I got the login dialog box
>>>>
>>>> after login as (user)
>>>> Add Printer gives> Unable to add printer: Forbidden
>>>>
>>>> back to square one
>>> I've got a print server working but I've forgotten how.
>>> added a new printer a year or so ago.
>>> Might have been lpadmin or something.
>>> I do know always have to reboot after making changes.
>> Rebooting after adding a printer is *never* needed.
> Agreed.
>
> I suspect there's some *really* basic misunderstanding going on at some
> level. Let's start from the beginning.
>> On Thu 26 Aug 2021 at 13:23:58 +0100, mick crane wrote:
>>
>>> On 2021-08-26 12:59, Peter Ehlert wrote:
>>>> On 8/25/21 12:11 PM, Greg Wooledge wrote:
>>>>> Some people report restarting the browser is enough. Some claim they
>>>>> have to reboot. Who knows.
>>>>>
>>>> thanks. restarting firefox worked.
>>>> I got the login dialog box
>>>>
>>>> after login as (user)
>>>> Add Printer gives> Unable to add printer: Forbidden
>>>>
>>>> back to square one
>>> I've got a print server working but I've forgotten how.
>>> added a new printer a year or so ago.
>>> Might have been lpadmin or something.
>>> I do know always have to reboot after making changes.
>> Rebooting after adding a printer is *never* needed.
> Agreed.
>
> I suspect there's some *really* basic misunderstanding going on at some
> level. Let's start from the beginning.
Thanks for this list of basics. I am now beginning to understand.
>
>
> In order to administer a printer in CUPS, you do the following things:
>
>
> 1) Make sure the root account has a PASSWORD. Make sure you know it.
> Access to sudo doesn't count.
>
>
> 1) Make sure the root account has a PASSWORD. Make sure you know it.
> Access to sudo doesn't count.
I never use sudo, no users get sudo privileges on any of my machines.
>
> 2) Install cups.
* cups was not installed by default. The Brother installer did flag that
first off, easily corrected
>
>
> 2) Install cups.
* cups was not installed by default. The Brother installer did flag that
first off, easily corrected
>
> 3) Visit http://localhost:631/ in a GUI web browser. Make sure Javascript
> is allowed.
>
> 4) At some point, when you try to do stuff to the printers in the browser,
> you will be prompted for a username and password, using HTTP basic
> authentication. When this occurs, you should login as root, using
> root's password.
> is allowed.
>
> 4) At some point, when you try to do stuff to the printers in the browser,
> you will be prompted for a username and password, using HTTP basic
> authentication. When this occurs, you should login as root, using
> root's password.
BINGO: I was not using root
>
>
> 5) If you screwed up and logged in as yourself, restart the web browser
> so that you can get the HTTP basic authentication dialog box again. Go
> to step 4.
>
> 6) Once the printer is set up via the browser, you should be able to see
> it and print to it from the command line. "lpstat -t" to see all of
> the printers and their status. "lp" or "lpr" to print a text file.
> so that you can get the HTTP basic authentication dialog box again. Go
> to step 4.
>
> 6) Once the printer is set up via the browser, you should be able to see
> it and print to it from the command line. "lpstat -t" to see all of
> the printers and their status. "lp" or "lpr" to print a text file.
$ lpstat -t
scheduler is running
no system default destination
device for MFCL3770CDW:
dnssd://Brother%20MFC-L3770CDW%20series._ipp._tcp.local/?uuid=e3248000-80ce-11db-8000-b4220033103b
MFCL3770CDW accepting requests since Sun 22 Aug 2021 05:44:11 AM PDT
printer MFCL3770CDW is idle. enabled since Sun 22 Aug 2021 05:44:11 AM PDT
>
scheduler is running
no system default destination
device for MFCL3770CDW:
dnssd://Brother%20MFC-L3770CDW%20series._ipp._tcp.local/?uuid=e3248000-80ce-11db-8000-b4220033103b
MFCL3770CDW accepting requests since Sun 22 Aug 2021 05:44:11 AM PDT
printer MFCL3770CDW is idle. enabled since Sun 22 Aug 2021 05:44:11 AM PDT
>
> Any variants on this procedure will require knowledge that I don't
> personally possess. E.g. if for some reason you refuse to set a root
> password, then you may have to set up a printer-admin account which
> has the appropriate privileges, and a password, and then use that
> instead of root. I don't know what those privs would be.
>
> personally possess. E.g. if for some reason you refuse to set a root
> password, then you may have to set up a printer-admin account which
> has the appropriate privileges, and a password, and then use that
> instead of root. I don't know what those privs would be.
>
Greg Wooledge
Aug 28, 2021, 3:40:05 PM8/28/21
to
On Sat, Aug 28, 2021 at 08:31:56PM +0100, Brian wrote:
> Nobody should be logging into the web interface as root.
As far as "nobody should...", I don't see the harm. It's not like the
password is going over a network cable (or wireless EM). It's just
loopback.
Also note the official instructions from the CUPS web site:
http://www.cups.org/doc/overview.html
When you are asked for a username and password, enter your login
username and password or the "root" username and password. On macOS®,
the login username (or "short name") is typically your first and last
name in lowercase.
Conveniently, there are no useful instructions on this page that tell
you how to arrange it so that your regular username and password will
work. That only leaves "root".
Then again, there are no useful instructions on this page about how
to actually *get to* the web interface. You have to find that on your
own.
There's truly a lot to be desired about this documentation.
> Nobody should be logging into the web interface as root.
As far as "nobody should...", I don't see the harm. It's not like the
password is going over a network cable (or wireless EM). It's just
loopback.
Also note the official instructions from the CUPS web site:
http://www.cups.org/doc/overview.html
When you are asked for a username and password, enter your login
username and password or the "root" username and password. On macOS®,
the login username (or "short name") is typically your first and last
name in lowercase.
Conveniently, there are no useful instructions on this page that tell
you how to arrange it so that your regular username and password will
work. That only leaves "root".
Then again, there are no useful instructions on this page about how
to actually *get to* the web interface. You have to find that on your
own.
There's truly a lot to be desired about this documentation.
Brian
Aug 28, 2021, 3:40:05 PM8/28/21
to
On Sat 28 Aug 2021 at 07:11:55 -0700, Peter Ehlert wrote:
>
> On 8/26/21 5:53 AM, Greg Wooledge wrote:
[...]
>
> On 8/26/21 5:53 AM, Greg Wooledge wrote:
> > 2) Install cups.
> * cups was not installed by default. The Brother installer did flag that
> first off, easily corrected
was present when you first posted.
> > 3) Visit http://localhost:631/ in a GUI web browser. Make sure Javascript
> > is allowed.
> >
> > 4) At some point, when you try to do stuff to the printers in the browser,
> > you will be prompted for a username and password, using HTTP basic
> > authentication. When this occurs, you should login as root, using
> > root's password.
>
> BINGO: I was not using root
correct conclusiom. You, root and the user are not the same entities.
What does "I" refer to?
A responsible administrator does not hand out administrator priviledges
to anyone who comes along. Put the user into the lpadmin group.
Nobody should be logging into the web interface as root.
(Incidentally, why you have any need for the Brother drivers is beyond
me).
--
Brian.
Brian
Aug 28, 2021, 4:10:04 PM8/28/21
to
htps://github.com/OpenPrinting/cups/issues
Your points are pertinent.
--
Brian.
>
0 new messages