CUPS on Raspberry Pi - Unable to authenticate

cups 2.2.1 on Raspberry Pi 3b+ Linux 4.19.66-v7+ #1253 SMP Thu Aug 15 11:49:46 BST 2019 armv7l GNU/Linux

When I attempt to authenticate to perform administrative functions through the web interface, I am repeatedly prompted to authenticate and not allowed to add a printer. I can authenticate to view the error log, which generates the following error after each failed attempt to log in as user=pi. pi was made a member of the lpadmin group. (sudo usermod -a -G lpadmin pi)

E [28/Sep/2019:12:08:03 -0400] [Client 10] Local authentication certificate not found.

Earlier in the log, there are other errors. A representative list follows:

E [28/Sep/2019:08:43:57 -0400] Unable to open listen socket for address [v1.::1]:631 - Address already in use.
E [28/Sep/2019:08:43:57 -0400] Unable to open listen socket for address 127.0.0.1:631 - Address already in use.

Any diagnostic help would be appreciated. Thank you.

My /etc/cups/cupsd.conf follows below.

#
# Configuration file for the CUPS scheduler.  See "man cupsd.conf" for a
# complete description of this file.
#

# Log general information in error_log - change "warn" to "debug"
# for troubleshooting...
LogLevel warn
PageLogFormat

# Deactivate CUPS' internal logrotating, as we provide a better one, especially
# LogLevel debug2 gets usable now
MaxLogSize 0

# Only listen for connections from the local machine.
# Listen localhost:631
Port 631
Listen /var/run/cups/cups.sock

# Show shared printers on the local network.
Browsing On
BrowseLocalProtocols dnssd

# Default authentication type, when authentication is required...
DefaultAuthType Basic

# Web interface setting...
WebInterface Yes

# Restrict access to the server...
<Location />
  Order allow,deny
  Allow @local
</Location>

# Restrict access to the admin pages...
<Location /admin>
  Order allow,deny
  Allow @local
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
  Allow @local
</Location>

# Restrict access to log files...
<Location /admin/log>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
</Location>

# Set the default printer/job policies...
<Policy default>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default

  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    Order deny,allow
  </Limit>

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-   Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

# Set the authenticated printer/job policies...
<Policy authenticated>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default

  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    AuthType Default
    Order deny,allow
  </Limit>

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

New information (29-Sep-2019): cups-browsed is in a CLOSE-WAIT state.

pi@rpi3bp:~ $ sudo ss -lpn | grep -e ":631" -e "Netid"
Netid  State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
tcp    LISTEN     0      5         *:631                   *:*       users:(("cupsd",pid=398,fd=9))
tcp    LISTEN     0      5        :::631                  :::*       users:(("cupsd",pid=398,fd=10))

pi@rpi3bp:~ $ ps -ef | grep -e cups -e UID | grep -v grep
UID        PID  PPID  C STIME TTY          TIME CMD
root       398     1  0 Sep21 ?        00:00:08 /usr/sbin/cupsd -l
root     15529     1  0 06:25 ?        00:00:00 /usr/sbin/cupsd -l
root     15530     1  0 06:25 ?        00:00:00 /usr/sbin/cups-browsed
lp       15545 15529  0 06:25 ?        00:00:00 /usr/lib/cups/notifier/dbus dbus://
lp       15546 15529  0 06:25 ?        00:00:00 /usr/lib/cups/notifier/dbus dbus://
lp       15547 15529  0 06:25 ?        00:00:00 /usr/lib/cups/notifier/dbus dbus://

pi@rpi3bp:~ $ sudo ss -pn | grep -e "15530" -e "Netid"
Netid  State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
u_str  ESTAB      0      0         * 429953                * 0        users:(("cups-browsed",pid=15530,fd=2),("cups-browsed",pid=15530,fd=1))
u_str  ESTAB      0      0         * 430354                * 0        users:(("cups-browsed",pid=15530,fd=6))
u_str  ESTAB      0      0         * 430356                * 0        users:(("cups-browsed",pid=15530,fd=8))
tcp    CLOSE-WAIT 1      0       ::1:36556               ::1:631      users:(("cups-browsed",pid=15530,fd=4))
tcp    CLOSE-WAIT 1      0       ::1:36554               ::1:631      users:(("cups-browsed",pid=15530,fd=3))

BalooRM

Posted 2019-09-28T17:24:32.533

Reputation: 1

The cups-browsed process is in a CLOSE-WAIT state. New information has been added to the post. – BalooRM – 2019-09-29T12:10:32.303

CUPS on Raspberry Pi - Unable to authenticate

Answers