A fix for broken CUPS admin interface login in 10.3

Aug 26, '05 08:35:00AM

Contributed by: Anonymous

I found recently that I couldn't log in to the CUPS administrative web interface on OS X 10.3.9 with all the updates as of 2005 August 20. I looked on Mac OS X Hints, and found at least one hint relating to this problem, but its proposed solution appeared to be obsolete, as the lines they suggested changing in the CUPS config file were different. At the web site for the makers of CUPS software, though, I found a solution in their FAQ:

MacOS X 10.3.x broke user authentication in the web interface. The following comes from the folks at Apple:

What's happening here is OS X 10.3 (Panther) switched to a form of shadow passwords that cupsd isn't able to read. The getpwent(3) man page discusses the details:

As of Mac OS X 10.3, there are now different per-user behaviours of this function, based on the AuthenticationAuthority value stored for the queried user in DirectoryServices.

If the queried user is still a legacy crypt password user, or now has an AuthenticationAuthority value containing ";basic;", these routines will behave in their standard BSD fashion. These functions will "shadow" the password file, e.g. allow only certain programs to have access to the encrypted password. If the process which calls them has an effective uid of 0, the encrypted password will be returned, otherwise, the password field of the returned structure will point to the string '*'.

By default in Mac OS X 10.3 and later all users will have an AuthenticationAuthority will contain the value ";ShadowHash;". These users will have a visible password value of "********". These functions will have no access to the encrypted password whatsoever. Setting or changing an user password must be done entirely through the DirectoryService APIs for this default user.

Two workarounds for now are:

The CUPS CVS repositories (both Darwin's and ESP's) have been updated to install a pam(8) configuration file that works with these passwords via the pam_securityserver module. This will solve the problem in Tiger.

The Radar bug tracking this is : 7F44: Cannot access CUPS web admin after Security Update 2004-04-05

[robg adds: I haven't tested this one, but note that it does not affect 10.4 and newer...]

Comments (3)


Mac OS X Hints
http://hints.macworld.com/article.php?story=20050820204528452