Dear Maintainer,
Attempting to use cups with sssd for local user auth (host is joined to a
Samba4 AD domain controller) results in various apparmor denials in dmesg and
the journal.
Snip:
***
[2597432.773237] audit: type=1400 audit(1773438364.533:252): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd"
name="/var/lib/sss/pubconf/kdcinfo.EXAMPLE.COM" pid=1272377 comm="cupsd"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
***
Adding '/var/lib/sss/pubconf/* r,' to the /etc/apparmor.d/local/usr.sbin.cupsd
file and reloading the apparmor profiles fixed that one.
I should also point out that I was also getting an apparmor denial for
/tmp/krb5cc*. I'm not sure if that's due to PAM using SSSD or because of CUPS
itself having Kerberos support enabled in its config, but as Kerberos support
has been deprecated in upstream CUPS, I'm not sure if this one should be fixed
in the package or not. (I'm including it here for the sake of completeness.):
***
[2597540.497594] audit: type=1400 audit(1773438472.257:316): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd" name="/tmp/krb5cc_1254001189_9iCQrt"
pid=1272377 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0
ouid=1254001189
***
Either way, adding '/tmp/krb5cc* kw,' to the
/etc/apparmor.d/local/usr.sbin.cupsd file and reloading the apparmor profiles
fixed that one.
The last one was cupsd trying to get a file lock on /run/utmp.
***
[2597528.684960] audit: type=1400 audit(1773438460.445:313): apparmor="DENIED"
operation="file_lock" profile="/usr/sbin/cupsd" name="/run/utmp" pid=1272377
comm="cupsd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
***
Adding '/run/utmp k,' to /etc/apparmor.d/local/usr.sbin.cupsd fixed that one.
Finally I'll add that in my case, bug #980974 applies to my system as does the
"solution" with the addition of 'sys_admin' capability as well....:
***
[2594412.199660] audit: type=1400 audit(1773435343.960:19): apparmor="DENIED"
operation="capable" profile="/usr/sbin/cupsd" pid=1271741 comm="usb"
capability=21 capname="sys_admin"
[2595749.893101] audit: type=1400 audit(1773436681.651:36): apparmor="DENIED"
operation="capable" profile="/usr/sbin/cupsd" pid=1271741 comm="usb"
capability=12 capname="net_admin"
***
Have a good day!
-Patrick Hibbs
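
The following is an added example, not part of the report or of the cups package: a small Python parser that turns AppArmor DENIED audit records like the ones quoted above into the narrowest candidate rules per profile, for review before anything goes into a local override file. The function names are hypothetical, and the sample input is constructed by re-joining the wrapped log lines from the report.

```python
import re

# Constructed sample: the denials quoted in the report, re-joined onto single lines.
SAMPLE = """\
[2597432.773237] audit: type=1400 audit(1773438364.533:252): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/lib/sss/pubconf/kdcinfo.EXAMPLE.COM" pid=1272377 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2597540.497594] audit: type=1400 audit(1773438472.257:316): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/tmp/krb5cc_1254001189_9iCQrt" pid=1272377 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=1254001189
[2597528.684960] audit: type=1400 audit(1773438460.445:313): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/cupsd" name="/run/utmp" pid=1272377 comm="cupsd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[2594412.199660] audit: type=1400 audit(1773435343.960:19): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=1271741 comm="usb" capability=21 capname="sys_admin"
[2595749.893101] audit: type=1400 audit(1773436681.651:36): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=1271741 comm="usb" capability=12 capname="net_admin"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def candidate_rule(rec):
    """Narrowest profile rule that would permit the denied access."""
    if rec.get("operation") == "capable" and "capname" in rec:
        return f"capability {rec['capname']},"
    if "name" in rec and "denied_mask" in rec:
        # Assumption: the path has no spaces or glob characters needing escapes.
        return f"{rec['name']} {rec['denied_mask']},"
    return None

def rules_by_profile(log_text):
    """Map each confined profile to its de-duplicated candidate rules."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if not rec:
            continue
        rule = candidate_rule(rec)
        if rule:
            rules = out.setdefault(rec["profile"], [])
            if rule not in rules:
                rules.append(rule)
    return out

if __name__ == "__main__":
    for profile, rules in rules_by_profile(SAMPLE).items():
        print(f"# candidate rules for profile {profile}")
        for rule in rules:
            print(rule)
```

The output is exact-path and exact-mask; the rules in the report widen these with globs (and add `k` for the credential cache), which is a decision left to whoever reviews the list.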