Comment 2 for bug 152061

The user account created as the first one on the system (or accounts created as privileged accounts) are in the group "lpadmin" (see /etc/group). They can do CUPS administration without password. They can call commands like system-config-printer or lpadmin without sudo. Check whether the desired accounts are in the lpadmin group. In the web interface of CUPS (http://localhost:631/) these users use their own user names and passwords.

For other users and for access with basic authentication passwords are needed. I do not know how CUPS exactly verifies the passwords. AFAIR it uses PAM. The problem looks for me that AppArmor prevents the access to the passwords. The AppArmor configuration (/etc/apparmor.d/usr.sbin.cupsd) of CUPS seems to need a change. Note that the protection also applies to sub processes. So if CUPS calls some module of PAM, the PAM module is probably also restricted.

For a test try

sudo aa-complain cupsd

for AppArmor not blocking anything, only giving warnings in the log file. Does it work then.

sudo aa-enforce cupsd

gets you back to the default state.