[cups.bugs] [HIGH] STR #2685: Unable to authenticate with Kerberos

John A. Murdie john at cs.york.ac.uk
Thu Jan 24 06:11:31 PST 2008


DO NOT REPLY TO THIS MESSAGE.  INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.

[STR New]

After building CUPS 1.3.5 on Slackware Linux 12.0 with patches applied for
STR #2606 and STR #2669, although the patches fix the symptoms of the
reported problems which prompted them, an untrusted client is still unable
to authenticate with Kerberos.

I am using a MacBook with MacOS X 10.5.1 as the untrusted client. I added
the following lines to its cupsd.conf (via
http://localhost:631?op=config-server):

BrowseProtocols all
BrowseRemoteProtocols all
BrowsePoll ourcupsserver:631
BrowsePort 631

(where our Linux CUPS server is 'ourcupsserver') and restarted its server.
The MacOS 'Print & Fax' GUI then displays the printers served by the Linux
CUPS server on host 'ourcupsserver'.

I am logged into the MacBook as 'jam', but connected via WiFi and 802.1X
authentication as 'john' and have a Kerberos ticket as 'john@REALM'.

The problem is that the print is performed and logged in the name
'jam', not the desired and expected name 'john'.

The Linux CUPS server has as its cupsd.conf (some real names and IP
addresses elided):

-----------------------------------------------------------------------
ServerName ourcupsserver

Krb5Keytab /.../ipp-cups.keytab
GSSServiceName ipp

# Log general information in error_log - change to "info" or "debug" for
# troubleshooting...
LogLevel debug

# Administrator user group...
SystemGroup sys root

# Listen
Listen 631

ServerCertificate /.../cups.crt
ServerKey /.../cups.key

# Send browse packets (printer descriptions) to:
BrowseAddress desktops
BrowseAddress laptops
Browsing On

# Don't accept browse packets from other CUPS servers:
BrowseOrder allow,deny
BrowseAllow from none
BrowseDeny from all

# Default authentication type, when authentication is required...
DefaultAuthType Negotiate

# Restrict access to the server...
<Location />
  Order allow,deny
  Allow from desktops
  Allow from laptops
  Encryption Required
</Location>

# Restrict access to the admin pages...
<Location /admin>
  Require user @SYSTEM @admins
  Encryption Required
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  Require user @SYSTEM @admins
  Encryption Required
</Location>

<Location /jobs>
  Encryption Required
</Location>

# Set the default printer/job policies...
<Policy default>
  # Job-related operations must be done by the owner or an administrator...

  # Staff desktops trusted, laptops must authenticate.
  <Limit Create-Job Print-Job Send-Document Send-URI>
    Order allow,deny
    Allow from desktops
    Require valid-user
    Satisfy any
  </Limit>
  <Limit Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    Order allow,deny
    Require user @OWNER @SYSTEM @admins
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
    Order deny,allow
    Require user @SYSTEM @admins
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM @admins
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>

</Policy>
-----------------------------------------------------------------------

When I print from Safari on the Mac, I am first asked to authenticate,
which I do successfully as 'john', but then I see in the server error_log:

-----------------------------------------------------------------------
D [24/Jan/2008:12:17:04 +0000] cupsdAcceptClient: 10 from laptop-IP:631 (IPv4)
D [24/Jan/2008:12:17:04 +0000] cupsdReadClient: 10 POST /printers/cp04 HTTP/1.1
D [24/Jan/2008:12:17:04 +0000] cupsdAuthorize: No authentication data provided.
D [24/Jan/2008:12:17:04 +0000] Get-Printer-Attributes ipp://ourcupsserver:631/printers/cp04
D [24/Jan/2008:12:17:04 +0000] cupsdProcessIPPRequest: 10 status_code=0 (successful-ok)
D [24/Jan/2008:12:17:04 +0000] cupsdReadClient: 10 POST /printers/cp04 HTTP/1.1
D [24/Jan/2008:12:17:04 +0000] cupsdAuthorize: No authentication data provided.
D [24/Jan/2008:12:17:05 +0000] Print-Job ipp://ourcupsserver:631/printers/cp04
D [24/Jan/2008:12:17:05 +0000] add_job: requesting-user-name="jam"
I [24/Jan/2008:12:17:05 +0000] [Job 97] Adding start banner page "none".
D [24/Jan/2008:12:17:05 +0000] Discarding unused job-created event...
I [24/Jan/2008:12:17:05 +0000] [Job 97] Adding job file of type application/pdf.
I [24/Jan/2008:12:17:05 +0000] [Job 97] Adding end banner page "none".
I [24/Jan/2008:12:17:05 +0000] [Job 97] Queued on "cp04" by "jam".
D [24/Jan/2008:12:17:05 +0000] [Job 97] hold_until = 0
D [24/Jan/2008:12:17:05 +0000] Discarding unused printer-state-changed event...
D [24/Jan/2008:12:17:05 +0000] [Job 97] job-sheets=none,none
D [24/Jan/2008:12:17:05 +0000] [Job 97] banner_page = 0
D [24/Jan/2008:12:17:05 +0000] [Job 97] argv[0]="cp04"
D [24/Jan/2008:12:17:05 +0000] [Job 97] argv[1]="97"
D [24/Jan/2008:12:17:05 +0000] [Job 97] argv[2]="jam"
D [24/Jan/2008:12:17:05 +0000] [Job 97] argv[3]="Apple - Start"
D [24/Jan/2008:12:17:05 +0000] [Job 97] argv[4]="1"
D [24/Jan/2008:12:17:05 +0000] [Job 97] argv[5]="AP_D_InputSlot...
-----------------------------------------------------------------------

If I add an explicit 'AuthType Negotiate' before 'Require valid-user' in
the cupsd.conf file, and restart the Linux CUPS server and the MacBook
(logging in again to it and to the network, and getting a new Kerberos
ticket and authenticating to print) I see instead:

-----------------------------------------------------------------------
D [24/Jan/2008:12:01:45 +0000] cupsdReadClient: 8 POST / HTTP/1.1
D [24/Jan/2008:12:01:45 +0000] cupsdAuthorize: No authentication data provided.
D [24/Jan/2008:12:01:45 +0000] CUPS-Get-Printers
D [24/Jan/2008:12:01:45 +0000] cupsdProcessIPPRequest: 8 status_code=0 (successful-ok)
D [24/Jan/2008:12:01:45 +0000] cupsdAcceptClient: 10 from 144.32.161.243:631 (IPv4)
D [24/Jan/2008:12:01:45 +0000] cupsdReadClient: 10 POST /printers/cp04 HTTP/1.1
D [24/Jan/2008:12:01:45 +0000] cupsdAuthorize: No authentication data provided.
D [24/Jan/2008:12:01:45 +0000] Get-Printer-Attributes ipp://ourcupsserver:631/printers/cp04
D [24/Jan/2008:12:01:45 +0000] cupsdProcessIPPRequest: 10 status_code=0 (successful-ok)
D [24/Jan/2008:12:01:45 +0000] cupsdReadClient: 10 POST /printers/cp04 HTTP/1.1
D [24/Jan/2008:12:01:45 +0000] cupsdAuthorize: No authentication data provided.
D [24/Jan/2008:12:01:46 +0000] Print-Job ipp://ourcupsserver:631/printers/cp04
D [24/Jan/2008:12:01:46 +0000] cupsdIsAuthorized: username=""
E [24/Jan/2008:12:01:46 +0000] Print-Job: Unauthorized
D [24/Jan/2008:12:01:46 +0000] cupsdSendError: 10 code=426 (Upgrade Required)
D [24/Jan/2008:12:01:46 +0000] cupsdCloseClient: 10
D [24/Jan/2008:12:01:46 +0000] cupsdAcceptClient: 10 from laptop-IP:631 (IPv4)
D [24/Jan/2008:12:01:46 +0000] cupsdReadClient: 10 OPTIONS * HTTP/1.1
D [24/Jan/2008:12:01:46 +0000] cupsdAuthorize: No authentication data provided.
D [24/Jan/2008:12:01:46 +0000] encrypt_client: 10 Connection from laptop-IP now encrypted.
D [24/Jan/2008:12:01:46 +0000] cupsdReadClient: 10 POST /printers/cp04 HTTP/1.1
D [24/Jan/2008:12:01:46 +0000] cupsdAuthorize: No authentication data provided.
D [24/Jan/2008:12:01:46 +0000] Print-Job ipp://ourcupsserver:631/printers/cp04
D [24/Jan/2008:12:01:46 +0000] cupsdIsAuthorized: username=""
E [24/Jan/2008:12:01:46 +0000] Print-Job: Unauthorized
D [24/Jan/2008:12:01:46 +0000] cupsdSendError: 10 code=401 (Unauthorized)
D [24/Jan/2008:12:01:46 +0000] cupsdSendHeader: WWW-Authenticate: Negotiate
D [24/Jan/2008:12:01:46 +0000] cupsdCloseClient: 10
I [24/Jan/2008:12:01:46 +0000] cupsdCloseClient: SSL shutdown successful!
D [24/Jan/2008:12:01:46 +0000] cupsdCloseClient: 10
D [24/Jan/2008:12:01:46 +0000] cupsdAcceptClient: 10 from laptop-IP:631 (IPv4)
D [24/Jan/2008:12:01:46 +0000] cupsdReadClient: 10 OPTIONS * HTTP/1.1
D [24/Jan/2008:12:01:46 +0000] cupsdAuthorize: No authentication data provided.
D [24/Jan/2008:12:01:46 +0000] encrypt_client: 10 Connection from laptop-IP now encrypted.
D [24/Jan/2008:12:01:46 +0000] cupsdReadClient: 10 POST /printers/cp04 HTTP/1.1
D [24/Jan/2008:12:01:46 +0000] cupsdAuthorize: No authentication data provided.
D [24/Jan/2008:12:01:46 +0000] Get-Printer-Attributes ipp://ourcupsserver:631/printers/cp04
D [24/Jan/2008:12:01:46 +0000] cupsdProcessIPPRequest: 10 status_code=0 (successful-ok)
D [24/Jan/2008:12:01:46 +0000] cupsdCloseClient: 10
I [24/Jan/2008:12:01:46 +0000] cupsdCloseClient: SSL shutdown successful!
D [24/Jan/2008:12:01:46 +0000] cupsdCloseClient: 10
-----------------------------------------------------------------------

John A. Murdie

PS As a final experiment, I stopped the Linux CUPS server and changed
'DefaultAuthType Negotiate' to ditto 'Basic', restarted, rebooted and
logged in to the MacBook etc once more (no need to get a Kerberos ticket).
Now when I print, Safari crashes. (This situation is reproducible.) I
pressed 'Report' on the 'Report to Apple' dialogue box that comes up.

Link: http://www.cups.org/str.php?L2685
Version: 1.3.5
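A defender-side check suggested by the two error_log extracts above, added here as an example and not part of the report or of CUPS itself: a small Python auditor that groups error_log lines into HTTP requests, pairs each Print-Job with the cupsdAuthorize result that preceded it, and flags jobs that were queued under a client-asserted requesting-user-name while cupsd saw no credentials at all. The sample log is constructed from the report's own lines with the email wrapping removed; the wording of a successful cupsdAuthorize line is an assumption, since the report never shows one.

```python
import re
# Constructed excerpt in the format of the error_log quoted in the report
# (email line-wrapping removed); sample input, not the full log.
SAMPLE_LOG = """\
D [24/Jan/2008:12:17:04 +0000] cupsdReadClient: 10 POST /printers/cp04 HTTP/1.1
D [24/Jan/2008:12:17:04 +0000] cupsdAuthorize: No authentication data provided.
D [24/Jan/2008:12:17:05 +0000] Print-Job ipp://ourcupsserver:631/printers/cp04
D [24/Jan/2008:12:17:05 +0000] add_job: requesting-user-name="jam"
I [24/Jan/2008:12:17:05 +0000] [Job 97] Queued on "cp04" by "jam".
D [24/Jan/2008:12:01:46 +0000] cupsdReadClient: 10 POST /printers/cp04 HTTP/1.1
D [24/Jan/2008:12:01:46 +0000] cupsdAuthorize: No authentication data provided.
D [24/Jan/2008:12:01:46 +0000] Print-Job ipp://ourcupsserver:631/printers/cp04
E [24/Jan/2008:12:01:46 +0000] Print-Job: Unauthorized
"""

READ_RE = re.compile(r'cupsdReadClient: (\d+) ')
# Assumed wording of a successful cupsdAuthorize line (the report shows none).
AUTHED_RE = re.compile(r'cupsdAuthorize: Authorized as (\S+)')
REQ_USER_RE = re.compile(r'add_job: requesting-user-name="([^"]*)"')
QUEUED_RE = re.compile(r'\[Job (\d+)\] Queued on "[^"]+" by "([^"]*)"')

def audit_print_jobs(log_text):
    """Group lines into HTTP requests; for each Print-Job record whether
    cupsd saw credentials and under which user name the job was queued."""
    requests, cur = [], {}                   # cur: the request being read
    for raw in log_text.splitlines():
        msg = raw.partition('] ')[2]         # drop the "D [timestamp] " prefix
        if (rm := READ_RE.search(msg)):      # a new HTTP request begins here
            cur = {'client': rm[1], 'op': None, 'auth_user': None,
                   'requested_user': None, 'outcome': None, 'job': None}
            requests.append(cur)
        elif 'cupsdAuthorize: No authentication data provided' in msg:
            cur['auth_user'] = None          # request carried no credentials
        elif (am := AUTHED_RE.search(msg)):
            cur['auth_user'] = am[1]         # name cupsd actually verified
        elif msg.startswith('Print-Job '):
            cur['op'] = 'Print-Job'
        elif (um := REQ_USER_RE.search(msg)):
            cur['requested_user'] = um[1]    # name the client merely asserted
        elif (qm := QUEUED_RE.search(msg)):
            cur['outcome'], cur['job'] = 'queued', int(qm[1])
        elif msg.startswith('Print-Job: Unauthorized'):
            cur['outcome'] = 'unauthorized'
    return [r for r in requests if r['op'] == 'Print-Job']

def unauthenticated_queued_jobs(log_text):
    """Jobs queued although no credentials were presented, so the recorded
    owner is only the client-asserted requesting-user-name."""
    return [r for r in audit_print_jobs(log_text)
            if r['outcome'] == 'queued' and r['auth_user'] is None]
```

Run over the first extract it reports Job 97 as queued for the asserted name "jam" with no authentication; over the second extract the Print-Job is recorded as rejected with 401, so nothing is flagged.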
