[cups.bugs] [MOD] STR #3847: KRB5CCNAME should be set before invoking a backend
Etienne Goyer
etienne.goyer at canonical.com
Thu May 26 06:12:33 PDT 2011
DO NOT REPLY TO THIS MESSAGE. INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.
[STR New]
This problem was investigated on Ubuntu 10.10 (cups 1.4.4) and 11.04 (cups
1.4.6).
When trying to print to a Kerberos-authenticated print queue over SMB (ie,
in an Active Directory), if the backend is not invoked as the user
submitting the job (ie, it is run as root), Kerberos authentication cannot
proceed. That's because the backend cannot access the user's Kerberos
credential cache.
I presume the situation is the same with other network protocol that does
Kerberos authentication, although I have tested only with SMB.
The smbspool binary, provided by Samba and used as the CUPS smb backend in
Ubuntu and other distros, has the ability to pick up the Kerberos
credential cache to use from the KRB5CCNAME environment variable. CUPS
1.4.x actually set that environment variable (in scheduler/ipp.c), but
only when printing to IPP AFAICT.
It would be useful if CUPS would set the KRB5CCNAME environment variable
before invoking the backend. That way, smbspool and other backend could
do the right thing when Kerberos authentication is required.
Link: http://www.cups.org/str.php?L3847
Version: 1.4.4
More information about the cups-devel
mailing list