[cups.general] Kerberos printing to SMB printers

John Hodrien johnh at comp.leeds.ac.uk
Fri Dec 14 07:40:35 PST 2007


I'm trying to configure a CUPS server to forward jobs on to existing Windows
print queues.  The whole system is tied together with Active Directory.

I've configured CUPS 1.3.4 on the server, and generated an ipp/fqdn service
principal.

Using Kerberos to authenticate client->CUPS server appears to work fine.  But
then it all goes a bit wrong.  I was hoping someone could give me a pointer on
what I should look at doing next.  The line that's bothering me is:

E [14/Dec/2007:15:13:12 +0000] Unable to create new credentials cache (-1765328188/File exists)

Here's a full trace trying to print a text file.  Seriously, any suggestions appreciated.

D [14/Dec/2007:15:13:12 +0000] cupsdAcceptClient: skipping getpeercon()
D [14/Dec/2007:15:13:12 +0000] cupsdAcceptClient: 11 from localhost (Domain)
D [14/Dec/2007:15:13:12 +0000] cupsdReadClient: 11 POST / HTTP/1.1
D [14/Dec/2007:15:13:12 +0000] cupsdAuthorize: No authentication data provided.
D [14/Dec/2007:15:13:12 +0000] CUPS-Get-Printers
D [14/Dec/2007:15:13:12 +0000] cupsdProcessIPPRequest: 11 status_code=0 (successful-ok)
D [14/Dec/2007:15:13:12 +0000] cupsdReadClient: 11 POST / HTTP/1.1
D [14/Dec/2007:15:13:12 +0000] cupsdAuthorize: No authentication data provided.
D [14/Dec/2007:15:13:12 +0000] CUPS-Get-Classes
D [14/Dec/2007:15:13:12 +0000] cupsdProcessIPPRequest: 11 status_code=0 (successful-ok)
D [14/Dec/2007:15:13:12 +0000] cupsdCloseClient: 11
D [14/Dec/2007:15:13:12 +0000] cupsdAcceptClient: skipping getpeercon()
D [14/Dec/2007:15:13:12 +0000] cupsdAcceptClient: 11 from localhost (Domain)
D [14/Dec/2007:15:13:12 +0000] cupsdReadClient: 11 POST /printers/pre-lp2 HTTP/1.1
D [14/Dec/2007:15:13:12 +0000] cupsdAuthorize: No authentication data provided.
D [14/Dec/2007:15:13:12 +0000] Print-Job ipp://localhost/printers/pre-lp2
D [14/Dec/2007:15:13:12 +0000] print_job: auto-typing file...
D [14/Dec/2007:15:13:12 +0000] cupsdIsAuthorized: username=""
E [14/Dec/2007:15:13:12 +0000] Print-Job: Unauthorized
D [14/Dec/2007:15:13:12 +0000] cupsdSendError: 11 code=401 (Unauthorized)
D [14/Dec/2007:15:13:12 +0000] cupsdSendHeader: WWW-Authenticate: Negotiate
D [14/Dec/2007:15:13:12 +0000] cupsdCloseClient: 11
D [14/Dec/2007:15:13:12 +0000] cupsdAcceptClient: skipping getpeercon()
D [14/Dec/2007:15:13:12 +0000] cupsdAcceptClient: 11 from localhost (Domain)
D [14/Dec/2007:15:13:12 +0000] cupsdReadClient: 11 POST /printers/pre-lp2 HTTP/1.1
D [14/Dec/2007:15:13:12 +0000] get_gss_creds: Attempting to acquire credentials for ipp at server.ourdomain...
D [14/Dec/2007:15:13:12 +0000] get_gss_creds: Credentials acquired successfully for ipp at server.ourdomain.
D [14/Dec/2007:15:13:12 +0000] cupsdAuthorize: Authorized as myuser at OUR.REALM using Negotiate
D [14/Dec/2007:15:13:12 +0000] Print-Job ipp://localhost/printers/pre-lp2
D [14/Dec/2007:15:13:12 +0000] print_job: auto-typing file...
D [14/Dec/2007:15:13:12 +0000] cupsdIsAuthorized: username="myuser at OUR.REALM"
D [14/Dec/2007:15:13:12 +0000] add_job: setting context of job to UNKNOWN SL
E [14/Dec/2007:15:13:12 +0000] Unable to create new credentials cache (-1765328188/File exists)
I [14/Dec/2007:15:13:12 +0000] [Job 20] Adding start banner page "none".
D [14/Dec/2007:15:13:12 +0000] Discarding unused job-created event...
I [14/Dec/2007:15:13:12 +0000] [Job 20] Adding job file of type text/plain.
I [14/Dec/2007:15:13:12 +0000] [Job 20] Adding end banner page "none".
I [14/Dec/2007:15:13:12 +0000] [Job 20] Queued on "pre-lp2" by "myuser at OUR.REALM".
D [14/Dec/2007:15:13:12 +0000] [Job 20] hold_until = 0
D [14/Dec/2007:15:13:12 +0000] cupsdProcessIPPRequest: 11 status_code=0 (successful-ok)
D [14/Dec/2007:15:13:12 +0000] cupsdSendHeader: WWW-Authenticate: Negotiate YIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWgBHBwMxqniS2Qzwz2qgwZBAOrkSJ6h7RVrTjkkWAu/fBmYsQDjznqrcyFuGLSfThhx1DYHGjIsa3G7OVNJ9BS2dFeeHb9JOiquu5Dt004GGOE5PHnTEPZGxtg==
D [14/Dec/2007:15:13:12 +0000] cupsdCloseClient: 11

cupsd.conf

#
# "$Id: cupsd.conf.in 6720 2007-07-25 00:40:03Z mike $"
#
#   Sample configuration file for the Common UNIX Printing System (CUPS)
#   scheduler.  See "man cupsd.conf" for a complete description of this
#   file.
#

# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
LogLevel debug

# Administrator user group...
SystemGroup sys root


# Only listen for connections from the local machine.
Listen 631
Listen /var/run/cups/cups.sock

# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow all

# Default authentication type, when authentication is required...
DefaultAuthType Negotiate

# Restrict access to the server...
<Location />
   Order allow,deny
   Allow localhost
</Location>

# Restrict access to the admin pages...
<Location /admin>
   Encryption Required
   Order allow,deny
   Allow localhost
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
   AuthType Default
   Require user @SYSTEM
   Order allow,deny
   Allow localhost
</Location>
# Set the default printer/job policies...
<Policy default>
   # Job-related operations must be done by the owner or an administrator...
   <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
     AuthType Default
     Require user @OWNER @SYSTEM
     Order deny,allow
   </Limit>

   # All administration operations require an administrator to authenticate...
   <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
     AuthType Default
     Require user @SYSTEM
     Order deny,allow
   </Limit>

   # All printer operations require a printer operator to authenticate...
   <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
     AuthType Default
     Require user @SYSTEM
     Order deny,allow
   </Limit>

   # Only the owner or an administrator can cancel or authenticate a job...
   <Limit Cancel-Job CUPS-Authenticate-Job>
     AuthType Default
     Require user @OWNER @SYSTEM
     Order deny,allow
   </Limit>

   <Limit Create-Job Print-Job Print-URI>
# Putting AuthType Default seemed to completely confuse everything, and the client tried Basic instead
     AuthType Negotiate
     Require valid-user
     Order deny,allow
   </Limit>

   <Limit All>
     Order deny,allow
   </Limit>
</Policy>

#
# End of "$Id: cupsd.conf.in 6720 2007-07-25 00:40:03Z mike $".
#

jh

-- 
"Long Island represents the American's idea of what God would have done with
  Nature if he'd had the money."                      -- Peter Fleming
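
For triaging a log like the one in this post, the following added example (not part of the original message, and not CUPS code) scans error_log text for jobs that were queued after the scheduler failed to create a Kerberos credentials cache, and decodes the numeric code as an offset into the MIT krb5 error table. The function names, the sample log lines and the small code table are constructed for illustration, and MIT krb5 numbering is assumed.

```python
import re

KRB5_ERROR_BASE = -1765328384  # ERROR_TABLE_BASE_krb5 in MIT krb5 (assumed library)
# Constructed subset of credentials-cache codes, keyed by offset from the base.
KRB5_CC_CODES = {141: "KRB5_CC_NOTFOUND", 194: "KRB5_FCC_PERM",
                 195: "KRB5_FCC_NOFILE", 196: "KRB5_FCC_INTERNAL",
                 197: "KRB5_CC_WRITE"}

LINE = re.compile(r"^[A-Za-z] \[[^\]]+\] (.*)$")
AUTHZ = re.compile(r"cupsdAuthorize: Authorized as (.+) using (\S+)")
CC_ERR = re.compile(r"Unable to create new credentials cache \((-?\d+)/([^)]*)\)")
QUEUED = re.compile(r'\[Job (\d+)\] Queued on "([^"]+)" by "([^"]+)"')

# Constructed sample in the error_log format shown in the post.
SAMPLE_LOG = """\
D [01/Jan/2024:10:00:00 +0000] cupsdAuthorize: Authorized as alice@EXAMPLE.REALM using Negotiate
E [01/Jan/2024:10:00:00 +0000] Unable to create new credentials cache (-1765328188/File exists)
I [01/Jan/2024:10:00:00 +0000] [Job 20] Queued on "pre-lp2" by "alice@EXAMPLE.REALM".
D [01/Jan/2024:10:00:00 +0000] cupsdCloseClient: 11
D [01/Jan/2024:10:00:05 +0000] cupsdAuthorize: Authorized as bob@EXAMPLE.REALM using Negotiate
I [01/Jan/2024:10:00:05 +0000] [Job 21] Queued on "pre-lp2" by "bob@EXAMPLE.REALM".
D [01/Jan/2024:10:00:05 +0000] cupsdCloseClient: 12
"""

def decode_krb5(code):
    offset = code - KRB5_ERROR_BASE
    if not 0 <= offset < 256:
        return "not a krb5 table code"
    return KRB5_CC_CODES.get(offset, "krb5 offset %d" % offset)

def jobs_without_ccache(log_text):
    """Jobs queued on a connection where credentials-cache creation failed."""
    findings, auth, cc_error = [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("cupsdCloseClient:"):
            auth, cc_error = None, None  # connection closed: reset per-request state
        elif (a := AUTHZ.search(msg)):
            auth = a.group(2)
        elif (e := CC_ERR.search(msg)):
            cc_error = (decode_krb5(int(e.group(1))), e.group(2))
        elif (q := QUEUED.search(msg)) and cc_error:
            findings.append({"job": int(q.group(1)), "printer": q.group(2),
                             "user": q.group(3), "auth": auth,
                             "krb5": cc_error[0], "detail": cc_error[1]})
    return findings
```

A job reported here was accepted and queued, but no per-job credentials cache was stored for it on the scheduler side.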




