CUPS kerberos/GSSAPI in 1.3

Jacob Brown jacob_brown at
Mon Jun 4 15:18:31 PDT 2007

Hi. I'm trying to setup my cups server to use kerberos authentication.  I'm using the latest version of 1.3svn. I've tried setting up my cupsd.conf to use:

Listen *:631
Listen /usr/local/cups//var/run/cups/cups.sock
ServerCertificate /etc/cups/ssl/server.crt
ServerKey /etc/cups/ssl/server.key
Krb5Keytab /etc/krb5.keytab
GSSServiceName HTTP

and changed all my AuthType and DefaultAuthType to Negotiate

So far, it doesn't seem to work and I'm not getting any errors telling me why. I've used wireshark to look at the stream and it never gives my client HTTP Authentication required error that I'm expecting.  I'm assuming it should get an error like that and tell the client that the support method is "Negotiate".  I have apache setup and working on the same computer just fine.  Also, I have ssh and samba using kerberos just fine as well (well, except winbind is half-broken as usual but yeah)

Is there something special I need to do to get it to work?  If I change the AuthType to Basic, it will give me an error message when trying to delete jobs and when adding a new printer and stuff, but when I use Negotiate, I don't get any HTTP errors.

What type of functionality is currently working?  Can windows XP/Vista clients authenticate with Negotiate?  Can other cups clients authenticate?  Is firefox working?
I understand that 1.3 is still in development and probably has bugs.  I can post any bug fixes I do (I just found a bug earlier today that caused a segfault)


More information about the cups mailing list