AuthType failover?

[John A. Murdie]

I'm helping move my site's CUPS server version from 1.2.12 on Solaris, which we have configured to use AuthType Basic, to 1.3.4 on Linux, currently also configured to use AuthType Basic. (All this works fine.) We have been introducing Kerberos authentication for all services, however, and would like to use AuthType Negotiate on the new CUPS server. This poses no problems for us with the desktop PCs we manage, as we have installed and configured Kerberos there, and provided them with CUPS 1.3.

Things are more difficult with the Linux, Mac OS X and Windows laptops belonging to our users, which laptops we do not control. Some will not have Kerberos installed, some will not have a Kerberos-capable installation of CUPS or other IPP printing client. We don't really want to have a subsidiary print server for the clients that can't talk IPP and AuthType Negotiate (e.g. an SMB print server that feeds into the CUPS print server, as an extra 'hop'). Neither do we wish to switch to the new CUPS server and Kerberos in an instant, and break printing for many of the laptops.

Might it be possible to have the new CUPS server accept connections from the laptops - all on the same subnet - and have some use AuthType Basic and some AuthType Negotiate, simultaneously? (Without listing by IP address which can Negotiate and which can not - simply too many of them to do this without headaches!) This way, we could make the switch instantly, knowing that (simply by changing the physical translation of our network Canonic Name `cups' from the old CUPS server to the new) that laptops which can use AuthType Negotiate can do that as they are newly configured to do so, but that laptops which are currently using AuthType Basic can continue that, as if nothing had changed - perhaps by a kind of 'failover', when AuthType Negotiate does not work for them.

Of course, this would be a transitional situation - we'd aim to have everything use AuthType Negotiate before very long.

John A. Murdie