Beginner's problem with authentication policy in 1.3.0

John A. Murdie john at cs.york.ac.uk
Mon Nov 26 10:24:51 PST 2007


> > John A. Murdie wrote:
> I'm beginning to think it wise to use only Negotiate for laptops, even if it might be a hassle to help the users to install and configure the necessary software. (Mac OS X 10.4 'Tiger' users will have to upgrade to 10.5 'Leopard', for a start.) I'll experiment some more.

I hope that these my ramblings might be of some use to someone else new to Kerberised CUPS who is trying to do the same as I am. So far I've managed to find very little discussion of these matters, and hardly anything outside this forum.

I'd decided to try Kerberised IPP. Having created an ipp-cups.keytab with kadmin(8), I added:

Krb5Keytab .../conf/ipp-cups.keytab
GSSServiceName ipp

to the top of my cupsd.conf (the first is in a local non-standard place I show as "...", the second value seems to have to be in lower-case - as shown at the end of http://www.cups.org/documentation.php/kerberos.html -
to work, not upper-case as shown in http://www.cups.org/documentation.php/ref-cupsd-conf.html )

and replaced the 'AuthType Basic' lines in the same with 'AuthType Negotiate'. I restarted the CUPS server. (You'll recall that I'm only forcing authentication from laptops here, and trusting the locked-down desktop PCs.) Then, from the command line on a Linux laptop, I tried (notice that the domain given to kinit(8) has to be in upper case - weird):

$ kinit myname@MYSITE.TLD
Please enter the password for myname@MYSITE.TLD: *********
$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'

Valid Starting     Expires            Service principal
11/26/07 17:36:27  11/27/07 03:36:26  krbtgt/MYSITE.TLD@MYSITE.TLD
        renew until 11/27/07 17:36:27

$

and, hey presto, the Linux laptop could print from the command line and from GUI application software. With my ordinary user name as one of those in the list permitted access to Location /admin (Require user @SYSTEM myname ...), I can do administration tasks.

I tried the same thing on a MacBook with MacOS X 10.5.1 'Leopard'. I can print from the command line, as on Linux, and do administration tasks via the web page, ditto.

(It might be better to tell the Mac users here about the GUI Kerberos management command in /System/Library/CoreServices, instead of the command-line kinit(8). As others have noted, it'd be better in /Applications/Utilities.)

Something is wrong, however, as when I try to print from Safari (3.0.4) or any MacOS X GUI application, I get the error dialog:

       Print
       Error while printing.

The server's cups/error_log file shows nothing, even at LogLevel debug2.

In the case of Safari, it partially locks up. Menu operations still work, but it is not possible to view a different web page by changing the target URL. Restarting Safari cures this.

I'm scouring the Apple Leopard discussion boards and the web in general for an answer.

John A. Murdie
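
The cupsd.conf changes described in this message, turned into a check (an added example, not part of the original post and not CUPS code): it parses a cupsd.conf and reports an upper-case GSSServiceName value, a missing Krb5Keytab line, and any AuthType Basic lines left behind after a switch to Negotiate. The function name audit_cupsd_conf and the sample file are constructed for illustration, the keytab path is a placeholder, and matching directive names case-insensitively is an assumption.

```python
# Constructed sample cupsd.conf using the directives named in the post.
# The keytab path is a placeholder, not the poster's real path.
SAMPLE_CONF = """\
Krb5Keytab /path/to/conf/ipp-cups.keytab
GSSServiceName IPP
<Location />
  AuthType Negotiate
</Location>
<Location /admin>
  AuthType Basic
  Require user @SYSTEM myname
</Location>
"""

def audit_cupsd_conf(text):
    """Return sorted (line_number, message) findings; line 0 means file-wide."""
    findings, stack, basic = [], [], []
    keytab_seen = negotiate_seen = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):            # closing tag, e.g. </Location>
            if stack:
                stack.pop()
            continue
        if line.startswith("<"):             # opening tag, e.g. <Location /admin>
            stack.append(line.strip("<>").strip())
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()              # assumption: names are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        scope = " > ".join(stack) or "global"
        if name == "krb5keytab":
            keytab_seen = True
        elif name == "gssservicename" and value != value.lower():
            findings.append((n, f"GSSServiceName {value!r} is not lower-case"))
        elif name == "authtype" and value.lower() == "negotiate":
            negotiate_seen = True
        elif name == "authtype" and value.lower() == "basic":
            basic.append((n, scope))
    if negotiate_seen and not keytab_seen:
        findings.append((0, "AuthType Negotiate used but no Krb5Keytab directive found"))
    if negotiate_seen:                        # Basic lines left over after the switch
        findings += [(n, f"AuthType Basic still set in {s}") for n, s in basic]
    return sorted(findings)

if __name__ == "__main__":
    for lineno, msg in audit_cupsd_conf(SAMPLE_CONF):
        print(f"line {lineno}: {msg}")
```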
