Beginner's problem with authentication policyin1.3.0

John A. Murdie john at cs.york.ac.uk
Tue Nov 27 09:04:31 PST 2007 

> John A. Murdie wrote:
> > ...
> > Something is wrong, however, as when I try to print from Safari (3.0.4) or any MacOS X GUI application, I get the error dialog:
> >
> >        Print
> >        Error while printing.
> >
> > The server's cups/error_log file shows nothing, even at LogLevel debug2.
>
> How about in the client's error_log file?
>
> --
> ______________________________________________________________________
> Michael R Sweet                        Senior Printing System Engineer
>

My apologies - it was late and I was tired. I should have said something along the lines of "I'll continue tomorrow."

Some preamble: This time, I used the Kerberos application to obtain a ticket under MacOS X 10.5.1 Leopard. I created the client configuration of the printer with the "Print & Fax" System Preference dialogue by choosing IP -> Protocol: Internet Printing Protocol (IPP); Address: domain name of CUPS server; Queue: the name of the queue (not prefixed by "printers/"), and by specifying the printer make and model. I then tried to print an Apple sales document in PDF from Safari. In the client log, I see:

I [27/Nov/2007:13:55:17 +0000] [Job 71] Adding start banner page "none".
I [27/Nov/2007:13:55:17 +0000] [Job 71] Adding job file of type application/pdf.
I [27/Nov/2007:13:55:17 +0000] [Job 71] Adding end banner page "none".
I [27/Nov/2007:13:55:17 +0000] [Job 71] Queued on "cups" by "john".
I [27/Nov/2007:13:55:17 +0000] [Job 71] Started filter /usr/libexec/cups/filter/cgpdftops (PID 193)
I [27/Nov/2007:13:55:17 +0000] [Job 71] Started filter /usr/libexec/cups/filter/pstops (PID 194)
I [27/Nov/2007:13:55:17 +0000] [Job 71] Started filter /Library/Printers/hp/filter/hpPostProcessing.bundle/Contents/MacOS/hpPostProcessing (PID 195)
I [27/Nov/2007:13:55:17 +0000] [Job 71] Started backend /usr/libexec/cups/backend/ipp (PID 196)
E [27/Nov/2007:13:55:20 +0000] [Job 71] Destination printer does not exist!
E [27/Nov/2007:13:55:20 +0000] PID 196 (/usr/libexec/cups/backend/ipp) stopped with status 4!
I [27/Nov/2007:13:55:20 +0000] Hint: Try setting the LogLevel to "debug" to find out more.
I [27/Nov/2007:13:55:20 +0000] [Job 71] Backend returned status 4 (stop printer)

I deleted the printer, and recreated it as before but with the queue name "printers/cp04", and the error above goes away. (This is bad - how is the average Mac user meant to know that they have to put "printers/" there?) I printed a Safari page and saw just:

E [27/Nov/2007:13:58:56 +0000] Print-Job: Unauthorized

in the local error_log. Nothing appears in the cups server error_log.

I realise now that (of course!):

$ lpr -Hcups -Pcp04 'About Stacks.pdf'

works from the MacBook because the job is not going through the local cupsd, but directly to our print server. Jobs from the GUI applications are going through the local cups server and, as I wish to use negotiated authentication, I had better arrange that the cups server use this also. So, I became root on the MacBook (use Directory Utility from Applications/Utilities), changed 'DefaultAuthType Basic' to 'DefaultAuthType Negotiate' and added an 'AuthType Default' in each of the 'Limit' sections except the last 'Limit all' (that really fouls things up). I then restarted the Mac and remembered to use the Kerberos app again but, alas, I still get the 'Print-Job: Unauthorized' error in the Mac CUPS error_log.

I wonder how doing this - when it works - will affect other printing from the Mac - e.g. if one of our laptop users has a home print server which doesn't use Kerberos negotiation. Will some 'Location' configuration in the MacOS Print & Fax GUI ('Location' in the Mac networking sense, rather than in the CUPS sense) be needed, or is there an aim to have everyone using Bonjour? (Never having set that up, I don't know whether that can carry a 'This print server is accessible using Kerberos authentication only' tag which can be interpreted and acted upon automatically.)

We have our Linux laptops print successfully with AuthType Negotiate by having them contact the local cups server directly, with 'ServerName cups' in /etc/client.conf. I tried this on the Mac, but the Print & Fax dialogue now shows just the spinning beach-ball.

John A. Murdie

More information about the cups mailing list