[cups.bugs] [MOD] STR #2581: GSSAPI doesn't support multi-realm

William Yang wyang at tjhsst.edu
Wed Oct 31 15:20:53 PDT 2007


DO NOT REPLY TO THIS MESSAGE.  INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.

[STR New]

We have two Kerberos realms here, A.COM and B.COM.  A.COM is configured to
trust B.COM.  CUPS was compiled to use the host keytab entry (instead of
looking for an ipp service keytab entry; this is for purposes of
convenience).  /etc/krb5.keytab contains an entry for
host/hostname.us.com@A.COM.  If a user has a principal from A.COM, he can
authenticate to CUPS using GSSAPI.  If a user has a principal from B.COM,
he cannot.  B.COM is the default realm, although changing the default
realm to A.COM doesn't make a difference in this respect.  GSSAPI using
SSH works for users in either A.COM or B.COM since /etc/krb5.conf contains
auth_to_local mappings for cross-realm functionality between the two.  We
are using Solaris 10 8/07 on SPARC with the MIT Kerberos 1.6.2 libraries
(installed in /usr/local).  B.COM uses Windows Server 2003 R1 and A.COM
uses Heimdal KDCs.
==
An attempt without tickets looks like this in the error_log:
D [31/Oct/2007:18:07:16 +0500] cupsdAcceptClient: 8 from localhost
(Domain)
D [31/Oct/2007:18:07:16 +0500] cupsdReadClient: 8 POST / HTTP/1.1
D [31/Oct/2007:18:07:16 +0500] cupsdAuthorize: No authentication data
provided.
D [31/Oct/2007:18:07:16 +0500] CUPS-Get-Printers
D [31/Oct/2007:18:07:16 +0500] cupsdProcessIPPRequest: 8 status_code=0
(successful-ok)
D [31/Oct/2007:18:07:16 +0500] cupsdReadClient: 8 POST / HTTP/1.1
D [31/Oct/2007:18:07:16 +0500] cupsdAuthorize: No authentication data
provided.
D [31/Oct/2007:18:07:16 +0500] CUPS-Get-Classes
D [31/Oct/2007:18:07:16 +0500] cupsdProcessIPPRequest: 8 status_code=0
(successful-ok)
D [31/Oct/2007:18:07:16 +0500] cupsdReadClient: 8 POST / HTTP/1.1
D [31/Oct/2007:18:07:16 +0500] cupsdAuthorize: No authentication data
provided.
D [31/Oct/2007:18:07:16 +0500] CUPS-Get-Default
D [31/Oct/2007:18:07:16 +0500] cupsdProcessIPPRequest: 8 status_code=0
(successful-ok)
D [31/Oct/2007:18:07:16 +0500] cupsdCloseClient: 8
D [31/Oct/2007:18:07:16 +0500] cupsdAcceptClient: 8 from localhost
(Domain)
D [31/Oct/2007:18:07:16 +0500] cupsdReadClient: 8 POST
/printers/printer_name HTTP/1.1
D [31/Oct/2007:18:07:16 +0500] cupsdAuthorize: No authentication data
provided.
D [31/Oct/2007:18:07:16 +0500] Print-Job
ipp://localhost/printers/printer_name
D [31/Oct/2007:18:07:16 +0500] print_job: auto-typing file...
D [31/Oct/2007:18:07:16 +0500] cupsdIsAuthorized: username=""
E [31/Oct/2007:18:07:16 +0500] Print-Job: Unauthorized
D [31/Oct/2007:18:07:16 +0500] cupsdSendError: 8 code=401 (Unauthorized)
D [31/Oct/2007:18:07:16 +0500] cupsdSendHeader: WWW-Authenticate:
Negotiate
D [31/Oct/2007:18:07:16 +0500] cupsdCloseClient: 8
==
with B.COM tickets:
D [31/Oct/2007:18:08:52 +0500] cupsdAcceptClient: 8 from localhost
(Domain)
D [31/Oct/2007:18:08:52 +0500] cupsdReadClient: 8 POST / HTTP/1.1
D [31/Oct/2007:18:08:52 +0500] cupsdAuthorize: No authentication data
provided.
D [31/Oct/2007:18:08:52 +0500] CUPS-Get-Printers
D [31/Oct/2007:18:08:52 +0500] cupsdProcessIPPRequest: 8 status_code=0
(successful-ok)
D [31/Oct/2007:18:08:52 +0500] cupsdReadClient: 8 POST / HTTP/1.1
D [31/Oct/2007:18:08:52 +0500] cupsdAuthorize: No authentication data
provided.
D [31/Oct/2007:18:08:52 +0500] CUPS-Get-Classes
D [31/Oct/2007:18:08:52 +0500] cupsdProcessIPPRequest: 8 status_code=0
(successful-ok)
D [31/Oct/2007:18:08:52 +0500] cupsdReadClient: 8 POST / HTTP/1.1
D [31/Oct/2007:18:08:52 +0500] cupsdAuthorize: No authentication data
provided.
D [31/Oct/2007:18:08:52 +0500] CUPS-Get-Default
D [31/Oct/2007:18:08:52 +0500] cupsdProcessIPPRequest: 8 status_code=0
(successful-ok)
D [31/Oct/2007:18:08:52 +0500] cupsdCloseClient: 8
D [31/Oct/2007:18:08:52 +0500] cupsdAcceptClient: 8 from localhost
(Domain)
D [31/Oct/2007:18:08:52 +0500] cupsdReadClient: 8 POST
/printers/printer_name HTTP/1.1
D [31/Oct/2007:18:08:52 +0500] cupsdAuthorize: No authentication data
provided.
D [31/Oct/2007:18:08:52 +0500] Print-Job
ipp://localhost/printers/printer_name
D [31/Oct/2007:18:08:52 +0500] print_job: auto-typing file...
D [31/Oct/2007:18:08:52 +0500] cupsdIsAuthorized: username=""
E [31/Oct/2007:18:08:52 +0500] Print-Job: Unauthorized
D [31/Oct/2007:18:08:52 +0500] cupsdSendError: 8 code=401 (Unauthorized)
D [31/Oct/2007:18:08:52 +0500] cupsdSendHeader: WWW-Authenticate:
Negotiate
D [31/Oct/2007:18:08:52 +0500] cupsdCloseClient: 8
D [31/Oct/2007:18:08:52 +0500] cupsdAcceptClient: 8 from localhost
(Domain)
D [31/Oct/2007:18:08:52 +0500] cupsdReadClient: 8 POST
/printers/printer_name HTTP/1.1
D [31/Oct/2007:18:08:52 +0500] get_gss_creds: Attempting to acquire
credentials for host@hostname.us.com...
D [31/Oct/2007:18:08:52 +0500] get_gss_creds: Credentials acquired
successfully for host@hostname.us.com.
D [31/Oct/2007:18:08:52 +0500] cupsdAuthorize: Error accepting GSSAPI
security context: Invalid token was supplied, Token header is malformed or
corrupt
D [31/Oct/2007:18:08:52 +0500] Print-Job
ipp://localhost/printers/printer_name
D [31/Oct/2007:18:08:52 +0500] print_job: auto-typing file...
D [31/Oct/2007:18:08:52 +0500] cupsdIsAuthorized: username=""
E [31/Oct/2007:18:08:52 +0500] Print-Job: Unauthorized
D [31/Oct/2007:18:08:52 +0500] cupsdSendError: 8 code=401 (Unauthorized)
D [31/Oct/2007:18:08:52 +0500] cupsdSendHeader: WWW-Authenticate:
Negotiate
D [31/Oct/2007:18:08:52 +0500] cupsdCloseClient: 8
D [31/Oct/2007:18:08:52 +0500] cupsdAcceptClient: 8 from localhost
(Domain)
D [31/Oct/2007:18:08:52 +0500] cupsdReadClient: 8 POST
/printers/printer_name HTTP/1.1
D [31/Oct/2007:18:08:52 +0500] get_gss_creds: Attempting to acquire
credentials for host@hostname.us.com...
D [31/Oct/2007:18:08:52 +0500] get_gss_creds: Credentials acquired
successfully for host@hostname.us.com.
D [31/Oct/2007:18:08:52 +0500] cupsdAuthorize: Error accepting GSSAPI
security context: Invalid token was supplied, Token header is malformed or
corrupt
D [31/Oct/2007:18:08:52 +0500] Print-Job
ipp://localhost/printers/printer_name
D [31/Oct/2007:18:08:52 +0500] print_job: auto-typing file...
D [31/Oct/2007:18:08:52 +0500] cupsdIsAuthorized: username=""
E [31/Oct/2007:18:08:52 +0500] Print-Job: Unauthorized
D [31/Oct/2007:18:08:52 +0500] cupsdSendError: 8 code=401 (Unauthorized)
D [31/Oct/2007:18:08:52 +0500] cupsdSendHeader: WWW-Authenticate:
Negotiate
D [31/Oct/2007:18:08:52 +0500] cupsdCloseClient: 8

klist also indicates that krbtgt/B.COM@B.COM, krbtgt/A.COM@B.COM, and
host/hostname.us.com@A.COM tickets were obtained.
==
with A.COM tickets:
D [31/Oct/2007:18:14:19 +0500] cupsdAcceptClient: 8 from localhost
(Domain)
D [31/Oct/2007:18:14:19 +0500] cupsdReadClient: 8 POST / HTTP/1.1
D [31/Oct/2007:18:14:19 +0500] cupsdAuthorize: No authentication data
provided.
D [31/Oct/2007:18:14:19 +0500] CUPS-Get-Printers
D [31/Oct/2007:18:14:19 +0500] cupsdProcessIPPRequest: 8 status_code=0
(successful-ok)
D [31/Oct/2007:18:14:19 +0500] cupsdReadClient: 8 POST / HTTP/1.1
D [31/Oct/2007:18:14:19 +0500] cupsdAuthorize: No authentication data
provided.
D [31/Oct/2007:18:14:19 +0500] CUPS-Get-Classes
D [31/Oct/2007:18:14:19 +0500] cupsdProcessIPPRequest: 8 status_code=0
(successful-ok)
D [31/Oct/2007:18:14:19 +0500] cupsdReadClient: 8 POST / HTTP/1.1
D [31/Oct/2007:18:14:19 +0500] cupsdAuthorize: No authentication data
provided.
D [31/Oct/2007:18:14:19 +0500] CUPS-Get-Default
D [31/Oct/2007:18:14:19 +0500] cupsdProcessIPPRequest: 8 status_code=0
(successful-ok)
D [31/Oct/2007:18:14:19 +0500] cupsdCloseClient: 8
D [31/Oct/2007:18:14:19 +0500] cupsdAcceptClient: 8 from localhost
(Domain)
D [31/Oct/2007:18:14:19 +0500] cupsdReadClient: 8 POST
/printers/printer_name HTTP/1.1
D [31/Oct/2007:18:14:19 +0500] cupsdAuthorize: No authentication data
provided.
D [31/Oct/2007:18:14:19 +0500] Print-Job
ipp://localhost/printers/printer_name
D [31/Oct/2007:18:14:19 +0500] print_job: auto-typing file...
D [31/Oct/2007:18:14:19 +0500] cupsdIsAuthorized: username=""
E [31/Oct/2007:18:14:19 +0500] Print-Job: Unauthorized
D [31/Oct/2007:18:14:19 +0500] cupsdSendError: 8 code=401 (Unauthorized)
D [31/Oct/2007:18:14:19 +0500] cupsdSendHeader: WWW-Authenticate:
Negotiate
D [31/Oct/2007:18:14:19 +0500] cupsdCloseClient: 8
D [31/Oct/2007:18:14:19 +0500] cupsdAcceptClient: 8 from localhost
(Domain)
D [31/Oct/2007:18:14:19 +0500] cupsdReadClient: 8 POST
/printers/printer_name HTTP/1.1
D [31/Oct/2007:18:14:19 +0500] get_gss_creds: Attempting to acquire
credentials for host@hostname.us.com...
D [31/Oct/2007:18:14:19 +0500] get_gss_creds: Credentials acquired
successfully for host@hostname.us.com.
D [31/Oct/2007:18:14:19 +0500] cupsdAuthorize: Authorized as user@A.COM
using Negotiate
D [31/Oct/2007:18:14:19 +0500] Print-Job
ipp://localhost/printers/printer_name
D [31/Oct/2007:18:14:19 +0500] print_job: auto-typing file...
D [31/Oct/2007:18:14:19 +0500] cupsdIsAuthorized: username="user@A.COM"
E [31/Oct/2007:18:14:19 +0500] Unable to create new credentials cache
(-1765328188/File exists)
I [31/Oct/2007:18:14:19 +0500] [Job 14] Adding start banner page "none".
D [31/Oct/2007:18:14:19 +0500] Discarding unused job-created event...
I [31/Oct/2007:18:14:19 +0500] [Job 14] Adding job file of type
text/plain.
I [31/Oct/2007:18:14:19 +0500] [Job 14] Adding end banner page "none".
I [31/Oct/2007:18:14:19 +0500] [Job 14] Queued on "printer_name" by
"user@A.COM".
D [31/Oct/2007:18:14:19 +0500] [Job 14] hold_until = 0
D [31/Oct/2007:18:14:19 +0500] [Job 14] Sending job to queue tagged as
raw...
D [31/Oct/2007:18:14:19 +0500] Discarding unused printer-state-changed
event...
D [31/Oct/2007:18:14:19 +0500] [Job 14] job-sheets=none,none
D [31/Oct/2007:18:14:19 +0500] [Job 14] banner_page = 0
D [31/Oct/2007:18:14:19 +0500] [Job 14] argv[0]="printer_name"
D [31/Oct/2007:18:14:19 +0500] [Job 14] argv[1]="14"
D [31/Oct/2007:18:14:19 +0500] [Job 14] argv[2]="user@A.COM"
D [31/Oct/2007:18:14:19 +0500] [Job 14] argv[3]="printers.conf"
D [31/Oct/2007:18:14:19 +0500] [Job 14] argv[4]="1"
D [31/Oct/2007:18:14:19 +0500] [Job 14] argv[5]="finishings=3 number-up=1
job-uuid=urn:uuid:a8cc2f45-e6f0-3b76-7a51-e8ff8dd5260e"
D [31/Oct/2007:18:14:19 +0500] [Job 14]
argv[6]="/var/spool/cups/d00014-001"
D [31/Oct/2007:18:14:19 +0500] [Job 14]
envp[0]="CUPS_CACHEDIR=/var/cache/cups"
D [31/Oct/2007:18:14:19 +0500] [Job 14]
envp[1]="CUPS_DATADIR=/usr/share/cups"
D [31/Oct/2007:18:14:19 +0500] [Job 14]
envp[2]="CUPS_DOCROOT=/usr/share/doc/cups"
D [31/Oct/2007:18:14:19 +0500] [Job 14]
envp[3]="CUPS_FONTPATH=/usr/share/cups/fonts"
D [31/Oct/2007:18:14:19 +0500] [Job 14]
envp[4]="CUPS_REQUESTROOT=/var/spool/cups"
D [31/Oct/2007:18:14:19 +0500] [Job 14]
envp[5]="CUPS_SERVERBIN=/usr/lib/cups"
D [31/Oct/2007:18:14:19 +0500] [Job 14]
envp[6]="CUPS_SERVERROOT=/etc/cups"
D [31/Oct/2007:18:14:19 +0500] [Job 14]
envp[7]="CUPS_STATEDIR=/var/run/cups"
D [31/Oct/2007:18:14:19 +0500] [Job 14]
envp[8]="PATH=/usr/lib/cups/filter:/usr/bin:/usr/sbin:/bin:/usr/bin"
D [31/Oct/2007:18:14:19 +0500] [Job 14]
envp[9]="SERVER_ADMIN=root@hostname.us.com"
D [31/Oct/2007:18:14:19 +0500] [Job 14] envp[10]="SOFTWARE=CUPS/1.3.3"
D [31/Oct/2007:18:14:19 +0500] [Job 14]
envp[11]="TMPDIR=/var/spool/cups/tmp"
D [31/Oct/2007:18:14:19 +0500] [Job 14] envp[12]="TZ=US/Eastern"
D [31/Oct/2007:18:14:19 +0500] [Job 14] envp[13]="USER=root"
D [31/Oct/2007:18:14:19 +0500] [Job 14]
envp[14]="CUPS_SERVER=/var/run/cups/cups.sock"
D [31/Oct/2007:18:14:19 +0500] [Job 14]
envp[15]="CUPS_ENCRYPTION=IfRequested"
D [31/Oct/2007:18:14:19 +0500] [Job 14] envp[16]="IPP_PORT=631"
D [31/Oct/2007:18:14:19 +0500] [Job 14] envp[17]="CHARSET=utf-8"
D [31/Oct/2007:18:14:19 +0500] [Job 14] envp[18]="LANG=en_US.UTF8"
D [31/Oct/2007:18:14:19 +0500] [Job 14]
envp[19]="PPD=/etc/cups/ppd/printer_name.ppd"
D [31/Oct/2007:18:14:19 +0500] [Job 14] envp[20]="RIP_MAX_CACHE=8m"
D [31/Oct/2007:18:14:19 +0500] [Job 14] envp[21]="CONTENT_TYPE=text/plain"
D [31/Oct/2007:18:14:19 +0500] [Job 14]
envp[22]="DEVICE_URI=file:/dev/null"
D [31/Oct/2007:18:14:19 +0500] [Job 14] envp[23]="PRINTER=printer_name"
D [31/Oct/2007:18:14:19 +0500] [Job 14] envp[24]="AUTH_U****"
D [31/Oct/2007:18:14:19 +0500] [Job 14] envp[25]="AUTH_P****"
I [31/Oct/2007:18:14:19 +0500] [Job 14] Started filter
/usr/lib/cups/filter/gziptoany (PID 2697)
D [31/Oct/2007:18:14:19 +0500] Discarding unused job-state event...
D [31/Oct/2007:18:14:19 +0500] cupsdProcessIPPRequest: 8 status_code=0
(successful-ok)
D [31/Oct/2007:18:14:19 +0500] cupsdSendHeader: WWW-Authenticate:
Negotiate
YIGWBgkqhkiG9xIBAgICAG+BhjCBg6ADAgEFoQMCAQ+idzB1oAMCARCibgRsyURkOHsB81XJgfoMP3p+cEjka1GByxMUYNZ89Domo4VDGiyL++yeldZIfQcN5+5QRJ3IxehSPhA6WkB3gCuNd7Dr0pHxiBStz1ntZZ25PO9Clg8ZaI8akutoJ8W7TR+m2cxaeYNR6I+oajW4
D [31/Oct/2007:18:14:19 +0500] cupsdCloseClient: 8
D [31/Oct/2007:18:14:19 +0500] Discarding unused job-progress event...
D [31/Oct/2007:18:14:19 +0500] PID 2697 (/usr/lib/cups/filter/gziptoany)
exited with no errors.
D [31/Oct/2007:18:14:19 +0500] [Job 14] File 0 is complete.
I [31/Oct/2007:18:14:19 +0500] [Job 14] Completed successfully.
D [31/Oct/2007:18:14:19 +0500] Discarding unused printer-state-changed
event...
D [31/Oct/2007:18:14:19 +0500] Discarding unused job-completed event...
D [31/Oct/2007:18:14:20 +0500] [Job 14] Unloading...

klist also indicates that krbtgt/A.COM@A.COM and
host/hostname.us.com@A.COM tickets were obtained.

Link: http://www.cups.org/str.php?L2581
Version: 1.3.3
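
The three traces above differ only in what cupsdAuthorize logs for each client connection. As an added example (not part of the original report and not CUPS code), the sketch below rejoins the mail-wrapped lines and reduces each connection to one outcome; the outcome labels and the sample log are constructed for illustration.

```python
import re

# Constructed sample in the error_log format quoted above, wrapped as in the mail.
SAMPLE = """\
D [31/Oct/2007:18:08:52 +0500] cupsdAcceptClient: 8 from localhost
D [31/Oct/2007:18:08:52 +0500] cupsdAuthorize: No authentication data provided.
D [31/Oct/2007:18:08:52 +0500] cupsdCloseClient: 8
D [31/Oct/2007:18:08:52 +0500] cupsdAcceptClient: 8 from localhost
D [31/Oct/2007:18:08:52 +0500] cupsdAuthorize: Error accepting GSSAPI
security context: Invalid token was supplied, Token header is malformed or
corrupt
D [31/Oct/2007:18:08:52 +0500] cupsdCloseClient: 8
D [31/Oct/2007:18:14:19 +0500] cupsdAcceptClient: 8 from localhost
D [31/Oct/2007:18:14:19 +0500] cupsdAuthorize: Authorized as user at A.COM
using Negotiate
D [31/Oct/2007:18:14:19 +0500] cupsdCloseClient: 8
"""

# One entry = "<level> [<timestamp>] <message>" plus any wrapped continuation lines.
ENTRY = re.compile(r"^[A-Z] \[([^\]]+)\] (.*(?:\n(?![A-Z] \[).*)*)", re.M)
OUTCOMES = [  # hypothetical outcome label, pattern matched in a cupsdAuthorize message
    ("no-credentials", re.compile(r"No authentication data provided")),
    ("gssapi-rejected", re.compile(r"Error accepting GSSAPI security context: (.*)")),
    ("authorized", re.compile(r"Authorized as (.+?) using")),
]

def unwrap(text):
    """Rejoin wrapped continuation lines; return (timestamp, message) pairs."""
    return [(ts, " ".join(msg.split())) for ts, msg in ENTRY.findall(text)]

def summarize(text):
    """Return (accept time, outcome, detail) per connection; the last cupsdAuthorize wins."""
    results, cur = [], None
    for ts, msg in unwrap(text):
        if msg.startswith("cupsdAcceptClient:"):
            cur = [ts, "no-request", ""]
        elif cur and msg.startswith("cupsdCloseClient:"):
            results.append(tuple(cur))
            cur = None
        elif cur and msg.startswith("cupsdAuthorize:"):
            for outcome, rx in OUTCOMES:
                m = rx.search(msg)
                if m:
                    detail = m.group(1) if m.lastindex else ""
                    if outcome == "authorized":  # list archives may show "@" as " at "
                        detail = detail.replace(" at ", "@")
                    cur[1:] = [outcome, detail]
    return results
```

Grouping the `gssapi-rejected` rows by the realm of the client's tickets gives the A.COM versus B.COM comparison made in this report.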




