Beginner's problem with authentication policy in 1.3.0

John A. Murdie john at cs.york.ac.uk
Mon Sep 10 10:20:17 PDT 2007


I've just installed CUPS 1.3.0 on Linux as an experimental print server for the first time. We have Kerberos up and working here (but not yet with CUPS) so the Linux box has correct /etc/krb5.conf and /etc/krb5.keytab. We need to have the CUPS server configured so that some clients addressing it - our desktop machines, on a certain subnet - are trusted (i.e. the username passed to the server for a print submission or other operation is not questioned), but so that print requests or other operations submitted from 'untrusted' clients on another subnet would require authentication (either for a session of printing or perhaps even per print operation). With:

DefaultAuthType Negotiate

the authentication should require each user's Kerberos password.

I've not seen an illustration anywhere of what this looks like to the user of one of these untrusted clients - for instance in the GUI of a Mac OS X client.

I obtained a MacBook with OS X 10.4.10 (and fully up-to-date with software updates) to try this out. I decided to try an initial Location directive which Allow-s all the subnets in use, and then to have two Limit-s in the default Policy, one for the trusted subnet and one for the untrusted subnet:

  <Limit Send-Document ...>
    Allow from trusted
    Order deny,allow
  </Limit>

  <Limit Send-Document ...>
    Allow from untrusted
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

Unfortunately, when I try this, at no point is the user on the untrusted MacBook asked for their username and password. The print job is seen on the server with the username of the untrusted user on the MacBook which may well be different from their authorised username on the Departmental network.

I'm just beginning with this - what have I overlooked or misunderstood, please? Is this a problem with Mac OS X's IPP (CUPS) implementation or setup, or likely to be my mistake in cupsd.conf? (I can borrow Linux and Windows untrusted clients to test, I think.)

If the problem is that I have to have two different Policies, how do I associate each policy with the appropriate subnet? (I might imagine Allow directives in the Location part which each have an associated Policy qualifier e.g.

  Allow from untrusted Policy untrusted;
  Allow from trusted Policy trusted;

John A. Murdie
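An added example (not part of the post above, and not CUPS code) that reads a cupsd.conf policy fragment shaped like the one in the message and reports, for each operation named in a <Limit> block, which 'Allow from' sources reach it and whether the block demands credentials (a Require or AuthType line). It also flags operations that appear in more than one <Limit> block, which is the ambiguity the post is asking about. The configuration text, the operation names and the host names 'trusted'/'untrusted' are constructed placeholders; the script only inspects the text and makes no claim about how cupsd itself merges or orders duplicate blocks.

```python
"""Audit a cupsd.conf policy fragment for unauthenticated paths to IPP
operations. Example written for this thread, not part of CUPS; it parses
the text only and does not model cupsd's own evaluation of the policy."""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the poster's fragment. Operation names
# after <Limit and the hosts 'trusted' / 'untrusted' are placeholders.
SAMPLE_CONF = """
<Policy default>
  <Limit Send-Document Print-Job>
    Allow from trusted
    Order deny,allow
  </Limit>

  <Limit Send-Document Print-Job>
    Allow from untrusted
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  <Limit Cancel-Job>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
</Policy>
"""


@dataclass
class Limit:
    ops: list
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)
    order: str = ""
    require: str = ""
    authtype: str = ""

    def authenticated(self) -> bool:
        # A block with neither Require nor AuthType asks for no credentials.
        return bool(self.require or self.authtype)


def parse_limits(text: str) -> list:
    """Return one Limit per <Limit ...> ... </Limit> block, in file order."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = re.match(r"<Limit\s+(.+?)>$", line, re.I)
        if start:
            cur = Limit(ops=start.group(1).split())
            continue
        if line.lower() == "</limit>":
            blocks.append(cur)
            cur = None
            continue
        if cur is None:          # directives outside a <Limit> are ignored here
            continue
        key, _, val = line.partition(" ")
        key, val = key.lower(), val.strip()
        src = re.match(r"from\s+(.+)", val, re.I)   # "Allow from X" -> "X"
        if key == "allow":
            cur.allow.append(src.group(1) if src else val)
        elif key == "deny":
            cur.deny.append(src.group(1) if src else val)
        elif key == "order":
            cur.order = val
        elif key == "require":
            cur.require = val
        elif key == "authtype":
            cur.authtype = val
    return blocks


def blocks_for(blocks: list, op: str) -> list:
    """All <Limit> blocks that name the given operation."""
    return [b for b in blocks if op in b.ops]


def unauthenticated_sources(blocks: list, op: str) -> list:
    """Sources allowed to perform `op` by a block that sets no Require/AuthType."""
    found = set()
    for b in blocks_for(blocks, op):
        if not b.authenticated():
            found.update(b.allow)
    return sorted(found)


def audit(blocks: list) -> list:
    """Human-readable findings: duplicate definitions and credential-free paths."""
    findings = []
    for op in sorted({op for b in blocks for op in b.ops}):
        n = len(blocks_for(blocks, op))
        if n > 1:
            findings.append(f"{op}: named in {n} <Limit> blocks; how cupsd "
                            f"combines them is not decided by this script")
        for src in unauthenticated_sources(blocks, op):
            findings.append(f"{op}: reachable from '{src}' with no Require/AuthType")
    return findings


if __name__ == "__main__":
    for line in audit(parse_limits(SAMPLE_CONF)):
        print(line)
```

Run against the sample it reports that Send-Document and Print-Job are each named in two blocks and that both are reachable from 'trusted' without credentials, while Cancel-Job (Require plus AuthType) has no credential-free path. To check a real server, replace SAMPLE_CONF with the contents of the cupsd.conf Policy section.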
