[cups.general] Beginner's problem with authentication policy in 1.3.0

Michael R Sweet msweet at apple.com
Mon Sep 17 09:58:42 PDT 2007


John A. Murdie wrote:
> ...
> I've not seen an illustration anywhere of what this looks like to
> the user of one of these untrusted clients - for instance in the
> GUI of a Mac OS X client.

Kerberized printing is not supported on Mac OS X 10.4.x.

> I obtained a MacBook with OS X 10.4.10 (and fully up-to-date with
> software updates) to try this out. I decided to try an initial
> Location directive which Allow-s all the subnets in use, and then
> to have two Limit-s in the default Policy, one for the trusted
> subnet and one for the untrusted subnet:
> 
>   <Limit Send-Document ...>
>     Allow from trusted
>     Order deny,allow
>   </Limit>
> 
>   <Limit Send-Document ...>
>     Allow from untrusted
>     Require user @OWNER @SYSTEM
>     Order deny,allow
>   </Limit>

You really want to use:

     <Limit Send-Document ...>
       Order allow,deny
       Allow from trusted
       Require user @OWNER @SYSTEM
       AuthType Default
       Satisfy any
     </Limit>

The "Satisfy any" part tells CUPS to only require authentication on
the untrusted hosts/networks.

In CUPS 1.2, the "AuthType Default" would need to be "AuthType Basic",
"AuthType Digest", or "AuthType BasicDigest".

And like I said, you can't do Kerberized CUPS printing on Mac OS X
10.4.x - even if you did install CUPS 1.3 on it, there is no GUI
support and the Kerberos is too old to support delegated credentials
properly...

-- 
______________________________________________________________________
Michael R Sweet                        Senior Printing System Engineer




