[cups.general] Beginner's problem with authentication policy in 1.3.0
Michael R Sweet
msweet at apple.com
Mon Sep 17 09:58:42 PDT 2007
John A. Murdie wrote:
> ...
> I've not seen an illustration anywhere of how this looks like to
> the user of one of these untrusted clients - for instance in the
> GUI of a Mac OS X client.
Kerberized printing is not supported on Mac OS X 10.4.x.
> I obtained a MacBook with OS X 10.4.10 (and fully up-to-date with
> software updates) to try this out. I decided to try an initial
> Location directive which Allow-s all the subnets in use, and the
> to have two Limit-s in the default Policy, one for the trusted
> subnet and one for the untrusted subnet:
>
> <Limit Send-Document ...>
> Allow from trusted
> Order deny,allow
> </Limit>
>
> <Limit Send-Document ...>
> Allow from untrusted
> Require user @OWNER @SYSTEM
> Order deny,allow
> </Limit>
You really want to use:
<Limit Send-Document ...>
Order allow,deny
Allow from trusted
Require user @OWNER @SYSTEM
AuthType Default
Satisfy any
</Limit>
The "Satisfy any" part tells CUPS to only require authentication on
the untrusted hosts/networks.
In CUPS 1.2, the "AuthType Default" would need to be "AuthType Basic",
"AuthType Digest", or "AuthType BasicDigest".
And like I said, you can't do Kerberized CUPS printing on Mac OS X
10.4.x - even if you did install CUPS 1.3 on it, there is no GUI
support and the Kerberos is too old to support delegated credentials
properly...
--
______________________________________________________________________
Michael R Sweet Senior Printing System Engineer
More information about the cups
mailing list