[cups.general] Kerberos authentication - help needed - take 2

Rick Cochran rcc2 at cornell.edu
Mon Aug 11 12:33:07 PDT 2008


No one has responded to my original request.  It would help even only to know why.

Is it a stupid question for which I should already know the answer if only I 
read enough documentation?

Is Kerberos authentication in CUPS something which is there, but not well 
supported or used?

Is authentication of job submission not within the scope of CUPS Kerberos support?

Is it my under-arm deodorant?

Finally, I would like to mention that there appears to be a lack of adequate 
debugging output for CUPS authentication functionality.  I can't find any useful 
information as to what happened during the authentication process.  The message 
"Print-Job: Forbidden" tells me nothing.

Not upset, just desperate.
-Rick

-------- Original Message --------
Subject: Kerberos authentication - help needed
Date: Tue, 05 Aug 2008 17:29:28 -0400
From: Rick Cochran <rcc2 at cornell.edu>
To: cups at easysw.com

I think I have exhausted my resources (documentation, mailing lists, Google,
etc.) sufficiently to justify asking for help.

I am trying to use Kerberos authentication to get from a CUPS 1.3.8 client host
to a CUPS 1.3.7 server.  I want to be able to use Kerberos authentication to
determine the identity of the person submitting the print job.

Consider the following cupsd.conf stanza:

   <Limit Print-Job>
     AuthType Default
     Order allow,deny
     Require valid-user
   </Limit>

If I comment this stanza out, I can print, but the user who is printing is (I
think) determined by my login ID on the client host.  Certainly, my ability to
print is not inhibited by the lack of Kerberos credentials.

If I remove the comments, I get the following log entries (LogLevel debug2):

D [05/Aug/2008:17:04:40 -0400] Print-Job ipp://page4.cit.cornell.edu:631/printers/ansel
d [05/Aug/2008:17:04:40 -0400] print_job(0x93f43a0[7], ipp://page4.cit.cornell.edu:631/printers/ansel)
d [05/Aug/2008:17:04:40 -0400] add_job(0x93f43a0[7], 0x93d5730(ansel), 0x93c7078(application/postscript))
d [05/Aug/2008:17:04:40 -0400] cupsdFindPolicyOp(p=0x93c5b28, op=2(Print-Job))
d [05/Aug/2008:17:04:40 -0400] cupsdFindPolicyOp: Found exact match...
d [05/Aug/2008:17:04:40 -0400] cupsdIsAuthorized: con->uri="/printers/ansel", con->best=0x93db020((null))
d [05/Aug/2008:17:04:40 -0400] cupsdIsAuthorized: level=CUPSD_AUTH_USER, type=Negotiate, satisfy=CUPSD_AUTH_SATISFY_ALL, num_names=0
d [05/Aug/2008:17:04:40 -0400] cupsdIsAuthorized: op=2(Print-Job)
d [05/Aug/2008:17:04:40 -0400] cupsdIsAuthorized: auth=CUPSD_AUTH_DENY...
E [05/Aug/2008:17:04:40 -0400] Print-Job: Forbidden
d [05/Aug/2008:17:04:40 -0400] cupsdFindBest: uri = "/printers/ansel"...
d [05/Aug/2008:17:04:40 -0400] cupsdFindBest: Location CUPS_INTERNAL_BROWSE_ACL Limit 0
d [05/Aug/2008:17:04:40 -0400] cupsdFindBest: Location /admin/conf Limit 7f
d [05/Aug/2008:17:04:40 -0400] cupsdFindBest: Location /admin Limit 7f
d [05/Aug/2008:17:04:40 -0400] cupsdFindBest: Location / Limit 7f
d [05/Aug/2008:17:04:40 -0400] cupsdFindBest: best = /
d [05/Aug/2008:17:04:40 -0400] cupsdFindPolicyOp(p=0x93c5b28, op=2(Print-Job))
d [05/Aug/2008:17:04:40 -0400] cupsdFindPolicyOp: Found exact match...
D [05/Aug/2008:17:04:40 -0400] cupsdSendError: 7 code=403 (Forbidden)

Not very friendly.

Where am I going wrong?

-Rick
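
Added example (not part of the original post and not CUPS project code): a small Python script that groups the cupsdIsAuthorized debug2 lines from the log above into one record per authorization check and attaches the status later reported by cupsdSendError, so the policy fields and the outcome can be read side by side. The sample lines are copied from the post's log and unwrapped; the function names and the 403/401 labels in classify() are assumptions made for this illustration.

```python
import re

# Constructed sample: authorization-related lines from the post's log, unwrapped.
SAMPLE_LOG = '''\
d [05/Aug/2008:17:04:40 -0400] cupsdIsAuthorized: con->uri="/printers/ansel", con->best=0x93db020((null))
d [05/Aug/2008:17:04:40 -0400] cupsdIsAuthorized: level=CUPSD_AUTH_USER, type=Negotiate, satisfy=CUPSD_AUTH_SATISFY_ALL, num_names=0
d [05/Aug/2008:17:04:40 -0400] cupsdIsAuthorized: op=2(Print-Job)
d [05/Aug/2008:17:04:40 -0400] cupsdIsAuthorized: auth=CUPSD_AUTH_DENY...
E [05/Aug/2008:17:04:40 -0400] Print-Job: Forbidden
d [05/Aug/2008:17:04:40 -0400] cupsdFindBest: uri = "/printers/ansel"...
D [05/Aug/2008:17:04:40 -0400] cupsdSendError: 7 code=403 (Forbidden)
'''

LINE = re.compile(r'^[A-Za-z] \[([^\]]+)\] (.*)$')   # level letter, timestamp, message
FIELD = re.compile(r'\b(level|type|satisfy|num_names|auth)=(\w+)')
URI = re.compile(r'con->uri="([^"]*)"')
OP = re.compile(r'op=\d+\(([^)]+)\)')
SENT = re.compile(r'cupsdSendError: \d+ code=(\d+)')
PREFIX = 'cupsdIsAuthorized: '

def summarize(log_text):
    """Return one dict per authorization check, with the HTTP status that followed."""
    records, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # wrapped fragment or foreign line
        when, msg = m.groups()
        uri = URI.search(msg) if msg.startswith(PREFIX) else None
        if uri:                           # first line of a new check
            cur = {'time': when, 'uri': uri.group(1), 'status': None}
            records.append(cur)
        elif cur is not None and msg.startswith(PREFIX):
            cur.update(FIELD.findall(msg))   # key=value pairs logged for this check
            op = OP.search(msg)
            if op:
                cur['op'] = op.group(1)
        elif cur is not None and SENT.search(msg):
            cur['status'] = int(SENT.search(msg).group(1))
            cur = None                    # check finished
    return records

def classify(rec):
    """Assumed reading: 403 = refused by policy, 401 = credentials requested."""
    if rec.get('status') == 403 and rec.get('auth') == 'CUPSD_AUTH_DENY':
        return 'refused-by-policy'
    if rec.get('status') == 401:
        return 'credentials-requested'
    return 'other'

if __name__ == '__main__':
    for r in summarize(SAMPLE_LOG):
        print(classify(r), r)
```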
