[cups.general] Kerberos authentication - help needed - take 2
Rick Cochran
rcc2 at cornell.edu
Mon Aug 11 12:33:07 PDT 2008
No one has responded to my original request. It would help even only to know why.
Is it a stupid question for which I should already know the answer if only I
read enough documentation?
Is Kerberos authentication in CUPS something which is there, but not well
supported or used?
Is authentication of job submission not within the scope of CUPS Kerberos support?
Is it my under-arm deodorant?
Finally, I would like to mention that there appears to be a lack of adequate
debugging output for CUPS authentication functionality. I can't find any useful
information as to what happened during the authentication process. The message
"Print-Job: Forbidden" tells me nothing.
Not upset, just desperate.
-Rick
-------- Original Message --------
Subject: Kerberos authentication - help needed
Date: Tue, 05 Aug 2008 17:29:28 -0400
From: Rick Cochran <rcc2 at cornell.edu>
To: cups at easysw.com
I think I have exhausted my resources (documentation, mailing lists, Google,
etc.) sufficiently to justify asking for help.
I am trying to use Kerberos authentication to get from a CUPS 1.3.8 client host
to a CUPS 1.3.7 server. I want to be able to use Kerberos authentication to
determine the identity of the person submitting the print job.
Consider the following cupsd.conf stanza:
<Limit Print-Job>
AuthType Default
Order allow,deny
Require valid-user
</Limit>
If I comment this stanza out, I can print, but the user who is printing is (I
think) determined by my login ID on the client host. Certainly, my ability to
print is not inhibited by the lack of Kerberos credentials.
If I remove the comments, I get the following log entries (LogLevel debug2):
D [05/Aug/2008:17:04:40 -0400] Print-Job
ipp://page4.cit.cornell.edu:631/printers/ansel
d [05/Aug/2008:17:04:40 -0400] print_job(0x93f43a0[7],
ipp://page4.cit.cornell.edu:631/printers/ansel)
d [05/Aug/2008:17:04:40 -0400] add_job(0x93f43a0[7], 0x93d5730(ansel),
0x93c7078(application/postscript))
d [05/Aug/2008:17:04:40 -0400] cupsdFindPolicyOp(p=0x93c5b28, op=2(Print-Job))
d [05/Aug/2008:17:04:40 -0400] cupsdFindPolicyOp: Found exact match...
d [05/Aug/2008:17:04:40 -0400] cupsdIsAuthorized: con->uri="/printers/ansel",
con->best=0x93db020((null))
d [05/Aug/2008:17:04:40 -0400] cupsdIsAuthorized: level=CUPSD_AUTH_USER,
type=Negotiate, satisfy=CUPSD_AUTH_SATISFY_ALL, num_names=0
d [05/Aug/2008:17:04:40 -0400] cupsdIsAuthorized: op=2(Print-Job)
d [05/Aug/2008:17:04:40 -0400] cupsdIsAuthorized: auth=CUPSD_AUTH_DENY...
E [05/Aug/2008:17:04:40 -0400] Print-Job: Forbidden
d [05/Aug/2008:17:04:40 -0400] cupsdFindBest: uri = "/printers/ansel"...
d [05/Aug/2008:17:04:40 -0400] cupsdFindBest: Location CUPS_INTERNAL_BROWSE_ACL
Limit 0
d [05/Aug/2008:17:04:40 -0400] cupsdFindBest: Location /admin/conf Limit 7f
d [05/Aug/2008:17:04:40 -0400] cupsdFindBest: Location /admin Limit 7f
d [05/Aug/2008:17:04:40 -0400] cupsdFindBest: Location / Limit 7f
d [05/Aug/2008:17:04:40 -0400] cupsdFindBest: best = /
d [05/Aug/2008:17:04:40 -0400] cupsdFindPolicyOp(p=0x93c5b28, op=2(Print-Job))
d [05/Aug/2008:17:04:40 -0400] cupsdFindPolicyOp: Found exact match...
D [05/Aug/2008:17:04:40 -0400] cupsdSendError: 7 code=403 (Forbidden)
Not very friendly.
Where am I going wrong?
-Rick
More information about the cups
mailing list