[cups.general] Kerberos authentication - help needed - take 2

Michael R Sweet msweet at apple.com
Mon Aug 11 18:42:32 PDT 2008


Rick Cochran wrote:
> No one has responded to my original request.  It would help even only to know why.

I'm pretty sure *I* did.

> ...
> Is Kerberos authentication in CUPS something which is there, but not well 
> supported or used?

Kerberos authentication is there and works.  However, a *lot* of sites
don't actually use Kerberos correctly, which can cause problems for
client printing - the key is that the clients must have a stable
hostname and be set up with service granting tickets (SGT) so they can
forward the user credentials from the client to the server.

Also, you need to use either Heimdal Kerberos or a new enough version
of MIT Kerberos (1.6.3 or higher) to get credential caching/forwarding
to work.

> Finally, I would like to mention that there appears to be a lack of adequate 
> debugging output for CUPS authentication functionality.  I can't find any useful 
> information as to what happened during the authentication process.  The message 
> "Print-Job: Forbidden" tells me nothing.

Use "cupsctl --debug-logging" or check the "log debug info" box in
the web interface - that will provide additional information about
the authentication process.

-- 
______________________________________________________________________
Michael R Sweet                        Senior Printing System Engineer
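
The two client-side requirements from the reply above (Heimdal or MIT Kerberos 1.6.3 or higher, and credentials that can be forwarded), as an added shell example that is not part of the original message. It assumes the `krb5-config --version` string formats noted in the comments and that a forwardable TGT carries the `F` flag in MIT `klist -f` output; the function names and the sample ticket listing are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# Kerberos version and credential-forwarding requirements named in the reply.

# version_ge A B: succeed when dotted version A >= B, compared numerically
# per component (so 1.10 is newer than 1.6.3, unlike a string comparison).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# krb5_ok STRING: STRING is the output of `krb5-config --version`.
# Assumed formats: "Kerberos 5 release X.Y.Z" (MIT), "heimdal X.Y.Z" (Heimdal).
krb5_ok() {
    case $1 in
        heimdal*|Heimdal*)      return 0 ;;
        "Kerberos 5 release "*) version_ge "${1#Kerberos 5 release }" 1.6.3 ;;
        *)                      return 2 ;;   # unrecognised version string
    esac
}

# tgt_is_forwardable: reads MIT `klist -f` output on stdin and succeeds only
# if the krbtgt entry's Flags field contains F (forwardable; f = forwarded).
tgt_is_forwardable() {
    awk '
        /krbtgt\//         { in_tgt = 1; next }
        in_tgt && /Flags:/ { sub(/.*Flags:[ \t]*/, ""); ok = (index($0, "F") > 0); exit }
        END                { exit (ok ? 0 : 1) }
    '
}

# Constructed sample in MIT `klist -f` layout (not real output).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
08/11/08 09:00:00  08/11/08 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 08/18/08 09:00:00, Flags: FRIA'

printf '%s\n' "$SAMPLE_KLIST" | tgt_is_forwardable && echo "TGT is forwardable"
krb5_ok "Kerberos 5 release 1.6.2" || echo "MIT Kerberos 1.6.2 is too old"
```

On a real client, feed live output instead of the sample: `klist -f | tgt_is_forwardable` and `krb5_ok "$(krb5-config --version)"`.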