[cups.general] Kerberos authentication - help needed - take 2
Rick Cochran
rcc2 at cornell.edu
Tue Aug 12 11:58:38 PDT 2008
Michael R Sweet wrote:
> Rick Cochran wrote:
>> No one has responded to my original request. It would help even only to know why.
>
> I'm pretty sure *I* did.
I received no response, and there is none in the list archive.
>> ...
>> Is Kerberos authentication in CUPS something which is there, but not well
>> supported or used?
>
> Kerberos authentication is there and works. However, a *lot* of sites
> don't actually use Kerberos correctly which can cause problems for
> client printing - the key is that the clients must have a stable
> hostname and be setup with service granting tickets (SGT) so they can
> forward the user credentials from the client to the server.
I have a service principal, if that's what you mean.
> Also, you need to use either Heimdal Kerberos or a new enough version
> of MIT Kerberos (1.6.3 or higher) to get credential caching/forwarding
> to work.
I have krb5-libs-1.6.1-17.el5_1.1 on my client workstation, and
krb5-libs-1.3.4-54.el4_6.1 on my server.
>> Finally, I would like to mention that there appears to be a lack of adequate
>> debugging output for CUPS authentication functionality. I can't find any useful
>> information as to what happened during the authentication process. The message
>> "Print-Job: Forbidden" tells me nothing.
>
> Use "cupsctl --debug-logging" or check the "log debug info" box in
> the web interface - that will provide additional information about
> the authentication process.
>
page4> sudo /usr/local/netprint/cups/sbin/cupsctl --debug-logging
cupsctl: Unauthorized
So I kinited myself and tried it thusly:
page4> /usr/local/netprint/cups/sbin/cupsctl --debug-logging
cupsctl: Unauthorized
At which point I get the following in the error_log with LogLevel debug2:
D [12/Aug/2008:09:24:10 -0400] cupsdAuthorize: Authorized as
rcc2 at CIT.CORNELL.EDU using Negotiate
d [12/Aug/2008:09:24:10 -0400] cupsdIsAuthorized:
con->uri="/admin/conf/cupsd.conf", con->best=0x93c5e08(/admin/conf)
d [12/Aug/2008:09:24:10 -0400] cupsdIsAuthorized: level=CUPSD_AUTH_USER,
type=Negotiate, satisfy=CUPSD_AUTH_SATISFY_ALL, num_names=1
d [12/Aug/2008:09:24:10 -0400] cupsdIsAuthorized: auth=CUPSD_AUTH_ALLOW...
D [12/Aug/2008:09:24:10 -0400] cupsdIsAuthorized: username="rcc2 at CIT.CORNELL.EDU"
d [12/Aug/2008:09:24:10 -0400] cupsdIsAuthorized: Checking user membership...
d [12/Aug/2008:09:24:10 -0400] cupsdReadClient: Unauthorized request for
/admin/conf/cupsd.conf...
D [12/Aug/2008:09:24:10 -0400] cupsdSendError: 7 code=401 (Unauthorized)
This is semi-encouraging since it's the first time I have seen any evidence that
any Kerberos authentication is taking place.
Aha! After adjusting the authorization requirements in cupsd.conf manually,
this last command above now works. And I appear to be getting some useful
debugging information.
But now all the comments in my cupsd.conf have been removed, and I will have to
restore them from backup. Sigh.
Additionally, Kerberos works with the cupsctl command _only_ when it is executed
on the server. It does not work when the cupsctl command is executed from the
client. Is this because the server is using too old a version of MIT Kerberos?
If so, then that could explain everything.
Thanks for your help.
-Rick
More information about the cups
mailing list