[cups.general] Kerberos authentication - help needed - take 2 (Rick Cochran)

henri henri at stmargarets.school.nz
Tue Aug 12 21:25:31 PDT 2008


Another possibility is that some work could be done on PrintAgent so  
the web-based login is Kerberized. However, I have no experience  
Kerberizing web services. I also have no idea regarding the  
feasibility of Kerberizing web services.

The following URL has some information regarding the use of Kerberos  
to secure web services at Cornell : http://www.ja-sig.org/wiki/pages/viewinfo.action?pageId=19472

PrintAgent is able to use PAM for authentication. However, I am not
really sure if PrintAgent is a good fit or will do what you want. It
will depend on whether you would like users to be able to check their
print balances etc...

Print Agent details are available from : http://www.lucidsystems.org/printingworks/printagent/

If you have any experience or interest with Kerberizing services then  
let us know if you would like to discuss the possibility of  
collaborating on such a project.

Keep in touch.

>
> Michael R Sweet wrote:
> > Rick Cochran wrote:
> >> No one has responded to my original request.  It would help even only to know why.
> >
> > I'm pretty sure *I* did.
>
> I received no response, and there is none in the list archive.
>
> >> ...
> >> Is Kerberos authentication in CUPS something which is there, but not well
> >> supported or used?
> >
> > Kerberos authentication is there and works.  However, a *lot* of sites
> > don't actually use Kerberos correctly which can cause problems for
> > client printing - the key is that the clients must have a stable
> > hostname and be setup with service granting tickets (SGT) so they can
> > forward the user credentials from the client to the server.
>
> I have a service principal, if that's what you mean.
>
> > Also, you need to use either Heimdal Kerberos or a new enough version
> > of MIT Kerberos (1.6.3 or higher) to get credential caching/forwarding
> > to work.
>
> I have krb5-libs-1.6.1-17.el5_1.1 on my client workstation, and
> krb5-libs-1.3.4-54.el4_6.1 on my server.
>
> >> Finally, I would like to mention that there appears to be a lack of adequate
> >> debugging output for CUPS authentication functionality.  I can't find any useful
> >> information as to what happened during the authentication process.  The message
> >> "Print-Job: Forbidden" tells me nothing.
> >
> > Use "cupsctl --debug-logging" or check the "log debug info" box in
> > the web interface - that will provide additional information about
> > the authentication process.
> >
>
> page4> sudo /usr/local/netprint/cups/sbin/cupsctl --debug-logging
> cupsctl: Unauthorized
>
> So I kinited myself and tried it thusly:
>
> page4> /usr/local/netprint/cups/sbin/cupsctl --debug-logging
> cupsctl: Unauthorized
>
> At which point I get the following in the error_log with LogLevel debug2:
>
> D [12/Aug/2008:09:24:10 -0400] cupsdAuthorize: Authorized as rcc2 at CIT.CORNELL.EDU using Negotiate
> d [12/Aug/2008:09:24:10 -0400] cupsdIsAuthorized: con->uri="/admin/conf/cupsd.conf", con->best=0x93c5e08(/admin/conf)
> d [12/Aug/2008:09:24:10 -0400] cupsdIsAuthorized: level=CUPSD_AUTH_USER, type=Negotiate, satisfy=CUPSD_AUTH_SATISFY_ALL, num_names=1
> d [12/Aug/2008:09:24:10 -0400] cupsdIsAuthorized: auth=CUPSD_AUTH_ALLOW...
> D [12/Aug/2008:09:24:10 -0400] cupsdIsAuthorized: username="rcc2 at CIT.CORNELL.EDU"
> d [12/Aug/2008:09:24:10 -0400] cupsdIsAuthorized: Checking user membership...
> d [12/Aug/2008:09:24:10 -0400] cupsdReadClient: Unauthorized request for /admin/conf/cupsd.conf...
> D [12/Aug/2008:09:24:10 -0400] cupsdSendError: 7 code=401 (Unauthorized)
>
> This is semi-encouraging since it's the first time I have seen any evidence that
> any Kerberos authentication is taking place.
>
> Aha!  After adjusting the authorization requirements in cupsd.conf manually,
> this last command above now works.  And I appear to be getting some useful
> debugging information.
>
> But now all the comments in my cupsd.conf have been removed, and I will have to
> restore them from backup.  Sigh.
>
> Additionally, Kerberos works with the cupsctl command _only_ when it is executed
> on the server.  It does not work when the cupsctl command is executed from the
> client.  Is this because the server is using too old a version of MIT Kerberos?
> If so, then that could explain everything.
>
> Thanks for your help.
> -Rick
>
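
The error_log excerpt quoted above shows a request that authenticated over Negotiate and was then refused at the authorization step. The following is an added example, not part of the original thread or of CUPS itself: a small triage script that separates those two outcomes in a debug-level error_log. It assumes lines are processed in order for a single client, and the function name `classify` and the verdict labels are hypothetical.

```python
import re

# Constructed sample: the error_log excerpt quoted in the message, with wrapped
# lines rejoined. The "user at REALM" form is the list archive's obfuscation.
SAMPLE_LOG = """\
D [12/Aug/2008:09:24:10 -0400] cupsdAuthorize: Authorized as rcc2 at CIT.CORNELL.EDU using Negotiate
d [12/Aug/2008:09:24:10 -0400] cupsdIsAuthorized: con->uri="/admin/conf/cupsd.conf", con->best=0x93c5e08(/admin/conf)
d [12/Aug/2008:09:24:10 -0400] cupsdIsAuthorized: Checking user membership...
d [12/Aug/2008:09:24:10 -0400] cupsdReadClient: Unauthorized request for /admin/conf/cupsd.conf...
D [12/Aug/2008:09:24:10 -0400] cupsdSendError: 7 code=401 (Unauthorized)
"""

LINE = re.compile(r"^\S \[[^\]]+\] (?P<func>\w+): (?P<msg>.*)$")
AUTHN = re.compile(r"^Authorized as (?P<user>.+) using (?P<scheme>\S+)$")
DENIED = "Unauthorized request for "


def classify(log_text):
    """Return one (uri, user, scheme, verdict) tuple per denied request."""
    findings, identity = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or unrelated line
        func, msg = m["func"], m["msg"]
        if func == "cupsdAuthorize" and (a := AUTHN.match(msg)):
            # Authentication succeeded: remember who the server accepted.
            identity = (a["user"], a["scheme"])
        elif func == "cupsdReadClient" and msg.startswith(DENIED):
            uri = msg[len(DENIED):].rstrip(".")
            if identity:
                # Credentials were accepted; the policy for this location
                # (user or group requirement in cupsd.conf) refused them.
                findings.append((uri, *identity, "authenticated-but-denied"))
            else:
                # No accepted identity preceded the refusal.
                findings.append((uri, None, None, "not-authenticated"))
            identity = None
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG):
        print(finding)
```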




