Still unable to authenticate with Kerberos in CUPS 1.3.5

John A. Murdie john at cs.york.ac.uk
Wed Jan 23 10:35:36 PST 2008


I fear I am still unable to authenticate correctly with Kerberos and a CUPS 1.3.5 server installation on Linux (patches for STR#2606 and STR#2669 applied). I'm using a MacBook as client connected to the server's subnet via WiFi, logged in as user 'jam' but getting a Kerberos ticket in the name john at REALM. We wish desktops to be trusted, but laptop users to be forced to authenticate via Kerberos using their authorized user name and password.

I've modified my MacBook's (MacOS X 10.5.1, CUPS 1.3.3) cupsd.conf file as described in http://discussions.apple.com/thread.jspa?threadID=1203691&tstart=0

The first time I print after having logged in, I'm prompted for a login name and password, and I give 'john' and the corresponding password. I then send a web page for printing from Safari and it prints, but in the user name 'jam' (not 'john'), which just happens to be the name of a different user here. Clearly, it should print in the name of the authenticating user ('john'). (One can print from desktops in one's correct name without a problem.)

The CUPS server's cupsd.conf file looks like (some edits to remove specific names/addresses):

-----------------------------------------------------------------------
ServerName cups...uk

Krb5Keytab /.../ipp-cups.keytab
GSSServiceName ipp

# Log general information in error_log - change to "info" or "debug" for
# troubleshooting...
LogLevel debug

# Administrator user group...
SystemGroup sys root

# Listen
Listen 631

ServerCertificate /.../cups.crt
ServerKey /.../cups.key

# Send browse packets (printer descriptions) to:
BrowseAddress a.b.c.0/24   # desktops
BrowseAddress a.b.d.0/24   # laptops
Browsing On

# Don't accept browse packets from other CUPS servers:
BrowseOrder allow,deny
BrowseAllow from none
BrowseDeny from all

# Default authentication type, when authentication is required...
DefaultAuthType Negotiate

# Restrict access to the server...
<Location />
  Order allow,deny
  Allow from a.b.c.0/24  # desktops
  Allow from a.b.d.0/24  # laptops
  Encryption Required
</Location>

# Restrict access to the admin pages...
<Location /admin>
  Require user @SYSTEM @admins
  Encryption Required
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  Require user @SYSTEM @admins
  Encryption Required
</Location>

<Location /jobs>
#  Require user @staff
  Encryption Required
</Location>

# Set the default printer/job policies...
<Policy default>
  # Job-related operations must be done by the owner or an administrator...

  # Desktops trusted, laptops must authenticate.
  <Limit Create-Job Print-Job Send-Document Send-URI>
    Order allow,deny
    Allow from a.b.c.0/x       # desktops
    Require valid-user         # laptops
    Satisfy any
  </Limit>
  <Limit Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    Order allow,deny
    Require user @OWNER @SYSTEM @admins
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
    Order deny,allow
    Require user @SYSTEM @admins
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM @admins
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>

</Policy>
-----------------------------------------------------------------------

and I see this in the server's error_log:

-----------------------------------------------------------------------
D [23/Jan/2008:18:06:46 +0000] cupsdAcceptClient: 10 from a.b.c.f:631 (IPv4)
D [23/Jan/2008:18:06:46 +0000] cupsdReadClient: 10 POST /printers/cp04 HTTP/1.1
D [23/Jan/2008:18:06:46 +0000] cupsdAuthorize: No authentication data provided.
D [23/Jan/2008:18:06:46 +0000] Get-Printer-Attributes ipp://cups...:631/printers/cp04
D [23/Jan/2008:18:06:46 +0000] cupsdProcessIPPRequest: 10 status_code=0 (successful-ok)
D [23/Jan/2008:18:06:46 +0000] cupsdReadClient: 10 POST /printers/cp04 HTTP/1.1
D [23/Jan/2008:18:06:46 +0000] cupsdAuthorize: No authentication data provided.
D [23/Jan/2008:18:06:47 +0000] Print-Job ipp://cups...:631/printers/cp04
D [23/Jan/2008:18:06:47 +0000] add_job: requesting-user-name="jam"
I [23/Jan/2008:18:06:47 +0000] [Job 93] Adding start banner page "none".
D [23/Jan/2008:18:06:47 +0000] Discarding unused job-created event...
I [23/Jan/2008:18:06:47 +0000] [Job 93] Adding job file of type application/pdf.
I [23/Jan/2008:18:06:47 +0000] [Job 93] Adding end banner page "none".
I [23/Jan/2008:18:06:47 +0000] [Job 93] Queued on "cp04" by "jam".
D [23/Jan/2008:18:06:47 +0000] [Job 93] hold_until = 0
D [23/Jan/2008:18:06:47 +0000] Discarding unused printer-state-changed event...
D [23/Jan/2008:18:06:47 +0000] [Job 93] job-sheets=none,none
D [23/Jan/2008:18:06:47 +0000] [Job 93] banner_page = 0
D [23/Jan/2008:18:06:47 +0000] [Job 93] argv[0]="cp04"
D [23/Jan/2008:18:06:47 +0000] [Job 93] argv[1]="93"
D [23/Jan/2008:18:06:47 +0000] [Job 93] argv[2]="jam"
D [23/Jan/2008:18:06:47 +0000] [Job 93] argv[3]="Slashdot: News for nerds, stuff that matters"
D [23/Jan/2008:18:06:47 +0000] [Job 93] argv[4]="1"
D [23/Jan/2008:18:06:47 +0000] [Job 93] argv[5]="AP_D_ ...
-----------------------------------------------------------------------

The last time I had a similar problem it was because I had omitted a Policy for Create-Job + Print-Job + Send-Document, but not this time.

Is this another bug, or do I still not understand how to write cupsd configuration files?!

John A. Murdie
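As an added example (not part of the post, and not CUPS code), a small Python script that replays an error_log in the format quoted above and flags job submissions cupsd queued with no accepted credentials, or under a requesting-user-name that differs from the authenticated principal. The lines for client 10 mirror the post's excerpt; client 11 and its "Authorized as ... using Negotiate" line are constructed sample data for contrast.

```python
import re

# Constructed sample: client 10 mirrors the post's error_log excerpt; client 11
# and its "Authorized as ... using Negotiate" line are assumed contrast data.
SAMPLE_LOG = """\
D [23/Jan/2008:18:06:46 +0000] cupsdAcceptClient: 10 from a.b.c.f:631 (IPv4)
D [23/Jan/2008:18:06:46 +0000] cupsdReadClient: 10 POST /printers/cp04 HTTP/1.1
D [23/Jan/2008:18:06:46 +0000] cupsdAuthorize: No authentication data provided.
D [23/Jan/2008:18:06:47 +0000] Print-Job ipp://cups...:631/printers/cp04
D [23/Jan/2008:18:06:47 +0000] add_job: requesting-user-name="jam"
D [23/Jan/2008:18:09:02 +0000] cupsdAcceptClient: 11 from a.b.d.9:52101 (IPv4)
D [23/Jan/2008:18:09:02 +0000] cupsdReadClient: 11 POST /printers/cp04 HTTP/1.1
D [23/Jan/2008:18:09:02 +0000] cupsdAuthorize: Authorized as john using Negotiate
D [23/Jan/2008:18:09:02 +0000] Print-Job ipp://cups...:631/printers/cp04
D [23/Jan/2008:18:09:02 +0000] add_job: requesting-user-name="john"
"""

ACCEPT = re.compile(r"cupsdAcceptClient: (\d+) from (\S+):\d+")
READ = re.compile(r"cupsdReadClient: (\d+) POST")
AUTHED = re.compile(r"cupsdAuthorize: Authorized as (\S+)")
JOBOP = re.compile(r"\] (Print-Job|Create-Job|Send-Document) ")
USER = re.compile(r'add_job: requesting-user-name="([^"]*)"')

def find_unauthenticated_jobs(log):
    """Return (client, address, requesting-user-name, authenticated principal) for
    each job submission with no accepted credentials or a mismatched user name.
    cupsd logs a request's debug lines contiguously, so the most recent
    cupsdAuthorize line before a Print-Job is the one that applies to it."""
    addrs, findings = {}, []
    client = auth_user = None
    pending_op = False
    for line in log.splitlines():
        if m := ACCEPT.search(line):
            addrs[m.group(1)] = m.group(2)
        elif m := READ.search(line):
            client, auth_user, pending_op = m.group(1), None, False  # new request
        elif m := AUTHED.search(line):
            auth_user = m.group(1)
        elif JOBOP.search(line):
            pending_op = True
        elif pending_op and (m := USER.search(line)):
            user = m.group(1)
            if auth_user is None or auth_user != user:
                findings.append((client, addrs.get(client, "?"), user, auth_user))
            pending_op = False
    return findings

if __name__ == "__main__":
    for client, addr, user, principal in find_unauthenticated_jobs(SAMPLE_LOG):
        print(f"client {client} from {addr}: queued as {user!r}, authenticated as {principal}")
```

Run against the real error_log with LogLevel debug, a hit whose address falls in a subnet that is granted by Allow with Satisfy any shows a job that the policy admitted without ever consulting Kerberos.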