[cups.development] Kerberos multiple personalities

Andy Polyakov appro at fy.chalmers.se
Thu Nov 6 10:20:22 PST 2008


>> Next I create an HTTP/server principal [and naturally merge the
>> corresponding keys into cupsd's keytab]. An attempt to connect results
>> in an endless loop in Firefox, i.e. it attempts to connect and
>> reconnects, and reconnects, etc. Nothing is logged in error_log unless
>> I increase LogLevel to debug, in which case I can see the following
>> debug messages:
>>
>> cupsdAcceptClient: 11 from xx.xx.xx.xx:631 (IPv4)
>> cupsdReadClient: 11 GET /admin HTTP/1.1
>> get_gss_creds: Attempting to acquire credentials for ipp at server...
>> get_gss_creds: Credentials acquired successfully for ipp at server.
>> cupsdAuthorize: Error accepting GSSAPI security context: Unspecified GSS 
>> failure.  Minor code may provide more information, Unknown code krb5 144
> 
> Sounds like a mismatch in Kerberos versions on that system or a
> bad install.  It could also be a bug in the version of Kerberos you
> have installed...

Could be...

>> ...
>> KDC is Heimdal, while cupsd and clients are linked with [various 
>> versions of] MIT libraries.
> 
> You need recent releases of MIT Kerberos for things to work at all.
> Older MIT Kerberos releases have too many bugs to work with CUPS...

Well, I managed to get it working anyway. As mentioned, we have a large
and diverse environment and it's utterly impractical to chase individual
clients and get rid of "bad" Kerberos versions. Essentially we would end
up complaining to multiple Linux "vendors" or maintaining our own packages.
It makes more sense (to us) to adapt the server. Cheers. A.




