[cups.general] CUPS, Kerberos, and ServerName

Michael Sweet mike at easysw.com
Thu Oct 9 15:17:12 PDT 2008


Rick Cochran wrote:
> I finally got Kerberos authenticated printing to work.  The part I was 
> missing was that unless one wants to issue service principals for every 
> client workstation, the client command has to send the print job 
> directly to the remote server, bypassing the local spooler.  This can be 
> accomplished by using, for example, "-H remote-server-name" in the lpr 
> command.  It can also be accomplished by including "ServerName 
> remote-server-name" in the "client.conf" file on the client 
> workstation.  This raises some additional questions.
> 
> 1. The "ServerName" directive can be used in either cupsd.conf or 
> client.conf. One of my mistakes was using it in the cupsd.conf.  
> Apparently this directive has different functionality depending on which 
> of the conf files it is in.  What function does it have when used in the 
> cupsd.conf file?

It changes the default hostname that is advertised by the local
scheduler (cupsd) process.  These days the value is mostly ignored
since we usually advertise using the interface address/hostname
instead.

> 2. Is there some way to send print jobs for some printers to the local 
> spooler, and send print jobs for other printers directly to a remote 
> spooler?  I certainly hope so.  Otherwise it would be impossible to have 
> a directly attached printer which did not require Kerberos 
> authentication and a remote printer which did.

There is currently no way to do this, and for good reason.  Local
spooling ensures that:

a) you can print at any time, not just when the server is up or
    accessible (think of spooling a job from a remote location and
    having the job start printing when you get to work)

b) you can't lose a job because the server dies before it prints
    your job

c) you can participate in load-balanced printing services

That said, we are investigating optional behavior that can be turned
on locally or on the server to force all jobs for a particular
printer to be printed "direct" to the server rather than spooling
locally.  This mode will have serious shortcomings and will likely
require changes to the various desktop environments to support it,
but it *will* allow you to use things like Kerberos on otherwise
unmanaged networks.

You can also run per-user copies of cupsd that automatically
inherit the user's Kerberos credentials so you can print both
locally and remotely without needing the local service principal.
You'll likely run into permission issues for USB/parallel/serial
printers, and there is the potential for greater information
disclosure since the print filters will have access to all of the
user's files, but it would give you the functionality you are looking
for today...

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com



