kerberos: is there any useful documentation out there?

Norberto Bensa nbensa at gmail.com
Sun Sep 21 21:55:14 PDT 2008


Hello everyone,

I'm trying to get cups with kerberos auth working on Linux but I'm stuck.

* I've added the principal HTTP/hostname.domain.tld
* I've added the principal (service?) ipp/hostname.domain.tld (-randkey)
* I've run "ktadd -k /etc/cups/cupsd.keytab ipp/hostname.domain.tld"
* I've told cupsd where the keytab is
* I've added user ipp (necessary?)
* ipp and my-username are both members of the lpadmin group.
* I've configured Firefox to use kerberos negotiation
* I've tried Konqueror too.
* cupsd version is 1.3.8

# cat /etc/cups/cupsd.conf:

LogLevel debug

SystemGroup lpadmin

Port 631
Listen /var/run/cups/cups.sock

Browsing On
BrowseOrder deny,allow
BrowseAddress @LOCAL
DefaultAuthType Negotiate
Krb5Keytab /etc/cups/cupsd.keytab

<Location />
  Allow all
  # Allow shared printing and remote administration...
  Order allow,deny
  Allow all
</Location>

<Location /admin>
  Encryption Required
  Allow all
  # Allow remote administration...
  Order allow,deny
  Allow all
</Location>

<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Allow all
  # Allow remote access to the configuration files...
  Order allow,deny
  Allow all
</Location>

<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>


Snip of /var/log/cups/error_log while trying to modify printer options:


D [22/Sep/2008:01:45:50 -0300] get_gss_creds: Attempting to acquire credentials for ipp at hostname.domain.tld...
D [22/Sep/2008:01:45:50 -0300] get_gss_creds: Credentials acquired successfully for ipp at hostname.domain.tld.
D [22/Sep/2008:01:45:50 -0300] cupsdAuthorize: Error accepting GSSAPI security context: Unspecified GSS failure.  Minor code may provide more information, No error

Heh... Error is: No error. Great!


D [22/Sep/2008:01:45:50 -0300] [CGI] /usr/libexec/cups/cgi-bin/admin.cgi started - PID = 3941
I [22/Sep/2008:01:45:50 -0300] Started "/usr/libexec/cups/cgi-bin/admin.cgi" (pid=3941)
D [22/Sep/2008:01:45:50 -0300] cupsdSendCommand: 22 file=20
D [22/Sep/2008:01:45:50 -0300] [CGI] admin.cgi started...
D [22/Sep/2008:01:45:50 -0300] cupsdAcceptClient: 14 from localhost (Domain)
D [22/Sep/2008:01:45:50 -0300] [CGI] http=0x10bc690
D [22/Sep/2008:01:45:50 -0300] [CGI] op="set-printer-options"...
D [22/Sep/2008:01:45:50 -0300] [CGI] do_set_options(http=0x10bc690, is_class=0)
D [22/Sep/2008:01:45:50 -0300] [CGI] printer="EPSON_Stylus_CX5900_USB_1", uri="ipp://localhost/printers/EPSON_Stylus_CX5900_USB_1"...
D [22/Sep/2008:01:45:50 -0300] cupsdReadClient: 14 POST / HTTP/1.1
D [22/Sep/2008:01:45:50 -0300] cupsdAuthorize: No authentication data provided.
D [22/Sep/2008:01:45:50 -0300] Get-Printer-Attributes ipp://localhost/printers/EPSON_Stylus_CX5900_USB_1
D [22/Sep/2008:01:45:50 -0300] cupsdProcessIPPRequest: 14 status_code=0 (successful-ok)
D [22/Sep/2008:01:45:50 -0300] cupsdReadClient: 14 GET /printers/EPSON_Stylus_CX5900_USB_1.ppd HTTP/1.1
D [22/Sep/2008:01:45:50 -0300] cupsdAuthorize: No authentication data provided.
D [22/Sep/2008:01:45:50 -0300] [CGI] Got PPD file: "/var/spool/cups/tmp/48d722fe99b1e"
D [22/Sep/2008:01:45:50 -0300] [CGI] Setting options...
D [22/Sep/2008:01:45:50 -0300] cupsdReadClient: 14 POST /admin/ HTTP/1.1
D [22/Sep/2008:01:45:50 -0300] cupsdAuthorize: No authentication data provided.
D [22/Sep/2008:01:45:50 -0300] CUPS-Add-Modify-Printer ipp://localhost/printers/EPSON_Stylus_CX5900_USB_1
D [22/Sep/2008:01:45:50 -0300] cupsdIsAuthorized: username=""

username="". Shouldn't it be username="my-username" ?


E [22/Sep/2008:01:45:50 -0300] CUPS-Add-Modify-Printer: Unauthorized
D [22/Sep/2008:01:45:50 -0300] cupsdSendError: 14 code=401 (Unauthorized)
D [22/Sep/2008:01:45:50 -0300] cupsdSendHeader: WWW-Authenticate: Negotiate
D [22/Sep/2008:01:45:50 -0300] cupsdSendError: 22 code=401 (Unauthorized)
D [22/Sep/2008:01:45:50 -0300] cupsdSendHeader: WWW-Authenticate: Negotiate
D [22/Sep/2008:01:45:50 -0300] cupsdCloseClient: 22
D [22/Sep/2008:01:45:50 -0300] SSL shutdown successful!
D [22/Sep/2008:01:45:50 -0300] cupsdCloseClient: 22
D [22/Sep/2008:01:45:50 -0300] cupsdCloseClient: 14
D [22/Sep/2008:01:45:50 -0300] PID 3941 (/usr/libexec/cups/cgi-bin/admin.cgi) exited with no errors.


Did anyone get it working?

Thanks in advance,
Norberto
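
A small triage script for the error_log excerpt above, added here as an illustration; it is not part of the original post or of CUPS. It separates a Negotiate token that was sent but rejected from requests that carried no credentials at all, and flags the resulting username="" denial. The event names and the triage() function are hypothetical; the sample lines are copied from the post's log.

```python
import re
from collections import Counter

# Lines copied from the error_log excerpt in the post above.
SAMPLE_LOG = '''\
D [22/Sep/2008:01:45:50 -0300] get_gss_creds: Credentials acquired successfully for ipp at hostname.domain.tld.
D [22/Sep/2008:01:45:50 -0300] cupsdAuthorize: Error accepting GSSAPI security context: Unspecified GSS failure.  Minor code may provide more information, No error
D [22/Sep/2008:01:45:50 -0300] cupsdAuthorize: No authentication data provided.
D [22/Sep/2008:01:45:50 -0300] cupsdIsAuthorized: username=""
E [22/Sep/2008:01:45:50 -0300] CUPS-Add-Modify-Printer: Unauthorized
D [22/Sep/2008:01:45:50 -0300] cupsdSendError: 14 code=401 (Unauthorized)
D [22/Sep/2008:01:45:50 -0300] cupsdSendHeader: WWW-Authenticate: Negotiate
'''

# "<level> [<timestamp>] <message>" as seen in the excerpt.
LINE = re.compile(r'^([A-Za-z]) \[([^\]]+)\] (.*)$')

# Hypothetical event names -> pattern on the message part of a log line.
EVENTS = {
    "service_creds": re.compile(r'get_gss_creds: Credentials acquired successfully for (.+?)\.$'),
    "gss_accept_failed": re.compile(r'cupsdAuthorize: Error accepting GSSAPI security context: (.*)$'),
    "no_auth_data": re.compile(r'cupsdAuthorize: No authentication data provided'),
    "empty_user": re.compile(r'cupsdIsAuthorized: username=""$'),
    "denied": re.compile(r'cupsdSendError: \d+ code=401'),
    "challenge": re.compile(r'cupsdSendHeader: WWW-Authenticate: (\S+)'),
}

def triage(log_text):
    """Count auth-related events and name the failure modes they indicate."""
    counts, details = Counter(), {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines or commentary interleaved with the log
        for name, pat in EVENTS.items():
            hit = pat.search(m.group(3))
            if hit:
                counts[name] += 1
                if hit.groups():
                    details.setdefault(name, hit.group(1))  # keep first capture
    findings = []
    if counts["gss_accept_failed"]:
        findings.append("token_rejected")  # a token arrived but was not accepted
    if counts["no_auth_data"] and counts["denied"]:
        findings.append("request_without_credentials")
    if counts["empty_user"] and counts["denied"]:
        findings.append("denied_as_anonymous")
    return {"counts": dict(counts), "details": details, "findings": findings}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```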




