[cups.general] kerberos: is there any useful documentation out there?

Rick Cochran rcc2 at cornell.edu
Mon Sep 22 06:51:34 PDT 2008


Norberto,

I am also trying to get this working, and have not yet succeeded.

I suggest you check recent postings in the list archives.  You will find helpful 
information on this subject.

   http://www.cups.org/newsgroups.php?s70+gcups.general+T0+Qkerberos

Specifically, you may need a newer version of Kerberos.

-Rick

Norberto Bensa wrote:
> Hello everyone,
> 
> I'm trying to get cups with kerberos auth working on Linux but I'm stuck.
> 
> * I've added the principal HTTP/hostname.domain.tld
> * I've added the principal (service?) ipp/hostname.domain.tld (-randkey)
> * I've run "ktadd -k /etc/cups/cupsd.keytab ipp/hostname.domain.tld"
> * I've told cupsd where the keytab is
> * I've added user ipp (necessary?)
> * I've ipp and my-username are both members of lpadmin group.
> * I've configured Firefox to use kerberos negotiation
> * I've tried Konqueror too.
> * cupsd version is 1.3.8
> 
> # cat /etc/cups/cupsd.conf:
> 
> LogLevel debug
> 
> SystemGroup lpadmin
> 
> Port 631
> Listen /var/run/cups/cups.sock
> 
> Browsing On
> BrowseOrder deny,allow
> BrowseAddress @LOCAL
> DefaultAuthType Negotiate
> Krb5Keytab /etc/cups/cupsd.keytab
> 
> <Location />
>   Allow all
>   # Allow shared printing and remote administration...
>   Order allow,deny
>   Allow all
> </Location>
> 
> <Location /admin>
>   Encryption Required
>   Allow all
>   # Allow remote administration...
>   Order allow,deny
>   Allow all
> </Location>
> 
> <Location /admin/conf>
>   AuthType Default
>   Require user @SYSTEM
>   Allow all
>   # Allow remote access to the configuration files...
>   Order allow,deny
>   Allow all
> </Location>
> 
> <Policy default>
>   <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
>     Require user @OWNER @SYSTEM
>     Order deny,allow
>   </Limit>
> 
>   <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
>     AuthType Default
>     Require user @SYSTEM
>     Order deny,allow
>   </Limit>
> 
>   <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
>     AuthType Default
>     Require user @SYSTEM
>     Order deny,allow
>   </Limit>
> 
>   <Limit Cancel-Job CUPS-Authenticate-Job>
>     Require user @OWNER @SYSTEM
>     Order deny,allow
>   </Limit>
> 
>   <Limit All>
>     Order deny,allow
>   </Limit>
> </Policy>
> 
> 
> Snip of /var/log/cups/error_log while trying to modify printer options:
> 
> 
> D [22/Sep/2008:01:45:50 -0300] get_gss_creds: Attempting to acquire credentials for ipp at hostname.domain.tld...
> D [22/Sep/2008:01:45:50 -0300] get_gss_creds: Credentials acquired successfully for ipp at hostname.domain.tld.
> D [22/Sep/2008:01:45:50 -0300] cupsdAuthorize: Error accepting GSSAPI security context: Unspecified GSS failure.  Minor code may provide more information, No error
> 
> Heh... Error is: No error. Great!
> 
> 
> D [22/Sep/2008:01:45:50 -0300] [CGI] /usr/libexec/cups/cgi-bin/admin.cgi started - PID = 3941
> I [22/Sep/2008:01:45:50 -0300] Started "/usr/libexec/cups/cgi-bin/admin.cgi" (pid=3941)
> D [22/Sep/2008:01:45:50 -0300] cupsdSendCommand: 22 file=20
> D [22/Sep/2008:01:45:50 -0300] [CGI] admin.cgi started...
> D [22/Sep/2008:01:45:50 -0300] cupsdAcceptClient: 14 from localhost (Domain)
> D [22/Sep/2008:01:45:50 -0300] [CGI] http=0x10bc690
> D [22/Sep/2008:01:45:50 -0300] [CGI] op="set-printer-options"...
> D [22/Sep/2008:01:45:50 -0300] [CGI] do_set_options(http=0x10bc690, is_class=0)
> D [22/Sep/2008:01:45:50 -0300] [CGI] printer="EPSON_Stylus_CX5900_USB_1", uri="ipp://localhost/printers/EPSON_Stylus_CX5900_USB_1"...
> D [22/Sep/2008:01:45:50 -0300] cupsdReadClient: 14 POST / HTTP/1.1
> D [22/Sep/2008:01:45:50 -0300] cupsdAuthorize: No authentication data provided.
> D [22/Sep/2008:01:45:50 -0300] Get-Printer-Attributes ipp://localhost/printers/EPSON_Stylus_CX5900_USB_1
> D [22/Sep/2008:01:45:50 -0300] cupsdProcessIPPRequest: 14 status_code=0 (successful-ok)
> D [22/Sep/2008:01:45:50 -0300] cupsdReadClient: 14 GET /printers/EPSON_Stylus_CX5900_USB_1.ppd HTTP/1.1
> D [22/Sep/2008:01:45:50 -0300] cupsdAuthorize: No authentication data provided.
> D [22/Sep/2008:01:45:50 -0300] [CGI] Got PPD file: "/var/spool/cups/tmp/48d722fe99b1e"
> D [22/Sep/2008:01:45:50 -0300] [CGI] Setting options...
> D [22/Sep/2008:01:45:50 -0300] cupsdReadClient: 14 POST /admin/ HTTP/1.1
> D [22/Sep/2008:01:45:50 -0300] cupsdAuthorize: No authentication data provided.
> D [22/Sep/2008:01:45:50 -0300] CUPS-Add-Modify-Printer ipp://localhost/printers/EPSON_Stylus_CX5900_USB_1
> D [22/Sep/2008:01:45:50 -0300] cupsdIsAuthorized: username=""
> 
> username="". Shouldn't it be username="my-username" ?
> 
> 
> E [22/Sep/2008:01:45:50 -0300] CUPS-Add-Modify-Printer: Unauthorized
> D [22/Sep/2008:01:45:50 -0300] cupsdSendError: 14 code=401 (Unauthorized)
> D [22/Sep/2008:01:45:50 -0300] cupsdSendHeader: WWW-Authenticate: Negotiate
> D [22/Sep/2008:01:45:50 -0300] cupsdSendError: 22 code=401 (Unauthorized)
> D [22/Sep/2008:01:45:50 -0300] cupsdSendHeader: WWW-Authenticate: Negotiate
> D [22/Sep/2008:01:45:50 -0300] cupsdCloseClient: 22
> D [22/Sep/2008:01:45:50 -0300] SSL shutdown successful!
> D [22/Sep/2008:01:45:50 -0300] cupsdCloseClient: 22
> D [22/Sep/2008:01:45:50 -0300] cupsdCloseClient: 14
> D [22/Sep/2008:01:45:50 -0300] PID 3941 (/usr/libexec/cups/cgi-bin/admin.cgi) exited with no errors.
> 
> 
> Did anyone got it working?
> 
> Thanks in advance,
> Norberto
> 
> _______________________________________________
> cups mailing list
> cups at easysw.com
> http://lists.easysw.com/mailman/listinfo/cups





More information about the cups mailing list