Printing to smb with kerberos authentication

Martin hol at hsuhh.de
Wed Jan 14 23:18:50 PST 2009


> Martin wrote:
> > Hi all,
> >
> > I'm trying to print to a printer connected to a Windows server in our AD from a linux machine. I managed to get kerberos working and can access the server with the samba client utilities. I can even do (as user me)
> >
> > DEVICE_URI=smb://server.domain.name/PRINTER /usr/lib/cups/backend/smb 1234 me test 1 none something.txt
> >
> > to print without being asked for a password. However, when I print via the local cups, I get
> >
> > E [14/Jan/2009:08:51:06 +0100] [Job 496] Session setup failed: NT_STATUS_LOGON_FAILURE
> > D [14/Jan/2009:08:51:06 +0100] Discarding unused printer-state-changed event...
> > D [14/Jan/2009:08:51:06 +0100] [Job 496] get_exit_code(cli=0x270f570, nt_status=c000006d)
> > I [14/Jan/2009:08:51:06 +0100] Saving printers.conf...
> > E [14/Jan/2009:08:51:06 +0100] [Job 496] Session setup failed: NT_STATUS_NO_SUCH_FILE
> > D [14/Jan/2009:08:51:06 +0100] Discarding unused printer-state-changed event...
> > D [14/Jan/2009:08:51:06 +0100] [Job 496] get_exit_code(cli=0x270f570, nt_status=c000000f)
> > E [14/Jan/2009:08:51:06 +0100] [Job 496] Session setup failed: NT_STATUS_LOGON_FAILURE
> > D [14/Jan/2009:08:51:06 +0100] Discarding unused printer-state-changed event...
> > D [14/Jan/2009:08:51:06 +0100] [Job 496] get_exit_code(cli=0x27100c0, nt_status=c000006d)
> > I [14/Jan/2009:08:51:06 +0100] Saving printers.conf...
> > E [14/Jan/2009:08:51:06 +0100] [Job 496] Tree connect failed (NT_STATUS_ACCESS_DENIED)
> >
> > My guess is that KRB5CCNAME is not set up correctly when the smb backend is invoked. A work-around solution would be a wrapper script that switches user id to the owner of the print job and then invokes smbspool, but surely, I just missed some important configuration in cups to make this work smoothly.
> >
> > Any hints, anyone?
> >
> > For completeness, I'm using cups 1.3.8, samba 3.2.5, MIT krb5 1.6 (from Debian lenny).
>
> From the Using Kerberos help document:
>
>      http://www.cups.org/documentation.php/doc-1.4/kerberos.html
>      (also on your local system...)
>
> you need MIT Kerberos 1.6.3 or later.
>

Oops, sorry for the confusion, I lost a .4 somewhere, so that's Kerberos 1.6.4.

> You also need to set up your system with the KDC so you can forward
> credentials from your user account through CUPS to the Windows system.

Well, yes, I guess this is where the error is... is there some howto or other detailed documentation about this around somewhere? Or at least some guideline to figure out what component to tweak?

From my client perspective, it looks like this: My TGT has FPRIA flags. Printing through cups (trying to, that is) does not add anything to the credentials cache; furthermore, with wireshark I can confirm that no ticket requests are made. Invoking the smb backend directly from my user account, I get a ticket for the server$@REALM service principal (and a printout).

I do have
DefaultAuthType Negotiate
in my cupsd.conf, but I'm not even sure whether this is necessary. Does cups request a ticket from the user upon submitting the print job, or does it use the user's credentials cache (for a local user) to acquire a ticket in his name? From your remark I gather that the former is true, correct?

Thanks
Martin
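
Added example, not part of the original message: a small Python check that automates the credentials-cache inspection described above, decoding the TGT flags (such as FPRIA) and listing any service tickets present. It assumes the usual MIT `klist -f` text layout; the sample output and the function names `parse_klist` and `diagnose` are constructed for illustration.

```python
# Constructed sample of `klist -f` output (MIT layout); not taken from the post.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: me@REALM

Valid starting     Expires            Service principal
01/14/09 08:40:11  01/14/09 18:40:11  krbtgt/REALM@REALM
\trenew until 01/15/09 08:40:11, Flags: FPRIA
01/14/09 08:45:02  01/14/09 18:40:11  server$@REALM
\trenew until 01/15/09 08:40:11, Flags: FPRA
"""

# Subset of the MIT klist flag letters, enough to read a TGT such as FPRIA.
FLAG_NAMES = {"F": "forwardable", "f": "forwarded", "P": "proxiable",
              "p": "proxy", "R": "renewable", "I": "initial",
              "A": "preauthenticated", "O": "ok-as-delegate"}


def parse_klist(text):
    """Return [(service_principal, flag_letters)] parsed from `klist -f` text."""
    tickets = []
    for line in text.splitlines():
        parts = line.split()
        # Ticket rows are unindented: start date/time, end date/time, principal.
        if len(parts) == 5 and not line[0].isspace() and "@" in parts[4]:
            tickets.append([parts[4], ""])
        # The indented continuation row carries the flags of the last ticket.
        elif tickets and "Flags:" in parts:
            tickets[-1][1] = parts[parts.index("Flags:") + 1]
    return [tuple(t) for t in tickets]


def diagnose(text):
    """Summarise what matters for credential forwarding to a print server."""
    tickets = parse_klist(text)
    tgt = [flags for princ, flags in tickets if princ.startswith("krbtgt/")]
    return {
        "tgt_present": bool(tgt),
        "tgt_forwardable": any("F" in flags for flags in tgt),
        "tgt_flags": [FLAG_NAMES.get(c, c) for c in (tgt[0] if tgt else "")],
        # Anything that is not a TGT is a service ticket obtained so far.
        "service_tickets": [p for p, _ in tickets if not p.startswith("krbtgt/")],
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_KLIST))
```

Running it on the cache before and after submitting a job shows whether a service ticket was ever requested; an empty `service_tickets` list after a failed job matches the symptom reported in the message.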




More information about the cups mailing list