[cups.general] Printing to smb with kerberos authentication

Michael R Sweet msweet at apple.com
Thu Jan 29 08:59:58 PST 2009


Martin wrote:
>>>> Martin wrote:
>>>>> Hi all,
>>>>>
>>>>> I'm trying to print to a printer connected to a Windows server in our AD from a Linux machine. I managed to get kerberos working and can access the server with the samba client utilities. I can even do (as user me)
>>>>>
>>>>> DEVICE_URI=smb://server.domain.name/PRINTER /usr/lib/cups/backend/smb 1234 me test 1 none something.txt
>>>>>
>>>>> to print without being asked for a password. However, when I print via the local cups, I get
>>>>>
>>>>> E [14/Jan/2009:08:51:06 +0100] [Job 496] Session setup failed: NT_STATUS_LOGON_FAILURE
>>>>> D [14/Jan/2009:08:51:06 +0100] Discarding unused printer-state-changed event...
>>>>> D [14/Jan/2009:08:51:06 +0100] [Job 496] get_exit_code(cli=0x270f570, nt_status=c000006d)
>>>>> I [14/Jan/2009:08:51:06 +0100] Saving printers.conf...
>>>>> E [14/Jan/2009:08:51:06 +0100] [Job 496] Session setup failed: NT_STATUS_NO_SUCH_FILE
>>>>> D [14/Jan/2009:08:51:06 +0100] Discarding unused printer-state-changed event...
>>>>> D [14/Jan/2009:08:51:06 +0100] [Job 496] get_exit_code(cli=0x270f570, nt_status=c000000f)
>>>>> E [14/Jan/2009:08:51:06 +0100] [Job 496] Session setup failed: NT_STATUS_LOGON_FAILURE
>>>>> D [14/Jan/2009:08:51:06 +0100] Discarding unused printer-state-changed event...
>>>>> D [14/Jan/2009:08:51:06 +0100] [Job 496] get_exit_code(cli=0x27100c0, nt_status=c000006d)
>>>>> I [14/Jan/2009:08:51:06 +0100] Saving printers.conf...
>>>>> E [14/Jan/2009:08:51:06 +0100] [Job 496] Tree connect failed (NT_STATUS_ACCESS_DENIED)
>>>>>
>>>>> My guess is that KRB5CCNAME is not set up correctly when the smb backend is invoked. A work-around solution would be a wrapper script that switches user id to the owner of the print job and then invokes smbspool, but surely, I just missed some important configuration in cups to make this work smoothly.
>>>>>
>>>>> Any hints, anyone?
>>>>>
>>>>> For completeness, I'm using cups 1.3.8, samba 3.2.5, MIT krb5 1.6 (from Debian lenny).
>>>> From the Using Kerberos help document:
>>>>
>>>>      http://www.cups.org/documentation.php/doc-1.4/kerberos.html
>>>>      (also on your local system...)
>>>>
>>>> you need MIT Kerberos 1.6.3 or later.
>>>>
>>> Oops, sorry for the confusion, I lost a .4 somewhere, so that's Kerberos 1.6.4.
>>>
>>>> You also need to set up your system with the KDC so you can forward
>>>> credentials from your user account through CUPS to the Windows system.
>>> Well, yes, I guess this is where the error is... is there some howto or other detailed documentation about this around somewhere? Or at least some guideline to figure out what component to tweak?
>>>
>>> From my client perspective, it looks like this: My TGT has FPRIA flags. Printing through cups (trying to, that is) does not add anything to the credentials cache; furthermore, with wireshark I can confirm that no ticket requests are made. Invoking the smb backend directly from my user account, I get a ticket for the server$@REALM service principal (and a printout).
>>>
>>> I do have
>>> DefaultAuthType Negotiate
>>> in my cupsd.conf, but I'm not even sure whether this is necessary. Does cups request a ticket from the user upon submitting the print job, or does it use the user's credentials cache (for a local user) to acquire a ticket in his name? From your remark I gather that the former is true, correct?
>>>
>>> Thanks
>>> Martin
>> Update:
>> After adding AuthType Default to <Limit All> in my default policy, I get cups to request a kerberos ticket from clients*). The ticket in the client users cache has FPRA flags. Now the backend gets the KRB5CCNAME variable set, but still...
>>
>> D [15/Jan/2009:08:30:27 +0100] [Job 504] envp[26]="KRB5CCNAME=FILE:/tmp/tktsz8E8O"
>> [...]
>> E [15/Jan/2009:08:30:27 +0100] [Job 504] Session setup failed: NT_STATUS_UNSUCCESSFUL
>> D [15/Jan/2009:08:30:27 +0100] [Job 504] get_exit_code(cli=0xbb5570, nt_status=c0000001)
>> D [15/Jan/2009:08:30:27 +0100] Discarding unused printer-state-changed event...
>> E [15/Jan/2009:08:30:27 +0100] [Job 504] Session setup failed: NT_STATUS_LOGON_FAILURE
>> D [15/Jan/2009:08:30:27 +0100] Discarding unused printer-state-changed event...
>> D [15/Jan/2009:08:30:27 +0100] [Job 504] get_exit_code(cli=0xbb60c0, nt_status=c000006d)
>> I [15/Jan/2009:08:30:27 +0100] Saving printers.conf...
>> E [15/Jan/2009:08:30:27 +0100] [Job 504] Tree connect failed (NT_STATUS_ACCESS_DENIED)
>>
>> The /tmp/tktsz8E8O file does contain my TGT with FfPRA flags. Furthermore,
>>
>> KRB5CCNAME=FILE:/tmp/tktsz8E8O DEVICE_URI=smb://server.domain.name/PRINTER /usr/lib/cups/backend/smb 1234 me test 1 none something.txt
>>
>> as root does print successfully and adds a server$@REALM entry to /tmp/tktsz8E8O. What's the difference when run by cups?
>>
>> I feel I'm a step further, any more useful hints?
>>
>> *) I have to access cups through its public interface, though. Accessing it through 127.0.0.1 makes cups use the service principal ipp/localhost which doesn't work.
>>
>> Thanks
>> Martin
> 
> Coming back after some time, the solution was (more or less) obvious: The smb backend was run as user lp and hence could not access the ticket cache file. After chmod'ing smb to 0700, I can now successfully print to SMB print servers with complete Kerberos authentication. Maybe this helps someone with similar problems...
> 
> Two points remain:
> - I have to access the local CUPS through its public IP address, otherwise the wrong service principal is used. This is not too bad, but I would like to restrict CUPS to listen on the loopback interface only. Any hints?

This is a side-effect of how Kerberos over HTTP works - the client
uses the hostname it connects to for the principal when it generates
a ticket, and so the server must do this as well.

> - Not too many clients seem to support passing Kerberos to CUPS (using GSS) in the first place; essentially, I am limited to printing from the command line at the moment. Hopefully, this will improve with newer client versions...

They probably aren't using the cupsDoAuthentication API in their
interfaces, which has been around since CUPS 1.1.20...

If these are GNOME or KDE apps, file a bug with the GNOME or KDE
folks.  In particular, GNOME currently uses their own wrappers
around the low-level HTTP/IPP APIs in libcups which means they
probably aren't automatically picking up Kerberos support.

-- 
______________________________________________________________________
Michael R Sweet                        Senior Printing System Engineer
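The chmod 0700 fix described in the thread works because cupsd picks the user a backend runs as from the backend's file mode, and the per-job ticket cache it creates is only readable by root. The following script is an added diagnostic (my own, not from the thread or from CUPS); the rule it encodes, that a backend with no group/other permission bits runs as root and anything else runs as lp, is my reading of cupsd and is an assumption, as is the use of GNU stat.

```shell
#!/bin/sh
# Added diagnostic for the "backend runs as lp, cannot read the ticket cache" failure.
# Assumption (my reading of cupsd, not stated in the thread): a backend whose mode has
# no group/other permission bits runs as root; any other mode runs as the unprivileged
# user, "lp" by default. Uses GNU stat (-c).

# Echo the user cupsd would run backend $1 as: "root" or "lp".
backend_run_user() {
  mode=$(stat -c %a "$1") || return 1
  mode=$(printf '%04d' "$mode")
  go=${mode#??}                       # last two octal digits: group and other bits
  if [ "$go" = 00 ]; then echo root; else echo lp; fi
}

# Echo "yes" if a process running as user $1 could read cache file $2.
# Only owner and "other" bits are considered; group membership is ignored here.
cache_readable_by() {
  [ "$1" = root ] && { echo yes; return 0; }
  owner=$(stat -c %U "$2") || return 1
  other=$(stat -c %a "$2") || return 1
  other=$(printf '%04d' "$other"); other=${other#???}   # last digit: "other" bits
  if [ "$owner" = "$1" ] || [ $((other & 4)) -ne 0 ]; then echo yes; else echo no; fi
}

# Report whether backend $1 could read the per-job cache $2 that cupsd hands it
# via KRB5CCNAME. Echoes "ok:" or "fail:" first so the result is easy to check.
diagnose() {
  user=$(backend_run_user "$1") || return 1
  if [ "$(cache_readable_by "$user" "$2")" = yes ]; then
    echo "ok: $1 runs as $user and can read $2"
  else
    echo "fail: $1 runs as $user and cannot read $2; Kerberos authentication cannot succeed"
  fi
}

# Constructed sample files standing in for the real backend and a per-job cache.
tmp=$(mktemp -d)
printf '#!/bin/sh\n' > "$tmp/smb";      chmod 0755 "$tmp/smb"       # distro default
printf '#!/bin/sh\n' > "$tmp/smb_root"; chmod 0700 "$tmp/smb_root"  # after the fix
: > "$tmp/tktcache";                    chmod 0600 "$tmp/tktcache"  # cache cupsd created
diagnose "$tmp/smb" "$tmp/tktcache"        # fail: runs as lp, cannot read the cache
diagnose "$tmp/smb_root" "$tmp/tktcache"   # ok: runs as root, so the 0600 cache is readable
```

Note that mode 0700 makes cupsd run smbspool as root instead of lp, so the fix widens that backend's privilege; worth recording when reviewing the print server.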