Web interface + Kerberos

Erik Karlsson pilo at ayeon.org
Wed May 6 02:41:08 PDT 2009


Hello.

I have set up CUPS 1.3.10 to use Kerberos for authentication, which works for CLI and IPP but not via the Web interface.

For normal operations, i.e. GET, the authentication works all right, for instance if I set authentication in the <Limit All> section of the default policy.

The following appears in the log when using GET on an administrative task (Stop-Printer). Similar messages occur for POST actions.

D [06/May/2009:11:27:56 +0200] get_gss_creds: Attempting to acquire credentials for ipp at fqdn...
D [06/May/2009:11:27:56 +0200] get_gss_creds: Credentials acquired successfully for ipp at fqdn.
D [06/May/2009:11:27:56 +0200] cupsdAuthorize: Authorized as pilo at KDC using Negotiate
D [06/May/2009:11:27:56 +0200] cupsdIsAuthorized: username="pilo at KDC"
E [06/May/2009:11:27:56 +0200] Unable to import client credentials cache: Invalid credential was supplied, No error
D [06/May/2009:11:27:56 +0200] [CGI] /usr/libexec/cups/cgi-bin/admin.cgi started - PID = 27696
I [06/May/2009:11:27:56 +0200] Started "/usr/libexec/cups/cgi-bin/admin.cgi" (pid=27696)
D [06/May/2009:11:27:56 +0200] cupsdSendCommand: 23 file=24
D [06/May/2009:11:27:56 +0200] [CGI] admin.cgi started...
D [06/May/2009:11:27:56 +0200] cupsdAcceptClient: 25 from localhost (Domain)
D [06/May/2009:11:27:56 +0200] [CGI] http=0x920b0e0
D [06/May/2009:11:27:56 +0200] [CGI] op="stop-printer"...
D [06/May/2009:11:27:56 +0200] cupsdReadClient: 25 POST /admin/ HTTP/1.1
D [06/May/2009:11:27:56 +0200] cupsdAuthorize: No authentication data provided.
D [06/May/2009:11:27:56 +0200] cupsdIsAuthorized: username=""
D [06/May/2009:11:27:56 +0200] cupsdSendError: 25 code=401 (Unauthorized)
D [06/May/2009:11:27:56 +0200] cupsdSendHeader: WWW-Authenticate: Negotiate
D [06/May/2009:11:27:56 +0200] cupsdCloseClient: 25
D [06/May/2009:11:27:56 +0200] cupsdAcceptClient: 25 from localhost (Domain)
D [06/May/2009:11:27:56 +0200] cupsdReadClient: 25 POST /admin/ HTTP/1.1
D [06/May/2009:11:27:56 +0200] cupsdAuthorize: Authorized as pilo at KDC using Local
D [06/May/2009:11:27:56 +0200] cupsdIsAuthorized: username="pilo at KDC"
E [06/May/2009:11:27:56 +0200] Authorized using Basic, expected Negotiate!
D [06/May/2009:11:27:56 +0200] cupsdSendError: 25 code=401 (Unauthorized)
D [06/May/2009:11:27:56 +0200] cupsdSendHeader: WWW-Authenticate: Negotiate
D [06/May/2009:11:27:56 +0200] cupsdCloseClient: 25

It appears as if CUPS is trying to connect to itself with the hostname localhost, which could break the ticket forwarding chain, if it forwards tickets to itself.

Also, the GSS error about the credential cache might be relevant, but I've only been able to locate one reference to this message, which did not explain how to "fix" it.

Also, the "Authorized using Basic, expected Negotiate!" might be relevant, but I was under the impression that this was fixed in 1.3.10?

Thanks,
Erik
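
Added example, not part of the original post and not CUPS code: a small Python triage script that reads error_log debug lines like those quoted above and lists the authentication events the post points at (failed credential cache import, unauthenticated request, scheme mismatch), each with the request and cupsdAuthorize scheme that preceded it. The regular expressions and the triage() name are assumptions based only on the line formats shown in this message; SAMPLE is an excerpt of the quoted log.

```python
import re

# Patterns assumed from the line formats quoted in the post.
LINE = re.compile(r"^(?P<lvl>[A-Z]) \[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
AUTH = re.compile(r"cupsdAuthorize: Authorized as (?P<user>.+) using (?P<scheme>\w+)$")
REQ = re.compile(r"cupsdReadClient: (?P<fd>\d+) (?P<method>[A-Z]+) (?P<path>\S+)")
MISMATCH = re.compile(r"Authorized using (?P<got>\w+), expected (?P<want>\w+)!")

# Excerpt of the error_log lines quoted in the post.
SAMPLE = """\
D [06/May/2009:11:27:56 +0200] cupsdAuthorize: Authorized as pilo at KDC using Negotiate
E [06/May/2009:11:27:56 +0200] Unable to import client credentials cache: Invalid credential was supplied, No error
D [06/May/2009:11:27:56 +0200] cupsdReadClient: 25 POST /admin/ HTTP/1.1
D [06/May/2009:11:27:56 +0200] cupsdAuthorize: No authentication data provided.
D [06/May/2009:11:27:56 +0200] cupsdReadClient: 25 POST /admin/ HTTP/1.1
D [06/May/2009:11:27:56 +0200] cupsdAuthorize: Authorized as pilo at KDC using Local
E [06/May/2009:11:27:56 +0200] Authorized using Basic, expected Negotiate!
"""

def triage(text):
    """Return (kind, request, authorize_scheme, detail) tuples in log order."""
    findings = []
    request = None   # (method, path) of the most recent cupsdReadClient line
    scheme = None    # scheme named by the most recent successful cupsdAuthorize
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a cupsd log line
        msg = m["msg"]
        if (r := REQ.search(msg)):
            # A new request starts: forget the previous request's scheme.
            request, scheme = (r["method"], r["path"]), None
        elif (a := AUTH.search(msg)):
            scheme = a["scheme"]
        elif "No authentication data provided" in msg:
            findings.append(("unauthenticated", request, scheme, None))
        elif "Unable to import client credentials cache" in msg:
            findings.append(("cred_import_failed", request, scheme, None))
        elif (x := MISMATCH.search(msg)):
            findings.append(("scheme_mismatch", request, scheme,
                             (x["got"], x["want"])))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On the excerpt this reports the import failure directly after the Negotiate authorization, and shows that the rejected POST to /admin/ was logged as "using Local" by cupsdAuthorize while the error line names Basic.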