[cups.general] local cupsd does not pass kerberos credentials to remote cups server for authentication

Michael Sweet msweet at apple.com
Thu Dec 30 07:25:26 PST 2010


Do both the client and server have stable DNS hostnames?

Does the client have delegation rights from the KDC?

On Dec 30, 2010, at 8:57 AM, Matt Kinni wrote:

> Fedora 14.
> 
> cups-1.4.4-11
> krb5-libs-1.8.3-9.fc15.x86_64
> kernel-2.6.37-0.rc7.git0.2.fc15.x86_64
> 
> I have bleeding edge versions of the kernel and kerberos
> 
> On 12/29/2010 08:24 AM, Michael Sweet wrote:
>> 
>> What version of CUPS?
>> 
>> What version of Kerberos?
>> 
>> What operating system/Linux distribution?
>> 
>> On Dec 27, 2010, at 12:21 AM, Matt Kinni wrote:
>> 
>>> Hello, I'm trying to print to a printer on a remote cups queue with kerberos, using my local queue's "browse" function.
>>> 
>>> On the server with the printer attached, I have the relevant info in the config files:
>>> 
>>> --->in /etc/cups/printers.conf:
>>> 
>>> <Printer Officejet_6000_E609n>
>>> AuthInfoRequired negotiate
>>> 
>>> --->in /etc/cups/cupsd.conf:
>>> 
>>> <Policy default>
>>>   <Limit Create-Job Print-Job Print-URI>
>>>       AuthType Negotiate
>>>       Require user matt
>>> 
>>> On my client laptop, if I connect to the remote queue directly, (eg. by adding "ServerName remoteserver:631" in the clients.conf file), the print jobs properly authenticate with kerberos
>>> 
>>> However, if I try to print using my local cups which discovers the remote printer automatically using the browse function, the following occurs:
>>> 
>>> 1. system-config-printer opens up a basic authentication dialog asking for a user name and password (which makes no sense because it's not using basic auth): http://imgur.com/Hd7gO.png <-screenshot
>>> 
>>> 2. regardless of what information I enter into the first dialog, a second dialog opens asking for a password only for auth type negotiate, which also doesn't make sense: http://imgur.com/QnjL6.png <-screenshot
>>> 
>>> So what has to be done for my local cups to automatically use my kerberos credentials when contacting the remote server?  I know it works if I connect to the remote server directly, but that's extremely inconvenient to do on a print job by print job basis.
>>> 
>>> -- 
>>> Matthew Kinni
>>> Cal Poly State University
>>> 2640 Canyon Circle
>>> San Luis Obispo, CA 93410
>>> Cell: 925-817-0934
>>> OpenPGP: 0x2351657A
>>> _______________________________________________
>>> cups mailing list
>>> cups at easysw.com
>>> http://lists.easysw.com/mailman/listinfo/cups
>> 
>> ________________________________________________________________________
>> Michael Sweet, Senior Printing System Engineer, PWG Chair
>> 
>> 
> 
> -- 
> Matthew Kinni
> Cal Poly State University
> 2640 Canyon Circle
> San Luis Obispo, CA 93410
> Cell: 925-817-0934
> OpenPGP: 0x2351657A

________________________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair
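
One way to check the delegation question on the client, as an added example that is not part of the original thread: read the flag letters that MIT `klist -f` prints and report whether the TGT is forwardable (`F`) and whether the print server's service ticket is marked ok-as-delegate (`O`). The `HTTP/` principal prefix, the host and realm names, and the sample ticket listing are assumptions constructed for illustration; the prefix depends on the service name the server is configured with.

```shell
#!/bin/sh
# Added example: inspect `klist -f` output for the flags delegation depends on.
# SAMPLE_KLIST is constructed; realm, host and times are placeholders.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: matt@EXAMPLE.COM

Valid starting     Expires            Service principal
12/30/10 07:00:00  12/30/10 17:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 12/31/10 07:00:00, Flags: RIA
12/30/10 07:05:00  12/30/10 17:00:00  HTTP/remoteserver.example.com@EXAMPLE.COM
    Flags: AT'

# Read klist text on stdin; print the flag letters of the first ticket
# whose service principal starts with the prefix given in $1.
ticket_flags() {
    awk -v want="$1" '
        !/Flags:/ && index($NF, want) == 1 { hit = 1; next }
        hit && /Flags:/ { sub(/.*Flags: */, ""); print; exit }
    '
}

# $1 = klist -f text, $2 = service principal prefix (assumed "HTTP/" here).
# Prints one status word; returns non-zero when delegation cannot work at all.
delegation_status() {
    tgt=$(printf '%s\n' "$1" | ticket_flags "krbtgt/")
    svc=$(printf '%s\n' "$1" | ticket_flags "$2")
    case "$tgt" in
        "")  echo "no-tgt"; return 1 ;;
        *F*) ;;                                  # F = forwardable
        *)   echo "tgt-not-forwardable"; return 1 ;;
    esac
    case "$svc" in
        "")  echo "forwardable,no-service-ticket" ;;
        *O*) echo "forwardable,ok-as-delegate" ;; # O = KDC marked the service ok-as-delegate
        *)   echo "forwardable,no-ok-as-delegate" ;;
    esac
}

# Run against the constructed sample. On a real client, pass live output instead:
#   delegation_status "$(klist -f)" "HTTP/"
delegation_status "$SAMPLE_KLIST" "HTTP/" || true
```

A `tgt-not-forwardable` result means the ticket was obtained without the forwardable flag (for example, no `kinit -f` and no `forwardable = true` in `krb5.conf`), so there is nothing the client could delegate regardless of the CUPS configuration.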
