[cups.general] local cupsd does not pass kerberos credentials to remote cups server for authentication

Thu Dec 30 14:42:48 PST 2010

Ya, the computers have working DNS and kerberos works fine with other services like the
cups web administration and ssh.

Also, I did generate the kerberos keys with +ok_as_delegate, so the clients do have the
rights.  I will follow up on this with a bug report on cups.org per your direction, thanks
for your help Michael :)

On 12/30/2010 07:25 AM, Michael Sweet wrote:
> Do both the client and server have stable DNS hostnames?
>
> Does the client have delegation rights from the KDC?
>
> On Dec 30, 2010, at 8:57 AM, Matt Kinni wrote:
>
>> Fedora 14.
>>
>> cups-1.4.4-11
>> krb5-libs-1.8.3-9.fc15.x86_64
>> kernel-2.6.37-0.rc7.git0.2.fc15.x86_64
>>
>> I have bleeding edge versions of the kernel and kerberos
>>
>> On 12/29/2010 08:24 AM, Michael Sweet wrote:
>>> What version of CUPS?
>>>
>>> What version of Kerberos?
>>>
>>> What operating system/Linux distribution?
>>>
>>> On Dec 27, 2010, at 12:21 AM, Matt Kinni wrote:
>>>
>>>> Hello, I'm trying to print to a printer on a remote cups queue with kerberos, using
>>>> my local queue's "browse" function.
>>>>
>>>> On the server with the printer attached, I have the relevant info in the config files:
>>>>
>>>> --->in /etc/cups/printers.conf:
>>>>
>>>> <Printer Officejet_6000_E609n>
>>>> AuthInfoRequired negotiate
>>>>
>>>> --->in /etc/cups/cupsd.conf:
>>>>
>>>> <Policy default>
>>>>   <Limit Create-Job Print-Job Print-URI>
>>>>       AuthType Negotiate
>>>>       Require user matt
>>>>
>>>> On my client laptop, if I connect to the remote queue directly, (eg. by adding
>>>> "ServerName remoteserver:631" in the clients.conf file), the print jobs properly
>>>> authenticate with kerberos
>>>>
>>>> However, if I try to print using my local cups which discovers the remote printer
>>>> automatically using the browse function, the following occurs:
>>>>
>>>> 1. system-config-printer opens up a basic authentication dialog asking for a user
>>>> name and password (which makes no sense because it's not using basic auth):
>>>> http://imgur.com/Hd7gO.png <-screenshot
>>>>
>>>> 2. regardless of what information I enter into the first dialog, a second dialog
>>>> opens asking for a password only for auth type negotiate, which also doesn't make
>>>> sense: http://imgur.com/QnjL6.png <-screenshot
>>>>
>>>> So what has to be done for my local cups to automatically use my kerberos credentials
>>>> when contacting the remote server?  I know if works if I connect to the remote server
>>>> directly, but that's extremely inconvenient to do on a print job by print job basis.
>>>>
>>>> -- 
>>>> Matthew Kinni
>>>> Cal Poly State University
>>>> 2640 Canyon Circle
>>>> San Luis Obispo, CA 93410
>>>> Cell: 925-817-0934
>>>> OpenPGP: 0x2351657A
>>>> _______________________________________________
>>>> cups mailing list
>>>> cups at easysw.com <mailto:cups at easysw.com>
>>>> http://lists.easysw.com/mailman/listinfo/cups
>>>
>>> ________________________________________________________________________
>>> Michael Sweet, Senior Printing System Engineer, PWG Chair
>>>
>>>
>>> _______________________________________________
>>> cups mailing list
>>> cups at easysw.com
>>> http://lists.easysw.com/mailman/listinfo/cups
>>
>> -- 
>> Matthew Kinni
>> Cal Poly State University
>> 2640 Canyon Circle
>> San Luis Obispo, CA 93410
>> Cell: 925-817-0934
>> OpenPGP: 0x2351657A
>> _______________________________________________
>> cups mailing list
>> cups at easysw.com <mailto:cups at easysw.com>
>> http://lists.easysw.com/mailman/listinfo/cups
>
> ________________________________________________________________________
> Michael Sweet, Senior Printing System Engineer, PWG Chair
>
>
> _______________________________________________
> cups mailing list
> cups at easysw.com
> http://lists.easysw.com/mailman/listinfo/cups

-- 
Matthew Kinni
Cal Poly State University
2640 Canyon Circle
San Luis Obispo, CA 93410
Cell: 925-817-0934
OpenPGP: 0x2351657A

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.cups.org/pipermail/cups/attachments/20101230/99abf60a/attachment-0001.html>