[cups.bugs] [HIGH] STR #3763: local cups does not pass kerberos credentials to remote cups for auth

richard cummings sexynaya2010 at hotmail.com
Fri Dec 31 06:50:01 PST 2010 

DO NOT REPLY TO THIS MESSAGE.  INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.

[STR New]

I originally posted this on the mailing list and was instructed to file a
bug :)

I'm trying to print to a printer on a remote cups queue with kerberos,
using my local queue's "browse" function.

On the server with the printer attached, I have the relevant info in the
config files:

--->in /etc/cups/printers.conf:

<Printer Officejet_6000_E609n>
AuthInfoRequired negotiate

--->in /etc/cups/cupsd.conf:

<Policy default>
  <Limit Create-Job Print-Job Print-URI>
      AuthType Negotiate
      Require user matt

On my client laptop, if I connect to the remote queue directly, (eg. by
adding "ServerName remoteserver:631" in the clients.conf file), the print
jobs properly authenticate with kerberos and all is well.

However, if I try to print using my local cups which discovers the remote
printer automatically using the browse function, the following occurs:

1. system-config-printer opens up a basic authentication dialog asking for
a user name and password (which makes no sense because it's not using basic
auth): http://imgur.com/Hd7gO.png <-screenshot

2. regardless of what information I enter into the first dialog, a second
dialog opens asking for a password only for auth type negotiate, which
also doesn't make sense: http://imgur.com/QnjL6.png <-screenshot

While it does work if I connect to the remote server directly, but that's
inconvenient to do on a print job by print job basis.

I use Fedora 14 and have cups-1.4.4-11,
krb5-libs-1.8.3-9,
kernel-2.6.37-0.rc7.git0.2

The client has delegation rights from the KDC, and DNS is working fine
(and also kerberos)

On the mailing list, Michael Sweet said "for some reason the Send-Document
operation is getting stale credentials and thinks this is a replay attack."

Thank you for your time, and keep up the good work :)

Link: http://www.cups.org/str.php?L3763
Version: 1.4.4

More information about the cups mailing list