CUPS and Kerberos - Problem with Authentication

Timo mailtohagen at gmail.com
Tue Jan 19 12:48:15 PST 2010


Hello folks,

I have a KDC on a Mac server and I need to authenticate CUPS (hosted on an Ubuntu server, also tested on a CentOS server - same problem) against it. I've been struggling with this for three days and I'm really frustrated, since I've googled so much and tried every suggestion available. Nothing helped, so I hope that I'll find support here.

Please find my config and log below:

cupsd.conf
Code:

# Allow remote access
Port 631
# Enable printer sharing and shared printers.
Browsing On
BrowseOrder allow,deny
BrowseAllow all
BrowseAddress @LOCAL
DefaultEncryption Never
#DefaultAuthType Basic
DefaultAuthType Negotiate
<Location />
  Allow from 10.153.158.*
  # Allow shared printing and remote administration...
  Order allow,deny
  Allow @LOCAL
</Location>
<Location /admin>
  Allow from 10.153.158.*
  # Allow remote administration...
  Order allow,deny
  Allow @LOCAL
</Location>
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  # Allow remote access to the configuration files...
  Order allow,deny
  Allow @LOCAL
</Location>
<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Basic
    Require user root
    Order deny,allow
  </Limit>
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Basic
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

excerpt from error_log
Code:

D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 POST /admin HTTP/1.1
D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
D [19/Jan/2010:15:57:27 -0100] [CGI] /usr/lib/cups/cgi-bin/admin.cgi started - PID = 3476
I [19/Jan/2010:15:57:27 -0100] Started "/usr/lib/cups/cgi-bin/admin.cgi" (pid=3476)
D [19/Jan/2010:15:57:27 -0100] cupsdSendCommand: 26 file=34
D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: skipping getpeercon()
D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: 27 from localhost:631 (IPv4)
D [19/Jan/2010:15:57:27 -0100] [CGI] admin.cgi started...
D [19/Jan/2010:15:57:27 -0100] [CGI] http=0x8e2ce28
D [19/Jan/2010:15:57:27 -0100] [CGI] op="add-class"...
D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 27 POST /admin/ HTTP/1.1
D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
D [19/Jan/2010:15:57:27 -0100] CUPS-Add-Modify-Class ipp://localhost/classes/se
D [19/Jan/2010:15:57:27 -0100] cupsdIsAuthorized: username=""
E [19/Jan/2010:15:57:27 -0100] CUPS-Add-Modify-Class: Unauthorized
D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 27 code=401 (Unauthorized)
D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Basic realm="CUPS"
D [19/Jan/2010:15:57:27 -0100] [CGI] cgi_passwd(prompt="Password for lp on localhost? ") called!
D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 26 code=401 (Unauthorized)
D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Negotiate
D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 26
I [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: SSL shutdown successful!
D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 26
D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 27
D [19/Jan/2010:15:57:27 -0100] PID 3476 (/usr/lib/cups/cgi-bin/admin.cgi) exited with no errors.
D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: skipping getpeercon()
D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: 26 from 10.153.158.201:631 (IPv4)
D [19/Jan/2010:15:57:27 -0100] encrypt_client: 26 Connection from 10.153.158.201 now encrypted.
D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 GET /cups.css HTTP/1.1
D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 26 code=304 (Not Modified)
D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 GET /favicon.ico HTTP/1.1
D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.

I think the biggest problem is that, obviously, no credentials are passed to CUPS:

Code:

cupsdIsAuthorized: username=""

and

Code:

cupsdAuthorize: No authentication data provided.

When I run "kinit" from the CUPS server's command line, I get a ticket, so krb5 is configured fine. Could it be that there is some issue when working on a Mac client? I think that shouldn't be the root of the problem; however, as I have tried so many things, I don't know how to proceed in order to get this problem solved.

I would be so thankful if somebody could help. Thanks in advance!

Greetings,
Timo
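
Added example, not part of the original post: a small Python parser that lists, for each 401 in the error_log excerpt above, the connection number, the request, whether cupsd logged that no authentication data was sent, and the scheme offered in WWW-Authenticate. The function name `summarize_401s` and the pairing of each header line with the cupsdSendError line just before it are assumptions of this example.

```python
import re

# Subset of the error_log excerpt quoted in the post above.
SAMPLE_LOG = """\
D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 POST /admin HTTP/1.1
D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 27 POST /admin/ HTTP/1.1
D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
E [19/Jan/2010:15:57:27 -0100] CUPS-Add-Modify-Class: Unauthorized
D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 27 code=401 (Unauthorized)
D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Basic realm="CUPS"
D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 26 code=401 (Unauthorized)
D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Negotiate
D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 GET /cups.css HTTP/1.1
D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 26 code=304 (Not Modified)
"""

MSG = re.compile(r"^\w \[[^\]]+\] (.*)$")            # level, timestamp, message
READ = re.compile(r"cupsdReadClient: (\d+) (\S+ \S+) HTTP/")
ERROR = re.compile(r"cupsdSendError: (\d+) code=(\d+)")
OFFER = re.compile(r"cupsdSendHeader: WWW-Authenticate: (\w+)")
NO_AUTH = "cupsdAuthorize: No authentication data provided."


def summarize_401s(log_text):
    """One dict per 401: connection, request, no-auth flag, scheme offered.
    Assumption: cupsdAuthorize belongs to the latest cupsdReadClient, and a
    WWW-Authenticate header belongs to the cupsdSendError just before it."""
    requests, last_conn, pending, out = {}, None, None, []
    for line in log_text.splitlines():
        m = MSG.match(line)
        msg = m.group(1) if m else ""
        if r := READ.match(msg):
            last_conn = r.group(1)
            requests[last_conn] = {"request": r.group(2), "no_auth_data": False}
        elif msg == NO_AUTH and last_conn:
            requests[last_conn]["no_auth_data"] = True
        elif e := ERROR.match(msg):
            pending = None                      # non-401 responses are skipped
            if e.group(2) == "401":
                pending = {"conn": e.group(1), "offered": None,
                           **requests.get(e.group(1), {})}
                out.append(pending)
        elif (o := OFFER.match(msg)) and pending:
            pending["offered"] = o.group(1)
    return out
```

On the excerpt this returns two rows: connection 27 challenged with Basic and connection 26 challenged with Negotiate, both with no authentication data sent.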



