[cups.general] CUPS and Kerberos - Problem with Authentication

Michael Sweet msweet at apple.com
Tue Jan 19 16:49:02 PST 2010


You can't do Kerberos without encryption...

On Jan 19, 2010, at 12:48 PM, Timo wrote:

> Hello folks,
> 
> I have a KDC on a Mac server and I need to authenticate CUPS (hosted on an Ubuntu server, also tested on a CentOS server - same problem) against it. I've been struggling with this for three days and I'm really frustrated, since I've googled so much and tried every suggestion available. Nothing helped, so I hope that I'll find support here.
> 
> Please find my config and log below:
> 
> cupsd.conf
> Code:
> 
> # Allow remote access
> Port 631
> # Enable printer sharing and shared printers.
> Browsing On
> BrowseOrder allow,deny
> BrowseAllow all
> BrowseAddress @LOCAL
> DefaultEncryption Never
> #DefaultAuthType Basic
> DefaultAuthType Negotiate
> <Location />
>  Allow from 10.153.158.*
>  # Allow shared printing and remote administration...
>  Order allow,deny
>  Allow @LOCAL
> </Location>
> <Location /admin>
>  Allow from 10.153.158.*
>  # Allow remote administration...
>  Order allow,deny
>  Allow @LOCAL
> </Location>
> <Location /admin/conf>
>  AuthType Default
>  Require user @SYSTEM
>  # Allow remote access to the configuration files...
>  Order allow,deny
>  Allow @LOCAL
> </Location>
> <Policy default>
>  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
>    Require user @OWNER @SYSTEM
>    Order deny,allow
>  </Limit>
>  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
>    AuthType Basic
>    Require user root
>    Order deny,allow
>  </Limit>
>  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
>    AuthType Basic
>    Require user @SYSTEM
>    Order deny,allow
>  </Limit>
>  <Limit Cancel-Job CUPS-Authenticate-Job>
>    Require user @OWNER @SYSTEM
>    Order deny,allow
>  </Limit>
>  <Limit All>
>    Order deny,allow
>  </Limit>
> </Policy>
> 
> excerpt from error_log
> Code:
> 
> D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 POST /admin HTTP/1.1
> D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
> D [19/Jan/2010:15:57:27 -0100] [CGI] /usr/lib/cups/cgi-bin/admin.cgi started - PID = 3476
> I [19/Jan/2010:15:57:27 -0100] Started "/usr/lib/cups/cgi-bin/admin.cgi" (pid=3476)
> D [19/Jan/2010:15:57:27 -0100] cupsdSendCommand: 26 file=34
> D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: skipping getpeercon()
> D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: 27 from localhost:631 (IPv4)
> D [19/Jan/2010:15:57:27 -0100] [CGI] admin.cgi started...
> D [19/Jan/2010:15:57:27 -0100] [CGI] http=0x8e2ce28
> D [19/Jan/2010:15:57:27 -0100] [CGI] op="add-class"...
> D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 27 POST /admin/ HTTP/1.1
> D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
> D [19/Jan/2010:15:57:27 -0100] CUPS-Add-Modify-Class ipp://localhost/classes/se
> D [19/Jan/2010:15:57:27 -0100] cupsdIsAuthorized: username=""
> E [19/Jan/2010:15:57:27 -0100] CUPS-Add-Modify-Class: Unauthorized
> D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 27 code=401 (Unauthorized)
> D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Basic realm="CUPS"
> D [19/Jan/2010:15:57:27 -0100] [CGI] cgi_passwd(prompt="Password for lp on localhost? ") called!
> D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 26 code=401 (Unauthorized)
> D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Negotiate
> D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 26
> I [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: SSL shutdown successful!
> D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 26
> D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 27
> D [19/Jan/2010:15:57:27 -0100] PID 3476 (/usr/lib/cups/cgi-bin/admin.cgi) exited with no errors.
> D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: skipping getpeercon()
> D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: 26 from 10.153.158.201:631 (IPv4)
> D [19/Jan/2010:15:57:27 -0100] encrypt_client: 26 Connection from 10.153.158.201 now encrypted.
> D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 GET /cups.css HTTP/1.1
> D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
> D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 26 code=304 (Not Modified)
> D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 GET /favicon.ico HTTP/1.1
> D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
> 
> I think the biggest problem is that obviously, no credentials are passed to CUPS
> 
> Code:
> 
> cupsdIsAuthorized: username=""
> 
> and
> 
> Code:
> 
> cupsdAuthorize: No authentication data provided.
> 
> When I run "kinit" from the CUPS server's command line, I get a ticket, so krb5 is configured fine. Could it be that there is some issue when working on a Mac client - I think that shouldn't be the problem's root, however, as I tried so many things, I don't know how to proceed in order to get this problem solved.
> 
> I would be so thankful if somebody could help.. Thanks in advance!
> 
> Greetings,
> Timo

___________________________________________________
Michael Sweet, Senior Printing System Engineer
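
The conflict the reply points at, as an added example that is not part of the original thread and not CUPS code: a small checker that reads a cupsd.conf and reports each scope where authentication resolves to Negotiate while encryption resolves to Never. The function name `audit`, the embedded sample (a constructed subset of the quoted config) and the fallback defaults used when a directive is absent are assumptions.

```python
import re

# Constructed sample: only the directives from the quoted cupsd.conf that matter here.
SAMPLE_CONF = """\
DefaultEncryption Never
#DefaultAuthType Basic
DefaultAuthType Negotiate
<Location /admin/conf>
  AuthType Default
</Location>
<Policy default>
  <Limit CUPS-Add-Modify-Printer>
    AuthType Basic
  </Limit>
</Policy>
"""

def audit(conf_text):
    """Return (scope, reason) pairs where Negotiate is in effect with encryption off."""
    # Assumption: fallbacks used when the file sets no default of its own.
    defaults = {"authtype": "basic", "encryption": "required"}
    scopes, stack = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("</"):                # closing tag: leave the current scope
            if stack:
                stack.pop()
            continue
        m = re.match(r"<(\w+)\s*(.*)>$", line)
        if m:                                    # opening <Location>, <Policy> or <Limit>
            scope = {"name": f"{m.group(1)} {m.group(2)}".strip()}
            stack.append(scope)
            scopes.append(scope)
            continue
        key, *rest = line.split(None, 1)
        key, value = key.lower(), (rest[0].lower() if rest else "")
        if key in ("defaultauthtype", "defaultencryption") and not stack:
            defaults[key[len("default"):]] = value
        elif key in ("authtype", "encryption") and stack:
            stack[-1][key] = value
    findings = []
    if (defaults["authtype"], defaults["encryption"]) == ("negotiate", "never"):
        findings.append(("global", "DefaultAuthType Negotiate with DefaultEncryption Never"))
    for s in scopes:
        auth = s.get("authtype")
        auth = defaults["authtype"] if auth == "default" else auth   # "Default" inherits
        enc = s.get("encryption", defaults["encryption"])
        if (auth, enc) == ("negotiate", "never"):
            findings.append((s["name"], "AuthType resolves to Negotiate, Encryption to Never"))
    return findings
```

On the sample it reports the global defaults and `<Location /admin/conf>`, whose `AuthType Default` inherits Negotiate; the `AuthType Basic` limit is not reported by this check.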






