CUPS and Kerberos - Problem with Authentication

Timo mailtohagen at gmail.com
Tue Jan 19 23:33:07 PST 2010


> You can't do Kerberos without encryption...
>

Thank you for replying. Ok, I did not know that. However, I added the entry "DefaultEncryption Never" after I had tried with normal encryption, just to test if this could bring me closer to a solution.

I've read a message here where someone added an entry in his config in order to point to the keytab - I found nothing about that in the official documentation. Is this entry needed?

Any help is still appreciated very much! Thank you

> On Jan 19, 2010, at 12:48 PM, Timo wrote:
>
> > Hello folks,
> >
> > I have a KDC on a Mac server and I need to authenticate CUPS (hosted on an Ubuntu server, also tested on a CentOS Server - same problem) against it. I've been struggling with this for three days and I'm really frustrated since I've googled so much and tried every suggestion available. Nothing helped, so I hope that I'll find support here.
> >
> > Please find my config and log below:
> >
> > cupsd.conf
> > Code:
> >
> > # Allow remote access
> > Port 631
> > # Enable printer sharing and shared printers.
> > Browsing On
> > BrowseOrder allow,deny
> > BrowseAllow all
> > BrowseAddress @LOCAL
> > DefaultEncryption Never
> > #DefaultAuthType Basic
> > DefaultAuthType Negotiate
> > <Location />
> >  Allow from 10.153.158.*
> >  # Allow shared printing and remote administration...
> >  Order allow,deny
> >  Allow @LOCAL
> > </Location>
> > <Location /admin>
> >  Allow from 10.153.158.*
> >  # Allow remote administration...
> >  Order allow,deny
> >  Allow @LOCAL
> > </Location>
> > <Location /admin/conf>
> >  AuthType Default
> >  Require user @SYSTEM
> >  # Allow remote access to the configuration files...
> >  Order allow,deny
> >  Allow @LOCAL
> > </Location>
> > <Policy default>
> >  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
> >    Require user @OWNER @SYSTEM
> >    Order deny,allow
> >  </Limit>
> >  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
> >    AuthType Basic
> >    Require user root
> >    Order deny,allow
> >  </Limit>
> >  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
> >    AuthType Basic
> >    Require user @SYSTEM
> >    Order deny,allow
> >  </Limit>
> >  <Limit Cancel-Job CUPS-Authenticate-Job>
> >    Require user @OWNER @SYSTEM
> >    Order deny,allow
> >  </Limit>
> >  <Limit All>
> >    Order deny,allow
> >  </Limit>
> > </Policy>
> > </code>
> >
> > excerpt from error_log
> > Code:
> >
> > D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 POST /admin HTTP/1.1
> > D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
> > D [19/Jan/2010:15:57:27 -0100] [CGI] /usr/lib/cups/cgi-bin/admin.cgi started - PID = 3476
> > I [19/Jan/2010:15:57:27 -0100] Started "/usr/lib/cups/cgi-bin/admin.cgi" (pid=3476)
> > D [19/Jan/2010:15:57:27 -0100] cupsdSendCommand: 26 file=34
> > D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: skipping getpeercon()
> > D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: 27 from localhost:631 (IPv4)
> > D [19/Jan/2010:15:57:27 -0100] [CGI] admin.cgi started...
> > D [19/Jan/2010:15:57:27 -0100] [CGI] http=0x8e2ce28
> > D [19/Jan/2010:15:57:27 -0100] [CGI] op="add-class"...
> > D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 27 POST /admin/ HTTP/1.1
> > D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
> > D [19/Jan/2010:15:57:27 -0100] CUPS-Add-Modify-Class ipp://localhost/classes/se
> > D [19/Jan/2010:15:57:27 -0100] cupsdIsAuthorized: username=""
> > E [19/Jan/2010:15:57:27 -0100] CUPS-Add-Modify-Class: Unauthorized
> > D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 27 code=401 (Unauthorized)
> > D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Basic realm="CUPS"
> > D [19/Jan/2010:15:57:27 -0100] [CGI] cgi_passwd(prompt="Password for lp on localhost? ") called!
> > D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 26 code=401 (Unauthorized)
> > D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Negotiate
> > D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 26
> > I [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: SSL shutdown successful!
> > D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 26
> > D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 27
> > D [19/Jan/2010:15:57:27 -0100] PID 3476 (/usr/lib/cups/cgi-bin/admin.cgi) exited with no errors.
> > D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: skipping getpeercon()
> > D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: 26 from 10.153.158.201:631 (IPv4)
> > D [19/Jan/2010:15:57:27 -0100] encrypt_client: 26 Connection from 10.153.158.201 now encrypted.
> > D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 GET /cups.css HTTP/1.1
> > D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
> > D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 26 code=304 (Not Modified)
> > D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 GET /favicon.ico HTTP/1.1
> > D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
> >
> > I think the biggest problem is that obviously, no credentials are passed to CUPS
> >
> > Code:
> >
> > cupsdIsAuthorized: username=""
> >
> > and
> >
> > Code:
> >
> > cupsdAuthorize: No authentication data provided.
> >
> > When I run "kinit" from the CUPS server's command line, I get a ticket, so krb5 is configured fine. Could it be that there is some issue when working on a Mac client - I think that shouldn't be the problem's root, however, as I tried so many things, I don't know how to proceed in order to get this problem solved.
> >
> > I would be so thankful if somebody could help.. Thanks in advance!
> >
> > Greetings,
> > Timo
>
> ___________________________________________________
> Michael Sweet, Senior Printing System Engineer
>
>
>
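
As an added illustration, not part of the original thread or of CUPS itself: a small Python check over a cupsd.conf that reports the two settings this thread turns on, `DefaultAuthType Negotiate` combined with `DefaultEncryption Never`, and sections whose `AuthType Basic` matches the `WWW-Authenticate: Basic realm="CUPS"` challenge seen in the log for `CUPS-Add-Modify-Class`. The function name, the finding codes and the reduced sample config are constructed for this example.

```python
# Constructed sample: a reduced form of the cupsd.conf quoted in this thread.
SAMPLE_CONF = """\
DefaultEncryption Never
DefaultAuthType Negotiate
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
</Location>
<Policy default>
  <Limit CUPS-Add-Modify-Printer CUPS-Add-Modify-Class>
    AuthType Basic
    Require user root
  </Limit>
</Policy>
"""

def audit_cupsd_conf(text):
    """Return (code, where, detail) findings for a Negotiate (Kerberos) setup."""
    settings = {}    # global directives, lower-cased name -> value
    overrides = []   # (enclosing section, AuthType value)
    scope = []       # stack of open <Location>/<Policy>/<Limit> sections
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if scope:
                scope.pop()
        elif line.startswith("<"):
            scope.append(line.strip("<>"))
        else:
            parts = line.split(None, 1)
            name = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ""
            if scope and name == "authtype":
                overrides.append((scope[-1], value))
            elif not scope:
                settings[name] = value
    findings = []
    if settings.get("defaultauthtype", "").lower() != "negotiate":
        return findings  # the checks below only concern Negotiate setups
    if settings.get("defaultencryption", "").lower() == "never":
        findings.append(("negotiate-without-encryption", "global",
                         "DefaultEncryption Never"))
    for section, value in overrides:
        if value.lower() == "basic":  # this section answers with a Basic challenge
            findings.append(("basic-override", section, "AuthType Basic"))
    return findings
```

Calling `audit_cupsd_conf(SAMPLE_CONF)` returns one finding for the global encryption setting and one for the `<Limit>` section that overrides the authentication type.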




