CUPS and Kerberos - Problem with Authentication

Timo mailtohagen at gmail.com
Wed Jan 20 00:39:33 PST 2010


I also tried to install the current version (1.4.2) from source, but I still get the same error:

D [20/Jan/2010:07:37:09 -0100] cupsdIsAuthorized: username=""
D [20/Jan/2010:07:37:09 -0100] Returning HTTP Unauthorized for CUPS-Delete-Class (ipp://localhost/classes/df) from localhost
D [20/Jan/2010:07:37:09 -0100] cupsdSendHeader: 12 WWW-Authenticate: Basic realm="CUPS"
D [20/Jan/2010:07:37:09 -0100] [CGI] cgi_passwd(prompt="Password for lp on localhost? ") called!
D [20/Jan/2010:07:37:09 -0100] Script header: Status: 401
D [20/Jan/2010:07:37:09 -0100] cupsdSendHeader: 9 WWW-Authenticate: Negotiate


Why does CUPS use this wrong realm?
D [20/Jan/2010:07:37:09 -0100] cupsdSendHeader: 12 WWW-Authenticate: Basic realm="CUPS"

My realm is not "CUPS" - of course


> > You can't do Kerberos without encryption...
> >
>
> Thank you for replying. OK, I did not know that. However, I added the entry "DefaultEncryption Never" after I had tried with normal encryption, just to test if this could bring me closer to a solution.
>
> I've read a message here where someone added an entry in his config in order to point to the keytab - I found nothing about that in the official documentation. Is this entry needed?
>
> Any help is still appreciated very much! Thank you
>
> > On Jan 19, 2010, at 12:48 PM, Timo wrote:
> >
> > > Hello folks,
> > >
> > > I have a KDC on a Mac server and I need to authenticate CUPS (hosted on an Ubuntu server, also tested on a CentOS Server - same problem) against it. I'm struggling with this since three days and I'm really frustrated since I've googled so much and tried any suggestions available. Nothing helped, so I hope that I'll find support here.
> > >
> > > Please find my config and log below:
> > >
> > > cupsd.conf
> > > Code:
> > >
> > > # Allow remote access
> > > Port 631
> > > # Enable printer sharing and shared printers.
> > > Browsing On
> > > BrowseOrder allow,deny
> > > BrowseAllow all
> > > BrowseAddress @LOCAL
> > > DefaultEncryption Never
> > > #DefaultAuthType Basic
> > > DefaultAuthType Negotiate
> > > <Location />
> > >  Allow from 10.153.158.*
> > >  # Allow shared printing and remote administration...
> > >  Order allow,deny
> > >  Allow @LOCAL
> > > </Location>
> > > <Location /admin>
> > >  Allow from 10.153.158.*
> > >  # Allow remote administration...
> > >  Order allow,deny
> > >  Allow @LOCAL
> > > </Location>
> > > <Location /admin/conf>
> > >  AuthType Default
> > >  Require user @SYSTEM
> > >  # Allow remote access to the configuration files...
> > >  Order allow,deny
> > >  Allow @LOCAL
> > > </Location>
> > > <Policy default>
> > >  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
> > >    Require user @OWNER @SYSTEM
> > >    Order deny,allow
> > >  </Limit>
> > >  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
> > >    AuthType Basic
> > >    Require user root
> > >    Order deny,allow
> > >  </Limit>
> > >  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
> > >    AuthType Basic
> > >    Require user @SYSTEM
> > >    Order deny,allow
> > >  </Limit>
> > >  <Limit Cancel-Job CUPS-Authenticate-Job>
> > >    Require user @OWNER @SYSTEM
> > >    Order deny,allow
> > >  </Limit>
> > >  <Limit All>
> > >    Order deny,allow
> > >  </Limit>
> > > </Policy>
> > >
> > > excerpt from error_log
> > > Code:
> > >
> > > D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 POST /admin HTTP/1.1
> > > D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
> > > D [19/Jan/2010:15:57:27 -0100] [CGI] /usr/lib/cups/cgi-bin/admin.cgi started - PID = 3476
> > > I [19/Jan/2010:15:57:27 -0100] Started "/usr/lib/cups/cgi-bin/admin.cgi" (pid=3476)
> > > D [19/Jan/2010:15:57:27 -0100] cupsdSendCommand: 26 file=34
> > > D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: skipping getpeercon()
> > > D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: 27 from localhost:631 (IPv4)
> > > D [19/Jan/2010:15:57:27 -0100] [CGI] admin.cgi started...
> > > D [19/Jan/2010:15:57:27 -0100] [CGI] http=0x8e2ce28
> > > D [19/Jan/2010:15:57:27 -0100] [CGI] op="add-class"...
> > > D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 27 POST /admin/ HTTP/1.1
> > > D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
> > > D [19/Jan/2010:15:57:27 -0100] CUPS-Add-Modify-Class ipp://localhost/classes/se
> > > D [19/Jan/2010:15:57:27 -0100] cupsdIsAuthorized: username=""
> > > E [19/Jan/2010:15:57:27 -0100] CUPS-Add-Modify-Class: Unauthorized
> > > D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 27 code=401 (Unauthorized)
> > > D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Basic realm="CUPS"
> > > D [19/Jan/2010:15:57:27 -0100] [CGI] cgi_passwd(prompt="Password for lp on localhost? ") called!
> > > D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 26 code=401 (Unauthorized)
> > > D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Negotiate
> > > D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 26
> > > I [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: SSL shutdown successful!
> > > D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 26
> > > D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 27
> > > D [19/Jan/2010:15:57:27 -0100] PID 3476 (/usr/lib/cups/cgi-bin/admin.cgi) exited with no errors.
> > > D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: skipping getpeercon()
> > > D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: 26 from 10.153.158.201:631 (IPv4)
> > > D [19/Jan/2010:15:57:27 -0100] encrypt_client: 26 Connection from 10.153.158.201 now encrypted.
> > > D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 GET /cups.css HTTP/1.1
> > > D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
> > > D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 26 code=304 (Not Modified)
> > > D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 GET /favicon.ico HTTP/1.1
> > > D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
> > >
> > > I think the biggest problem is that obviously, no credentials are passed to CUPS
> > >
> > > Code:
> > >
> > > cupsdIsAuthorized: username=""
> > >
> > > and
> > >
> > > Code:
> > >
> > > cupsdAuthorize: No authentication data provided.
> > >
> > > When I run "kinit" from the CUPS server's command line, I get a ticket, so krb5 is configured fine. Could it be that there is some issue when working on a Mac client - I think that shouldn't be the problem's root, however, as I tried so many things, I don't know how to proceed in order to get this problem solved.
> > >
> > > I would be so thankful if somebody could help.. Thanks in advance!
> > >
> > > Greetings,
> > > Timo
> > > _______________________________________________
> > > cups mailing list
> > > cups at easysw.com
> > > http://lists.easysw.com/mailman/listinfo/cups
> >
> > ___________________________________________________
> > Michael Sweet, Senior Printing System Engineer
> >
> >
> >
>
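
The log in this thread shows a Basic realm="CUPS" challenge for CUPS-Add-Modify-Class and CUPS-Delete-Class, and the quoted cupsd.conf sets "AuthType Basic" inside the <Limit> block for those operations while DefaultAuthType is Negotiate. The check below is an added example, not part of the original message or of CUPS: it lists blocks whose explicit AuthType replaces the default, and flags "DefaultEncryption Never" next to Negotiate, which the quoted reply says cannot work. SAMPLE_CONF is a constructed, shortened copy of the posted directives and audit() is a hypothetical helper name.

```python
import re

# Constructed sample: a shortened copy of the directives quoted in the thread.
SAMPLE_CONF = """\
DefaultEncryption Never
#DefaultAuthType Basic
DefaultAuthType Negotiate
<Location /admin/conf>
  AuthType Default
</Location>
<Policy default>
  <Limit CUPS-Add-Modify-Class CUPS-Delete-Class>
    AuthType Basic
  </Limit>
</Policy>
"""

OPEN = re.compile(r"<(Location|LimitExcept|Limit|Policy)\b\s*([^>]*)>", re.I)
CLOSE = re.compile(r"</(Location|LimitExcept|Limit|Policy)>", re.I)

def audit(conf_text):
    """Hypothetical helper: return (DefaultAuthType, list of findings)."""
    default_auth, encryption = "Basic", None  # cupsd uses Basic when unset
    stack, explicit = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.fullmatch(line)
        if opened:
            stack.append(f"<{opened.group(1)} {opened.group(2).strip()}>")
        elif CLOSE.fullmatch(line) and stack:
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            key, value = key.lower(), value.strip()
            if key == "defaultauthtype":
                default_auth = value
            elif key == "defaultencryption":
                encryption = value
            elif key == "authtype" and stack:
                explicit.append((stack[-1], value))
    # Compare only after the whole file is read: DefaultAuthType may come last.
    findings = [f"{block} forces AuthType {value}, not DefaultAuthType {default_auth}"
                for block, value in explicit
                if value.lower() not in ("default", default_auth.lower())]
    if default_auth.lower() == "negotiate" and (encryption or "").lower() == "never":
        findings.append("DefaultEncryption Never with DefaultAuthType Negotiate")
    return default_auth, findings
```

Calling audit() on the text of a cupsd.conf returns the effective DefaultAuthType and one line per finding; "AuthType Default" blocks are not reported because they follow DefaultAuthType.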




