[cups.general] CUPS and Kerberos - Problem with Authentication

Michael Sweet msweet at apple.com
Wed Jan 20 21:12:51 PST 2010


On Jan 19, 2010, at 11:33 PM, Timo wrote:

>> You can't do Kerberos without encryption...
>> 
> 
> Thank you for replying. Ok, I did not know that. However, I added the entry "DefaultEncryption Never" after I had tried with normal encryption, just to test if this could bring me closer to a solution.
> 
> I've read a message here where someone added an entry in his config in order to point to the keytab - I found nothing about that in the official documentation. Is this entry needed?

Not generally, and the undocumented directive was removed in CUPS 1.4 anyways.

It would be useful if you had a debug log that actually showed that Kerberos was being used.

Also, make sure you have current versions of Kerberos - CentOS's version will likely be too old.

> 
> Any help is still appreciated very much! Thank you
> 
>> On Jan 19, 2010, at 12:48 PM, Timo wrote:
>> 
>>> Hello folks,
>>>
>>> I have a KDC on a Mac server and I need to authenticate CUPS (hosted on an Ubuntu server, also tested on a CentOS Server - same problem) against it. I've been struggling with this for three days and I'm really frustrated since I've googled so much and tried any suggestions available. Nothing helped, so I hope that I'll find support here.
>>>
>>> Please find my config and log below:
>>>
>>> cupsd.conf
>>> Code:
>>>
>>> # Allow remote access
>>> Port 631
>>> # Enable printer sharing and shared printers.
>>> Browsing On
>>> BrowseOrder allow,deny
>>> BrowseAllow all
>>> BrowseAddress @LOCAL
>>> DefaultEncryption Never
>>> #DefaultAuthType Basic
>>> DefaultAuthType Negotiate
>>> <Location />
>>> Allow from 10.153.158.*
>>> # Allow shared printing and remote administration...
>>> Order allow,deny
>>> Allow @LOCAL
>>> </Location>
>>> <Location /admin>
>>> Allow from 10.153.158.*
>>> # Allow remote administration...
>>> Order allow,deny
>>> Allow @LOCAL
>>> </Location>
>>> <Location /admin/conf>
>>> AuthType Default
>>> Require user @SYSTEM
>>> # Allow remote access to the configuration files...
>>> Order allow,deny
>>> Allow @LOCAL
>>> </Location>
>>> <Policy default>
>>> <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
>>>   Require user @OWNER @SYSTEM
>>>   Order deny,allow
>>> </Limit>
>>> <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
>>>   AuthType Basic
>>>   Require user root
>>>   Order deny,allow
>>> </Limit>
>>> <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
>>>   AuthType Basic
>>>   Require user @SYSTEM
>>>   Order deny,allow
>>> </Limit>
>>> <Limit Cancel-Job CUPS-Authenticate-Job>
>>>   Require user @OWNER @SYSTEM
>>>   Order deny,allow
>>> </Limit>
>>> <Limit All>
>>>   Order deny,allow
>>> </Limit>
>>> </Policy>
>>>
>>> excerpt from error_log
>>> Code:
>>>
>>> D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 POST /admin HTTP/1.1
>>> D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
>>> D [19/Jan/2010:15:57:27 -0100] [CGI] /usr/lib/cups/cgi-bin/admin.cgi started - PID = 3476
>>> I [19/Jan/2010:15:57:27 -0100] Started "/usr/lib/cups/cgi-bin/admin.cgi" (pid=3476)
>>> D [19/Jan/2010:15:57:27 -0100] cupsdSendCommand: 26 file=34
>>> D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: skipping getpeercon()
>>> D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: 27 from localhost:631 (IPv4)
>>> D [19/Jan/2010:15:57:27 -0100] [CGI] admin.cgi started...
>>> D [19/Jan/2010:15:57:27 -0100] [CGI] http=0x8e2ce28
>>> D [19/Jan/2010:15:57:27 -0100] [CGI] op="add-class"...
>>> D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 27 POST /admin/ HTTP/1.1
>>> D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
>>> D [19/Jan/2010:15:57:27 -0100] CUPS-Add-Modify-Class ipp://localhost/classes/se
>>> D [19/Jan/2010:15:57:27 -0100] cupsdIsAuthorized: username=""
>>> E [19/Jan/2010:15:57:27 -0100] CUPS-Add-Modify-Class: Unauthorized
>>> D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 27 code=401 (Unauthorized)
>>> D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Basic realm="CUPS"
>>> D [19/Jan/2010:15:57:27 -0100] [CGI] cgi_passwd(prompt="Password for lp on localhost? ") called!
>>> D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 26 code=401 (Unauthorized)
>>> D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Negotiate
>>> D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 26
>>> I [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: SSL shutdown successful!
>>> D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 26
>>> D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 27
>>> D [19/Jan/2010:15:57:27 -0100] PID 3476 (/usr/lib/cups/cgi-bin/admin.cgi) exited with no errors.
>>> D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: skipping getpeercon()
>>> D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: 26 from 10.153.158.201:631 (IPv4)
>>> D [19/Jan/2010:15:57:27 -0100] encrypt_client: 26 Connection from 10.153.158.201 now encrypted.
>>> D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 GET /cups.css HTTP/1.1
>>> D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
>>> D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 26 code=304 (Not Modified)
>>> D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 GET /favicon.ico HTTP/1.1
>>> D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
>>>
>>> I think the biggest problem is that obviously, no credentials are passed to CUPS
>>>
>>> Code:
>>>
>>> cupsdIsAuthorized: username=""
>>>
>>> and
>>>
>>> Code:
>>>
>>> cupsdAuthorize: No authentication data provided.
>>>
>>> When I run "kinit" from the CUPS server's command line, I get a ticket, so krb5 is configured fine. Could it be that there is some issue when working on a Mac client - I think that shouldn't be the problem's root, however, as I tried so many things, I don't know how to proceed in order to get this problem solved.
>>>
>>> I would be so thankful if somebody could help.. Thanks in advance!
>>>
>>> Greetings,
>>> Timo
>>> _______________________________________________
>>> cups mailing list
>>> cups at easysw.com
>>> http://lists.easysw.com/mailman/listinfo/cups
>> 
>> ___________________________________________________
>> Michael Sweet, Senior Printing System Engineer

___________________________________________________
Michael Sweet, Senior Printing System Engineer
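
The debug-log check requested in the reply above can be partly automated. The following is an added example (not part of the original messages and not CUPS code) that groups the quoted error_log lines by connection number and reports which authentication scheme each connection was offered and whether any credentials arrived. It assumes that a cupsdAuthorize or cupsdSendHeader line, which carries no connection number, belongs to the connection named on the most recent cupsdReadClient or cupsdSendError line.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the error_log excerpt quoted in this
# thread, with mail soft line breaks joined and "=3D" decoded to "=".
SAMPLE_LOG = """\
D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 POST /admin HTTP/1.1
D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 27 POST /admin/ HTTP/1.1
D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
D [19/Jan/2010:15:57:27 -0100] cupsdIsAuthorized: username=""
D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 27 code=401 (Unauthorized)
D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Basic realm="CUPS"
D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 26 code=401 (Unauthorized)
D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Negotiate
"""

# "<level> [<timestamp>] <function>: <message>"
LINE = re.compile(r'^[A-Za-z] \[[^\]]+\] (\w+): (.*)$')

def summarize(log_text):
    """Return {connection: {"requests", "no_auth", "challenges"}}."""
    conns = defaultdict(lambda: {"requests": 0, "no_auth": 0, "challenges": []})
    current = None  # assumption: last connection number seen owns unnumbered lines
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # [CGI] output, "Started ..." and IPP operation lines
        func, msg = m.groups()
        parts = msg.split()
        if func in ("cupsdReadClient", "cupsdSendError") and parts and parts[0].isdigit():
            current = int(parts[0])
            if func == "cupsdReadClient":
                conns[current]["requests"] += 1
        elif current is None:
            continue
        elif func == "cupsdAuthorize" and msg.startswith("No authentication data"):
            conns[current]["no_auth"] += 1
        elif func == "cupsdSendHeader" and len(parts) > 1 and parts[0] == "WWW-Authenticate:":
            conns[current]["challenges"].append(parts[1])  # scheme: Basic, Negotiate
    return dict(conns)

def negotiate_unanswered(summary):
    """Connections offered Negotiate on which every request lacked credentials."""
    return sorted(c for c, s in summary.items()
                  if "Negotiate" in s["challenges"] and s["no_auth"] == s["requests"])

if __name__ == "__main__":
    print(negotiate_unanswered(summarize(SAMPLE_LOG)))
```

On the sample lines, connection 27 is challenged with Basic while connection 26 is challenged with Negotiate and sends no credentials, so nothing in the excerpt shows a Kerberos exchange taking place.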






