CUPS and Kerberos - Problem with Authentication

Timo mailtohagen at gmail.com
Wed Jan 20 23:44:32 PST 2010


Hi Michael,

thank you for answering.


> On Jan 19, 2010, at 11:33 PM, Timo wrote:
>
> >> You can't do Kerberos without encryption...
> >>
> >
> > Thank you for replying. Ok, I did not know that. However, I added the entry "DefaultEncryption Never" after I have tried with normal encryption, just to test if this could bring me closer to a solution.
> >
> > I've read a message here where someone added an entry in his config in order to point to the keytab - I found nothing about that in the official documentation. Is this entry needed?
>
> Not generally, and the undocumented directive was removed in CUPS 1.4 anyways.
>

Ok, this is what I guessed, too. So I don't care about this anymore.

> It would be useful if you had a debug log that actually showed that Kerberos was being used.

I am willing to provide any information that could help you to help me. However, quite frankly speaking, I don't know where I could find such a debug log. The Kerberos/LDAP log on the Mac server has no entries regarding this issue.

>
> Also, make sure you have current versions of Kerberos - CentOS's version will likely be too old.

[root@vlinux002 ~]# yum list installed|grep krb
krb5-devel.i386                         1.6.1-36.el5_4.1               installed
krb5-libs.i386                          1.6.1-36.el5_4.1               installed
krb5-workstation.i386                   1.6.1-36.el5_4.1               installed
pam_krb5.i386                           2.2.14-10                      installed

Are these versions really too old? I have the latest CentOS (5.4) and I have already updated all packages.

Hope you can provide further help, thank you in advance.

>
> >
> > Any help is still appreciated very much! Thank you
> >
> >> On Jan 19, 2010, at 12:48 PM, Timo wrote:
> >>
> >>> Hello folks,
> >>>
> >>> I have a KDC on a Mac server and I need to authenticate CUPS (hosted on an Ubuntu server, also tested on a CentOS Server - same problem) against it. I've been struggling with this for three days and I'm really frustrated since I've googled so much and tried any suggestions available. Nothing helped, so I hope that I'll find support here.
> >>>
> >>> Please find my config and log below:
> >>>
> >>> cupsd.conf
> >>> Code:
> >>>
> >>> # Allow remote access
> >>> Port 631
> >>> # Enable printer sharing and shared printers.
> >>> Browsing On
> >>> BrowseOrder allow,deny
> >>> BrowseAllow all
> >>> BrowseAddress @LOCAL
> >>> DefaultEncryption Never
> >>> #DefaultAuthType Basic
> >>> DefaultAuthType Negotiate
> >>> <Location />
> >>> Allow from 10.153.158.*
> >>> # Allow shared printing and remote administration...
> >>> Order allow,deny
> >>> Allow @LOCAL
> >>> </Location>
> >>> <Location /admin>
> >>> Allow from 10.153.158.*
> >>> # Allow remote administration...
> >>> Order allow,deny
> >>> Allow @LOCAL
> >>> </Location>
> >>> <Location /admin/conf>
> >>> AuthType Default
> >>> Require user @SYSTEM
> >>> # Allow remote access to the configuration files...
> >>> Order allow,deny
> >>> Allow @LOCAL
> >>> </Location>
> >>> <Policy default>
> >>> <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
> >>>   Require user @OWNER @SYSTEM
> >>>   Order deny,allow
> >>> </Limit>
> >>> <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
> >>>   AuthType Basic
> >>>   Require user root
> >>>   Order deny,allow
> >>> </Limit>
> >>> <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
> >>>   AuthType Basic
> >>>   Require user @SYSTEM
> >>>   Order deny,allow
> >>> </Limit>
> >>> <Limit Cancel-Job CUPS-Authenticate-Job>
> >>>   Require user @OWNER @SYSTEM
> >>>   Order deny,allow
> >>> </Limit>
> >>> <Limit All>
> >>>   Order deny,allow
> >>> </Limit>
> >>> </Policy>
> >>>
> >>> excerpt from error_log
> >>> Code:
> >>>
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 POST /admin HTTP/1.1
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
> >>> D [19/Jan/2010:15:57:27 -0100] [CGI] /usr/lib/cups/cgi-bin/admin.cgi started - PID = 3476
> >>> I [19/Jan/2010:15:57:27 -0100] Started "/usr/lib/cups/cgi-bin/admin.cgi" (pid=3476)
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdSendCommand: 26 file=34
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: skipping getpeercon()
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: 27 from localhost:631 (IPv4)
> >>> D [19/Jan/2010:15:57:27 -0100] [CGI] admin.cgi started...
> >>> D [19/Jan/2010:15:57:27 -0100] [CGI] http=0x8e2ce28
> >>> D [19/Jan/2010:15:57:27 -0100] [CGI] op="add-class"...
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 27 POST /admin/ HTTP/1.1
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
> >>> D [19/Jan/2010:15:57:27 -0100] CUPS-Add-Modify-Class ipp://localhost/classes/se
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdIsAuthorized: username=""
> >>> E [19/Jan/2010:15:57:27 -0100] CUPS-Add-Modify-Class: Unauthorized
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 27 code=401 (Unauthorized)
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Basic realm="CUPS"
> >>> D [19/Jan/2010:15:57:27 -0100] [CGI] cgi_passwd(prompt="Password for lp on localhost? ") called!
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 26 code=401 (Unauthorized)
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Negotiate
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 26
> >>> I [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: SSL shutdown successful!
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 26
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 27
> >>> D [19/Jan/2010:15:57:27 -0100] PID 3476 (/usr/lib/cups/cgi-bin/admin.cgi) exited with no errors.
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: skipping getpeercon()
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: 26 from 10.153.158.201:631 (IPv4)
> >>> D [19/Jan/2010:15:57:27 -0100] encrypt_client: 26 Connection from 10.153.158.201 now encrypted.
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 GET /cups.css HTTP/1.1
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 26 code=304 (Not Modified)
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 GET /favicon.ico HTTP/1.1
> >>> D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
> >>>
> >>> I think the biggest problem is that obviously, no credentials are passed to CUPS
> >>>
> >>> Code:
> >>>
> >>> cupsdIsAuthorized: username=""
> >>>
> >>> and
> >>>
> >>> Code:
> >>>
> >>> cupsdAuthorize: No authentication data provided.
> >>>
> >>> When I run "kinit" from the CUPS server's command line, I get a ticket, so krb5 is configured fine. Could it be that there is some issue when working on a Mac client - I think that shouldn't be the problem's root, however, as I tried so many things, I don't know how to proceed in order to get this problem solved.
> >>>
> >>> I would be so thankful if somebody could help.. Thanks in advance!
> >>>
> >>> Greetings,
> >>> Timo
> >>> _______________________________________________
> >>> cups mailing list
> >>> cups at easysw.com
> >>> http://lists.easysw.com/mailman/listinfo/cups
> >>
> >> ___________________________________________________
> >> Michael Sweet, Senior Printing System Engineer
> >
>
> ___________________________________________________
> Michael Sweet, Senior Printing System Engineer
>
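
Added example, not part of the thread and not CUPS code: a small Python check for the two settings in the quoted cupsd.conf that work against Negotiate. These are `DefaultEncryption Never` (the reply quoted above says Kerberos cannot be done without encryption) and the `AuthType Basic` inside a `<Limit>` block, which matches the `WWW-Authenticate: Basic realm="CUPS"` challenge logged for CUPS-Add-Modify-Class. The names `audit_cupsd_conf` and `SAMPLE_CONF` are made up here, and the sample is condensed from the posted config.

```python
import re

# Constructed sample: condensed from the cupsd.conf quoted in the message above.
SAMPLE_CONF = """\
DefaultEncryption Never
#DefaultAuthType Basic
DefaultAuthType Negotiate
<Location /admin/conf>
AuthType Default
</Location>
<Policy default>
<Limit CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
  AuthType Basic
</Limit>
</Policy>
"""

def audit_cupsd_conf(text):
    """List settings that conflict with DefaultAuthType Negotiate (hypothetical helper)."""
    default_auth, encryption, scope, overrides = "", "", [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<(Location|Limit|LimitExcept|Policy)\b\s*(.*)>$", line)
        if opened:                      # entering a block: remember where we are
            scope.append(" ".join(opened.groups()).strip())
        elif line.startswith("</"):     # leaving the innermost block
            if scope:
                scope.pop()
        else:
            key, _, value = line.partition(" ")
            key, value = key.lower(), value.strip()
            if key == "defaultauthtype":
                default_auth = value
            elif key == "defaultencryption":
                encryption = value
            elif key == "authtype" and scope:
                overrides.append((scope[-1], value))
    if default_auth.lower() != "negotiate":
        return []                       # nothing to check unless Negotiate is the default
    findings = []
    if encryption.lower() == "never":
        findings.append("DefaultEncryption Never with DefaultAuthType Negotiate")
    for where, auth in overrides:       # a per-block AuthType replaces the default
        if auth.lower() not in ("negotiate", "default"):
            findings.append(f"AuthType {auth} in <{where}> overrides Negotiate")
    return findings
```

Calling `audit_cupsd_conf(SAMPLE_CONF)` returns one finding for the encryption setting and one for the `<Limit>` block that still asks for Basic.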




