CUPS and Kerberos - Problem with Authentication

Timo mailtohagen at gmail.com
Wed Jan 20 23:47:57 PST 2010


By the way, like posted before, I tried also to get things running on an Ubuntu server - but I got exactly the same problem and error message in the error_log.

> >
> Hi Michael,
>
> thank you for answering.
>
>
> > On Jan 19, 2010, at 11:33 PM, Timo wrote:
> >
> > >> You can't do Kerberos without encryption...
> > >>
> > >
> > > Thank you for replying. Ok, I did not know that. However, I added the entry "DefaultEncryption Never" after I have tried with normal encryption, just to test if this could bring me closer to a solution.
> > >
> > > I've read a message here where someone added an entry in his config in order to point to the keytab - I found nothing about that in the official documentation. Is this entry needed?
> >
> > Not generally, and the undocumented directive was removed in CUPS 1.4 anyways.
> >
>
> Ok, this is what I guessed, too. So I don't care about this anymore.
>
> > It would be useful if you had a debug log that actually showed that Kerberos was being used.
>
> I am willing to provide any information that could help you to help me. However, quite frankly speaking, I don't know where I could find such a debug log. The Kerberos/LDAP log on the Mac server has no entries regarding this issue.
>
> >
> > Also, make sure you have current versions of Kerberos - CentOS's version will likely be too old.
>
> [root at vlinux002 ~]# yum list installed|grep krb
> krb5-devel.i386                         1.6.1-36.el5_4.1               installed
> krb5-libs.i386                          1.6.1-36.el5_4.1               installed
> krb5-workstation.i386                   1.6.1-36.el5_4.1               installed
> pam_krb5.i386                           2.2.14-10                      installed
>
> are these versions really too old? I have the latest CentOS (5.4) and I have already updated all packages.
>
> Hope you can provide further help, thank you in advance.
>
> >
> > >
> > > Any help is still appreciated very much! Thank you
> > >
> > >> On Jan 19, 2010, at 12:48 PM, Timo wrote:
> > >>
> > >>> Hello folks,
> > >>>
> > >>> I have a KDC on a Mac server and I need to authenticate CUPS (hosted on an Ubuntu server, also tested on a CentOS Server - same problem) against it. I'm struggling with this since three days and I'm really frustrated since I've googled so much and tried any suggestions available. Nothing helped, so I hope that I'll find support here.
> > >>>
> > >>> Please find my config and log below:
> > >>>
> > >>> cupsd.conf
> > >>> Code:
> > >>>
> > >>> # Allow remote access
> > >>> Port 631
> > >>> # Enable printer sharing and shared printers.
> > >>> Browsing On
> > >>> BrowseOrder allow,deny
> > >>> BrowseAllow all
> > >>> BrowseAddress @LOCAL
> > >>> DefaultEncryption Never
> > >>> #DefaultAuthType Basic
> > >>> DefaultAuthType Negotiate
> > >>> <Location />
> > >>> Allow from 10.153.158.*
> > >>> # Allow shared printing and remote administration...
> > >>> Order allow,deny
> > >>> Allow @LOCAL
> > >>> </Location>
> > >>> <Location /admin>
> > >>> Allow from 10.153.158.*
> > >>> # Allow remote administration...
> > >>> Order allow,deny
> > >>> Allow @LOCAL
> > >>> </Location>
> > >>> <Location /admin/conf>
> > >>> AuthType Default
> > >>> Require user @SYSTEM
> > >>> # Allow remote access to the configuration files...
> > >>> Order allow,deny
> > >>> Allow @LOCAL
> > >>> </Location>
> > >>> <Policy default>
> > >>> <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
> > >>>   Require user @OWNER @SYSTEM
> > >>>   Order deny,allow
> > >>> </Limit>
> > >>> <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
> > >>>   AuthType Basic
> > >>>   Require user root
> > >>>   Order deny,allow
> > >>> </Limit>
> > >>> <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
> > >>>   AuthType Basic
> > >>>   Require user @SYSTEM
> > >>>   Order deny,allow
> > >>> </Limit>
> > >>> <Limit Cancel-Job CUPS-Authenticate-Job>
> > >>>   Require user @OWNER @SYSTEM
> > >>>   Order deny,allow
> > >>> </Limit>
> > >>> <Limit All>
> > >>>   Order deny,allow
> > >>> </Limit>
> > >>> </Policy>
> > >>> </code>
> > >>>
> > >>> excerpt from error_log
> > >>> Code:
> > >>>
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 POST /admin HTTP/1.1
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
> > >>> D [19/Jan/2010:15:57:27 -0100] [CGI] /usr/lib/cups/cgi-bin/admin.cgi started - PID = 3476
> > >>> I [19/Jan/2010:15:57:27 -0100] Started "/usr/lib/cups/cgi-bin/admin.cgi" (pid=3476)
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdSendCommand: 26 file=34
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: skipping getpeercon()
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: 27 from localhost:631 (IPv4)
> > >>> D [19/Jan/2010:15:57:27 -0100] [CGI] admin.cgi started...
> > >>> D [19/Jan/2010:15:57:27 -0100] [CGI] http=0x8e2ce28
> > >>> D [19/Jan/2010:15:57:27 -0100] [CGI] op="add-class"...
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 27 POST /admin/ HTTP/1.1
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
> > >>> D [19/Jan/2010:15:57:27 -0100] CUPS-Add-Modify-Class ipp://localhost/classes/se
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdIsAuthorized: username=""
> > >>> E [19/Jan/2010:15:57:27 -0100] CUPS-Add-Modify-Class: Unauthorized
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 27 code=401 (Unauthorized)
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Basic realm="CUPS"
> > >>> D [19/Jan/2010:15:57:27 -0100] [CGI] cgi_passwd(prompt="Password for lp on localhost? ") called!
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 26 code=401 (Unauthorized)
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Negotiate
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 26
> > >>> I [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: SSL shutdown successful!
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 26
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 27
> > >>> D [19/Jan/2010:15:57:27 -0100] PID 3476 (/usr/lib/cups/cgi-bin/admin.cgi) exited with no errors.
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: skipping getpeercon()
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: 26 from 10.153.158.201:631 (IPv4)
> > >>> D [19/Jan/2010:15:57:27 -0100] encrypt_client: 26 Connection from 10.153.158.201 now encrypted.
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 GET /cups.css HTTP/1.1
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 26 code=304 (Not Modified)
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 GET /favicon.ico HTTP/1.1
> > >>> D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
> > >>>
> > >>> I think the biggest problem is that obviously, no credentials are passed to CUPS
> > >>>
> > >>> Code:
> > >>>
> > >>> cupsdIsAuthorized: username=""
> > >>>
> > >>> and
> > >>>
> > >>> Code:
> > >>>
> > >>> cupsdAuthorize: No authentication data provided.
> > >>>
> > >>> When I run "kinit" from the CUPS server's command line, I get a ticket, so krb5 is configured fine. Could it be that there is some issue when working on a Mac client - I think that shouldn't be the problem's root, however, as I tried so many things, I don't know how to proceed in order to get this problem solved.
> > >>>
> > >>> I would be so thankful if somebody could help.. Thanks in advance!
> > >>>
> > >>> Greetings,
> > >>> Timo
> > >>> _______________________________________________
> > >>> cups mailing list
> > >>> cups at easysw.com
> > >>> http://lists.easysw.com/mailman/listinfo/cups
> > >>
> > >> ___________________________________________________
> > >> Michael Sweet, Senior Printing System Engineer
> > >>
> > >
> >
> > ___________________________________________________
> > Michael Sweet, Senior Printing System Engineer
> >
> >
> >
>
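
The request in the thread for a debug log that shows Kerberos actually being used can be checked mechanically. The Python below is an added example, not part of the original messages or of CUPS: it groups error_log lines by connection number and reports which WWW-Authenticate scheme each connection was offered and whether its requests carried credentials. It assumes that a log line without a connection number belongs to the connection named most recently, which holds for the quoted excerpt but not necessarily for a busy server's interleaved log.

```python
import re

# Lines from the error_log excerpt quoted above, mail line-wrapping undone.
SAMPLE_LOG = """\
D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 POST /admin HTTP/1.1
D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 27 POST /admin/ HTTP/1.1
D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 27 code=401 (Unauthorized)
D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Basic realm="CUPS"
D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 26 code=401 (Unauthorized)
D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Negotiate
"""

PREFIX = re.compile(r"^[A-Za-z] \[[^\]]+\] (.*)$")  # level, timestamp, message
READ = re.compile(r"^cupsdReadClient: (\d+) (\S+) (\S+) HTTP/")
ERROR = re.compile(r"^cupsdSendError: (\d+) code=\d+")
CHALLENGE = re.compile(r"^cupsdSendHeader: WWW-Authenticate: (\S+)")
NO_AUTH = "cupsdAuthorize: No authentication data provided."

def summarize(log_text):
    """Per connection: requests read, requests without credentials, challenges sent."""
    conns, current = {}, None
    for raw in log_text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        hit = READ.match(msg) or ERROR.match(msg)
        if hit:
            # Assumption: id-less lines that follow belong to this connection.
            current = conns.setdefault(
                hit.group(1), {"requests": [], "no_auth": 0, "challenges": []})
            if hit.re is READ:
                current["requests"].append(f"{hit.group(2)} {hit.group(3)}")
        elif current is not None and msg == NO_AUTH:
            current["no_auth"] += 1
        elif current is not None and CHALLENGE.match(msg):
            current["challenges"].append(CHALLENGE.match(msg).group(1))
    return conns

def negotiate_unanswered(conns):
    """Connections offered Negotiate whose requests all arrived without credentials."""
    return sorted(cid for cid, c in conns.items()
                  if "Negotiate" in c["challenges"] and c["no_auth"] == len(c["requests"]))

if __name__ == "__main__":
    print(negotiate_unanswered(summarize(SAMPLE_LOG)))
```

On the excerpt this reports connection 26: it was offered Negotiate and its request arrived without credentials, while connection 27, accepted from localhost, was challenged with Basic.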




