[cups.general] CUPS and Kerberos - Problem with Authentication

Michael Sweet msweet at apple.com
Wed Jan 20 23:59:33 PST 2010


On Jan 20, 2010, at 11:44 PM, Timo wrote:

>>
> Hi Michael,
>
> thank you for answering.
>
>
>> On Jan 19, 2010, at 11:33 PM, Timo wrote:
>>
>>>> You can't do Kerberos without encryption...
>>>>
>>>
>>> Thank you for replying. Ok, I did not know that. However, I added the
>>> entry "DefaultEncryption Never" after I have tried with normal
>>> encryption, just to test if this could bring me closer to a solution.
>>>
>>> I've read a message here where someone added an entry in his config in
>>> order to point to the keytab - I found nothing about that in the
>>> official documentation. Is this entry needed?
>>
>> Not generally, and the undocumented directive was removed in CUPS 1.4
>> anyways.
>>
>
> Ok, this is what I guessed, too. So I don't care about this anymore.
>
>> It would be useful if you had a debug log that actually showed that
>> Kerberos was being used.
>
> I am willing to provide any information that could help you to help  
> me. However, quite frankly speaking, I don't know where I could find  
> such a debug log. The Kerberos/LDAP log on the Mac server has no  
> entries regarding this issue.
>
>>
>> Also, make sure you have current versions of Kerberos - CentOS's version
>> will likely be too old.
>
> [root@vlinux002 ~]# yum list installed|grep krb
> krb5-devel.i386                          1.6.1-36.el5_4.1               installed
> krb5-libs.i386                           1.6.1-36.el5_4.1               installed
> krb5-workstation.i386                    1.6.1-36.el5_4.1               installed
> pam_krb5.i386                            2.2.14-10                      installed
>
> are these versions really too old? I have the latest CentOS (5.4)  
> and I have already updated all packages.

You need at least MIT Kerberos 1.6.3 or any version of Heimdal.

>
> Hope you can provide further help, thank you in advance.
>
>>
>>>
>>> Any help is still appreciated very much! Thank you
>>>
>>>> On Jan 19, 2010, at 12:48 PM, Timo wrote:
>>>>
>>>>> Hello folks,
>>>>>
>>>>> I have a KDC on a Mac server and I need to authenticate CUPS (hosted
>>>>> on an Ubuntu server, also tested on a CentOS Server - same problem)
>>>>> against it. I'm struggling with this since three days and I'm really
>>>>> frustrated since I've googled so much and tried any suggestions
>>>>> available. Nothing helped, so I hope that I'll find support here.
>>>>>
>>>>> Please find my config and log below:
>>>>>
>>>>> cupsd.conf
>>>>> Code:
>>>>>
>>>>> # Allow remote access
>>>>> Port 631
>>>>> # Enable printer sharing and shared printers.
>>>>> Browsing On
>>>>> BrowseOrder allow,deny
>>>>> BrowseAllow all
>>>>> BrowseAddress @LOCAL
>>>>> DefaultEncryption Never
>>>>> #DefaultAuthType Basic
>>>>> DefaultAuthType Negotiate
>>>>> <Location />
>>>>> Allow from 10.153.158.*
>>>>> # Allow shared printing and remote administration...
>>>>> Order allow,deny
>>>>> Allow @LOCAL
>>>>> </Location>
>>>>> <Location /admin>
>>>>> Allow from 10.153.158.*
>>>>> # Allow remote administration...
>>>>> Order allow,deny
>>>>> Allow @LOCAL
>>>>> </Location>
>>>>> <Location /admin/conf>
>>>>> AuthType Default
>>>>> Require user @SYSTEM
>>>>> # Allow remote access to the configuration files...
>>>>> Order allow,deny
>>>>> Allow @LOCAL
>>>>> </Location>
>>>>> <Policy default>
>>>>> <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
>>>>>  Require user @OWNER @SYSTEM
>>>>>  Order deny,allow
>>>>> </Limit>
>>>>> <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
>>>>>  AuthType Basic
>>>>>  Require user root
>>>>>  Order deny,allow
>>>>> </Limit>
>>>>> <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
>>>>>  AuthType Basic
>>>>>  Require user @SYSTEM
>>>>>  Order deny,allow
>>>>> </Limit>
>>>>> <Limit Cancel-Job CUPS-Authenticate-Job>
>>>>>  Require user @OWNER @SYSTEM
>>>>>  Order deny,allow
>>>>> </Limit>
>>>>> <Limit All>
>>>>>  Order deny,allow
>>>>> </Limit>
>>>>> </Policy>
>>>>> </code>
>>>>>
>>>>> excerpt from error_log
>>>>> Code:
>>>>>
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 POST /admin HTTP/1.1
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
>>>>> D [19/Jan/2010:15:57:27 -0100] [CGI] /usr/lib/cups/cgi-bin/admin.cgi started - PID = 3476
>>>>> I [19/Jan/2010:15:57:27 -0100] Started "/usr/lib/cups/cgi-bin/admin.cgi" (pid=3476)
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdSendCommand: 26 file=34
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: skipping getpeercon()
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: 27 from localhost:631 (IPv4)
>>>>> D [19/Jan/2010:15:57:27 -0100] [CGI] admin.cgi started...
>>>>> D [19/Jan/2010:15:57:27 -0100] [CGI] http=0x8e2ce28
>>>>> D [19/Jan/2010:15:57:27 -0100] [CGI] op="add-class"...
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 27 POST /admin/ HTTP/1.1
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
>>>>> D [19/Jan/2010:15:57:27 -0100] CUPS-Add-Modify-Class ipp://localhost/classes/se
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdIsAuthorized: username=""
>>>>> E [19/Jan/2010:15:57:27 -0100] CUPS-Add-Modify-Class: Unauthorized
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 27 code=401 (Unauthorized)
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Basic realm="CUPS"
>>>>> D [19/Jan/2010:15:57:27 -0100] [CGI] cgi_passwd(prompt="Password for lp on localhost? ") called!
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 26 code=401 (Unauthorized)
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Negotiate
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 26
>>>>> I [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: SSL shutdown successful!
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 26
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdCloseClient: 27
>>>>> D [19/Jan/2010:15:57:27 -0100] PID 3476 (/usr/lib/cups/cgi-bin/admin.cgi) exited with no errors.
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: skipping getpeercon()
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdAcceptClient: 26 from 10.153.158.201:631 (IPv4)
>>>>> D [19/Jan/2010:15:57:27 -0100] encrypt_client: 26 Connection from 10.153.158.201 now encrypted.
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 GET /cups.css HTTP/1.1
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 26 code=304 (Not Modified)
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 GET /favicon.ico HTTP/1.1
>>>>> D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
>>>>>
>>>>> I think the biggest problem is that obviously, no credentials are
>>>>> passed to CUPS
>>>>>
>>>>> Code:
>>>>>
>>>>> cupsdIsAuthorized: username=""
>>>>>
>>>>> and
>>>>>
>>>>> Code:
>>>>>
>>>>> cupsdAuthorize: No authentication data provided.
>>>>>
>>>>> When I run "kinit" from the CUPS server's command line, I get a
>>>>> ticket, so krb5 is configured fine. Could it be that there is some issue
>>>>> when working on a Mac client - I think that shouldn't be the problem's
>>>>> root, however, as I tried so many things, I don't know how to proceed in
>>>>> order to get this problem solved.
>>>>>
>>>>> I would be so thankful if somebody could help.. Thanks in advance!
>>>>>
>>>>> Greetings,
>>>>> Timo
>>>>> _______________________________________________
>>>>> cups mailing list
>>>>> cups at easysw.com
>>>>> http://lists.easysw.com/mailman/listinfo/cups
>>>>
>>>> ___________________________________________________
>>>> Michael Sweet, Senior Printing System Engineer
>>>>

___________________________________________________
Michael Sweet, Senior Printing System Engineer
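
[Added example, not part of the original message or of CUPS itself: a Python sketch that reads cupsd debug lines like the quoted error_log excerpt and reports, per client connection, which WWW-Authenticate scheme was offered and whether any request carried credentials. The names summarize_auth and negotiate_unanswered are hypothetical, the sample lines are constructed from the excerpt, and attributing id-less lines to the most recently named connection is an assumption that holds for this excerpt.]

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the error_log excerpt quoted in the thread.
SAMPLE_LOG = """\
D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 26 POST /admin HTTP/1.1
D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
D [19/Jan/2010:15:57:27 -0100] cupsdReadClient: 27 POST /admin/ HTTP/1.1
D [19/Jan/2010:15:57:27 -0100] cupsdAuthorize: No authentication data provided.
D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 27 code=401 (Unauthorized)
D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Basic realm="CUPS"
D [19/Jan/2010:15:57:27 -0100] cupsdSendError: 26 code=401 (Unauthorized)
D [19/Jan/2010:15:57:27 -0100] cupsdSendHeader: WWW-Authenticate: Negotiate
"""

LINE = re.compile(r"^[A-Za-z] \[[^\]]+\] (\w+): ?(.*)$")
CHALLENGE = re.compile(r"^WWW-Authenticate: (\S+)")

def summarize_auth(log_text):
    """Per connection id: request count, requests without credentials, challenges sent."""
    stats = defaultdict(lambda: {"requests": 0, "unauthenticated": 0, "challenges": []})
    current = None  # assumption: lines without an id belong to the last connection named
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        func, rest = m.groups()
        if func in ("cupsdReadClient", "cupsdSendError"):
            c = re.match(r"(\d+)\b", rest)
            if c:
                current = int(c.group(1))
                if func == "cupsdReadClient":
                    stats[current]["requests"] += 1
        elif current is None:
            continue
        elif func == "cupsdAuthorize" and rest.startswith("No authentication data"):
            stats[current]["unauthenticated"] += 1
        elif func == "cupsdSendHeader":
            ch = CHALLENGE.match(rest)
            if ch:
                stats[current]["challenges"].append(ch.group(1))
    return dict(stats)

def negotiate_unanswered(stats):
    """Connections that were offered Negotiate but never sent any credentials."""
    return sorted(c for c, s in stats.items()
                  if "Negotiate" in s["challenges"] and s["unauthenticated"] == s["requests"])

if __name__ == "__main__":
    print(negotiate_unanswered(summarize_auth(SAMPLE_LOG)))
```
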






