Kerberos Authentication on Linux

Jörg Herzinger joerg at global2000.at
Wed Mar 31 07:30:02 PDT 2010


Hi, I'm trying to create a CUPS setup that lets only certain users administer certain tasks, and these users should be authenticated via GSSAPI.
My server system is Debian squeeze with CUPS 1.4.2. My clients are running Ubuntu with Kerberos auth (and OpenAFS). The problem seems to be that no auth info gets passed to my CUPS server. Here is some config info:

cupsd.conf:

LogLevel debug
Listen *:443 #Firefox defaults to trust only https
DefaultAuthType Negotiate
...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
AuthType Default
Require user joerg
Order deny,allow
</Limit>

Now if I try to add a printer I get a 401 unauthorized error. The error log says:

D [31/Mar/2010:16:23:55 +0200] cupsdAcceptClient: 11 from 192.168.42.42:443 (IPv4)
D [31/Mar/2010:16:23:55 +0200] Connection from 192.168.42.42 now encrypted.
D [31/Mar/2010:16:23:55 +0200] cupsdReadClient: 11 POST /admin/ HTTP/1.1
D [31/Mar/2010:16:23:55 +0200] cupsdSetBusyState: Active clients
D [31/Mar/2010:16:23:55 +0200] cupsdAuthorize: No authentication data provided.
....

After all, has Kerberos auth with Linux ever been established? Shouldn't there be some keytab for my CUPS process? At least the documentation says nothing of the like. Maybe some working example would help a lot on this topic, because the docs say almost nothing about it.

tia,
    Jörg Herzinger



