Kerberos Authentication on Linux

bse bse at chalmers.se
Wed Mar 31 08:44:31 PDT 2010


> Hi, I'm trying to create a CUPS setup that lets only certain users administer certain tasks, and these users should be authenticated via GSSAPI.
> My server system is Debian squeeze with CUPS 1.4.2. My clients are running Ubuntu with Kerberos auth (and OpenAFS). The problem seems to be that no auth info gets passed to my CUPS server. Here is some config info:
>
> cupsd.conf:
>
> LogLevel debug
> Listen *:443 #Firefox defaults to trust only https
> DefaultAuthType Negotiate
> ...
> <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
> AuthType Default
> Require user joerg
> Order deny,allow
> </Limit>
>
> Now if I try to add a printer I get a 401 unauthorized error. The error log says:
>
> D [31/Mar/2010:16:23:55 +0200] cupsdAcceptClient: 11 from 192.168.42.42:443 (IPv4)
> D [31/Mar/2010:16:23:55 +0200] Connection from 192.168.42.42 now encrypted.
> D [31/Mar/2010:16:23:55 +0200] cupsdReadClient: 11 POST /admin/ HTTP/1.1
> D [31/Mar/2010:16:23:55 +0200] cupsdSetBusyState: Active clients
> D [31/Mar/2010:16:23:55 +0200] cupsdAuthorize: No authentication data provided.
> ....
>
> After all, has Kerberos auth with Linux ever been established? Shouldn't there be some keytab for my cups process? At least the documentation says nothing of the like. Maybe some working example would help a lot on this topic because the docs say almost nothing about it.
>
Yes, Kerberos works in Linux, at least in 1.3, and with patches in 1.4.
Yes, you need a keytab, and you also need to point to it in cupsd.conf with the keyword Krb5Keytab.
If you print directly to the print server, your local host does not need a principal; only the user needs a Kerberos ticket.
Note that your username in Kerberos includes the realm.
//Bse


> tia,
>     Jörg Herzinger
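
A small checker for the points raised in the reply (Negotiate in use, a Krb5Keytab directive present, realm-qualified names in Require user), as an added example that is not part of the original thread or of CUPS. The function names and the sample file are constructed; the Krb5Keytab keyword and the realm requirement are taken from the reply as stated.

```python
# Constructed sample: the cupsd.conf excerpt quoted in the question.
SAMPLE_CONF = """\
LogLevel debug
Listen *:443 #Firefox defaults to trust only https
DefaultAuthType Negotiate
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer>
AuthType Default
Require user joerg
Order deny,allow
</Limit>
"""

def parse_directives(text):
    """Return (name, value, enclosing_section_or_None) per directive line."""
    out, stack = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, as in the sample
        if not line:
            continue
        if line.startswith("</"):
            if stack:
                stack.pop()
        elif line.startswith("<"):
            stack.append(line.strip("<>").strip())
        else:
            parts = line.split(None, 1)
            value = parts[1].strip() if len(parts) > 1 else ""
            out.append((parts[0].lower(), value, stack[-1] if stack else None))
    return out

def check_negotiate(text):
    """Findings as (code, detail) for a config that uses Negotiate auth."""
    directives = parse_directives(text)
    if not any(n in ("defaultauthtype", "authtype") and v.lower() == "negotiate"
               for n, v, _ in directives):
        return []                              # Negotiate not in use
    findings = []
    if not any(n == "krb5keytab" and v for n, v, _ in directives):
        findings.append(("missing-keytab", None))
    for n, v, _ in directives:
        tokens = v.split()
        if n == "require" and tokens and tokens[0].lower() == "user":
            for user in tokens[1:]:
                # "@NAME" entries are groups; plain names need "user@REALM"
                if not user.startswith("@") and "@" not in user:
                    findings.append(("no-realm", user))
    return findings

if __name__ == "__main__":
    print(check_negotiate(SAMPLE_CONF))
```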
