Kerberos authentication: Unauthorized, but still prints!

Germán Márquez Mejía marquezmejia at tubit.tu-berlin.de
Tue Nov 30 08:51:45 PST 2010


$ lpr -H cupsserver:631 -P TestPrinter file
lpr: Unauthorized

In spite of the "Unauthorized" message above, the client gets a new host/server at REALM ticket and the job reaches the server. I've tested this on a Lenny server with CUPS 1.3.11, 1.4.4 and 1.5svn (r9031), the latter of which supposedly fixes http://www.cups.org/str.php?L3325.

access_log:
----
130.x.x.x - - [30/Nov/2010:15:56:43 +0100] "POST / HTTP/1.1" 200 685 Get-Printer-Attributes successful-ok
130.x.x.x - - [30/Nov/2010:15:56:43 +0100] "POST /printers/TestPrinter HTTP/1.1" 426 346 Create-Job successful-ok
130.x.x.x - - [30/Nov/2010:15:56:43 +0100] "POST /printers/TestPrinter HTTP/1.1" 401 346 Create-Job successful-ok
130.x.x.x - user at REALM [30/Nov/2010:15:56:43 +0100] "POST /printers/TestPrinter HTTP/1.1" 200 346 Create-Job successful-ok
130.x.x.x - - [30/Nov/2010:15:56:43 +0100] "POST /printers/TestPrinter HTTP/1.1" 401 238 Send-Document successful-ok
----

error_log:
----
D [30/Nov/2010:15:56:43 +0100] cupsdReadClient: 12 1.1 Create-Job 1
d [30/Nov/2010:15:56:43 +0100] cupsdProcessIPPRequest(0x800d3030[12]): operation_id = 0005
D [30/Nov/2010:15:56:43 +0100] Create-Job ipp://localhost:631/printers/TestPrinter
d [30/Nov/2010:15:56:43 +0100] create_job(0x800d3030[12], ipp://localhost:631/printers/TestPrinter)
d [30/Nov/2010:15:56:43 +0100] add_job(0x800d3030[12], 0x8006d300(TestPrinter), (nil)(none/none))
d [30/Nov/2010:15:56:43 +0100] cupsdFindPolicyOp(p=0x800cc340, op=5(Create-Job))
d [30/Nov/2010:15:56:43 +0100] cupsdFindPolicyOp: Found exact match...
d [30/Nov/2010:15:56:43 +0100] cupsdIsAuthorized: con->uri="/printers/TestPrinter", con->best=0x800cc398((null))
d [30/Nov/2010:15:56:43 +0100] cupsdIsAuthorized: level=CUPSD_AUTH_USER, type=Negotiate, satisfy=CUPSD_AUTH_SATISFY_ALL, num_names=0
d [30/Nov/2010:15:56:43 +0100] cupsdIsAuthorized: op=5(Create-Job)
d [30/Nov/2010:15:56:43 +0100] cupsdIsAuthorized: auth=CUPSD_AUTH_ALLOW...
D [30/Nov/2010:15:56:43 +0100] cupsdIsAuthorized: username=""
D [30/Nov/2010:15:56:43 +0100] Returning HTTP Unauthorized for Create-Job (ipp://localhost:631/printers/TestPrinter) from 130.x.x.x
----

Could the username="" be the problem? If so, what am I missing? Perhaps something wrong with my cupsd.conf?

Parts of it:
----
Port 631
Listen /home/cups/var/run/cups/cups.sock
LogLevel debug2
AccessLogLevel all
SystemGroup root
Browsing On
BrowseOrder deny,allow
BrowseProtocols cups
DefaultAuthType Basic
Krb5Keytab /etc/krb5.keytab

...

  <Limit Send-Document Create-Job Print-Job Print-URI>
    Order deny,allow
    AuthType Negotiate
    Require valid-user
  </Limit>

...
----

Thanks in advance.
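
An added example, not part of the original post: a small Python summary of the access_log lines above, grouping requests per IPP operation and flagging any operation that was challenged with 401 and never followed by an authenticated 200. The field layout is assumed from the excerpt, and `summarize` and `unresolved_401` are names chosen here.

```python
import re

# Lines copied from the access_log excerpt in the post above (addresses are
# masked there; "user at REALM" is how the list archive renders the user field).
SAMPLE_LOG = """\
130.x.x.x - - [30/Nov/2010:15:56:43 +0100] "POST / HTTP/1.1" 200 685 Get-Printer-Attributes successful-ok
130.x.x.x - - [30/Nov/2010:15:56:43 +0100] "POST /printers/TestPrinter HTTP/1.1" 426 346 Create-Job successful-ok
130.x.x.x - - [30/Nov/2010:15:56:43 +0100] "POST /printers/TestPrinter HTTP/1.1" 401 346 Create-Job successful-ok
130.x.x.x - user at REALM [30/Nov/2010:15:56:43 +0100] "POST /printers/TestPrinter HTTP/1.1" 200 346 Create-Job successful-ok
130.x.x.x - - [30/Nov/2010:15:56:43 +0100] "POST /printers/TestPrinter HTTP/1.1" 401 238 Send-Document successful-ok
"""

# Assumed layout: host group user [date] "request" http-status bytes ipp-operation ipp-status
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>.+?) \[(?P<date>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<op>\S+) (?P<ipp_status>\S+)$'
)

def summarize(log_text):
    """Group requests by (host, path, IPP operation) and report, for each,
    the HTTP status sequence and whether any request got 200 with a user."""
    groups = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unparseable lines
        key = (m["host"], m["path"], m["op"])
        g = groups.setdefault(key, {"statuses": [], "users": set()})
        status = int(m["status"])
        g["statuses"].append(status)
        if status == 200 and m["user"] != "-":
            g["users"].add(m["user"])
    report = []
    for (host, path, op), g in groups.items():
        report.append({
            "host": host, "path": path, "op": op, "statuses": g["statuses"],
            "authenticated_as": sorted(g["users"]),
            # challenged with 401 and never answered by an authenticated 200
            "unresolved_401": 401 in g["statuses"] and not g["users"],
        })
    return report

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        flag = "UNRESOLVED 401" if r["unresolved_401"] else "ok"
        print(f'{r["op"]:<24} {r["statuses"]} user={r["authenticated_as"]} {flag}')
```

On the excerpt, Create-Job ends in an authenticated 200 while Send-Document shows only the 401.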
