[cups.general] Authentication problem

Martin Schuster (IFKL IT OS DS CD) Martin.Schuster1 at infineon.com
Wed Aug 24 23:31:31 PDT 2011


On 2011-08-24 22:08, P. Larry Nelson wrote:
> Hi,
> 
> I'm new to this list, but not to CUPS.  I have a few conceptual
> questions about using authentication.
> 
> I've been using CUPS for many years now on a linux server to allow
> our linux and Mac users access to our printers.  It has always just
> worked with rarely any intervention on my part.  I'm currently
> using cups-1.3.7-18.el5 (RedHat).  I expect that version to remain
> the same unless there's an update from RedHat or at some time in
> the future when/if we migrate the server to RedHat 6 - probably
> a couple years down the road.
> 
It's no major problem to get a current CUPS running on RHEL5.

Attaching my cookbook, might be /slightly/ out-of-date (wrote it
before 1.4.4 was released), but should give you a basic idea.

> All our printers are HP laser printers and all are networked on our
> group's LAN.  All our Windows users print via a Windows print server.
> They can do that no matter whether they are on our LAN or on any
> other LAN on campus because they authenticate thru the campus
> Active Directory.  Group policy allows authorization to print
> to our printers.
> 
I guess this means that the Windows print server checks the
authentication (most likely via Kerberos).

> Access for the linux and Mac users has always been via the "Allow from"
> in cupsd.conf, as in:
> [...]
...and here the CUPS server checks the authentication, this time
based on the IP address of the client.

> [...]
> What I need is a simple authorization solution, not just from
> my end, but also for the linux/Mac users viewpoint to keep
> printing simple.
> 
afaics there are at least 3 ways to get everything working:

> We are not running kerberos
>
1) You could use the AD for Kerberos. Use pam_krb5 for the login
of the Linux-Boxes, or tell users to call "kinit" before printing;
in both cases they will have a Kerberos-ticket afterwards, which
CUPS then needs to work with.

> (and really do not want to venture down that sticky road),
>
It might be a little bit tricky to get it running the first
time, there are some traps (hint: in case of problems, check
NTP and DNS), but doable within a day.

> but I do have Samba running on the same
> linux server as the CUPS server, and from the little I've tried
> to read and understand about it, it appears that Samba will play
> quite well with CUPS.
>
2) Together with winbind, this will allow your users to print via
SMB (the Windows protocol; don't think you'll see a lot of clients
that can do this). Doable, but imho not what you want.

> [...]
3) You could also use the AD as LDAP, i.e. in /etc/pam.d/cups use
pam_ldap, then tell pam_ldap in /etc/ldap.conf to use the AD. Also,
you need to list ldap in /etc/nsswitch.conf.

This would require people that want to print to auth against the AD;
don't know if that's what you want.


hth,
-- 
Infineon Technologies IT-Services GmbH   Martin.Schuster1 at infineon.com
Lakeside B05, 9020 Klagenfurt, Austria   Martin Schuster
         FB: LG Klagenfurt, FN 246787y   +43 5 1777 3517
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: cups_1.4.txt
URL: <https://lists.cups.org/pipermail/cups/attachments/20110824/2e2f72f4/attachment-0001.txt>
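
Option 3 from the reply above, written out as the four files it touches. This is an added example, not part of the original post or its attached cookbook; the host name, DNs, network and CA path are constructed placeholders, and it assumes the PADL pam_ldap/nss_ldap packages used on RHEL5 and an AD that exposes POSIX attributes over LDAP.

```conf
# ---- /etc/cups/cupsd.conf (excerpt) ----
<Location />
  # Basic auth makes cupsd pass the user name and password to PAM
  # (service name "cups", i.e. /etc/pam.d/cups).
  AuthType Basic
  Require valid-user
  # Basic credentials are only base64-encoded on the wire, so force TLS
  # on the IPP connection before any AD password is sent.
  Encryption Required
  Order allow,deny
  # Constructed example network; keep whatever "Allow from" lines you use today.
  Allow from 192.0.2.0/24
</Location>

# ---- /etc/pam.d/cups ----
auth     required  pam_ldap.so
account  required  pam_ldap.so

# ---- /etc/ldap.conf (read by pam_ldap and nss_ldap) ----
# ldaps plus certificate checking keeps the password check and the
# bind password off the wire in clear text.
uri ldaps://dc1.ad.example.edu/
base dc=ad,dc=example,dc=edu
scope sub
# Dedicated low-privilege lookup account (placeholder DN and password).
binddn cn=cups-lookup,cn=Users,dc=ad,dc=example,dc=edu
bindpw REPLACE_WITH_LOOKUP_PASSWORD
# Match the name the user types against the AD logon name.
pam_login_attribute sAMAccountName
pam_filter objectclass=user
tls_checkpeer yes
tls_cacertfile /etc/pki/tls/certs/ad-ca.pem

# ---- /etc/nsswitch.conf (excerpt) ----
passwd: files ldap
group:  files ldap
```

Because /etc/ldap.conf holds the bind password and must stay readable for NSS lookups, the lookup account should have no rights in AD beyond reading user entries.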
