[cups.general] Kerberos auth, realm and domain considerations

Michael Sweet msweet at apple.com
Tue Oct 9 07:07:50 PDT 2012


The limit is one realm; typically this is implemented using a single (master) KDC with zero or more slave KDCs.

The reason for the limit is that the Microsoft-defined Negotiate authentication method for HTTP does not provide the realm as part of the authentication challenge or response, so the client has to basically guess.  For Windows AD you can almost always use the domain name of the server as the realm name, but that doesn't hold in general... :/

As for the static IP requirement (and it was more a guideline since you really just needed a stable hostname), that went away in CUPS 1.4 for clients - servers still need to have a stable hostname, for obvious reasons... :)


On 2012-10-05, at 2:48 AM, Søren Grønning <sgi at dskd.dk> wrote:

> Hi all,
> 
> I'm trying to get our Mac OS X clients to perform Kerberos authentication when accessing the print queues on our Mac OS X 10.6.8 print server, however, I'm having a hard time getting it to work reliably.
> 
> We're operating a mixed Windows and Mac environment, in which the Macs are unable to update our DNS server dynamically due to 'secure updates' on the server which use GSS-TSIG keys to update the DNS server's records, which makes me worry about the stated need for static IP addresses or a working, dynamically updated DNS service for Kerberos to work with Cups (we use Cups 1.4.7) as well as the remark about a 'single domain/KDC' (whatever that means...) since it might imply that a Kerberos realm (which is what I believe is what's referred to in this context) might only consist of a KDC master and no slaves, although I believe it means that you can only bind to ONE Kerberos realm per server or client ...
> 
> So my question is: Does it require a single Kerberos realm with only a single KDC server (a master) to make this work or is a single realm consisting of two (or more) KDC servers okay?
> 
> Cheers,

__________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair
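
[Added example, not part of the original message and not CUPS code.] Because a Negotiate challenge is a bare `WWW-Authenticate: Negotiate` with no realm in it, the client must derive the realm from the server's host name. The sketch below shows that guess: a krb5.conf-style `[domain_realm]` lookup first, then the "DNS domain of the server, upper-cased" fallback the reply mentions for AD. The function names, the mapping argument, the `HTTP` service class and the host names are assumptions made for illustration.

```python
def guess_realm(host, domain_realm=None):
    """Guess the Kerberos realm for a server host name.

    domain_realm is a hypothetical dict in the style of krb5.conf's
    [domain_realm] section: exact host names, or ".suffix" entries.
    Without a match, fall back to the upper-cased DNS domain of the
    host (the Active Directory convention). Returns None when the
    name is unqualified and there is nothing to derive a realm from.
    """
    host = host.lower().rstrip(".")
    mapping = {k.lower(): v for k, v in (domain_realm or {}).items()}
    if host in mapping:                      # exact host entry wins
        return mapping[host]
    labels = host.split(".")
    # Try ".suffix" entries from most to least specific.
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    if len(labels) < 2:
        return None
    return ".".join(labels[1:]).upper()


def spn_for(host, domain_realm=None, service="HTTP"):
    """Build the service principal the client would request a ticket for.

    "HTTP" as the service class is an assumption of this example.
    """
    realm = guess_realm(host, domain_realm)
    if realm is None:
        raise ValueError("cannot derive a realm for %r" % host)
    return "%s/%s@%s" % (service, host.lower().rstrip("."), realm)


if __name__ == "__main__":
    # Constructed host names and mapping, for illustration only.
    mapping = {".print.example.com": "CORP.EXAMPLE.COM"}
    for h in ("cups1.ad.example.com", "cups2.print.example.com", "cups3"):
        try:
            print(h, "->", spn_for(h, mapping))
        except ValueError as e:
            print(h, "->", e)
```

A server whose Kerberos realm does not follow its DNS domain only resolves correctly here when a mapping entry exists, which is the case where the guess fails in general.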




