[cups] Supports CUPS Kerberos ticket saving and forwarding for backends?

Michael Sweet msweet at apple.com
Tue Sep 30 04:37:19 PDT 2014


Johannes,

We used to exercise this approach, where cupsd would get a TGT and allow backends to re-issue tickets as needed.  But back in CUPS 1.6 or so we dropped doing so (too fragile, difficult to deploy on Wi-Fi networks) and instead have the IPP backend (and the SMB backend on OS X - can't speak to what is being done on Linux for Samba) "trampoline" into the user account to send the print job as the user, with the user's Kerberos session...  Naturally this doesn't work for a print server daisy chaining to another server, e.g.:

    Client ----> Server -----> Server with Printer

but then Kerberos has trouble with this sort of trust relationship anyways...


> On Sep 30, 2014, at 6:32 AM, Johannes Meixner <jsmeix at suse.de> wrote:
> 
> 
> Hello,
> 
> we (i.e. openSUSE) got this issue report:
> https://bugzilla.suse.com/show_bug.cgi?id=899118
> 
> Therein a user describes that CUPS 1.4 had some kind of
> Kerberos ticket saving and forwarding functionality
> so that the cupsd would save a Kerberos Ticket Granting Ticket (TGT)
> that it got via Kerberos from a client (e.g. a "lp" program)
> and then the cupsd could forward that TGT to a backend
> (e.g. the smb backend) so that the backend could use the TGT
> from the client to do Kerberos authentication at its recipient
> (e.g. a SMB printer share on a Windows AD Print Server).
> 
> I am not at all a Kerberos expert but as far as I know,
> Kerberos authentication in CUPS belongs only to the IPP protocol
> (i.e. CUPS clients, the cupsd, and the ipp backend) but
> Kerberos authentication at a Windows AD Print Server
> (that belongs more or less to the SMB protocol)
> has nothing to do with the Kerberos functionality in CUPS.
> 
> As far as I understand it, the Kerberos stuff in CUPS does not
> apply when data should be sent to a SMB server where a SMB printer
> share is and that printer share requires authentication via Kerberos.
> 
> My understanding is that CUPS backends (except the ipp backend)
> are basically external tools for CUPS.
> 
> Accordingly I think Samba's smb backend itself must implement
> whatever is needed to send the data to a SMB server where
> a SMB printer share is and if that printer share requires
> authentication via Kerberos, then Samba's smb backend itself
> must implement whatever is needed for the authentication.
> 
> But again I am not at all a Kerberos expert.
> Therefore I could be wrong and there is really some kind of
> Kerberos ticket forwarding (or TGT -> "normal ticket") mechanism
> inside CUPS.
> 
> If there is really some kind of Kerberos ticket saving and
> forwarding in CUPS, I would like to know where I can get more
> detailed information about it. Currently I only know about
> http://cups.org/documentation.php/doc-1.7/kerberos.html
> 
> 
> Kind Regards
> Johannes Meixner
> -- 
> SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany
> HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair



