[cups-devel] SSL-encrypted CUPS IPP Basic Authentication via Active Directory

Michael Sweet msweet at apple.com
Wed Apr 1 16:46:48 PDT 2015


Since IPP (and HTTP) has no notion of a login or session, every IPP request issued by the client (Get-Printer-Attributes, Get-Job-Attributes, Create-Job, Send-Document) gets authenticated, so you'll see a PAM call for each request that is processed by cupsd.

> On Apr 1, 2015, at 5:33 PM, Rick Cochran <rcc2 at cornell.edu> wrote:
> Hi,
> I have a campus full of OS X and Linux users whose print job submissions I would like to authenticate via Active Directory.  The good new is that I already have this working.  I would just like to make sure I'm doing it optimally.
> What I have working is CUPS using pam_krb5 to authenticate to AD.  The strange thing I am seeing is that each print job authentication results in 21 Kerberos ticket cache files created in /tmp, and 21 "authentication succeeds for 'rcc2'" messages and 21 "TGT verified" messages logged to /var/log/messages.
> It seems as though CUPS is making 21 authentication calls to PAM.  This seems rather excessive.  Perhaps there is a way to reduce it.
> Another possibility would be to use pam_ldap instead of pam_krb5.  Is there some reason to believe that would be a better solution?
> Thanks for any help.
> -Rick
> _______________________________________________
> cups-devel mailing list
> cups-devel at cups.org
> https://www.cups.org/mailman/listinfo/cups-devel

Michael Sweet, Senior Printing System Engineer, PWG Chair

More information about the cups mailing list