[cups] Forwarding Kerberos TGT to intermediate CUPS for remote Windows printing?

Robert Sturrock rns at unimelb.edu.au
Sun Mar 19 20:54:53 PDT 2017


Hello,

I would like to get some advice about whether the following configuration is possible with CUPS (1.6.3 on RHEL, 2.1.3 on Ubuntu).

We have a Windows-based print server with all organisational printers ‘behind’ it, with each queue presented via SMB/CIFS.  It is possible to print to these queues with a username/password or the appropriate Kerberos service ticket (cifs/print.domain).  Kerberos authentication is very much preferred.  Printing directly to the various printers is not an option (for a few reasons that I won’t enter into here).

We are looking at setting up a central CUPS server for Linux (primarily Ubuntu 16.04) clients.  This would provide a place to centralise the various printer PPDs.  After accepting jobs from the Linux clients, we would like this server to forward the jobs on to the existing Windows server.  I am not sure if this is possible, because it would require the user’s Kerberos TGT to be forwarded to the CUPS server, so that the CUPS server can then obtain the required service ticket for the Windows print server.  Is it possible to delegate credentials with CUPS/IPP, as in:

  Ubuntu Desktop with CUPS    =>     CUPS Server (via IPP)     =>    Windows Server (via SMB)
  (forwardable user TGT)             (user TGT)                      (cifs/print.domain service ticket)

(The desktops would be configured with ‘client.conf’ pointing directly to the CUPS server.)

If this is possible, can anyone provide some hints as to how best to achieve it.

Failing that, are other architectures possible?

Regards,

Robert.




More information about the cups mailing list