
I have been struggling to Kerberize certain services within our domain, one of which is CUPS. The setup is as follows: a central print server connects to each individual printer around the domain and shares them, and each client connects to certain printers on that server. Therefore both the server and all the clients run a CUPS spooler. Authentication is needed on the print server for obvious reasons - using Basic authentication works (with a username/password dialog appearing on a client attempting to print) but Negotiate authentication doesn't.

The print server has a service keytab with service name 'host', and the clients and the server have proper DNS and reverse DNS entries for the print server and the KDC. Getting a ticket for a principal works on the clients. But when I try to print, a dialog box with the text 'negotiate' appears with a text box next to it. No matter what is typed in, the dialog just continues to show up.

Interestingly, using client.conf to point the client directly at the print server's spooler works with Negotiate authentication - getting a service ticket works and authentication happens without a hitch. But this is not ideal due to every client seeing every printer - different rooms want to see their specific room printers.

How is Negotiate authentication supposed to work? At the moment I have absolutely no idea where to go. The server is running Ubuntu 12.04 LTS (fully updated) and the clients are also using Ubuntu 12.04 LTS (not quite fully updated). Both the clients and the server run CUPS 1.5.3. The KDC is a Samba4 server, with both the print server and the clients correctly configured for Kerberos. The client configuration is just the default Ubuntu version. The current server cupsd.conf is as follows:

LogLevel warn
MaxLogSize 0
SystemGroup lpadmin
# Allow remote access
Port 631
HostNameLookups on
Listen /var/run/cups/cups.sock
Browsing On
BrowseOrder allow,deny
BrowseAllow all
BrowseLocalProtocols CUPS dnssd
BrowseAddress @LOCAL
DefaultAuthType Negotiate
DefaultPolicy authenticated
WebInterface Yes

<Location />
  # Allow remote access...
  Order allow,deny
  Allow all
</Location>
<Location /admin>
</Location>
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
</Location>

<Policy default>
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    AuthType Default
    Require valid-user
    Order allow,deny
    Allow from 172.30.*.*
  </Limit>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

<Policy authenticated>
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    AuthType Default
    Order deny,allow
  </Limit>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Cancel-Job CUPS-Authenticate-Job>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
Robin McCorkell
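The two things a Negotiate handshake against cupsd depends on are the acceptor principal in the server's keytab and the DNS canonicalisation the client performs before it asks the KDC for a service ticket. The checker below is an added example (not code from the question, from CUPS or from the poster) that inspects both offline. It assumes MIT krb5's `klist -k` output layout, uses the constructed keytab listing `SAMPLE_KLIST` (hostname, realm and IP are placeholders), and assumes that cupsd looks for a `HTTP/<fqdn>@REALM` key unless cupsd.conf's `GSSServiceName` directive names another service; the `check_dns` helper takes injectable resolver callables so it can be exercised without a network.

```python
"""Offline sanity checks for the prerequisites of CUPS Negotiate (GSSAPI) auth.

Added example, not part of the original post. Assumptions:
- `klist -k` output in the MIT krb5 layout shown in SAMPLE_KLIST (constructed).
- cupsd's GSSAPI acceptor uses the service name from GSSServiceName, default "HTTP".
- Kerberos clients with rdns enabled canonicalise the server name through
  forward + reverse DNS before building the service principal name.
"""
from __future__ import annotations

import re
import socket
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample: a print server whose keytab was generated with the
# 'host' service name only (hostname/realm/IP are placeholders).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/printsrv.example.internal@EXAMPLE.INTERNAL
   2 host/printsrv.example.internal@EXAMPLE.INTERNAL
   2 PRINTSRV$@EXAMPLE.INTERNAL
"""

# One "<kvno> <service>/<host>@<REALM>" line; account principals without a
# service/host component (PRINTSRV$@...) deliberately do not match.
PRINCIPAL_RE = re.compile(r"^\s*\d+\s+([^/\s]+)/([^@\s]+)@(\S+)\s*$")


def parse_klist(text: str) -> set[tuple[str, str, str]]:
    """Return the distinct (service, host, realm) triples in `klist -k` output."""
    found: set[tuple[str, str, str]] = set()
    for line in text.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m:
            found.add((m.group(1), m.group(2), m.group(3)))
    return found


@dataclass
class Diagnosis:
    expected: str           # principal cupsd will try to accept with
    present: bool           # True if the keytab holds that principal
    problems: list[str] = field(default_factory=list)


def diagnose_keytab(klist_text: str, fqdn: str, realm: str,
                    service: str = "HTTP") -> Diagnosis:
    """Check that the keytab holds <service>/<fqdn>@<realm> and explain gaps."""
    principals = parse_klist(klist_text)
    expected = f"{service}/{fqdn}@{realm}"
    present = (service, fqdn, realm) in principals
    problems: list[str] = []
    if not present:
        problems.append(f"keytab has no entry for {expected}")
        same_host = sorted(s for s, h, r in principals if h == fqdn and r == realm)
        if same_host:
            problems.append(
                f"only service name(s) {', '.join(same_host)} exist for {fqdn}; "
                f"either add a {service}/{fqdn} key or set GSSServiceName "
                f"to one of them")
        other_hosts = sorted({h for s, h, _ in principals if s == service and h != fqdn})
        if other_hosts:
            problems.append(
                f"{service}/ keys exist only for {', '.join(other_hosts)}: "
                f"hostname mismatch between keytab and DNS name clients use")
    return Diagnosis(expected, present, problems)


def check_dns(fqdn: str,
              forward: Callable[[str], str] = socket.gethostbyname,
              reverse: Callable[[str], str] = lambda ip: socket.gethostbyaddr(ip)[0],
              ) -> tuple[bool, str]:
    """Verify fqdn -> IP -> name round-trips, as an rdns-enabled client will do."""
    try:
        ip = forward(fqdn)
    except OSError as exc:
        return False, f"forward lookup of {fqdn} failed: {exc}"
    try:
        name = reverse(ip)
    except OSError as exc:
        return False, f"reverse lookup of {ip} failed: {exc}"
    if name.lower().rstrip(".") != fqdn.lower().rstrip("."):
        return False, (f"{fqdn} -> {ip} -> {name}: the PTR names a different host, "
                       f"so clients will request a ticket for {name} instead")
    return True, f"{fqdn} <-> {ip} round-trips"


if __name__ == "__main__":
    d = diagnose_keytab(SAMPLE_KLIST, "printsrv.example.internal", "EXAMPLE.INTERNAL")
    print("expected acceptor principal:", d.expected, "present:", d.present)
    for p in d.problems:
        print(" -", p)
    # Offline DNS demonstration with stand-in resolvers (constructed values).
    print(check_dns("printsrv.example.internal",
                    forward=lambda n: "172.30.0.5",
                    reverse=lambda ip: "printsrv.example.internal")[1])
```

On a real server, feed `diagnose_keytab` the text of `klist -k /etc/krb5.keytab` and call `check_dns` with its default resolvers; a keytab that holds only `host/` keys will be reported as lacking the `HTTP/` key cupsd looks for by default.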
