Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

KRB5CCNAME should be set before invoking a backend #3847

Closed
michaelrsweet opened this issue May 25, 2011 · 2 comments
Closed

KRB5CCNAME should be set before invoking a backend #3847

michaelrsweet opened this issue May 25, 2011 · 2 comments

Comments

@michaelrsweet
Copy link
Collaborator

@michaelrsweet michaelrsweet commented May 25, 2011

Version: 1.4.4
CUPS.org User: EtienneG

This problem was investigated on Ubuntu 10.10 (cups 1.4.4) and 11.04 (cups 1.4.6).

When trying to print to a Kerberos-authenticated print queue over SMB (ie, in an Active Directory), if the backend is not invoked as the user submitting the job (ie, it is run as root), Kerberos authentication cannot proceed. That's because the backend cannot access the user's Kerberos credential cache.

I presume the situation is the same with other network protocol that does Kerberos authentication, although I have tested only with SMB.

The smbspool binary, provided by Samba and used as the CUPS smb backend in Ubuntu and other distros, has the ability to pick up the Kerberos credential cache to use from the KRB5CCNAME environment variable. CUPS 1.4.x actually set that environment variable (in scheduler/ipp.c), but only when printing to IPP AFAICT.

It would be useful if CUPS would set the KRB5CCNAME environment variable before invoking the backend. That way, smbspool and other backend could do the right thing when Kerberos authentication is required.

@michaelrsweet
Copy link
Collaborator Author

@michaelrsweet michaelrsweet commented May 25, 2011

CUPS.org User: EtienneG

The Ubuntu-specific problem (which is larger in scope than what have been reported here) has been reported at https://bugs.launchpad.net/ubuntu/+source/cups/+bug/788167

@michaelrsweet
Copy link
Collaborator Author

@michaelrsweet michaelrsweet commented May 26, 2011

CUPS.org User: mike

Fixed in Subversion repository.

Aside from the fixes in the forthcoming 1.4.7 release, you will need to enable delegation for your credentials, either by policy (an AD setting) or otherwise, and you need a recent version of MIT Kerberos.

For CUPS 1.5 and later, the Samba smb backend will require changes to use the AUTH_UID environment variable to set the effective UID - see the ipp backend code for an example.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant