This problem was investigated on Ubuntu 10.10 (cups 1.4.4) and 11.04 (cups 1.4.6).
When trying to print to a Kerberos-authenticated print queue over SMB (i.e., in an Active Directory), if the backend is not invoked as the user submitting the job (i.e., it is run as root), Kerberos authentication cannot proceed. That's because the backend cannot access the user's Kerberos credential cache.
I presume the situation is the same with other network protocols that do Kerberos authentication, although I have tested only with SMB.
The smbspool binary, provided by Samba and used as the CUPS smb backend in Ubuntu and other distros, has the ability to pick up the Kerberos credential cache to use from the KRB5CCNAME environment variable. CUPS 1.4.x actually sets that environment variable (in scheduler/ipp.c), but only when printing to IPP AFAICT.
It would be useful if CUPS would set the KRB5CCNAME environment variable before invoking the backend. That way, smbspool and other backends could do the right thing when Kerberos authentication is required.
Aside from the fixes in the forthcoming 1.4.7 release, you will need to enable delegation for your credentials, either by policy (an AD setting) or otherwise, and you need a recent version of MIT Kerberos.
For CUPS 1.5 and later, the Samba smb backend will require changes to use the AUTH_UID environment variable to set the effective UID - see the ipp backend code for an example.
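An added sketch of the AUTH_UID approach described in the comment above; it is not code from CUPS, Samba or either poster. The names `parse_auth_uid`, `run_as_auth_uid` and `record_euid` are hypothetical, and the sketch assumes the backend is started as root with AUTH_UID holding a decimal UID. It validates the value strictly and fails closed if the identity switch cannot be made or undone.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse AUTH_UID strictly: decimal digits only, no sign, no trailing junk.
 * (uid_t)-1 is rejected because it means "leave unchanged" to the set*uid
 * family. Returns 0 and stores the UID on success, -1 otherwise. */
int parse_auth_uid(const char *s, uid_t *out)
{
    char *end;
    unsigned long v;

    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > UINT_MAX || (uid_t)v == (uid_t)-1)
        return -1;
    *out = (uid_t)v;
    return 0;
}

/* Run fn(arg) with the job owner's effective UID, then restore the original
 * one. fn is not called if AUTH_UID is unusable or the switch fails. */
int run_as_auth_uid(int (*fn)(void *), void *arg)
{
    uid_t saved = geteuid(), uid;
    int rc;

    if (parse_auth_uid(getenv("AUTH_UID"), &uid) != 0)
        return -1;
    if (uid != saved && seteuid(uid) != 0)
        return -1;              /* never continue under the wrong identity */
    rc = fn(arg);               /* e.g. Kerberos setup reading KRB5CCNAME */
    if (uid != saved && seteuid(saved) != 0)
        abort();                /* cannot restore privileges: fail closed */
    return rc;
}

/* Demonstration callback: records the effective UID it ran under. */
int record_euid(void *arg) { *(uid_t *)arg = geteuid(); return 0; }

int main(void)
{
    uid_t seen = 0;
    int rc = run_as_auth_uid(record_euid, &seen);
    printf("rc=%d euid=%lu\n", rc, (unsigned long)seen);
    return rc == 0 ? 0 : 1;
}
```

Only the effective UID is changed here, as in the comment; group IDs and supplementary groups are left as they were.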