No local Kerberos authentication #4140

Closed
michaelrsweet opened this Issue Jul 18, 2012 · 8 comments

Collaborator

michaelrsweet commented Jul 18, 2012

Version: 1.5.3
CUPS.org User: twaugh.redhat

With DefaultAuthType set to Negotiate, local admin operations always ask for a password even when a valid Kerberos ticket is available.

/var/log/cups/error_log says:

Authorized using Basic, expected Negotiate
Returning HTTP Unauthorized for CUPS-Delete-Printer (ipp://...) from localhost

Collaborator

michaelrsweet commented Aug 9, 2012

CUPS.org User: mike

More than likely this is just an issue with us mapping the peer credentials incorrectly.

Collaborator

michaelrsweet commented Dec 8, 2012

CUPS.org User: odyx

Hi Mike,

In Debian, we have two reports that apparently have #4140 as source. One of those is Release-Critical for us, and I'd welcome some guidance to help getting this fixed.

http://bugs.debian.org/640939
http://bugs.debian.org/663995

Any idea on where to start from?

Collaborator

michaelrsweet commented Dec 10, 2012

CUPS.org User: mike

Didier,

It would be useful to see if this happens with CUPS 1.6.x. We changed a lot of the Kerberos support code in 1.6 to fix issues like this.

Collaborator

michaelrsweet commented Dec 17, 2012

CUPS.org User: mike

Please try the attached patch; basically we were not using Kerberos over the local domain socket.

Collaborator

michaelrsweet commented Jan 14, 2013

CUPS.org User: odyx

Hi Mike,

according to http://bugs.debian.org/640939 both your fix on top of 1.5.3 and 1.6.1 fix this Kerberos local authentication problem.

Thank you!

OdyX

Collaborator

michaelrsweet commented Feb 26, 2014

CUPS.org User: twaugh.redhat

It looks like this was applied in 1.6.2 but reverted in 1.6.3. What happened?

Collaborator

michaelrsweet commented Feb 26, 2014

CUPS.org User: mike

The change caused a regression.

Collaborator

michaelrsweet commented Feb 26, 2014

"str4140.patch":

Index: scheduler/client.c

--- scheduler/client.c (revision 10776)
+++ scheduler/client.c (working copy)
@@ -2580,14 +2580,7 @@
con->http.hostname);
#ifdef HAVE_GSSAPI
else if (auth_type == CUPSD_AUTH_NEGOTIATE)

  • {
    -# ifdef AF_LOCAL

  •  if (_httpAddrFamily(con->http.hostaddr) == AF_LOCAL)
    
  •    strlcpy(auth_str, "Basic realm=\"CUPS\"", sizeof(auth_str));
    
  •  else
    

    -# endif /* AF_LOCAL */
    strlcpy(auth_str, "Negotiate", sizeof(auth_str));

  • }
    #endif /* HAVE_GSSAPI */

    if (con->best && auth_type != CUPSD_AUTH_NEGOTIATE &&
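
Review bot: the deleted `# ifdef AF_LOCAL` branch under `auth_type == CUPSD_AUTH_NEGOTIATE` was the only place in this hunk that sent `Basic realm="CUPS"` to a domain-socket peer, so with it gone every client on the local socket is challenged with `Negotiate` alone, including one that holds no Kerberos ticket. Nothing in the hunk documents that behaviour change or says how such a client is expected to authenticate. Please add a comment above the remaining `strlcpy(auth_str, "Negotiate", sizeof(auth_str));` stating that AF_LOCAL connections are no longer special-cased and why, and exercise the no-ticket local case before merging. If a password fallback for local peers is still wanted, make that an explicit decision here rather than dropping the branch outright.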

michaelrsweet added this to the Stable milestone Mar 17, 2016
