http://bugzilla.suse.com/show_bug.cgi?id=899118
--- Comment #3 from Johannes Meixner ---
I asked on the CUPS user discussion list
------------------------------------------------------------------------------
Date: Tue, 30 Sep 2014 12:32:17 +0200 (CEST)
From: Johannes Meixner
Reply-To: The CUPS user discussion list.
To: cups@cups.org
Subject: [cups] Supports CUPS Kerberos ticket saving and
forwarding for backends?
Hello,
we (i.e. openSUSE) got this issue report:
https://bugzilla.suse.com/show_bug.cgi?id=899118
Therein a user describes that CUPS 1.4 had some kind of
Kerberos ticket saving and forwarding functionality
so that the cupsd would save a Kerberos Ticket Granting Ticket (TGT)
that it got via Kerberos from a client (e.g. a "lp" program)
and then the cupsd could forward that TGT to a backend
(e.g. the smb backend) so that the backend could use the TGT
from the client to do Kerberos authentication at its recipient
(e.g. a SMB printer share on a Windows AD Print Server).
I am not at all a Kerberos expert but as far as I know,
Kerberos authentication in CUPS belongs only to the IPP protocol
(i.e. CUPS clients, the cupsd, and the ipp backend) but
Kerberos authentication at a Windows AD Print Server
(that belongs more or less to the SMB protocol)
has nothing to do with the Kerberos functionality in CUPS.
As far as I understand it, the Kerberos stuff in CUPS does not
apply when data should be sent to a SMB server where a SMB printer
share is and that printer share requires authentication via Kerberos.
My understanding is that CUPS backends (except the ipp backend)
are basically external tools for CUPS.
Accordingly I think Samba's smb backend itself must implement
whatever is needed to send the data to a SMB server where
a SMB printer share is and if that printer share requires
authentication via Kerberos, then Samba's smb backend itself
must implement whatever is needed for the authentication.
But again I am not at all a Kerberos expert.
Therefore I could be wrong and there is really some kind of
Kerberos ticket forwarding (or TGT -> "normal ticket") mechanism
inside CUPS.
If there is really some kind of Kerberos ticket saving and
forwarding in CUPS, I would like to know where I can get more
detailed information about it. Currently I only know about
http://cups.org/documentation.php/doc-1.7/kerberos.html
Kind Regards
Johannes Meixner
------------------------------------------------------------------------------
The CUPS main author replied:
------------------------------------------------------------------------------
Date: Tue, 30 Sep 2014 07:37:19 -0400
From: Michael Sweet
Reply-To: The CUPS user discussion list.
To: The CUPS user discussion list.
Subject: Re: [cups] Supports CUPS Kerberos ticket saving and
forwarding for backends?
Johannes,
We used to exercise this approach, where cupsd would get
a TGT and allow backends to re-issue tickets as needed.
But back in CUPS 1.6 or so we dropped doing so
(too fragile, difficult to deploy on Wi-Fi networks)
and instead have the IPP backend (and the SMB backend
on OS X - can't speak to what is being done on Linux for Samba)
"trampoline" into the user account to send the print job
as the user, with the user's Kerberos session...
Naturally this doesn't work for a print server daisy chaining
to another server, e.g.:
Client ----> Server -----> Server with Printer
but then Kerberos has trouble with this sort of trust
relationship anyways...
Michael Sweet, Senior Printing System Engineer, PWG Chair
------------------------------------------------------------------------------