Comment 2 for bug 572869

Etienne Goyer (etienne-goyer-outlands) wrote :

To add to what Bart said above, CUPS backends are executed as user lp if they are world-executable, and by root if the backend is only executable by root. If the backend is to retrieve the user's credentials, it has to be executed as root or as the user itself. So if you write a wrapper script for the smb backend, you need to make sure it is executable only by root.

Having a wrapper script setting KRB5CCNAME is a possible solution, but a more elegant one is to invoke smbspool as the user submitting the job, in which case it will pick up the Kerberos ticket just fine and do the right thing by itself. Minimally, something like the following would work:

----------------------------------------------------------------------
#!/bin/bash
# CUPS backend arguments: $1=job id, $2=user, $3=title, $4=copies, $5=options
su -c "/usr/bin/smbspool $1 $2 \"$3\" $4 \"$5\"" "$2"
----------------------------------------------------------------------

Nikke, I am not sure the problem you report is what we are actually talking about. The upstream CUPS bug you point to describes a different problem than the one we are having in Ubuntu, where Kerberos authentication is not even attempted in the first place. Can you describe your setup and your problem in more detail?
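
An added example, not part of the original comment or of CUPS: a small audit script that applies the permission rule described in the comment (world-executable backends run as lp, backends not executable by "other" run as root) and flags root-run backends whose ownership or mode would let a non-root user modify them. The function names, the `--audit` switch and the default directory /usr/lib/cups/backend are assumptions of this example, as is GNU stat; the exact check performed by cupsd may differ between versions.

```shell
#!/bin/sh
# Added example: classify CUPS backends by the account they would run as,
# using the rule stated in the comment above. Assumes GNU stat.
BACKEND_DIR=${BACKEND_DIR:-/usr/lib/cups/backend}   # assumed default path

# Print "lp", "root" or "not-executable" for one backend file.
backend_runs_as() {
    mode=$(stat -L -c '%a' -- "$1") || return 1
    if [ $(( 0$mode & 0001 )) -ne 0 ]; then
        echo lp                 # world-executable: unprivileged
    elif [ $(( 0$mode & 0100 )) -ne 0 ]; then
        echo root               # executable, but not by "other"
    else
        echo not-executable
    fi
}

# Print one finding per line for a backend that would run as root.
# $2 is the uid expected to own the file (0 unless overridden for testing).
backend_findings() {
    [ "$(backend_runs_as "$1")" = root ] || return 0
    mode=$(stat -L -c '%a' -- "$1")
    owner=$(stat -L -c '%u' -- "$1")
    [ "$owner" = "${2:-0}" ] || echo "owner-uid-$owner"
    [ $(( 0$mode & 0022 )) -eq 0 ] || echo "group-or-world-writable"
    [ $(( 0$mode & 06000 )) -eq 0 ] || echo "setuid-or-setgid"
    return 0
}

# Tab-separated report: path, run-as account, findings (empty if none).
audit_backends() {
    for f in "$BACKEND_DIR"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\t%s\n' "$f" "$(backend_runs_as "$f")" \
            "$(backend_findings "$f" | tr '\n' ' ')"
    done
}

if [ "${1:-}" = "--audit" ]; then
    audit_backends
fi
```

A wrapper like the one above should show up as "root" with an empty findings column once it has been installed with mode 0700 and root ownership.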