CUPS cannot print to Kerberos-authenticated SMB print queue
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Debian |
Fix Released
|
Unknown
|
|||
cups (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
samba (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
Binary package hint: cups
That was investigated on maverick (cups 1.4.4) and natty (cups 1.4.6).
CUPS in Ubuntu cannot authenticate using Kerberos to an SMB print queue, such as one in an Active Directory. This is because the smb backend is being invoked as user lp, and this user cannot access the Kerberos credential cache of the user who submitted the job. When trying to print, the job is held for authentication, and a dialog prompting for username/password is being shown. On Windows (and possibly other OS), the user would not be prompted if he has a ticket in the Kerberos realm (ie, "logged on to the domain") he is trying to print to.
The CUPS smb backend on Ubuntu is the smbspool binary provided by Samba. When run as a user, it will pick the Kerberos credential cache by itself and authenticate seamlessly. Otherwise, it will read the KRB5CCNAME environment variable and try to use that when possible.
There is two possible solutions to that:
- Invoke the smb backend as root and pass it the KRB5CCNAME environment variable pointing to the user's Kerberos credential cache. CUPS execute the backend as user lp if it is world-executable, which is currently the case on Ubuntu. User lp do not have the permission to read the user's credential cache, hence why the smb backend would need to be executed as root (by removing the world-executable bit). Also, CUPS does not currently set KRB5CCNAME before invoking the smb backend (see http://
- Execute smbspool as the user submitting the job.
I presume we would have the same problem with other backend that would do Kerberos authentication, although I do not know of a specific one. I have only tested and investigated with the smb backend.
Changed in cups (Ubuntu): | |
status: | New → Confirmed |
Changed in debian: | |
importance: | Undecided → Unknown |
status: | New → Unknown |
Changed in debian: | |
status: | Unknown → New |
Changed in debian: | |
status: | New → Fix Released |
CUPS not setting the KRB5CCNAME environment variable has been reported upstream at http:// www.cups. org/str. php?L3847.