Commit | Line | Data |
---|---|---|
355e94dc MS | 1 | <HTML> |
355e94dc | 2 | <!-- SECTION: Getting Started --> |
355e94dc | 3 | <HEAD> |
355e94dc | 4 | <TITLE>Using Kerberos Authentication</TITLE> |
355e94dc | 5 | </HEAD> |
355e94dc | 6 | <BODY> |
355e94dc | 7 | |
749b1e90 MS | 8 | <P>CUPS allows you to use a Key Distribution Center (KDC) for authentication |
749b1e90 | 9 | on your local CUPS server and when printing to a remote authenticated queue. |
749b1e90 | 10 | This document describes how to configure CUPS to use Kerberos authentication |
749b1e90 | 11 | and provides links to the MIT help pages for configuring Kerberos on your |
749b1e90 | 12 | systems and network.</P> |
355e94dc | 13 | |
76cd9e37 | 14 | |
749b1e90 | 15 | <H2 CLASS="title"><A NAME="REQUIREMENTS">System Requirements</A></H2> |
76cd9e37 | 16 | |
749b1e90 MS | 17 | <p>The following are required to use Kerberos with CUPS:</p> |
749b1e90 | 18 | |
749b1e90 | 19 | <ol> |
749b1e90 | 20 | |
749b1e90 | 21 | <li>Heimdal Kerberos (any version) or MIT Kerberos (1.6.3 or newer)</li> |
749b1e90 | 22 | |
749b1e90 | 23 | <li>Properly configured Domain Name System (DNS) |
749b1e90 | 24 | infrastructure:<ol type='a'> |
749b1e90 | 25 | <li>DNS server(s) with static IP addresses for all CUPS clients |
749b1e90 | 26 | and servers or configured to allow DHCP updates to the host |
749b1e90 | 27 | addresses</li> |
749b1e90 | 28 | <li>All CUPS clients and servers configured to use the same |
749b1e90 | 29 | DNS server(s)</li> |
749b1e90 | 30 | </ol></li> |
749b1e90 | 31 | |
749b1e90 | 32 | <li>Properly configured Kerberos infrastructure:<ol type='a'> |
749b1e90 | 33 | <li>KDC configured to allow CUPS clients and servers to obtain |
749b1e90 | 34 | Service Granting Tickets (SGTs) for the "ipp" service</li> |
749b1e90 | 35 | <li>LDAP-based user accounts - both OpenDirectory and |
749b1e90 | 36 | ActiveDirectory provide this with the KDC</li> |
749b1e90 | 37 | <li>CUPS clients and servers bound to the KDC and LDAP |
749b1e90 | 38 | server(s)</li> |
749b1e90 | 39 | </ol></li> |
749b1e90 | 40 | |
749b1e90 | 41 | <li>An "ipp" Service Granting Ticket (SGT) for every CUPS client and |
749b1e90 | 42 | server</li> |
749b1e90 | 43 | |
749b1e90 | 44 | </ol> |
76cd9e37 | 45 | |
355e94dc MS | 46 | |
355e94dc | 47 | <H2 CLASS="title"><A NAME="KRB5">Configuring Kerberos on Your System</A></H2> |
355e94dc | 48 | |
355e94dc | 49 | <P>Before you can use Kerberos with CUPS, you will need to configure |
355e94dc | 50 | Kerberos on your system and set up a system as a KDC. Because this |
355e94dc | 51 | configuration is highly system- and site-specific, please consult |
355e94dc | 52 | the following on-line resources provided by the creators of Kerberos |
355e94dc | 53 | at the Massachusetts Institute of Technology (MIT):</P> |
355e94dc | 54 | |
355e94dc | 55 | <UL> |
355e94dc | 56 | |
355e94dc | 57 | <LI><A HREF="http://web.mit.edu/kerberos/">Kerberos: The Network |
355e94dc | 58 | Authentication Protocol</A></LI> |
355e94dc | 59 | |
355e94dc | 60 | <LI><A HREF="http://web.mit.edu/macdev/KfM/Common/Documentation/faq-osx.html">Kerberos |
355e94dc | 61 | on Mac OS X Frequently Asked Questions</A></LI> |
355e94dc | 62 | |
355e94dc | 63 | </UL> |
355e94dc | 64 | |
355e94dc | 65 | <P>The Linux Documentation Project also has a HOWTO on Kerberos:</P> |
355e94dc | 66 | |
355e94dc | 67 | <UL> |
355e94dc | 68 | |
355e94dc | 69 | <LI><A HREF="http://tldp.org/HOWTO/html_single/Kerberos-Infrastructure-HOWTO/">Kerberos |
355e94dc | 70 | Infrastructure HOWTO</A></LI> |
355e94dc | 71 | |
355e94dc | 72 | </UL> |
355e94dc | 73 | |
355e94dc | 74 | |
355e94dc | 75 | <H2 CLASS="title"><A NAME="CUPS">Configuring CUPS to Use Kerberos</A></H2> |
355e94dc | 76 | |
355e94dc | 77 | <P>Once you have configured Kerberos on your system(s), you can then |
355e94dc | 78 | enable Kerberos authentication by selecting the <tt>Negotiate</tt> |
355e94dc | 79 | authentication type. The simplest way to do this is using the |
355e94dc | 80 | <tt>cupsctl(8)</tt> command:</P> |
355e94dc | 81 | |
355e94dc | 82 | <PRE CLASS="command"> |
355e94dc | 83 | <KBD>cupsctl DefaultAuthType=Negotiate</KBD> |
355e94dc | 84 | </PRE> |
355e94dc | 85 | |
355e94dc | 86 | <P>You can also enable Kerberos from the web interface by checking the |
355e94dc | 87 | <VAR>Use Kerberos Authentication</VAR> box and clicking <VAR>Change |
355e94dc | 88 | Settings</VAR>:</P> |
355e94dc | 89 | |
355e94dc | 90 | <PRE CLASS="command"> |
355e94dc | 91 | http://localhost:631/admin |
355e94dc | 92 | </PRE> |
355e94dc | 93 | |
749b1e90 MS | 94 | <P>After you have enabled Kerberos authentication, use the built-in |
749b1e90 | 95 | "authenticated" policy or your own custom policies with the printers you |
749b1e90 | 96 | will be sharing. See <a href="policies.html">Managing Operation Policies</a> |
749b1e90 | 97 | for more information.</P> |
355e94dc MS | 98 | |
355e94dc | 99 | |
355e94dc | 100 | <H2 CLASS="title"><A NAME="IMPLEMENT">Implementation Information</A></H2> |
355e94dc | 101 | |
749b1e90 MS | 102 | <P>CUPS implements Kerberos over HTTP using GSSAPI and the service name |
749b1e90 | 103 | "ipp". Because of limitations in the HTTP GSSAPI protocol extension, only |
749b1e90 | 104 | a single domain/KDC is supported for authentication.</P> |
749b1e90 | 105 | |
749b1e90 | 106 | <P>When doing printing tasks that require authentication, CUPS requests a |
749b1e90 | 107 | single-use "ticket" from your login session to authenticate who you are. |
749b1e90 | 108 | This ticket gives CUPS a username of the form "user@REALM", which is then |
749b1e90 | 109 | converted to just "user" for purposes of user and group checks.</P> |
749b1e90 | 110 | |
749b1e90 | 111 | <P>In order to support printing to a shared printer, CUPS has to ask the KDC |
749b1e90 | 112 | for a copy of your credentials (this is called delegation) that can be sent to |
749b1e90 | 113 | the remote server for authentication. Delegation only works when the system |
749b1e90 | 114 | has a stable hostname which maps to the current address of the system, which |
749b1e90 | 115 | is why you need a static IP address or DHCP that updates the DNS entry for your |
749b1e90 | 116 | system.</P> |
355e94dc MS | 117 | |
355e94dc | 118 | </BODY> |
355e94dc | 119 | </HTML> |