[thirdparty/cups.git] / doc / help / kerberos.html

<HTML>
<!-- SECTION: Getting Started -->
<HEAD>
	<TITLE>Using Kerberos Authentication</TITLE>
</HEAD>
<BODY>

<P>CUPS allows you to use a Key Distribution Center (KDC) for authentication
on your local CUPS server and when printing to a remote authenticated queue.
This document describes how to configure CUPS to use Kerberos authentication
and provides links to the MIT help pages for configuring Kerberos on your
systems and network.</P>


<H2 CLASS="title"><A NAME="REQUIREMENTS">System Requirements</A></H2>

<p>The following are required to use Kerberos with CUPS:</p>

<ol>

	<li>Heimdal Kerberos (any version) or MIT Kerberos (1.6.3 or newer)</li>

	<li>Properly configured Domain Name System (DNS)
	infrastructure:<ol type='a'>
		<li>DNS server(s) with static IP addresses for all CUPS clients
		and servers or configured to allow DHCP updates to the host
		addresses</li>
		<li>All CUPS clients and servers configured to use the same
		DNS server(s)</li>
	</ol></li>

	<li>Properly configured Kerberos infrastructure:<ol type='a'>
		<li>KDC configured to allow CUPS clients and servers to obtain
		Service Granting Tickets (SGTs) for the "ipp" service</li>
		<li>LDAP-based user accounts - both OpenDirectory and
		ActiveDirectory provide this with the KDC</li>
		<li>CUPS clients and servers bound to the KDC and LDAP
		server(s)</li>
	</ol></li>

	<li>An "ipp" Service Granting Ticket (SGT) for every CUPS client and
	server</li>

</ol>


<H2 CLASS="title"><A NAME="KRB5">Configuring Kerberos on Your System</A></H2>

<P>Before you can use Kerberos with CUPS, you will need to configure
Kerberos on your system and setup a system as a KDC. Because this
configuration is highly system and site-specific, please consult
the following on-line resources provided by the creators of Kerberos
at the Massachussetts Institute of Technology (MIT):</P>

<UL>

	<LI><A HREF="http://web.mit.edu/kerberos/">Kerberos: The Network
	Authentication Protocol</A></LI>

	<LI><A HREF="http://web.mit.edu/macdev/KfM/Common/Documentation/faq-osx.html">Kerberos
	on Mac OS X Frequently Asked Questions</A></LI>

</UL>

<P>The Linux Documentation Project also has a HOWTO on Kerberos:</P>

<UL>

	<LI><A HREF="http://tldp.org/HOWTO/html_single/Kerberos-Infrastructure-HOWTO/">Kerberos
	Infrastructure HOWTO</A></LI>

</UL>


<H2 CLASS="title"><A NAME="CUPS">Configuring CUPS to Use Kerberos</A></H2>

<P>Once you have configured Kerberos on your system(s), you can then
enable Kerberos authentication by selecting the <tt>Negotiate</tt>
authentication type. The simplest way to do this is using the
<tt>cupsctl(8)</tt> command:</P>

<PRE CLASS="command">
<KBD>cupsctl DefaultAuthType=Negotiate</KBD>
</PRE>

<P>You can also enable Kerberos from the web interface by checking the
<VAR>Use Kerberos Authentication</VAR> box and clicking <VAR>Change
Settings</VAR>:</P>

<PRE CLASS="command">
http://localhost:631/admin
</PRE>

<P>After you have enabled Kerberos authentication, use the built-in
"authenticated" policy or your own custom policies with the printers you
will be sharing. See <a href="policies.html">Managing Operation Policies</a>
for more information.</P>


<H2 CLASS="title"><A NAME="IMPLEMENT">Implementation Information</A></H2>

<P>CUPS implements Kerberos over HTTP using GSSAPI and the service name
"ipp". Because of limitations in the HTTP GSSAPI protocol extension, only
a single domain/KDC is supported for authentication.</P>

<P>When doing printing tasks that require authentication, CUPS requests a
single-use "ticket" from your login session to authenticate who you are.
This ticket gives CUPS a username of the form "user@REALM", which is then
converted to just "user" for purposes of user and group checks.</P>

<P>In order to support printing to a shared printer, CUPS has to ask the KDC
for a copy of your credentials (this is called delegation) that can be sent to
the remote server for authenticatation. Delegation only works when the system
has a stable hostname which maps to the current address of the system, which
is why you need a static IP address or DHCP that updates the DNS entry for your
system.</P>

</BODY>
</HTML>
Commit	Line	Data
355e94dc MS	1	<HTML>
	2	<!-- SECTION: Getting Started -->
	3	<HEAD>
	4	<TITLE>Using Kerberos Authentication</TITLE>
	5	</HEAD>
	6	<BODY>
	7
749b1e90 MS	8	<P>CUPS allows you to use a Key Distribution Center (KDC) for authentication
	9	on your local CUPS server and when printing to a remote authenticated queue.
	10	This document describes how to configure CUPS to use Kerberos authentication
	11	and provides links to the MIT help pages for configuring Kerberos on your
	12	systems and network.</P>
355e94dc	13
76cd9e37	14
749b1e90	15	<H2 CLASS="title"><A NAME="REQUIREMENTS">System Requirements</A></H2>
76cd9e37	16
749b1e90 MS	17	<p>The following are required to use Kerberos with CUPS:</p>
	18
	19	<ol>
	20
	21	<li>Heimdal Kerberos (any version) or MIT Kerberos (1.6.3 or newer)</li>
	22
	23	<li>Properly configured Domain Name System (DNS)
	24	infrastructure:<ol type='a'>
	25	<li>DNS server(s) with static IP addresses for all CUPS clients
	26	and servers or configured to allow DHCP updates to the host
	27	addresses</li>
	28	<li>All CUPS clients and servers configured to use the same
	29	DNS server(s)</li>
	30	</ol></li>
	31
	32	<li>Properly configured Kerberos infrastructure:<ol type='a'>
	33	<li>KDC configured to allow CUPS clients and servers to obtain
	34	Service Granting Tickets (SGTs) for the "ipp" service</li>
	35	<li>LDAP-based user accounts - both OpenDirectory and
	36	ActiveDirectory provide this with the KDC</li>
	37	<li>CUPS clients and servers bound to the KDC and LDAP
	38	server(s)</li>
	39	</ol></li>
	40
	41	<li>An "ipp" Service Granting Ticket (SGT) for every CUPS client and
	42	server</li>
	43
	44	</ol>
76cd9e37	45
355e94dc MS	46
	47	<H2 CLASS="title"><A NAME="KRB5">Configuring Kerberos on Your System</A></H2>
	48
	49	<P>Before you can use Kerberos with CUPS, you will need to configure
	50	Kerberos on your system and setup a system as a KDC. Because this
	51	configuration is highly system and site-specific, please consult
	52	the following on-line resources provided by the creators of Kerberos
	53	at the Massachussetts Institute of Technology (MIT):</P>
	54
	55	<UL>
	56
	57	<LI><A HREF="http://web.mit.edu/kerberos/">Kerberos: The Network
	58	Authentication Protocol</A></LI>
	59
	60	<LI><A HREF="http://web.mit.edu/macdev/KfM/Common/Documentation/faq-osx.html">Kerberos
	61	on Mac OS X Frequently Asked Questions</A></LI>
	62
	63	</UL>
	64
	65	<P>The Linux Documentation Project also has a HOWTO on Kerberos:</P>
	66
	67	<UL>
	68
	69	<LI><A HREF="http://tldp.org/HOWTO/html_single/Kerberos-Infrastructure-HOWTO/">Kerberos
	70	Infrastructure HOWTO</A></LI>
	71
	72	</UL>
	73
	74
	75	<H2 CLASS="title"><A NAME="CUPS">Configuring CUPS to Use Kerberos</A></H2>
	76
	77	<P>Once you have configured Kerberos on your system(s), you can then
	78	enable Kerberos authentication by selecting the <tt>Negotiate</tt>
	79	authentication type. The simplest way to do this is using the
	80	<tt>cupsctl(8)</tt> command:</P>
	81
	82	<PRE CLASS="command">
	83	<KBD>cupsctl DefaultAuthType=Negotiate</KBD>
	84	</PRE>
	85
	86	<P>You can also enable Kerberos from the web interface by checking the
	87	<VAR>Use Kerberos Authentication</VAR> box and clicking <VAR>Change
	88	Settings</VAR>:</P>
	89
	90	<PRE CLASS="command">
	91	http://localhost:631/admin
	92	</PRE>
	93
749b1e90 MS	94	<P>After you have enabled Kerberos authentication, use the built-in
	95	"authenticated" policy or your own custom policies with the printers you
	96	will be sharing. See <a href="policies.html">Managing Operation Policies</a>
	97	for more information.</P>
355e94dc MS	98
	99
	100	<H2 CLASS="title"><A NAME="IMPLEMENT">Implementation Information</A></H2>
	101
749b1e90 MS	102	<P>CUPS implements Kerberos over HTTP using GSSAPI and the service name
	103	"ipp". Because of limitations in the HTTP GSSAPI protocol extension, only
	104	a single domain/KDC is supported for authentication.</P>
	105
	106	<P>When doing printing tasks that require authentication, CUPS requests a
	107	single-use "ticket" from your login session to authenticate who you are.
	108	This ticket gives CUPS a username of the form "user@REALM", which is then
	109	converted to just "user" for purposes of user and group checks.</P>
	110
	111	<P>In order to support printing to a shared printer, CUPS has to ask the KDC
	112	for a copy of your credentials (this is called delegation) that can be sent to
	113	the remote server for authenticatation. Delegation only works when the system
	114	has a stable hostname which maps to the current address of the system, which
	115	is why you need a static IP address or DHCP that updates the DNS entry for your
	116	system.</P>
355e94dc MS	117
	118	</BODY>
	119	</HTML>