<!-- Source: thirdparty/cups.git, doc/help/kerberos.html (git.ipfire.org); commit: "Merge changes from CUPS 1.5svn-r9385." -->
<HTML>
<!-- SECTION: Getting Started -->
<HEAD>
<TITLE>Using Kerberos Authentication</TITLE>
<LINK REL="STYLESHEET" TYPE="text/css" HREF="../cups-printable.css">
</HEAD>
<BODY>

<H1 CLASS="title">Using Kerberos Authentication</H1>

<P>CUPS can use a Kerberos Key Distribution Center (KDC) to authenticate
users on your local CUPS server and when printing to a remote queue that
requires authentication. This document describes how to configure CUPS to
use Kerberos authentication and provides links to the MIT help pages for
configuring Kerberos on your systems and network.</P>


<H2 CLASS="title"><A NAME="REQUIREMENTS">System Requirements</A></H2>

<p>The following are required to use Kerberos with CUPS:</p>

<ol>

<li>Heimdal Kerberos (any version) or MIT Kerberos (1.6.3 or newer)</li>

<li>Properly configured Domain Name System (DNS)
infrastructure:<ol type='a'>
<li>DNS server(s) holding forward and reverse records for all CUPS
clients and servers, either with static IP addresses or configured to
accept DHCP updates to the host addresses. Kerberos derives a server's
service principal name from its hostname, so a name that does not
resolve consistently in both directions causes authentication
failures</li>
<li>All CUPS clients and servers configured to use the same
DNS server(s)</li>
</ol></li>

<li>Properly configured Kerberos infrastructure:<ol type='a'>
<li>KDC configured to allow CUPS clients and servers to obtain
Service Granting Tickets (SGTs, also called service tickets) for the
"ipp" service. The service name must match the one cupsd actually uses
(see <a href="#IMPLEMENT">Implementation Information</a>, which gives
"host", and the <tt>GSSServiceName</tt> directive in
<tt>cupsd.conf</tt>), so check your server's configuration before
creating principals</li>
<li>LDAP-based user accounts - both OpenDirectory and
ActiveDirectory provide this with the KDC</li>
<li>CUPS clients and servers bound to the KDC and LDAP
server(s)</li>
</ol></li>

<li>A service principal registered in the KDC, with its key stored in the
local keytab, for every CUPS client and server, so that an "ipp" Service
Granting Ticket (SGT) can be issued for each of them</li>

</ol>


<H2 CLASS="title"><A NAME="KRB5">Configuring Kerberos on Your System</A></H2>

<P>Before you can use Kerberos with CUPS, you will need to configure
Kerberos on your system and set up a system as a KDC. Because this
configuration is highly system- and site-specific, please consult
the following on-line resources provided by the creators of Kerberos
at the Massachusetts Institute of Technology (MIT):</P>

<UL>

<LI><A HREF="http://web.mit.edu/kerberos/">Kerberos: The Network
Authentication Protocol</A></LI>

<LI><A HREF="http://web.mit.edu/macdev/KfM/Common/Documentation/faq-osx.html">Kerberos
on Mac OS X Frequently Asked Questions</A></LI>

</UL>

<P>The Linux Documentation Project also has a HOWTO on Kerberos:</P>

<UL>

<LI><A HREF="http://tldp.org/HOWTO/html_single/Kerberos-Infrastructure-HOWTO/">Kerberos
Infrastructure HOWTO</A></LI>

</UL>

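<P>The requirements above reduce to three things you can check on the
server: its name resolves consistently forward and reverse, the KDC holds a
service principal for that name, and the server's keytab holds that
principal's key. The following script is an added example (not part of CUPS
or of this page) that provisions and verifies them with the MIT tools. The
server name <tt>printer.example.com</tt>, realm <tt>EXAMPLE.COM</tt>,
admin principal <tt>admin/admin</tt> and service name <tt>host</tt> (the
name given under Implementation Information; use "ipp" if your server is
configured that way) are assumptions, and the <tt>klist -kt</tt> listing
embedded in it is a constructed sample used only by the offline
self-check.</P>

```shell
#!/bin/sh
# Added example, not CUPS's own code: provision and verify the DNS and KDC
# prerequisites for one CUPS server. Host, realm, admin principal and service
# name below are placeholders (assumptions); adjust them to your site.
set -eu

CUPS_HOST="${CUPS_HOST:-printer.example.com}"   # assumed server FQDN
REALM="${REALM:-EXAMPLE.COM}"                   # assumed Kerberos realm
SERVICE="${SERVICE:-host}"                      # service name cupsd uses
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
ADMIN="${ADMIN:-admin/admin@$REALM}"            # assumed kadmin principal

# The principal clients will request a service ticket for, e.g.
# host/printer.example.com@EXAMPLE.COM.
service_principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Return 0 if a `klist -kt` listing on stdin contains the principal. Entry
# lines end in the principal name; header and separator lines do not.
keytab_has_principal() {
    awk -v want="$1" '$NF == want { found = 1 } END { exit(found ? 0 : 1) }'
}

# Return 0 if the forward lookup of the FQDN and the reverse lookup of the
# resulting address agree. GSSAPI derives the server principal from the
# name it resolves, so a mismatch here breaks authentication and delegation.
dns_roundtrip_ok() {
    fqdn="$1"
    ip=$(getent ahosts "$fqdn" | awk 'NR == 1 { print $1 }')
    [ -n "$ip" ] || { echo "no address record for $fqdn" >&2; return 1; }
    reverse=$(getent hosts "$ip" | awk '{ print $2 }')
    [ "$reverse" = "$fqdn" ] || { echo "$fqdn -> $ip -> $reverse: mismatch" >&2; return 1; }
}

# Create the service principal with a random key and store that key in the
# server's keytab. Run on the CUPS server; kadmin prompts for ADMIN's password.
provision_service_principal() {
    princ=$(service_principal "$SERVICE" "$CUPS_HOST" "$REALM")
    kadmin -p "$ADMIN" -q "addprinc -randkey $princ"
    kadmin -p "$ADMIN" -q "ktadd -k $KEYTAB $princ"
    chmod 600 "$KEYTAB"   # the keytab is the server's long-term secret
}

# Verify all three prerequisites. kvno asks the KDC for a real service ticket,
# so it needs a TGT in your cache (kinit first).
verify() {
    princ=$(service_principal "$SERVICE" "$CUPS_HOST" "$REALM")
    dns_roundtrip_ok "$CUPS_HOST"
    klist -kt "$KEYTAB" | keytab_has_principal "$princ" \
        || { echo "$princ is missing from $KEYTAB" >&2; return 1; }
    kvno "$princ"
    echo "ok: $princ resolves, is keyed and is issuable"
}

# Constructed sample of `klist -kt` output for the offline self-check.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   2 01/02/24 09:00:00 host/printer.example.com@EXAMPLE.COM
   2 01/02/24 09:00:00 host/printer.example.com@EXAMPLE.COM'

selftest() {
    printf '%s\n' "$SAMPLE_KEYTAB_LISTING" \
        | keytab_has_principal "$(service_principal host printer.example.com EXAMPLE.COM)"
}

case "${1:-}" in
    provision) provision_service_principal ;;
    verify)    verify ;;
esac
```

<P>Run it with <tt>provision</tt> once per server, then with
<tt>verify</tt>. A failing <tt>dns_roundtrip_ok</tt> is the first thing to
fix: the delegation described under Implementation Information depends on
the same forward/reverse agreement.</P>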

<H2 CLASS="title"><A NAME="CUPS">Configuring CUPS to Use Kerberos</A></H2>

<P>Once you have configured Kerberos on your system(s), you can then
enable Kerberos authentication by selecting the <tt>Negotiate</tt>
authentication type. The simplest way to do this is using the
<tt>cupsctl(8)</tt> command:</P>

<PRE CLASS="command">
<KBD>cupsctl DefaultAuthType=Negotiate</KBD>
</PRE>

<P>You can also enable Kerberos from the web interface by checking the
<VAR>Use Kerberos Authentication</VAR> box and clicking <VAR>Change
Settings</VAR>:</P>

<PRE CLASS="command">
http://localhost:631/admin
</PRE>

<P><tt>DefaultAuthType</tt> only selects how a client proves its identity
when a policy asks for authentication; it does not by itself require
authentication for any operation. After you have enabled Kerberos
authentication, use the built-in "authenticated" policy or your own custom
policies with the printers you will be sharing, so that the operations you
care about (such as submitting a job) actually require an authenticated
user. See <a href="policies.html">Managing Operation Policies</a>
for more information.</P>

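<P>Putting the two steps above together: the script below is an added
example (not CUPS's own code or configuration) of a custom operation policy
that requires authentication for job submission, attached to one queue with
<tt>lpadmin</tt>, followed by a check that the server really challenges with
<tt>Negotiate</tt>. The server name <tt>printer.example.com</tt>, queue name
<tt>lab-printer</tt>, policy name <tt>kerberos</tt> and the use of
<tt>systemctl</tt> to restart cupsd are assumptions; the 401 response
embedded in it is a constructed sample used only by the offline
self-check.</P>

```shell
#!/bin/sh
# Added example, not CUPS's own code or configuration. Server, queue and
# policy names are placeholders; the use of systemctl assumes a systemd host.
set -eu

CUPS_SERVER="${CUPS_SERVER:-printer.example.com}"
QUEUE="${QUEUE:-lab-printer}"
POLICY="${POLICY:-kerberos}"

# Operation policy for cupsd.conf: authenticate anyone submitting a job, let
# only the job owner or @SYSTEM cancel/hold/release it. "AuthType Default"
# inherits DefaultAuthType, so this policy needs no edit if you later switch
# between Negotiate and Basic with cupsctl.
policy_fragment() {
    cat <<EOF
<Policy $1>
  <Limit Create-Job Print-Job Send-Document Validate-Job>
    AuthType Default
    Require valid-user
    Order deny,allow
  </Limit>
  <Limit Cancel-Job Hold-Job Release-Job>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
EOF
}

# Return 0 if the HTTP response headers on stdin advertise Negotiate.
offers_negotiate() {
    awk 'tolower($1) == "www-authenticate:" && tolower($2) ~ /^negotiate/ { found = 1 }
         END { exit(found ? 0 : 1) }'
}

# Constructed sample of `curl -sI http://<server>:631/admin/` once
# DefaultAuthType is Negotiate, for the offline self-check.
SAMPLE_401='HTTP/1.1 401 Unauthorized
Connection: Keep-Alive
Content-Language: en_US
Content-Type: text/html; charset=utf-8
WWW-Authenticate: Negotiate
Date: Tue, 02 Jan 2024 09:00:00 GMT'

selftest() {
    printf '%s\n' "$SAMPLE_401" | offers_negotiate
}

# Install the policy, switch the server to Negotiate and bind the queue.
apply() {
    policy_fragment "$POLICY" >> /etc/cups/cupsd.conf
    systemctl restart cups                  # cupsd reads cupsd.conf at start
    cupsctl DefaultAuthType=Negotiate       # the step from the text above
    lpadmin -p "$QUEUE" -o printer-op-policy="$POLICY"
}

# Confirm the setting took effect and the server challenges with Negotiate.
check() {
    cupsctl | grep -q '^DefaultAuthType=Negotiate$' \
        || { echo "DefaultAuthType is not Negotiate" >&2; return 1; }
    curl -sI "http://$CUPS_SERVER:631/admin/" | offers_negotiate \
        || { echo "no WWW-Authenticate: Negotiate from $CUPS_SERVER" >&2; return 1; }
    # With a TGT in your cache (kinit), curl can complete the exchange;
    # expect 200 for a member of @SYSTEM.
    curl -s -o /dev/null -w '%{http_code}\n' --negotiate -u : "http://$CUPS_SERVER:631/admin/"
}

case "${1:-}" in
    apply) apply ;;
    check) check ;;
esac
```

<P>Run <tt>apply</tt> as root, then <tt>check</tt>. The first
<tt>curl</tt> sends no credentials and must receive a 401 carrying
<tt>WWW-Authenticate: Negotiate</tt>; if it receives a Basic challenge
instead, <tt>DefaultAuthType</tt> did not change. The second
<tt>curl</tt> needs a valid ticket-granting ticket in your cache.</P>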

<H2 CLASS="title"><A NAME="IMPLEMENT">Implementation Information</A></H2>

<P>CUPS implements Kerberos over HTTP using GSSAPI (the HTTP
<tt>Negotiate</tt> authentication scheme) and the service name "host".
Because of limitations in the HTTP GSSAPI protocol extension, only a
single realm/KDC is supported for authentication.</P>

<P>When doing printing tasks that require authentication, CUPS obtains a
service ticket for the server from your login session's Kerberos credential
cache, using the ticket-granting ticket you already hold (for example from
<tt>kinit</tt> or your login). This ticket identifies you to the server as
"user@REALM", which is then converted to just "user" for purposes of user
and group checks. Because the realm is dropped, the single-realm limitation
above is also what keeps "user" unambiguous.</P>

<P>In order to support printing to a shared printer on another server, CUPS
has to ask the KDC for a forwardable copy of your credentials and send it to
the server so that it can authenticate to the remote server on your behalf
(this is called delegation). Delegation requires a forwardable
ticket-granting ticket (<tt>kinit -f</tt>, or <tt>forwardable = true</tt> in
<tt>krb5.conf</tt>), and it gives the server full use of your identity for
the lifetime of the forwarded ticket, so only print through servers you
trust. Delegation also only works when the system has a stable hostname
which maps to the current address of the system, which is why you need a
static IP address or DHCP that updates the DNS entry for your system.</P>
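<P>Two client-side checks follow from the notes above: how "user@REALM"
collapses to "user" (and why that is only safe with a single realm), and
whether your ticket cache can support delegation at all. The script is an
added example, not CUPS's own code. The realm <tt>EXAMPLE.COM</tt> and the
<tt>klist -f</tt> listing are constructed, and whether cupsd itself rejects
principals from a foreign realm is not something this page states, so the
realm check here illustrates the risk rather than documenting cupsd's
behaviour.</P>

```shell
#!/bin/sh
# Added example (not CUPS's own code). Realm and klist output are constructed;
# whether cupsd itself checks the realm is not stated by the help page.
set -eu

LOCAL_REALM="${LOCAL_REALM:-EXAMPLE.COM}"   # the single realm cupsd is bound to

# Map "user@REALM" to "user" for user/group checks, refusing anything outside
# LOCAL_REALM. Stripping the realm blindly would make alice@EXAMPLE.COM and
# alice@PARTNER.COM the same account, so a cross-realm trust plus a naive
# mapping is an account-confusion bug; one realm keeps "user" unique.
map_principal_to_user() {
    princ="$1"
    case "$princ" in
        *@*) ;;
        *)   echo "not a Kerberos principal: $princ" >&2; return 1 ;;
    esac
    user="${princ%@*}"
    realm="${princ##*@}"
    if [ "$realm" != "$LOCAL_REALM" ]; then
        echo "refusing $princ: realm $realm is not $LOCAL_REALM" >&2
        return 1
    fi
    case "$user" in
        */*) echo "refusing $princ: service principals are not users" >&2; return 1 ;;
    esac
    printf '%s\n' "$user"
}

# Return 0 if the `klist -f` listing on stdin shows a forwardable ("F")
# ticket-granting ticket for the realm. Without it the client cannot
# delegate, so printing through a shared queue on another server fails.
tgt_forwardable() {
    awk -v tgt="krbtgt/$1@$1" '
        index($0, tgt)     { in_tgt = 1; next }
        in_tgt && /Flags:/ { found = (index($2, "F") > 0); exit }
        END                { exit(found ? 0 : 1) }'
}

# Return 0 if a service ticket for host/<server> is in the cache on stdin,
# i.e. the ticket CUPS obtained for that server when you last printed to it.
service_ticket_cached() {
    grep -qF "host/$1@$2"
}

# Constructed sample of `klist -f` after `kinit -f alice` and one print job.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
01/02/24 09:00:00  01/02/24 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA
01/02/24 09:05:00  01/02/24 19:00:00  host/printer.example.com@EXAMPLE.COM
        Flags: A'

# Live check against your own credential cache.
check_delegation_ready() {
    if klist -f | tgt_forwardable "$LOCAL_REALM"; then
        echo "TGT is forwardable; delegation to the CUPS server can work"
    else
        echo "TGT is not forwardable: run 'kinit -f' or set forwardable = true in krb5.conf" >&2
        return 1
    fi
}

if [ "${1:-}" = "check" ]; then
    check_delegation_ready
fi
```

<P>If <tt>klist -f</tt> lists the <tt>krbtgt</tt> entry without an
<tt>F</tt> flag, printing to a queue that forwards to another authenticated
server will fail even though local printing works; re-run <tt>kinit -f</tt>
or set <tt>forwardable = true</tt> under <tt>[libdefaults]</tt> in
<tt>krb5.conf</tt>.</P>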

</BODY>
</HTML>