<!-- SECTION: Getting Started -->
<TITLE>Using Kerberos Authentication</TITLE>
<P>CUPS 1.3 adds Kerberos support which allows you to use a Key Distribution Center (KDC) for authentication on your local CUPS server and when printing to a remote authenticated queue. This document describes how to configure CUPS to use Kerberos authentication and provides helpful links to the MIT help pages for configuring Kerberos on your systems and network.</P>
<BLOCKQUOTE><B>Note:</B>

<P>In order to use Kerberos-authenticated shared printers, you <EM>must</EM> be running a version of MIT Kerberos with the <TT>krb5_cc_new_unique()</TT> function or Heimdal Kerberos. Otherwise, only local Kerberos authentication</P>
</BLOCKQUOTE>
<H2 CLASS="title"><A NAME="KRB5">Configuring Kerberos on Your System</A></H2>

<P>Before you can use Kerberos with CUPS, you will need to configure Kerberos on your system and set up a system as a KDC. Because this configuration is highly system- and site-specific, please consult the following on-line resources provided by the creators of Kerberos at the Massachusetts Institute of Technology (MIT):</P>
<UL>
<LI><A HREF="http://web.mit.edu/kerberos/">Kerberos: The Network Authentication Protocol</A></LI>
<LI><A HREF="http://web.mit.edu/macdev/KfM/Common/Documentation/faq-osx.html">Kerberos on Mac OS X Frequently Asked Questions</A></LI>
</UL>

<P>The Linux Documentation Project also has a HOWTO on Kerberos:</P>

<UL>
<LI><A HREF="http://tldp.org/HOWTO/html_single/Kerberos-Infrastructure-HOWTO/">Kerberos Infrastructure HOWTO</A></LI>
</UL>
<H2 CLASS="title"><A NAME="CUPS">Configuring CUPS to Use Kerberos</A></H2>

<P>Once you have configured Kerberos on your system(s), you can then enable Kerberos authentication by selecting the <tt>Negotiate</tt> authentication type. The simplest way to do this is using the <tt>cupsctl(8)</tt> command:</P>

<PRE CLASS="command">
<KBD>cupsctl DefaultAuthType=Negotiate</KBD>
</PRE>
<P>You can also enable Kerberos from the web interface by checking the <VAR>Use Kerberos Authentication</VAR> box and clicking <VAR>Change Settings</VAR>:</P>

<PRE CLASS="command">
http://localhost:631/admin
</PRE>
<P>After you have enabled Kerberos authentication, add <tt>AuthType Default</tt> lines to the policies you want to protect with authentication, for example:</P>
<PRE CLASS="example">
<EM>Listing 1: <A NAME="LISTING01">Remote Printer Operation Policy</A></EM>

&lt;Policy default&gt;
# Job-related operations must be done by the owner or an
&lt;Limit Send-Document Send-URI Hold-Job Release-Job
       Restart-Job Purge-Jobs Set-Job-Attributes
       Create-Job-Subscription Renew-Subscription
       Cancel-Subscription Get-Notifications Reprocess-Job
       Cancel-Current-Job Suspend-Current-Job Resume-Job&gt;
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
&lt;/Limit&gt;

# Require authentication when creating jobs
&lt;Limit Create-Job Print-Job Print-URI&gt;
AuthType Default
Order deny,allow
&lt;/Limit&gt;

# All administration operations require an administrator
&lt;Limit CUPS-Add-Printer CUPS-Delete-Printer
       CUPS-Add-Class CUPS-Delete-Class CUPS-Set-Default&gt;
AuthType Default
Require user @SYSTEM
Order deny,allow
&lt;/Limit&gt;

# All printer operations require a printer operator
&lt;Limit Pause-Printer Resume-Printer
       Set-Printer-Attributes Enable-Printer Disable-Printer
       Pause-Printer-After-Current-Job Hold-New-Jobs
       Release-Held-New-Jobs Deactivate-Printer Activate-Printer
       Restart-Printer Shutdown-Printer Startup-Printer
       Promote-Job Schedule-Job-After CUPS-Accept-Jobs&gt;
AuthType Default
Require user <em>varies by OS</em>
Order deny,allow
&lt;/Limit&gt;

# Only the owner or an administrator can cancel or
# authenticate a job...
&lt;Limit Cancel-Job CUPS-Authenticate-Job&gt;
Require user @OWNER @SYSTEM
Order deny,allow
&lt;/Limit&gt;

&lt;Limit All&gt;
Order deny,allow
&lt;/Limit&gt;
&lt;/Policy&gt;
</PRE>
<H2 CLASS="title"><A NAME="IMPLEMENT">Implementation Information</A></H2>

<P>CUPS implements Kerberos over HTTP using GSS API and the service name "ipp". Delegation of credentials, which is needed when printing to a remote/shared printer with Kerberos authentication, is currently only supported when using a single KDC on your network.</P>

<P>After getting a user's Kerberos credentials, CUPS strips the "@KDC" portion of the username so that it can check the group membership locally, effectively treating the Kerberos account as a local user account.</P>
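<P>The following added example (not CUPS code) models how the realm-stripping described above interacts with the <tt>Require user</tt> lines of Listing 1: it parses a constructed subset of that policy and decides whether a Kerberos principal may perform an operation, with <tt>@OWNER</tt> meaning the job owner and <tt>@SYSTEM</tt> meaning a member of the (constructed) SystemGroup. The policy text, group membership and principals are all assumptions made for the example.</P>

```python
import re
from typing import List, Optional

SYSTEM_GROUP = {"root", "lpadmin"}  # constructed stand-in for cupsd.conf SystemGroup

# Constructed subset of Listing 1 (one-line <Limit> headers for brevity).
POLICY = """
<Limit Send-Document Hold-Job Cancel-Current-Job>
AuthType Default
Require user @OWNER @SYSTEM
</Limit>
<Limit Create-Job Print-Job>
AuthType Default
</Limit>
<Limit CUPS-Add-Printer CUPS-Delete-Printer>
AuthType Default
Require user @SYSTEM
</Limit>
"""

def local_name(principal: str) -> str:
    """Drop '@REALM' as cupsd does; every realm collapses to the same local name."""
    return principal.split("@", 1)[0]

def parse_policy(text: str) -> List[dict]:
    """Return one dict per <Limit> block: operations, AuthType present, Require users."""
    blocks = []
    for m in re.finditer(r"<Limit ([^>]+)>(.*?)</Limit>", text, re.S):
        body = m.group(2)
        req = re.search(r"^Require user (.+)$", body, re.M)
        blocks.append({"ops": set(m.group(1).split()),
                       "auth": re.search(r"^AuthType ", body, re.M) is not None,
                       "require": req.group(1).split() if req else []})
    return blocks

def allowed(principal: Optional[str], op: str, job_owner: Optional[str] = None) -> bool:
    """Decide whether `principal` (None = unauthenticated) may run `op`."""
    for b in parse_policy(POLICY):
        if op not in b["ops"]:
            continue
        if principal is None:
            return not b["auth"] and not b["require"]  # AuthType Default needs a login
        user = local_name(principal)
        if not b["require"]:
            return True  # authenticated is enough, e.g. Create-Job / Print-Job
        return any(entry == user or (entry == "@OWNER" and user == job_owner)
                   or (entry == "@SYSTEM" and user in SYSTEM_GROUP)
                   for entry in b["require"])
    return True  # constructed: operations with no <Limit> fall through to <Limit All>
```

Because only the local part of the principal is compared, <tt>alice@OTHER.REALM</tt> evaluates exactly like <tt>alice@EXAMPLE.COM</tt>; the KDC the server trusts is therefore the effective user database.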