<!-- SECTION: Getting Started -->
<HEAD>
<TITLE>Using Kerberos Authentication</TITLE>
+ <LINK REL="STYLESHEET" TYPE="text/css" HREF="../cups-printable.css">
</HEAD>
<BODY>
-<P>CUPS 1.3 adds Kerberos support which allows you to use a Key Distribution
-Center (KDC) for authentication on your local CUPS server and when printing
-to a remote authenticated queue. This document describes how to configure
-CUPS to use Kerberos authentication and provides helpful links to the MIT
-help pages for configuring Kerberos on your systems and network.</P>
+<H1 CLASS="title">Using Kerberos Authentication</H1>
+
+<P>CUPS allows you to use a Key Distribution Center (KDC) for authentication on your local CUPS server and when printing to a remote authenticated queue. This document describes how to configure CUPS to use Kerberos authentication and provides links to the MIT help pages for configuring Kerberos on your systems and network.</P>
+
+
+<H2 CLASS="title"><A NAME="REQUIREMENTS">System Requirements</A></H2>
+
+<p>The following are required to use Kerberos with CUPS:</p>
+
+<ol>
+
+ <li>Heimdal Kerberos (any version) or MIT Kerberos (1.6.3 or newer)</li>
+
+ <li>Properly configured Domain Name System (DNS) infrastructure (for your servers):<ol type='a'>
+ <li>DNS server(s) with static IP addresses for all CUPS servers or configured to allow DHCP updates to the host addresses and</li>
+ <li>All CUPS clients and servers configured to use the same
+DNS server(s).</li>
+ </ol></li>
+
+ <li>Properly configured Kerberos infrastructure:<ol type='a'>
+ <li>KDC configured to allow CUPS servers to obtain Service Granting Tickets (SGTs) for the "host" service,</li>
+ <li>LDAP-based user accounts - both OpenDirectory and ActiveDirectory provide this with the KDC, and</li>
+ <li>CUPS clients and servers bound to the same KDC and LDAP
+ server(s).</li>
+ </ol></li>
+
+</ol>
<H2 CLASS="title"><A NAME="KRB5">Configuring Kerberos on Your System</A></H2>
-<P>Before you can use Kerberos with CUPS, you will need to configure
-Kerberos on your system and setup a system as a KDC. Because this
-configuration is highly system and site-specific, please consult
-the following on-line resources provided by the creators of Kerberos
-at the Massachussetts Institute of Technology (MIT):</P>
+<P>Before you can use Kerberos with CUPS, you will need to configure Kerberos on your system and setup a system as a KDC. Because this configuration is highly system and site-specific, please consult the following on-line resources provided by the creators of Kerberos at the Massachusetts Institute of Technology (MIT):</P>
<UL>
- <LI><A HREF="http://web.mit.edu/kerberos/">Kerberos: The Network
- Authentication Protocol</A></LI>
+ <LI><A HREF="http://web.mit.edu/kerberos/">Kerberos: The Network Authentication Protocol</A></LI>
<LI><A HREF="http://web.mit.edu/macdev/KfM/Common/Documentation/faq-osx.html">Kerberos
- on Mac OS X Frequently Asked Questions</A></LI>
+ on macOS Frequently Asked Questions</A></LI>
</UL>
<H2 CLASS="title"><A NAME="CUPS">Configuring CUPS to Use Kerberos</A></H2>
-<P>Once you have configured Kerberos on your system(s), you can then
-enable Kerberos authentication by selecting the <tt>Negotiate</tt>
-authentication type. The simplest way to do this is using the
-<tt>cupsctl(8)</tt> command:</P>
+<P>Once you have configured Kerberos on your system(s), you can then enable Kerberos authentication by selecting the <tt>Negotiate</tt> authentication type. The simplest way to do this is using the <tt>cupsctl(8)</tt> command on your server(s):</P>
<PRE CLASS="command">
<KBD>cupsctl DefaultAuthType=Negotiate</KBD>
</PRE>
-<P>You can also enable Kerberos from the web interface by checking the
-<VAR>Use Kerberos Authentication</VAR> box and clicking <VAR>Change
-Settings</VAR>:</P>
+<P>You can also enable Kerberos from the web interface by checking the <VAR>Use Kerberos Authentication</VAR> box and clicking <VAR>Change Settings</VAR>:</P>
<PRE CLASS="command">
-http://localhost:631/admin
+http://server.example.com:631/admin
</PRE>
-<P>After you have enabled Kerberos authentication, add <tt>AuthType Default</tt>
-lines to the policies you want to protect with authentication, for example:</P>
-
-<PRE CLASS="command">
-<EM>Listing 1: <A NAME="LISTING01">Remote Printer Operation Policy</A></EM>
-
- 1 <Policy remote>
- 2 # Job-related operations must be done by the owner or an
- administrator...
- 3 <Limit Send-Document Send-URI Hold-Job Release-Job
- Restart-Job Purge-Jobs Set-Job-Attributes
- Create-Job-Subscription Renew-Subscription
- Cancel-Subscription Get-Notifications Reprocess-Job
- Cancel-Current-Job Suspend-Current-Job Resume-Job
- CUPS-Move-Job>
- 4 AuthType Default
- 5 Require user @OWNER @SYSTEM
- 6 Order deny,allow
- 7 </Limit>
- 8
- 9 # Require authentication when creating jobs
-10 <Limit Create-Job Print-Job Print-URI>
-11 AuthType Default
-12 Require valid-user
-13 Order deny,allow
-14 </Limit>
-15
-16 # All administration operations require an administrator
- to authenticate...
-17 <Limit CUPS-Add-Printer CUPS-Delete-Printer
- CUPS-Add-Class CUPS-Delete-Class CUPS-Set-Default>
-18 AuthType Default
-19 Require user @SYSTEM
-20 Order deny,allow
-21 </Limit>
-22
-23 # All printer operations require a printer operator
- to authenticate...
-24 <Limit Pause-Printer Resume-Printer
- Set-Printer-Attributes Enable-Printer Disable-Printer
- Pause-Printer-After-Current-Job Hold-New-Jobs
- Release-Held-New-Jobs Deactivate-Printer Activate-Printer
- Restart-Printer Shutdown-Printer Startup-Printer
- Promote-Job Schedule-Job-After CUPS-Accept-Jobs
- CUPS-Reject-Jobs>
-25 AuthType Default
-26 Require user <em>varies by OS</em>
-27 Order deny,allow
-28 </Limit>
-29
-30 # Only the owner or an administrator can cancel or
- authenticate a job...
-31 <Limit Cancel-Job CUPS-Authenticate-Job>
-32 Require user @OWNER @SYSTEM
-33 Order deny,allow
-34 </Limit>
-35
-36 <Limit All>
-37 Order deny,allow
-38 </Limit>
-39 </Policy>
-</PRE>
+<P>After you have enabled Kerberos authentication, use the built-in "authenticated" policy or your own custom policies with the printers you will be sharing. See <a href="policies.html">Managing Operation Policies</a> for more information.</P>
<H2 CLASS="title"><A NAME="IMPLEMENT">Implementation Information</A></H2>
-<P>CUPS implements Kerberos over HTTP using GSS API and the service name
-"ipp". Delegation of credentials (needed for remote printers with
-authentication) is only supported when using a single KDC on your network.</P>
+<P>CUPS implements Kerberos over HTTP using GSSAPI and the service name "host". Because of limitations in the HTTP GSSAPI protocol extension, only a single domain/KDC is supported for authentication. The HTTP extension is described in <a href="http://tools.ietf.org/html/rfc4559">RFC 4559</a>.</P>
+
+<P>When doing printing tasks that require authentication, CUPS requests single-use "tickets" from your login session to authenticate who you are. These tickets give CUPS a username of the form "user@REALM", which is then converted to just "user" for purposes of user and group checks.</P>
-<P>After getting a user's Kerberos credentials, CUPS strips the "@KDC"
-portion of the username so that it can check the group membership locally,
-effectively treating the Kerberos account as a local user account.</P>
+<P>In order to support printing to a shared printer, CUPS runs the IPP backend as the owner of the print job so it can obtain the necessary credentials when the job is de-spooled to the server.</P>
</BODY>
</HTML>