Ok, I've been researching my tail off, but have yet to find a working solution to this issue. Here is the scenario:
I have several Debian Lenny workstations successfully integrated into an Active Directory domain using Kerberos authentication. Everything works wonderfully (file share access, AD-based authentication) except for printing to AD print shares using CUPS.
I know I have access to the AD printer share because the following command:
Code:
export DEVICE_URI=smb://ad_print_share_server/hp_clj_5550
smbspool 1 user.name test 1 none anyfile.txt
successfully prints the file "anyfile.txt" to the shared printer without need for a password. It even prints out a debug message to the console saying it's using Kerberos authentication.
My problem is getting CUPS to utilize the Kerberos authentication for printers I add to it. For example, I've added a printer through the CUPS web interface on the workstation with the following settings:
Windows printer via SAMBA
Device URI: smb://ad_print_share_server/hp_clj_5550
I gave it a name, location, and selected the appropriate driver as well.
Next, I run the following command to print the file "acl.txt" through CUPS.
Code:
user.name@workstation:~$ lpr acl.txt
The problem I get is detailed in the CUPS log below:
(unneeded lines removed from output, and things I found interesting highlighted)
Code:
D [28/Apr/2009:13:20:18 -0500] cupsdAcceptClient: 9 from localhost (Domain)
D [28/Apr/2009:13:20:18 -0500] cupsdReadClient: 9 POST / HTTP/1.1
D [28/Apr/2009:13:20:18 -0500] cupsdAuthorize: No authentication data provided.
D [28/Apr/2009:13:20:18 -0500] CUPS-Get-Printers
D [28/Apr/2009:13:20:18 -0500] cupsdProcessIPPRequest: 9 status_code=0 (successful-ok)
D [28/Apr/2009:13:20:18 -0500] cupsdReadClient: 9 POST / HTTP/1.1
D [28/Apr/2009:13:20:18 -0500] cupsdAuthorize: No authentication data provided.
D [28/Apr/2009:13:20:18 -0500] CUPS-Get-Classes
D [28/Apr/2009:13:20:18 -0500] cupsdProcessIPPRequest: 9 status_code=0 (successful-ok)
D [28/Apr/2009:13:20:18 -0500] cupsdReadClient: 9 POST / HTTP/1.1
D [28/Apr/2009:13:20:18 -0500] cupsdAuthorize: No authentication data provided.
D [28/Apr/2009:13:20:18 -0500] CUPS-Get-Default
D [28/Apr/2009:13:20:18 -0500] cupsdProcessIPPRequest: 9 status_code=0 (successful-ok)
D [28/Apr/2009:13:20:18 -0500] cupsdCloseClient: 9
D [28/Apr/2009:13:20:18 -0500] cupsdAcceptClient: 9 from localhost (Domain)
D [28/Apr/2009:13:20:18 -0500] cupsdReadClient: 9 POST /printers/hp_clj_5550 HTTP/1.1
D [28/Apr/2009:13:20:18 -0500] cupsdAuthorize: No authentication data provided.
D [28/Apr/2009:13:20:18 -0500] Print-Job ipp://localhost/printers/hp_clj_5550
D [28/Apr/2009:13:20:18 -0500] [Job ???] Auto-typing file...
I [28/Apr/2009:13:20:18 -0500] [Job ???] Request file type is text/plain.
E [28/Apr/2009:13:20:18 -0500] Print-Job: Unauthorized
D [28/Apr/2009:13:20:18 -0500] cupsdSendError: 9 code=401 (Unauthorized)
D [28/Apr/2009:13:20:18 -0500] cupsdSendHeader: WWW-Authenticate: Basic realm="CUPS"
D [28/Apr/2009:13:20:18 -0500] cupsdCloseClient: 9
D [28/Apr/2009:13:20:18 -0500] cupsdAcceptClient: 9 from localhost (Domain)
D [28/Apr/2009:13:20:18 -0500] cupsdReadClient: 9 POST /printers/hp_clj_5550 HTTP/1.1
D [28/Apr/2009:13:20:18 -0500] cupsdAuthorize: Authorized as root using Local
D [28/Apr/2009:13:20:18 -0500] Print-Job ipp://localhost/printers/hp_clj_5550
D [28/Apr/2009:13:20:18 -0500] [Job ???] Auto-typing file...
I [28/Apr/2009:13:20:18 -0500] [Job ???] Request file type is text/plain.
I [28/Apr/2009:13:20:18 -0500] [Job 25] Adding start banner page "none".
D [28/Apr/2009:13:20:18 -0500] Discarding unused job-created event...
I [28/Apr/2009:13:20:18 -0500] [Job 25] Adding end banner page "none".
I [28/Apr/2009:13:20:18 -0500] [Job 25] File of type text/plain queued by "root".
D [28/Apr/2009:13:20:18 -0500] [Job 25] hold_until=0
D [28/Apr/2009:13:20:18 -0500] Discarding unused printer-state-changed event...
D [28/Apr/2009:13:20:18 -0500] [Job 25] job-sheets=none,none
D [28/Apr/2009:13:20:18 -0500] [Job 25] banner_page = 0
D [28/Apr/2009:13:20:18 -0500] [Job 25] argv[0]="hp_clj_5550"
D [28/Apr/2009:13:20:18 -0500] [Job 25] argv[1]="25"
D [28/Apr/2009:13:20:18 -0500] [Job 25] argv[2]="root"
D [28/Apr/2009:13:20:18 -0500] [Job 25] argv[3]="acl.txt"
D [28/Apr/2009:13:20:18 -0500] [Job 25] argv[4]="1"
D [28/Apr/2009:13:20:18 -0500] [Job 25] argv[5]="media=Letter sides=one-sided finishings=3 number-up=1 job-uuid=urn:uuid:6c8087e3-851a-33cb-77e5-ab06fcddf07b"
D [28/Apr/2009:13:20:18 -0500] [Job 25] argv[6]="/var/spool/cups/d00025-001"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[0]="CUPS_CACHEDIR=/var/cache/cups"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[1]="CUPS_DATADIR=/usr/share/cups"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[2]="CUPS_DOCROOT=/usr/share/cups/doc-root"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[3]="CUPS_FONTPATH=/usr/share/cups/fonts"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[4]="CUPS_REQUESTROOT=/var/spool/cups"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[5]="CUPS_SERVERBIN=/usr/lib/cups"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[6]="CUPS_SERVERROOT=/etc/cups"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[7]="CUPS_STATEDIR=/var/run/cups"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[8]="PATH=/usr/lib/cups/filter:/usr/bin:/usr/sbin:/bin:/usr/bin"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[9]="SERVER_ADMIN=root@workstation.domain.local"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[10]="SOFTWARE=CUPS/1.3.8"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[11]="TMPDIR=/var/spool/cups/tmp"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[12]="TZ=US/Central"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[13]="USER=root"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[14]="CUPS_SERVER=/var/run/cups/cups.sock"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[15]="CUPS_ENCRYPTION=IfRequested"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[16]="IPP_PORT=631"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[17]="CHARSET=utf-8"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[18]="LANG=en_US.UTF8"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[19]="PPD=/etc/cups/ppd/hp_clj_5550.ppd"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[20]="RIP_MAX_CACHE=8m"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[21]="CONTENT_TYPE=text/plain"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[22]="DEVICE_URI=smb://ad_print_share_server/printer_name"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[23]="PRINTER=hp_clj_5550"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[24]="FINAL_CONTENT_TYPE=application/vnd.cups-postscript"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[25]="AUTH_U****"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[26]="AUTH_P****"
I [28/Apr/2009:13:20:18 -0500] [Job 25] Started filter /usr/lib/cups/filter/texttops (PID 7954)
I [28/Apr/2009:13:20:18 -0500] [Job 25] Started filter /usr/lib/cups/filter/pstops (PID 7955)
I [28/Apr/2009:13:20:18 -0500] [Job 25] Started backend /usr/lib/cups/backend/smb (PID 7956)
D [28/Apr/2009:13:20:18 -0500] Discarding unused job-state-changed event...
D [28/Apr/2009:13:20:18 -0500] cupsdProcessIPPRequest: 9 status_code=0 (successful-ok)
D [28/Apr/2009:13:20:18 -0500] cupsdCloseClient: 9
D [28/Apr/2009:13:20:19 -0500] [Job 25] Page = 612x792; 12,12 to 600,780
E [28/Apr/2009:13:20:19 -0500] [Job 25] Session setup failed: NT_STATUS_LOGON_FAILURE
D [28/Apr/2009:13:20:19 -0500] Discarding unused printer-state-changed event...
D [28/Apr/2009:13:20:19 -0500] [Job 25] get_exit_code(cli=0x8b5ed08, nt_status=c000006d)
I [28/Apr/2009:13:20:19 -0500] Saving printers.conf...
D [28/Apr/2009:13:20:19 -0500] [Job 25] ppd->num_fonts = 80
<SNIP! removed dozens of font-messages here>
D [28/Apr/2009:13:20:19 -0500] [Job 25] ppd->fonts[28] = Symbol
E [28/Apr/2009:13:20:19 -0500] [Job 25] Session setup failed: NT_STATUS_NO_SUCH_FILE
D [28/Apr/2009:13:20:19 -0500] Discarding unused printer-state-changed event...
D [28/Apr/2009:13:20:19 -0500] [Job 25] get_exit_code(cli=0x8b5ed08, nt_status=c000000f)
E [28/Apr/2009:13:20:19 -0500] [Job 25] Session setup failed: NT_STATUS_LOGON_FAILURE
<SNIP! Just more useless messages>
E [28/Apr/2009:13:20:19 -0500] [Job 25] Tree connect failed (NT_STATUS_ACCESS_DENIED)
D [28/Apr/2009:13:20:19 -0500] [Job 25] get_exit_code(cli=0x8b82d80, nt_status=c0000022)
I [28/Apr/2009:13:20:19 -0500] Saving printers.conf...
D [28/Apr/2009:13:20:19 -0500] Discarding unused printer-state-changed event...
D [28/Apr/2009:13:20:19 -0500] PID 7954 (/usr/lib/cups/filter/texttops) exited with no errors.
D [28/Apr/2009:13:20:19 -0500] PID 7955 (/usr/lib/cups/filter/pstops) exited with no errors.
E [28/Apr/2009:13:20:19 -0500] PID 7956 (/usr/lib/cups/backend/smb) stopped with status 2!
<SNIP! More messages removed>
D [28/Apr/2009:13:20:19 -0500] [Job 25] File 0 is complete.
I [28/Apr/2009:13:20:19 -0500] [Job 25] Backend returned status 2 (authentication required)
D [28/Apr/2009:13:20:19 -0500] Discarding unused printer-state-changed event...
D [28/Apr/2009:13:20:19 -0500] Discarding unused job-stopped event...
Here is some information about the highlighted entries:
- Even though the file was technically spooled by "user.name", CUPS shows it as spooled by "root" instead. In addition, the original "user.name" should be sent as argv[2] to the backend, but it is also sent as "root".
- /usr/lib/cups/backend/smb is a symlink to /usr/bin/smbspool which I tested manually at the top of this post.
- The logon failure and status denied messages are there because there is no such user as "root" on the AD domain.
I have the following /etc/cupsd.conf file:
Code:
LogLevel debug
SystemGroup lpadmin
# Only listen for connections from the local machine.
Listen localhost:631
Listen /var/run/cups/cups.sock
# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow all
#DefaultAuthType Negotiate
DefaultAuthType Basic
<Location />
# Restrict access to the server...
Order allow,deny
</Location>
<Location /admin>
# AuthType Basic
# Restrict access to the admin pages...
Order allow,deny
</Location>
<Location /admin/conf>
# AuthType Basic
Require user @SYSTEM
# Restrict access to the configuration files...
Order allow,deny
</Location>
<Policy default>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
# AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
# AuthType Basic
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
# AuthType Basic
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
# AuthType Default
# Require user @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
You may notice a few commented entries in the file. These are various tests I've attempted in order to get things working.
Before anyone suggests it, I do not want to create a "generic printing account" in the AD domain. That is unacceptable, as print usage needs to be tracked on a per-user basis. I also have no desire whatsoever to store the username/password in the printers.conf file as part of the URI because some of these workstations are multi-user workstations.
I would *love* to get this working, but seem to have completely run out of ideas to try. I appreciate any viable suggestions any of you may come up with, and look forward to working this issue out.
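The identity mismatch described in the post (job accepted as "root", then handed to the smb backend under that name) can be pulled out of a CUPS debug log mechanically. The following is an added example, not part of the original post; the function names, the `local_only` parameter and the sample lines (job 26 in particular) are constructed for illustration and assume the log layout shown above.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the post; job 26 is made up for contrast.
SAMPLE_LOG = """\
I [28/Apr/2009:13:20:18 -0500] [Job 25] File of type text/plain queued by "root".
D [28/Apr/2009:13:20:18 -0500] [Job 25] argv[2]="root"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[22]="DEVICE_URI=smb://ad_print_share_server/printer_name"
E [28/Apr/2009:13:20:19 -0500] [Job 25] Session setup failed: NT_STATUS_LOGON_FAILURE
E [28/Apr/2009:13:20:19 -0500] [Job 25] Tree connect failed (NT_STATUS_ACCESS_DENIED)
I [28/Apr/2009:13:20:19 -0500] [Job 25] Backend returned status 2 (authentication required)
I [28/Apr/2009:13:21:02 -0500] [Job 26] File of type text/plain queued by "user.name".
D [28/Apr/2009:13:21:02 -0500] [Job 26] argv[2]="user.name"
D [28/Apr/2009:13:21:02 -0500] [Job 26] envp[22]="DEVICE_URI=smb://ad_print_share_server/printer_name"
"""

JOB_LINE = re.compile(r'^\S \[[^\]]+\] \[Job (\d+)\] (.*)$')
FIELDS = {
    "queued_by": re.compile(r'queued by "([^"]*)"'),
    "backend_user": re.compile(r'^argv\[2\]="([^"]*)"'),  # user name handed to the backend
    "device_uri": re.compile(r'^envp\[\d+\]="DEVICE_URI=([^"]*)"'),
    "backend_status": re.compile(r'^Backend returned status (\d+)'),
}
NT_STATUS = re.compile(r'\bNT_STATUS_[A-Z_]+')

def summarize_jobs(log_text):
    """Collect, per job id, the identity and backend-result fields from the log."""
    jobs = defaultdict(lambda: {"nt_status": []})
    for line in log_text.splitlines():
        m = JOB_LINE.match(line)
        if not m:
            continue  # scheduler lines without a [Job N] tag
        job, msg = jobs[int(m.group(1))], m.group(2)
        for name, pattern in FIELDS.items():
            hit = pattern.search(msg)
            if hit:
                job[name] = hit.group(1)
        for status in NT_STATUS.findall(msg):
            if status not in job["nt_status"]:
                job["nt_status"].append(status)
    return dict(jobs)

def identity_mismatches(jobs, local_only=("root",)):
    """Job ids sent to an smb:// device under an account that exists only locally."""
    return sorted(
        job_id for job_id, job in jobs.items()
        if job.get("device_uri", "").startswith("smb://")
        and job.get("backend_user") in local_only
    )
```

Running `identity_mismatches(summarize_jobs(open("/var/log/cups/error_log").read()))` on a workstation with `LogLevel debug` lists the jobs whose backend user would not match a domain account; the log path is the Debian default and is an assumption here.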