Old 04-28-2009, 02:59 PM   #1
Linuxchuck
CUPS printing from AD-integrated workstation to AD-print-shares using Kerberos Auth


Ok, I've been researching my tail off, but have yet to find a working solution to this issue. Here is the scenario:

I have several Debian Lenny workstations successfully integrated into an Active Directory domain using Kerberos authentication. Everything works wonderfully (File share access, AD-based authentication) except for Printing to AD print shares using CUPS.

I know I have access to the AD printer share because the following command:

Code:
export DEVICE_URI=smb://ad_print_share_server/hp_clj_5550
smbspool 1 user.name test 1 none anyfile.txt

successfully prints the file "anyfile.txt" to the shared printer without need for a password. It even prints out a debug message to the console saying it's using Kerberos authentication.

My problem is getting CUPS to utilize the Kerberos authentication for printers I add to it. For example, I've added a printer through the CUPS web interface on the workstation with the following settings:

Windows printer via SAMBA
Device URI: smb://ad_print_share_server/hp_clj_5550
I gave it a name, location, and selected the appropriate driver as well.

Next, I run the following command to print the file "acl.txt" through CUPS.

Code:
user.name@workstation:~$ lpr acl.txt

The problem I get is detailed in the CUPS log below:

(unneeded lines removed from output, and things I found interesting highlighted)

Code:
D [28/Apr/2009:13:20:18 -0500] cupsdAcceptClient: 9 from localhost (Domain)
D [28/Apr/2009:13:20:18 -0500] cupsdReadClient: 9 POST / HTTP/1.1
D [28/Apr/2009:13:20:18 -0500] cupsdAuthorize: No authentication data provided.
D [28/Apr/2009:13:20:18 -0500] CUPS-Get-Printers
D [28/Apr/2009:13:20:18 -0500] cupsdProcessIPPRequest: 9 status_code=0 (successful-ok)
D [28/Apr/2009:13:20:18 -0500] cupsdReadClient: 9 POST / HTTP/1.1
D [28/Apr/2009:13:20:18 -0500] cupsdAuthorize: No authentication data provided.
D [28/Apr/2009:13:20:18 -0500] CUPS-Get-Classes
D [28/Apr/2009:13:20:18 -0500] cupsdProcessIPPRequest: 9 status_code=0 (successful-ok)
D [28/Apr/2009:13:20:18 -0500] cupsdReadClient: 9 POST / HTTP/1.1
D [28/Apr/2009:13:20:18 -0500] cupsdAuthorize: No authentication data provided.
D [28/Apr/2009:13:20:18 -0500] CUPS-Get-Default
D [28/Apr/2009:13:20:18 -0500] cupsdProcessIPPRequest: 9 status_code=0 (successful-ok)
D [28/Apr/2009:13:20:18 -0500] cupsdCloseClient: 9
D [28/Apr/2009:13:20:18 -0500] cupsdAcceptClient: 9 from localhost (Domain)
D [28/Apr/2009:13:20:18 -0500] cupsdReadClient: 9 POST /printers/hp_clj_5550 HTTP/1.1
D [28/Apr/2009:13:20:18 -0500] cupsdAuthorize: No authentication data provided.
D [28/Apr/2009:13:20:18 -0500] Print-Job ipp://localhost/printers/hp_clj_5550
D [28/Apr/2009:13:20:18 -0500] [Job ???] Auto-typing file...
I [28/Apr/2009:13:20:18 -0500] [Job ???] Request file type is text/plain.
E [28/Apr/2009:13:20:18 -0500] Print-Job: Unauthorized
D [28/Apr/2009:13:20:18 -0500] cupsdSendError: 9 code=401 (Unauthorized)
D [28/Apr/2009:13:20:18 -0500] cupsdSendHeader: WWW-Authenticate: Basic realm="CUPS"
D [28/Apr/2009:13:20:18 -0500] cupsdCloseClient: 9
D [28/Apr/2009:13:20:18 -0500] cupsdAcceptClient: 9 from localhost (Domain)
D [28/Apr/2009:13:20:18 -0500] cupsdReadClient: 9 POST /printers/hp_clj_5550 HTTP/1.1
D [28/Apr/2009:13:20:18 -0500] cupsdAuthorize: Authorized as root using Local
D [28/Apr/2009:13:20:18 -0500] Print-Job ipp://localhost/printers/hp_clj_5550
D [28/Apr/2009:13:20:18 -0500] [Job ???] Auto-typing file...
I [28/Apr/2009:13:20:18 -0500] [Job ???] Request file type is text/plain.
I [28/Apr/2009:13:20:18 -0500] [Job 25] Adding start banner page "none".
D [28/Apr/2009:13:20:18 -0500] Discarding unused job-created event...
I [28/Apr/2009:13:20:18 -0500] [Job 25] Adding end banner page "none".
I [28/Apr/2009:13:20:18 -0500] [Job 25] File of type text/plain queued by "root".
D [28/Apr/2009:13:20:18 -0500] [Job 25] hold_until=0
D [28/Apr/2009:13:20:18 -0500] Discarding unused printer-state-changed event...
D [28/Apr/2009:13:20:18 -0500] [Job 25] job-sheets=none,none
D [28/Apr/2009:13:20:18 -0500] [Job 25] banner_page = 0
D [28/Apr/2009:13:20:18 -0500] [Job 25] argv[0]="hp_clj_5550"
D [28/Apr/2009:13:20:18 -0500] [Job 25] argv[1]="25"
D [28/Apr/2009:13:20:18 -0500] [Job 25] argv[2]="root"
D [28/Apr/2009:13:20:18 -0500] [Job 25] argv[3]="acl.txt"
D [28/Apr/2009:13:20:18 -0500] [Job 25] argv[4]="1"
D [28/Apr/2009:13:20:18 -0500] [Job 25] argv[5]="media=Letter sides=one-sided finishings=3 number-up=1 job-uuid=urn:uuid:6c8087e3-851a-33cb-77e5-ab06fcddf07b"
D [28/Apr/2009:13:20:18 -0500] [Job 25] argv[6]="/var/spool/cups/d00025-001"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[0]="CUPS_CACHEDIR=/var/cache/cups"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[1]="CUPS_DATADIR=/usr/share/cups"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[2]="CUPS_DOCROOT=/usr/share/cups/doc-root"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[3]="CUPS_FONTPATH=/usr/share/cups/fonts"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[4]="CUPS_REQUESTROOT=/var/spool/cups"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[5]="CUPS_SERVERBIN=/usr/lib/cups"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[6]="CUPS_SERVERROOT=/etc/cups"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[7]="CUPS_STATEDIR=/var/run/cups"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[8]="PATH=/usr/lib/cups/filter:/usr/bin:/usr/sbin:/bin:/usr/bin"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[9]="SERVER_ADMIN=root@workstation.domain.local"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[10]="SOFTWARE=CUPS/1.3.8"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[11]="TMPDIR=/var/spool/cups/tmp"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[12]="TZ=US/Central"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[13]="USER=root"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[14]="CUPS_SERVER=/var/run/cups/cups.sock"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[15]="CUPS_ENCRYPTION=IfRequested"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[16]="IPP_PORT=631"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[17]="CHARSET=utf-8"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[18]="LANG=en_US.UTF8"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[19]="PPD=/etc/cups/ppd/hp_clj_5550.ppd"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[20]="RIP_MAX_CACHE=8m"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[21]="CONTENT_TYPE=text/plain"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[22]="DEVICE_URI=smb://ad_print_share_server/printer_name"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[23]="PRINTER=hp_clj_5550"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[24]="FINAL_CONTENT_TYPE=application/vnd.cups-postscript"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[25]="AUTH_U****"
D [28/Apr/2009:13:20:18 -0500] [Job 25] envp[26]="AUTH_P****"
I [28/Apr/2009:13:20:18 -0500] [Job 25] Started filter /usr/lib/cups/filter/texttops (PID 7954)
I [28/Apr/2009:13:20:18 -0500] [Job 25] Started filter /usr/lib/cups/filter/pstops (PID 7955)
I [28/Apr/2009:13:20:18 -0500] [Job 25] Started backend /usr/lib/cups/backend/smb (PID 7956)
D [28/Apr/2009:13:20:18 -0500] Discarding unused job-state-changed event...
D [28/Apr/2009:13:20:18 -0500] cupsdProcessIPPRequest: 9 status_code=0 (successful-ok)
D [28/Apr/2009:13:20:18 -0500] cupsdCloseClient: 9
D [28/Apr/2009:13:20:19 -0500] [Job 25] Page = 612x792; 12,12 to 600,780
E [28/Apr/2009:13:20:19 -0500] [Job 25] Session setup failed: NT_STATUS_LOGON_FAILURE
D [28/Apr/2009:13:20:19 -0500] Discarding unused printer-state-changed event...
D [28/Apr/2009:13:20:19 -0500] [Job 25] get_exit_code(cli=0x8b5ed08, nt_status=c000006d)
I [28/Apr/2009:13:20:19 -0500] Saving printers.conf...
D [28/Apr/2009:13:20:19 -0500] [Job 25] ppd->num_fonts = 80

     <SNIP! removed dozens of font-messages here>

D [28/Apr/2009:13:20:19 -0500] [Job 25] ppd->fonts[28] = Symbol
E [28/Apr/2009:13:20:19 -0500] [Job 25] Session setup failed: NT_STATUS_NO_SUCH_FILE
D [28/Apr/2009:13:20:19 -0500] Discarding unused printer-state-changed event...
D [28/Apr/2009:13:20:19 -0500] [Job 25] get_exit_code(cli=0x8b5ed08, nt_status=c000000f)
E [28/Apr/2009:13:20:19 -0500] [Job 25] Session setup failed: NT_STATUS_LOGON_FAILURE

     <SNIP! Just more useless messages>

E [28/Apr/2009:13:20:19 -0500] [Job 25] Tree connect failed (NT_STATUS_ACCESS_DENIED)
D [28/Apr/2009:13:20:19 -0500] [Job 25] get_exit_code(cli=0x8b82d80, nt_status=c0000022)
I [28/Apr/2009:13:20:19 -0500] Saving printers.conf...
D [28/Apr/2009:13:20:19 -0500] Discarding unused printer-state-changed event...
D [28/Apr/2009:13:20:19 -0500] PID 7954 (/usr/lib/cups/filter/texttops) exited with no errors.
D [28/Apr/2009:13:20:19 -0500] PID 7955 (/usr/lib/cups/filter/pstops) exited with no errors.
E [28/Apr/2009:13:20:19 -0500] PID 7956 (/usr/lib/cups/backend/smb) stopped with status 2!

<SNIP!  More messages removed>

D [28/Apr/2009:13:20:19 -0500] [Job 25] File 0 is complete.
I [28/Apr/2009:13:20:19 -0500] [Job 25] Backend returned status 2 (authentication required)
D [28/Apr/2009:13:20:19 -0500] Discarding unused printer-state-changed event...
D [28/Apr/2009:13:20:19 -0500] Discarding unused job-stopped event...

Here is some information about the highlighted entries:
  • Even though the file was technically spooled by "user.name", CUPS shows it as spooled by "root" instead. In addition, the original "user.name" should be sent as argv[2] to the backend, but it is also sent as "root".
  • /usr/lib/cups/backend/smb is a symlink to /usr/bin/smbspool which I tested manually at the top of this post.
  • The logon failure, and status denied messages are there because there is no such user as "root" on the AD domain.

I have the following /etc/cupsd.conf file:

Code:
LogLevel debug
SystemGroup lpadmin
# Only listen for connections from the local machine.
Listen localhost:631
Listen /var/run/cups/cups.sock
# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow all
#DefaultAuthType Negotiate
DefaultAuthType Basic
<Location />
  # Restrict access to the server...
  Order allow,deny
</Location>
<Location /admin>
#  AuthType Basic
  # Restrict access to the admin pages...
  Order allow,deny
</Location>
<Location /admin/conf>
#  AuthType Basic
  Require user  @SYSTEM
  # Restrict access to the configuration files...
  Order allow,deny
</Location>
<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
#    AuthType Default
    Require user  @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
#    AuthType Basic
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
#    AuthType Basic
    Require user  @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
#    AuthType Default
#    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

You may notice a few commented entries in the file. These are various tests I've attempted in order to get things working.

Before anyone suggests it, I do not want to create a "generic printing account" in the AD domain. That is unacceptable, as print usage needs to be tracked on a per-user basis. I also have no desire whatsoever to store the username/password in the printers.conf file as part of the URI because some of these workstations are multi-user workstations.

I would *love* to get this working, but seem to have completely run out of ideas to try. I appreciate any viable suggestions any of you may come up with, and look forward to working this issue out.

Last edited by Linuxchuck; 04-29-2009 at 10:55 AM. Reason: fixed a typo in the smbspool command example.
 
Old 07-24-2009, 07:17 AM   #2
clal
Hi Linuxchuck,

I found your post using Google.
I have the exact same problem with Ubuntu 9.04.

And I had to create an account here now to tell how I have fixed it

smbspool itself is Kerberos ready, but CUPS is calling its backends as userid root or as userid lp. And these two users do not have the same Kerberos context as the user who is printing.

The quick and dirty solution is to delete the symlink /usr/lib/cups/backend/smb and create a small wrapper script to run smbspool in the context of the user who is printing:

/usr/lib/cups/backend/smb:

#!/bin/bash
echo 'network smb "Unknown" "Windows Printer via SAMBA"'
su -c "/usr/bin/smbspool $1 $2 \"$3\" $4 $5" $2


The script must have the x-bit set for the user root only! If it is world executable, CUPS will run the backend as user lp and not as user root, and that will break the su command!

chown root.root /usr/lib/cups/backend/smb
chmod 744 /usr/lib/cups/backend/smb

That's it. Now AD printers are working with single sign on!

Regards
Claus
 
Old 07-19-2010, 11:28 PM   #3
gch
Hi! Your solution is correct, but you need to protect the 5th argument with \" as well. This argument contains the set of cups options, which include spaces. So the final result should be:

Code:
#!/bin/bash
echo 'network smb "Unknown" "Windows Printer via SAMBA"'
su -c "/usr/bin/smbspool $1 $2 \"$3\" $4 \"$5\"" $2
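
A hardened variant of the wrapper from posts #2 and #3, as an added example that is not from either poster: it prints the discovery line only when CUPS calls it without arguments, rejects user names that are not plain non-root accounts, and passes the job arguments to smbspool as an argument vector instead of a `su -c` string. `runuser` (util-linux), the function names and the user-name pattern are assumptions.

```shell
#!/bin/sh
# Added example: hardened variant of the thread's smb backend wrapper.
# Assumes util-linux runuser and smbspool at /usr/bin/smbspool.
SMBSPOOL=/usr/bin/smbspool

# Accept only plain account names such as "user.name" (conservative pattern,
# an assumption): no empty name, no leading "-", no shell metacharacters.
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Succeed (printing the uid) only for an existing, non-root account.
unprivileged_uid() {
    valid_user "$1" || return 1
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -ne 0 ] || return 1
    printf '%s\n' "$uid"
}

main() {
    # With no arguments CUPS is asking which devices the backend supports.
    if [ "$#" -eq 0 ]; then
        echo 'network smb "Unknown" "Windows Printer via SAMBA"'
        return 0
    fi
    # A job is: job-id user title copies options [file]
    if [ "$#" -lt 5 ] || [ "$#" -gt 6 ]; then
        echo "ERROR: expected job-id user title copies options [file]" >&2
        return 1
    fi
    if ! unprivileged_uid "$2" >/dev/null; then
        echo "ERROR: refusing to run smbspool as '$2'" >&2
        return 1
    fi
    # Arguments go to smbspool as an argv vector and are never re-parsed by
    # a shell, so spaces or quotes in the title ($3) and options ($5) stay
    # literal. A spool file ($6) is opened by root and handed over on stdin.
    if [ "$#" -eq 6 ]; then
        runuser -u "$2" -- "$SMBSPOOL" "$1" "$2" "$3" "$4" "$5" <"$6"
    else
        runuser -u "$2" -- "$SMBSPOOL" "$1" "$2" "$3" "$4" "$5"
    fi
}

main "$@"
```

Install it root-owned and executable by root only, as post #2 describes, so that CUPS starts it as root.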
 
  


All times are GMT -5.
