<HTML>
<!-- SECTION: Getting Started -->
<HEAD>
  <TITLE>Using Kerberos Authentication</TITLE>
  <LINK REL="STYLESHEET" TYPE="text/css" HREF="../cups-printable.css">
</HEAD>
<BODY>

<H1 CLASS="title">Using Kerberos Authentication</H1>

<P>CUPS allows you to use a Key Distribution Center (KDC) for authentication on your local CUPS server and when printing to a remote authenticated queue. This document describes how to configure CUPS to use Kerberos authentication and provides links to the MIT help pages for configuring Kerberos on your systems and network.</P>


<H2 CLASS="title"><A NAME="REQUIREMENTS">System Requirements</A></H2>

<p>The following are required to use Kerberos with CUPS:</p>

<ol>

  <li>Heimdal Kerberos (any version) or MIT Kerberos (1.6.3 or newer)</li>

  <li>Properly configured Domain Name System (DNS) infrastructure (for your servers):<ol type='a'>
    <li>DNS server(s) with static IP addresses for all CUPS servers or configured to allow DHCP updates to the host addresses, and</li>
    <li>All CUPS clients and servers configured to use the same DNS server(s).</li>
  </ol></li>

  <li>Properly configured Kerberos infrastructure:<ol type='a'>
    <li>KDC configured to allow CUPS servers to obtain Service Granting Tickets (SGTs) for the "host" and "HTTP" services/principals,</li>
    <li>LDAP-based user accounts - both OpenDirectory and ActiveDirectory provide this with the KDC, and</li>
    <li>CUPS clients and servers bound to the same KDC and LDAP server(s).</li>
  </ol></li>

</ol>


<H2 CLASS="title"><A NAME="KRB5">Configuring Kerberos on Your System</A></H2>

<P>Before you can use Kerberos with CUPS, you will need to configure Kerberos on your system and set up a system as a KDC. Because this configuration is highly system- and site-specific, please consult the following on-line resources provided by the creators of Kerberos at the Massachusetts Institute of Technology (MIT):</P>

<UL>

  <LI><A HREF="http://web.mit.edu/kerberos/">Kerberos: The Network Authentication Protocol</A></LI>

  <LI><A HREF="http://web.mit.edu/macdev/KfM/Common/Documentation/faq-osx.html">Kerberos on macOS Frequently Asked Questions</A></LI>

</UL>

<P>The Linux Documentation Project also has a HOWTO on Kerberos:</P>

<UL>

  <LI><A HREF="http://tldp.org/HOWTO/html_single/Kerberos-Infrastructure-HOWTO/">Kerberos Infrastructure HOWTO</A></LI>

</UL>


<H2 CLASS="title"><A NAME="CUPS">Configuring CUPS to Use Kerberos</A></H2>

<P>Once you have configured Kerberos on your system(s), you can then enable Kerberos authentication by selecting the <tt>Negotiate</tt> authentication type. The simplest way to do this is using the <tt>cupsctl(8)</tt> command on your server(s):</P>

<PRE CLASS="command">
<KBD>cupsctl DefaultAuthType=Negotiate</KBD>
</PRE>

<P>You can also enable Kerberos from the web interface by checking the <VAR>Use Kerberos Authentication</VAR> box and clicking <VAR>Change Settings</VAR>:</P>

<PRE CLASS="command">
http://server.example.com:631/admin
</PRE>

<P>After you have enabled Kerberos authentication, use the built-in "authenticated" policy or your own custom policies with the printers you will be sharing. See <a href="policies.html">Managing Operation Policies</a> for more information.</P>


<H2 CLASS="title"><A NAME="IMPLEMENT">Implementation Information</A></H2>

<P>CUPS implements Kerberos over HTTP using GSSAPI and the service/principal names "host/server.example.com" for command-line access and "HTTP/server.example.com" for web-based access, where "server.example.com" is replaced by your CUPS server's hostname. Because of limitations in the HTTP GSSAPI protocol extension, only a single domain/KDC is supported for authentication. The HTTP extension is described in <a href="http://tools.ietf.org/html/rfc4559">RFC 4559</a>.</P>

<P>When doing printing tasks that require authentication, CUPS requests single-use "tickets" from your login session to authenticate who you are. These tickets give CUPS a username of the form "user@REALM", which is then truncated to just "user" for purposes of user and group checks.</P>

<P>In order to support printing to a shared printer, CUPS runs the IPP or SMB backend as the owner of the print job so it can obtain the necessary credentials when the job is de-spooled to the server.</P>

</BODY>
</HTML>
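A pre-flight check for the setup described above, as an added example that is not part of the CUPS documentation: it confirms that cupsd.conf text selects the Negotiate authentication type and that a keytab listing holds both the "host" and "HTTP" principals for the server. The function names, the sample cupsd.conf fragment, the sample `klist -k` listing and the realm EXAMPLE.COM are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: offline pre-flight checks for CUPS Negotiate authentication.
# Both functions read text on stdin; on a server, feed them cupsd.conf and
# the output of plain `klist -k` (KVNO and principal columns only).

# Succeed only if there is at least one uncommented DefaultAuthType line
# and every such line selects Negotiate.
auth_type_is_negotiate() {
    awk '
        tolower($1) == "defaultauthtype" {
            seen = 1
            if (tolower($2) != "negotiate") bad = 1
        }
        END { exit !(seen && !bad) }'
}

# Print each required principal for host $1 in realm $2 that is absent
# from the keytab listing. Service names are case-sensitive: HTTP, not http.
missing_principals() {
    listing=$(cat)
    for svc in host HTTP; do
        want="$svc/$1@$2"
        printf '%s\n' "$listing" |
            awk -v p="$want" '$2 == p { found = 1 } END { exit !found }' ||
            printf '%s\n' "$want"
    done
}

# Constructed sample inputs; the realm EXAMPLE.COM is an assumption.
SAMPLE_CONF='LogLevel warn
#DefaultAuthType Basic
DefaultAuthType Negotiate'
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------
   2 host/server.example.com@EXAMPLE.COM'

if printf '%s\n' "$SAMPLE_CONF" | auth_type_is_negotiate; then
    echo "cupsd.conf: DefaultAuthType is Negotiate"
else
    echo "cupsd.conf: DefaultAuthType is NOT Negotiate"
fi
printf '%s\n' "$SAMPLE_KEYTAB" |
    missing_principals server.example.com EXAMPLE.COM |
    sed 's/^/keytab: missing /'
```

The sample keytab deliberately lacks the "HTTP" principal, so the script reports it as missing while the "host" principal passes.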