<html>
<!-- SECTION: Getting Started -->
  <head>
    <title>Using Kerberos Authentication</title>
    <link rel="stylesheet" type="text/css" href="../cups-printable.css">
  </head>
  <body>
    <h1 class="title">Using Kerberos Authentication</h1>

    <p>CUPS allows you to use a Key Distribution Center (KDC) for authentication on your local CUPS server and when printing to a remote authenticated queue. This document describes how to configure CUPS to use Kerberos authentication and provides links to the MIT help pages for configuring Kerberos on your systems and network.</p>

    <blockquote><b>Note:</b> Kerberos authentication is deprecated starting in CUPS 2.4.0. OAuth 2.0 is the recommended SSO replacement.</blockquote>


    <h2 class="title" id="REQUIREMENTS">System Requirements</h2>

    <p>The following are required to use Kerberos with CUPS:</p>

    <ol>
      <li>Heimdal Kerberos (any version) or MIT Kerberos (1.6.3 or newer)</li>
      <li>Properly configured Domain Name System (DNS) infrastructure (for your servers):
        <ol type="a">
          <li>DNS server(s) with static IP addresses for all CUPS servers, or configured to allow DHCP updates to the host addresses, and</li>
          <li>All CUPS clients and servers configured to use the same DNS server(s).</li>
        </ol>
      </li>

      <li>Properly configured Kerberos infrastructure:
        <ol type="a">
          <li>KDC configured to allow CUPS servers to obtain Service Granting Tickets (SGTs) for the "host" and "HTTP" services/principals,</li>
          <li>LDAP-based user accounts - both OpenDirectory and ActiveDirectory provide this with the KDC, and</li>
          <li>CUPS clients and servers bound to the same KDC and LDAP server(s).</li>
        </ol>
      </li>
    </ol>
    <p>Before you can use Kerberos with CUPS, you will need to configure Kerberos on your system and set up a system as a KDC. Because this configuration is highly system- and site-specific, please consult the following on-line resources provided by the creators of Kerberos at the Massachusetts Institute of Technology (MIT):</p>

    <ul>
      <li><a href="http://web.mit.edu/kerberos/" target="_blank">Kerberos: The Network Authentication Protocol</a></li>
      <li><a href="http://web.mit.edu/macdev/KfM/Common/Documentation/faq-osx.html" target="_blank">Kerberos on macOS Frequently Asked Questions</a></li>
    </ul>

    <p>The Linux Documentation Project also has a HOWTO on Kerberos:</p>

    <ul>
      <li><a href="http://tldp.org/HOWTO/html_single/Kerberos-Infrastructure-HOWTO/" target="_blank">Kerberos Infrastructure HOWTO</a></li>
    </ul>


    <h2 class="title" id="CUPS">Configuring CUPS to Use Kerberos</h2>

    <p>Once you have configured Kerberos on your system(s), you can then enable Kerberos authentication by selecting the <tt>Negotiate</tt> authentication type. The simplest way to do this is using the <tt>cupsctl(8)</tt> command on your server(s):</p>

    <pre class="command"><kbd>cupsctl DefaultAuthType=Negotiate</kbd></pre>

    <p>You can also enable Kerberos from the web interface by checking the <var>Use Kerberos Authentication</var> box and clicking <var>Change Settings</var>:</p>

    <pre class="command">https://server.example.com:631/admin</pre>

    <p>After you have enabled Kerberos authentication, use the built-in "authenticated" policy or your own custom policies with the printers you will be sharing. See <a href="policies.html">Managing Operation Policies</a> for more information.</p>


    <h2 class="title" id="IMPLEMENT">Implementation Information</h2>

    <p>CUPS implements Kerberos over HTTP using GSSAPI and the service/principal names "host/server.example.com" for command-line access and "HTTP/server.example.com" for web-based access, where "server.example.com" is replaced by your CUPS server's hostname. Because of limitations in the HTTP GSSAPI protocol extension, only a single domain/KDC is supported for authentication. The (experimental) HTTP extension is described in <a href="http://tools.ietf.org/html/rfc4559">RFC 4559</a>.</p>
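    <p>As an added example (not part of the CUPS documentation or the CUPS project), the following POSIX shell pre-flight script checks that the server keytab holds both the "host/" and "HTTP/" service principals named above, for exactly one realm, before running the <tt>cupsctl DefaultAuthType=Negotiate</tt> step from the previous section. It assumes MIT Kerberos' <tt>klist -k</tt> output format; the sample keytab listing embedded in it is constructed for a dry run.</p>

```shell
#!/bin/sh
# Pre-flight check before "cupsctl DefaultAuthType=Negotiate" (added example,
# not CUPS code). Assumption: MIT `klist -k` prints "<KVNO> <principal>@<REALM>"
# lines; SAMPLE_KEYTAB below is a constructed listing for a dry run.

SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 host/server.example.com@EXAMPLE.COM
   3 HTTP/server.example.com@EXAMPLE.COM'

# Print "service/host" (realm stripped) for each keytab entry read on stdin.
principals_in() {
    awk 'NF == 2 && $1 ~ /^[0-9]+$/ { print $2 }' | cut -d@ -f1
}

# Print the distinct realms found in the keytab listing read on stdin.
realms_in() {
    awk 'NF == 2 && $1 ~ /^[0-9]+$/ { print $2 }' | cut -d@ -f2 | sort -u
}

# keytab_has_principals FQDN < listing
# Succeeds only if both host/FQDN and HTTP/FQDN are present; the match is
# exact, so a short hostname or a mismatched FQDN fails.
keytab_has_principals() {
    names=$(principals_in)
    for p in "host/$1" "HTTP/$1"; do
        printf '%s\n' "$names" | grep -Fxq "$p" || return 1
    done
}

# single_realm < listing
# CUPS authenticates against one realm/KDC only, so refuse a mixed keytab.
single_realm() {
    realms_in | awk 'END { exit NR != 1 }'
}

# preflight FQDN: run both checks against the live keytab, then enable Negotiate.
preflight() {
    listing=$(klist -k) || { echo "cannot read keytab" >&2; return 1; }
    printf '%s\n' "$listing" | keytab_has_principals "$1" ||
        { echo "keytab lacks host/$1 or HTTP/$1" >&2; return 1; }
    printf '%s\n' "$listing" | single_realm ||
        { echo "keytab spans more than one realm" >&2; return 1; }
    cupsctl DefaultAuthType=Negotiate
}

# Usage (as root on the CUPS server): sh preflight.sh server.example.com
if [ -n "${1:-}" ]; then preflight "$1"; fi
```

    <p>Run it with the server's fully qualified hostname; it refuses to enable Negotiate when either principal is missing or the keytab mixes realms.</p>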

    <p>When doing printing tasks that require authentication, CUPS requests single-use "tickets" from your login session to authenticate who you are. These tickets give CUPS a username of the form "user@REALM", which is then truncated to just "user" for purposes of user and group checks.</p>

    <p>In order to support printing to a shared printer, CUPS runs the IPP or SMB backend as the owner of the print job so it can obtain the necessary credentials when the job is de-spooled to the server.</p>
  </body>
</html>