Using Kerberos Authentication

CUPS allows you to use a Key Distribution Center (KDC) for authentication on your local CUPS server and when printing to a remote authenticated queue. This document describes how to configure CUPS to use Kerberos authentication and provides links to the MIT help pages for configuring Kerberos on your systems and network.

System Requirements

The following are required to use Kerberos with CUPS:

1. Heimdal Kerberos (any version) or MIT Kerberos (1.6.3 or newer)
2. Properly configured Domain Name System (DNS) infrastructure:
   1. DNS server(s) with static IP addresses for all CUPS clients and servers or configured to allow DHCP updates to the host addresses
   2. All CUPS clients and servers configured to use the same DNS server(s)
3. Properly configured Kerberos infrastructure:
   1. KDC configured to allow CUPS clients and servers to obtain Service Granting Tickets (SGTs) for the "ipp" service
   2. LDAP-based user accounts - both OpenDirectory and ActiveDirectory provide this with the KDC
   3. CUPS clients and servers bound to the KDC and LDAP server(s)
4. An "ipp" Service Granting Ticket (SGT) for every CUPS client and server

Configuring Kerberos on Your System

Before you can use Kerberos with CUPS, you will need to configure Kerberos on your system and setup a system as a KDC. Because this configuration is highly system and site-specific, please consult the following on-line resources provided by the creators of Kerberos at the Massachussetts Institute of Technology (MIT):

• Kerberos: The Network Authentication Protocol
• Kerberos on Mac OS X Frequently Asked Questions

The Linux Documentation Project also has a HOWTO on Kerberos:

• Kerberos Infrastructure HOWTO

Configuring CUPS to Use Kerberos

Once you have configured Kerberos on your system(s), you can then enable Kerberos authentication by selecting the Negotiate authentication type. The simplest way to do this is using the cupsctl(8) command:

cupsctl DefaultAuthType=Negotiate

You can also enable Kerberos from the web interface by checking the Use Kerberos Authentication box and clicking Change Settings:

http://localhost:631/admin

After you have enabled Kerberos authentication, use the built-in "authenticated" policy or your own custom policies with the printers you will be sharing. See Managing Operation Policies for more information.

Implementation Information

CUPS implements Kerberos over HTTP using GSSAPI and the service name "host". Because of limitations in the HTTP GSSAPI protocol extension, only a single domain/KDC is supported for authentication.

When doing printing tasks that require authentication, CUPS requests a single-use "ticket" from your login session to authenticate who you are. This ticket gives CUPS a username of the form "user@REALM", which is then converted to just "user" for purposes of user and group checks.

In order to support printing to a shared printer, CUPS has to ask the KDC for a copy of your credentials (this is called delegation) that can be sent to the remote server for authenticatation. Delegation only works when the system has a stable hostname which maps to the current address of the system, which is why you need a static IP address or DHCP that updates the DNS entry for your system.