Kerberised printing to a Windows print queue

Tom Shaw tomisfaraway at
Sat Aug 7 05:27:14 GMT 2004

Hi Michael

I'm was just going through the steps of adding a use_kerberos option
to smbspool, and I have a couple of questions about how to do this the
Right Way. (If you're not the right person to answer this could you
direct me to the person who is?)

1) Is it appropriate to use the "options" argument? I'm guessing not
because only the ipp backend seems to use that, while the other
backends append options to the URI.

2) I've noticed that the options list appended to eg the serial URI is
slightly non-standard.

searching via google:

cups URI:

Note that HTTP GET uses '+' as a replacement for "space", and '&' as
an option separator, while CUPS uses '+' as the option separator.

Do you think it would be better for me to follow the CUPS way or the
standard way?

3) How trustworthy is the "user" argument that is passed to the
backend? I don't want to allow an impersonation attack where for
example a user can use up another user's print quota.

Anyway.. In terms of making CUPS itself kerberised, I've been thinking
through what my intended patch will achieve. My goal is to allow a
user to print via a local CUPS server using the kerberos credentials
that are stored on that local machine. The way I plan to do this is to
have smbspool seteuid() to the user and use the existing smb
infrastructure to authenticate to the print server.

I believe this method has no chance of working if the CUPS server is
remote (ie on a different machine to the user), because smbspool on
that machine will not have access to the user's credentials cache.
That situation is beyond my experience so I'm not sure how it could be


On Fri, 06 Aug 2004 09:03:25 -0400, Michael Sweet <mike at> wrote:
> Tom Shaw wrote:
> > Hi folks
> >
> > I've been having a look at how to allow multiple users to print to a
> > Windows 2003 print queue without having to specify their username and
> > password each time. Authentication is important in this situation in
> > order to keep track of quotas.
> >
> > As far as I can tell, the solution will need to involve a pam_krb5
> > module to initialise the user's kerberos credentials on logon, then
> > use a kerberos-enabled printing program to print to the Windows
> > printer.
> >
> > It would be perfect I could modify smbspool to be kerberos-enabled and
> > use it as a backend to CUPS. However the showstopper question is: Does
> > any information about the user actually reach the CUPS backend? If so,
> > then I'd love to have a go at modifying smbspool to support this.
> As you noticed afterwards, the username is passed in as one of the
> backend arguments.
> If you *are* able to do this successfully, we'd be interested in
> your work - perhaps we can leverage it to make CUPS fully kerberized!
> --
> ______________________________________________________________________
> Michael Sweet, Easy Software Products           mike at easysw dot com
> Printing Software for UNIX             

More information about the samba-technical mailing list