[PATCH] Kerberised printing to a Windows print queue

Tom Shaw tomisfaraway at gmail.com
Mon Aug 9 06:34:25 GMT 2004

Hi folks

Please find attached a patch to the CUPS backend 'smbspool' to allow
users to print from CUPS to a Windows print queue using Kerberos
credentials. Tested with Solaris 9 4/04 printing to a Windows Server
2003 print queue.

Here are the steps to get the printing working. I assume here that you
have already joined your UNIX box to the AD domain and have set up
Winbind to allow Windows users to log in to the UNIX environment. I
also assume that you are familiar with CUPS.

After applying the patch:

1) Make sure you compile Samba with ADS and krb5 support.

2) ln -s /path/to/samba/bin/smbspool /path/to/lib/cups/backend/smb

3) Create the printer in CUPS. Append "?k=true" or "?k" to the
appropriate device URI in CUPS. This indicates that you want to use
Kerberos authentication. For example:


4) Set the system up so that when users log in, they receive a
Kerberos ticket. I did this by using the pam_krb5 module that comes
with Solaris 9. I imagine the Linux version of this module should work
too. Test it by typing "klist" once you log in as a normal user.

5) Try it out! lp -d <printqueue> <filetoprint>

(Please let me know if you have any problems with getting this working.)

Known issues:

1) Whenever a print job fails for any user (due to eg a lack of
credentials), the print queue is "Stopped" by CUPS. That is, any user
can block the print queue simply by typing "kdestroy" and then trying
to print. A workaround would be to change smbspool so that it returns
success no matter what. However I think a better solution would be for
smbspool to be able to return a value to CUPS that means "the print
job failed, but don't stop the queue". Is this possible Mike?

2) This method of using Kerberos to authenticate to a Windows print
queue will not work if the CUPS server is remote, ie not the same
machine that users log in to. In that case smbspool would not be able
to access the Kerberos credentials cache.

Tom Shaw
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smbspool-kerberos.diff.gz
Type: application/gzip
Size: 1819 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20040809/0ae7a827/smbspool-kerberos.diff.bin

More information about the samba-technical mailing list