[PATCH] Kerberised printing to a Windows print queue

Tom Shaw tomisfaraway at gmail.com
Mon Aug 9 08:49:10 GMT 2004


This is the same patch against the latest SVN rather than 3.0.5.
Tom

On Mon, 9 Aug 2004 14:34:25 +0800, Tom Shaw <tomisfaraway at gmail.com> wrote:
> Hi folks
> 
> Please find attached a patch to the CUPS backend 'smbspool' to allow
> users to print from CUPS to a Windows print queue using Kerberos
> credentials. Tested with Solaris 9 4/04 printing to a Windows Server
> 2003 print queue.
> 
> Here are the steps to get the printing working. I assume here that you
> have already joined your UNIX box to the AD domain and have set up
> Winbind to allow Windows users to log in to the UNIX environment. I
> also assume that you are familiar with CUPS.
> 
> After applying the patch:
> 
> 1) Make sure you compile Samba with ADS and krb5 support.
> 
> 2) ln -s /path/to/samba/bin/smbspool /path/to/lib/cups/backend/smb
> 
> 3) Create the printer in CUPS. Append "?k=true" or "?k" to the
> appropriate device URI in CUPS. This indicates that you want to use
> Kerberos authentication. For example:
> 
> smb://windowshost/printer1?k
> 
> 4) Set the system up so that when users log in, they receive a
> Kerberos ticket. I did this by using the pam_krb5 module that comes
> with Solaris 9. I imagine the Linux version of this module should work
> too. Test it by typing "klist" once you log in as a normal user.
> 
> 5) Try it out! lp -d <printqueue> <filetoprint>
> 
> (Please let me know if you have any problems with getting this working.)
> 
> Known issues:
> 
> 1) Whenever a print job fails for any user (due to eg a lack of
> credentials), the print queue is "Stopped" by CUPS. That is, any user
> can block the print queue simply by typing "kdestroy" and then trying
> to print. A workaround would be to change smbspool so that it returns
> success no matter what. However I think a better solution would be for
> smbspool to be able to return a value to CUPS that means "the print
> job failed, but don't stop the queue". Is this possible Mike?
> 
> 2) This method of using Kerberos to authenticate to a Windows print
> queue will not work if the CUPS server is remote, ie not the same
> machine that users log in to. In that case smbspool would not be able
> to access the Kerberos credentials cache.
> 
> Regards
> Tom Shaw
> 
> 
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smbspool-kerberos-v2.diff.gz
Type: application/gzip
Size: 1793 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20040809/90b57c87/smbspool-kerberos-v2.diff.bin


More information about the samba-technical mailing list