[PATCH] Kerberised printing to a Windows print queue

Michael Sweet mike at easysw.com
Mon Aug 9 13:45:20 GMT 2004

Tom Shaw wrote:
> Hi folks
> Please find attached a patch to the CUPS backend 'smbspool' to allow
> users to print from CUPS to a Windows print queue using Kerberos
> credentials. Tested with Solaris 9 4/04 printing to a Windows Server
> 2003 print queue.
> Here are the steps to get the printing working. I assume here that you
> have already joined your UNIX box to the AD domain and have set up
> Winbind to allow Windows users to log in to the UNIX environment. I
> also assume that you are familiar with CUPS.
> After applying the patch:
> 1) Make sure you compile Samba with ADS and krb5 support.
> 2) ln -s /path/to/samba/bin/smbspool /path/to/lib/cups/backend/smb
> 3) Create the printer in CUPS. Append "?k=true" or "?k" to the
> appropriate device URI in CUPS. This indicates that you want to use
> Kerberos authentication. For example:

I would recommend using the full name, e.g.:


as "k" is non-descriptive.

> smb://windowshost/printer1?k
> 4) Set the system up so that when users log in, they receive a
> Kerberos ticket. I did this by using the pam_krb5 module that comes
> with Solaris 9. I imagine the Linux version of this module should work
> too. Test it by typing "klist" once you log in as a normal user.
> 5) Try it out! lp -d <printqueue> <filetoprint>
> (Please let me know if you have any problems with getting this working.)
> Known issues:
> 1) Whenever a print job fails for any user (due to eg a lack of
> credentials), the print queue is "Stopped" by CUPS. That is, any user
> can block the print queue simply by typing "kdestroy" and then trying
> to print. A workaround would be to change smbspool so that it returns
> success no matter what. However I think a better solution would be for
> smbspool to be able to return a value to CUPS that means "the print
> job failed, but don't stop the queue". Is this possible Mike?

Not at present; CUPS 1.2 adds per-printer error policies so that
you can have CUPS hold jobs that cannot be printed and keep on
chugging with other jobs.

> 2) This method of using Kerberos to authenticate to a Windows print
> queue will not work if the CUPS server is remote, ie not the same
> machine that users log in to. In that case smbspool would not be able
> to access the Kerberos credentials cache.

Seems like a reasonable first step, but ultimately we'll want to
be able to forward the credentials to the remove server, too -
that will require more CUPS integration with Kerberos...

Michael Sweet, Easy Software Products           mike at easysw dot com
Printing Software for UNIX                       http://www.easysw.com

More information about the samba-technical mailing list