CUPS interaction (authentication with LIBCUPS)

Michael R Sweet mike at
Mon Jun 6 14:34:54 GMT 2005

Simo Sorce wrote:
> On Mon, 2005-06-06 at 07:03 -0700, Michael R Sweet wrote:
>>What we need is a general proxy-authentication method which works
>>end-to-end for multiple protocols, not just a localized solution
>>for SAMBA + Kerberos.
> in this case your only bet could be to support winbind with ntlm_auth
> program or something like that.
>>FWIW, it looks like Kerberos will play a part in any solution we
>>come up with, but first we need to kerberize CUPS and IPP...
> what about providing external auth methods like squid does, or modules
> like apache does (I prefer the first so that I can hook up any script I
> like) ?

There are issues with this:

     1. Backends are typically run as root, not as the user doing
        the authentication.
     2. The backend needing authentication info may not be on the
        same machine as the user.
     3. There is no direct communication path between the backend
        and user.

Certainly we can provide support for additional authentication
methods, however we need to do this in the CUPS API, cupsd
(server), and potentially in the backends (if the CUPS API
changes don't take care of things automatically for us).

I don't see modules *or* scripting solving this problem, since
we need something that a) is supported by all CUPS applications,
b) is available on all machines on the network, and c) does away
with the traditional username/password authentication model
which is already well supported, including PAM support on the
server side for custom auth interfaces.

Ideally, whatever we implement should also be compatible with
Windows clients talking over IPP, which points to a Kerberos

Michael Sweet, Easy Software Products           mike at easysw dot com
Internet Printing and Publishing Software

More information about the samba-technical mailing list