CUPS interaction (authentication with LIBCUPS)

Andrew Bartlett abartlet at samba.org
Mon Jun 6 22:58:17 GMT 2005


On Mon, 2005-06-06 at 07:34 -0700, Michael R Sweet wrote:
> Simo Sorce wrote:
> > On Mon, 2005-06-06 at 07:03 -0700, Michael R Sweet wrote:
> > 
> > 
> >>What we need is a general proxy-authentication method which works
> >>end-to-end for multiple protocols, not just a localized solution
> >>for SAMBA + Kerberos.
> > 
> > 
> > in this case your only bet could be to support winbind with ntlm_auth
> > program or something like that.
> > 
> > 
> >>FWIW, it looks like Kerberos will play a part in any solution we
> >>come up with, but first we need to kerberize CUPS and IPP...
> > 
> > 
> > what about providing external auth methods like squid does, or modules
> > like apache does (I prefer the first so that I can hook up any script I
> > like)?
> 
> There are issues with this:
> 
>      1. Backends are typically run as root, not as the user doing
>         the authentication.
>      2. The backend needing authentication info may not be on the
>         same machine as the user.
>      3. There is no direct communication path between the backend
>         and user.

> Ideally, whatever we implement should also be compatible with
> Windows clients talking over IPP, which points to a Kerberos
> solution...

You missed Simo's point.  Simo was talking about a sane implementation
path for the server-side of the authentication problem.  Even without
IPP clients, the admin interface could benefit from this, due to
existing browser support for NTLM and 'Negotiate' (GSS-SPNEGO/GSSAPI).

The example given here is the open authentication architecture used by
squid.  Squid is a non-blocking single process daemon, and as such
performs a number of tasks in 'helpers'.  This approach has also allowed
these helpers to be easily replaced and extended.  After working with
the Squid team, I took over the production of NTLMSSP helpers, where
they talk with winbindd.  This is 'ntlm_auth', and it allows squid to do
NTLMSSP authentication, but without caring about the details. 

Likewise, a GSS-SPNEGO or GSSAPI module could be written for 'Negotiate'
authentication, with a similar backend.  (Samba4 provides a suitable
backend here, and it should be quite easy to write one for the general
GSSAPI library). 

Finally, the use of an external process to handle authentication would
also benefit CUPS, because errors in the pam libs (something I have hit
more often than I would prefer) would not stall out the entire cups
daemon. (I finally tracked down long-running cups issues to bugs in
pam_krb5).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
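
An added example, not part of the original message and not Squid, Samba or CUPS code: the helper pattern described above, where a daemon passes credentials to an external process over a pipe and treats a stalled or crashed helper as a denial instead of blocking. The line protocol is modelled on Squid's basic-auth helper exchange; `AuthHelper`, `HELPER_SRC`, the sample credentials and the timeout are assumptions, and `select` on pipes makes it POSIX-only.

```python
import select
import subprocess
import sys
from urllib.parse import quote

# Constructed stand-in helper: "user password" line in, "OK"/"ERR" line out.
# The user "hang" simulates an authentication library that never returns.
HELPER_SRC = r'''
import sys, time
from urllib.parse import unquote
for line in sys.stdin:
    parts = [unquote(p) for p in line.split()]
    if len(parts) == 2 and parts[0] == "hang":
        time.sleep(3600)
    ok = parts == ["alice", "s3cret pass"]
    print("OK" if ok else "ERR", flush=True)
'''

class AuthHelper:
    """Daemon-side handle on one external authentication helper."""

    def __init__(self, timeout=2.0):
        self.timeout = timeout
        self.proc = None

    def check(self, user, password):
        if self.proc is None or self.proc.poll() is not None:
            self.proc = subprocess.Popen(
                [sys.executable, "-c", HELPER_SRC],
                stdin=subprocess.PIPE, stdout=subprocess.PIPE, bufsize=0)
        # Percent-encode so a space or newline in a credential cannot
        # split the request or inject a second protocol line.
        req = "%s %s\n" % (quote(user, safe=""), quote(password, safe=""))
        try:
            self.proc.stdin.write(req.encode())
            ready, _, _ = select.select([self.proc.stdout], [], [], self.timeout)
            reply = self.proc.stdout.readline().strip() if ready else b""
        except OSError:
            reply = b""
        if reply not in (b"OK", b"ERR"):
            # Timeout, crash or garbage: kill the helper and fail closed.
            self.proc.kill()
            self.proc.wait()
            self.proc = None
        return reply == b"OK"
```

The next `check()` call after a timeout starts a fresh helper, so one hung authentication attempt costs the daemon at most `timeout` seconds.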