[Samba] [Solved] A working CUPS authentication now fails without change anything...
Sketch
smblist at rednsx.org
Tue May 12 11:45:53 MDT 2015
On Tue, 12 May 2015, Andrey Repin wrote:
> Greetings, Daniel Carrasco Marín!
>
>> Hi again!!, this time is not for help request as always :P finally i've
>> found the solution and I want to share it.
>> The problem was just permissions. If you change the keytab permission to
>> 644 it works perfect: chmod 644 /etc/krb5.keytab
>> Anyway I don't understand why the daemons can't read that file when are
>> running as root.
>
> Not all daemons are run as root, far from that.
> Most of single-purpose daemons, such as cups, run as their own users.
Yep, this is done for security purposes so that if one process is
compromised, it doesn't have administrative access to the rest of the
system.
In a similar vein, you don't generally want any process on the machine to
have access to some things. The system kerberos keytab is probably one of
those. If cups is running as it's own user, a better solution would be to
either generate a new keytab just for cups, or copy the existing keytab
and make it only readable by the cups user.
More information about the samba
mailing list