[Samba] [Solved] A working CUPS authentication now fails without change anything...

Sketch smblist at rednsx.org
Tue May 12 11:45:53 MDT 2015

On Tue, 12 May 2015, Andrey Repin wrote:

> Greetings, Daniel Carrasco Marín!
>> Hi again!!, this time is not for help request as always :P finally i've
>> found the solution and I want to share it.
>> The problem was just permissions. If you change the keytab permission to
>> 644 it works perfect: chmod 644 /etc/krb5.keytab
>> Anyway I don't understand why the daemons can't read that file when are
>> running as root.
> Not all daemons are run as root, far from that.
> Most of single-purpose daemons, such as cups, run as their own users.

Yep, this is done for security purposes so that if one process is 
compromised, it doesn't have administrative access to the rest of the 

In a similar vein, you don't generally want any process on the machine to 
have access to some things.  The system kerberos keytab is probably one of 
those.  If cups is running as it's own user, a better solution would be to 
either generate a new keytab just for cups, or copy the existing keytab 
and make it only readable by the cups user.

More information about the samba mailing list