In my ongoing quest to deploy LPRng 3.6.13 based print servers
(the most recent version of the software we've imported), I've found a
new problem: authenticated server to server forwarding is broken.
Relevant information:
Client lpd.conf (shouldn't matter):
# Athena LPRng master config file
# $Id: lpd.conf,v 1.6 1999/08/19 11:01:09 danw Exp $
bp=/usr/athena/libexec/filters/banner
force_localhost@
kerberos_keytab=/var/spool/printer/krb5.keytab
kerberos_service=daemon
lockfile=/var/athena/daemon/lpd.lock
printcap_path=/etc/printcap:|/usr/athena/libexec/get_hesiod_pcap
reuse_addr
use_date@
retry_econnrefused@
Server lpd.conf:
# Athena LPRng master config file
# $Id: lpd.conf,v 1.3 2000/12/27 07:03:13 zacheiss Exp $
bp=/usr/athena/libexec/filters/banner
force_localhost@
kerberos_keytab=/var/spool/printer/krb5.keytab
kerberos_service=daemon
lockfile=/var/athena/daemon/lpd.lock
lpd_printcap_path=/etc/printcap:|/var/ops/bin/get_bounce_pcap
ignore_requested_user_priority
reuse_addr
use_date@
Relevant portion of server printcap:
# ASO LPRng printcap.local
# $Id: printcap.local,v 1.3 1999/08/31 18:52:59 mwhitson Exp $
# This file defines tc entries which are referenced by the
# DCM-generated section of the printcap file.
.common
:sd=/var/spool/printer/%P
:lf=/var/spool/printer/%P/%P-log
:af=/var/spool/printer/%P/%P-acct
:mx#0:minfree#1024:sf:az:xn
:auth_forward=kerberos5
The first problem I encountered was simple:
Index: vars.c
===================================================================
RCS file: /afs/dev.mit.edu/source/repository/third/lprng/lprng/src/common/vars.c,v
retrieving revision 1.10
diff -u -r1.10 vars.c
--- vars.c 2000/04/03 19:01:48 1.10
+++ vars.c 2001/01/12 13:01:25
@@ -97,6 +97,8 @@
{ "as", STRING_K, &Accounting_start_DYN,0,0,"=jobstart $H $n $P $k $b $t"},
/* authentication type for client to server */
{ "auth", STRING_K, &Auth_DYN,0,0 },
+ /* authentication for forwarding */
+{ "auth_forward", STRING_K, &Auth_forward_DYN,0,0},
/* Athena compat: 'Z' means zephyr, not "pass to filter" */
{ "az", FLAG_K, &Athena_Z_compat_DYN,0,0},
/* end banner printing program overides bp */
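Review bot: the added "auth_forward" entry takes the address of Auth_forward_DYN, but nothing in this hunk shows where that variable is declared, so the patch should either include the declaration or state that the header still carries it; otherwise vars.c will not compile on a tree where it was dropped along with the table entry. The new comment could also read "authentication type for server to server forwarding" so that it parallels the "client to server" comment on the "auth" entry directly above it.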
the auth_forward tag was no longer being recognized, because it had
fallen out of vars.c. This appears fixed in the most recent LPRng
tarball I looked at.
The next problem is somewhat more perplexing. With the above patch
applied and the aforementioned config files, spooling to a queue that
bounces to another queue where both require authentication results in
the error:
Send_auth_transfer: security 'kerberos' missing authenticated client
Which comes from sendauth.c. Relevant chunk of code:
    if( job ){
        client = Find_str_value(&job->info,AUTHINFO,Value_sep);
        Set_str_value(info,CLIENT,client);
    } else {
        client = (char *)Perm_check.auth_client_id;
    }
    if( client == 0
        && !(client = Find_str_value(info,"default_client_name", Value_sep))
        && safestrcmp(tag, "none") ){
        plp_snprintf(error, errlen,
            "Send_auth_transfer: security '%s' missing authenticated client", tag );
        goto error;
    }
Stepping through the code with a debugger, it goes through the code path
that takes place if 'job' isn't NULL, but there are no entries matching
AUTHINFO in the &job->info struct.
It appears that all of this code was rewritten extensively immediately
before 3.6.13 was released, so it doesn't surprise me terribly that
there are bugs in it. I didn't see anything in the ChangeLog for more
recent versions suggesting this was a known problem, though, so I
thought I'd ask. Any bright ideas, Patrick?
Garry
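
Added example, not part of the original message and not LPRng code: a stand-alone C model of the client lookup in the sendauth.c excerpt above, showing that a job whose info list has no AUTHINFO entry fails even when the connection's authenticated identity is known. The kv list, find(), resolve_client(), the "authinfo" key string and the principal names are constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins: a NULL-terminated key/value list replaces LPRng's
 * line lists, and "authinfo" replaces whatever string the AUTHINFO macro holds. */
#define AUTHINFO_KEY "authinfo"
struct kv { const char *key, *val; };
enum { RESOLVE_OK = 0, RESOLVE_MISSING_CLIENT = 1 };

static const char *find(const struct kv *list, const char *key)
{
    for (; list && list->key; list++)
        if (strcmp(list->key, key) == 0) return list->val;
    return NULL;
}

/* Same branch order as the excerpt. job_info == NULL means "no job"; conn_client
 * models Perm_check.auth_client_id. *client_out receives the chosen identity. */
static int resolve_client(const struct kv *job_info, const char *conn_client,
                          const struct kv *info, const char *tag,
                          const char **client_out)
{
    const char *client = job_info ? find(job_info, AUTHINFO_KEY) : conn_client;
    if (!client) client = find(info, "default_client_name");
    *client_out = client;
    /* Only the "none" security type may proceed without a client identity. */
    return (!client && strcmp(tag, "none") != 0) ? RESOLVE_MISSING_CLIENT : RESOLVE_OK;
}

int main(void)
{
    const struct kv empty[] = { { NULL, NULL } };
    const struct kv job_ok[] = { { AUTHINFO_KEY, "user@EXAMPLE.ORG" }, { NULL, NULL } };
    const char *c = NULL;

    /* Job carries the submitter's identity: forwarding can proceed. */
    printf("job with AUTHINFO    -> %d\n",
           resolve_client(job_ok, NULL, empty, "kerberos", &c));
    /* The reported case: job present, no AUTHINFO entry. The connection identity
     * is never consulted on this branch, so the lookup fails. */
    printf("job without AUTHINFO -> %d\n",
           resolve_client(empty, "user@EXAMPLE.ORG", empty, "kerberos", &c));
    return 0;
}
```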