Further to my message of yesterday, I've been looking at the issue of kerberos and permissions a bit more closely.

It appears to me that the AUTH* values are not being set when a kerberos authenticated transfer is being made. I'll demonstrate why I think this.

Firstly, as far as I can see, the kerberos exchanges all go well and the file is successfully transferred to the spool directory on the print server. The following seems fairly consistent with the process described in the HOWTO:

    2002-02-27-14:54:43.128 host1 [9698] RCVSEC lp: Receive_secure: socket fd 4
    2002-02-27-14:54:43.128 host1 [9698] RCVSEC lp: Dump_line_list: Receive_secure - input - 0xbfffeec4, count 5, max 102, list 0x805d1f0
    2002-02-27-14:54:43.128 host1 [9698] RCVSEC lp: [ 0] 0x805b320 ='lp'
    2002-02-27-14:54:43.128 host1 [9698] RCVSEC lp: [ 1] 0x805b330 ='C'
    2002-02-27-14:54:43.128 host1 [9698] RCVSEC lp: [ 2] 0x805b340 ='toby'
    2002-02-27-14:54:43.128 host1 [9698] RCVSEC lp: [ 3] 0x805c1a8 ='kerberos'
    2002-02-27-14:54:43.128 host1 [9698] RCVSEC lp: [ 4] 0x805c1b8 ='1456'

... the server returns a value of 0:

    2002-02-27-14:54:43.206 host1 [9698] RCVSEC lp: server_krb5_status: retval 0, error: ''
    2002-02-27-14:54:43.206 host1 [9698] RCVSEC lp: Receive_secure: status 0, ack 0, error ''
    2002-02-27-14:54:43.207 host1 [9698] RCVSEC lp: Receive_secure: starting server

...and the job is transferred from the client to the spool directory on the server. The kerberos principal of the sending user is correctly identified in the logs.

In short, as far as I can see the kerberos authenticated part of the transfer is all working OK. However, all my AUTH* directives result in the job being rejected.
When debugging this with the printcap option :db=database+3, I can see that the AUTH values are still null, e.g.:

    2002-02-27-14:34:55.025 host1 [9546] (Server) lp: Perms_check: P_AUTHTYPE authtype '<NULL>'
    2002-02-27-15:17:56.539 host1 [9874] (Server) lp: Perms_check: P_AUTH authuser '<NULL>'

So, it appears to me that the AUTH* values are not being correctly set at the server side of things, although it's possible I might be missing something blindingly obvious somewhere.

Can anyone offer any advice/assistance? Is there anyone out there actually using kerberos with LPRng?

As always, thanks in advance
Toby

-----------------------------------------------------------------------

> Hi all,
>
> Can anyone suggest the best way to debug permissions problems? I am
> testing LPRng 3.8.6 with kerberos 5 and can't seem to get it to behave
> at all with regard to permissions.
>
> Basically what I'd really like to see is what the various AUTH* values
> are set to when the server processes the job, so I can determine why
> requests are being rejected. I have tried debugging with
> /usr/sbin/lpd -F -D10 > /tmp/lpd.out 2>&1 but this doesn't really
> offer anything useful, at least to my eyes.
>
> Searching through the archives of this list, I can't find a lot of
> information relating to kerberos use, which makes me wonder whether
> many people are using LPRng with kerberos.
>
> I have set up the server printcap with these options for the queue:
>
>   :[EMAIL PROTECTED]
>   :kerberos_keytab=/etc/lpd.keytab
>
> .. and the client side with:
>
>   :auth=kerberos5
>   :[EMAIL PROTECTED]
>
> This certainly seems to work OK, as if I do an lpq from the client
> machine, I successfully obtain a [EMAIL PROTECTED]
> ticket.
>
> I can happily set permissions for USER, etc. values on the server side
> and everything works as I would expect, but as soon as I try to use
> any of the AUTH* values, I run into problems. For instance, with a
> perms file of simply:
>
>   DEFAULT ACCEPT
>   REJECT NOT AUTH
>
> ... which I would think would reject any non-authenticated operations,
> lpq reports "ERROR: no permission to print" after using lpr to send a
> job. Why does lpq succeed though? Additionally, why does lprm also
> succeed?
>
> I have tried setting more complex values, e.g.
>
>   ACCEPT AUTH SERVICE=XCMRP [EMAIL PROTECTED]
>
> .. with a similar complete lack of success.
>
> I'd be very grateful if anyone with experience of getting LPRng to
> play nicely with kerberos authentication could offer me some
> pointers. Or as I've mentioned, a better way of debugging the
> permissions process.
>
> Many thanks in advance
> Toby Blake
> Division of Informatics
> University of Edinburgh

-----------------------------------------------------------------------
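
An added example, not part of the original message and not LPRng code: a Python triage script that reads lpd debug output in the layout quoted above and reports queues where Receive_secure returned status 0 while Perms_check still logged AUTH fields as '<NULL>'. The function names and the per-queue grouping are assumptions of this example, and the sample log is constructed from lines quoted in the message, which came from separate runs.

```python
import re

# Constructed sample: debug lines quoted in the message above, joined into
# one log for this example (the originals came from separate runs).
SAMPLE_LOG = """\
2002-02-27-14:54:43.128 host1 [9698] RCVSEC lp: Receive_secure: socket fd 4
2002-02-27-14:54:43.206 host1 [9698] RCVSEC lp: server_krb5_status: retval 0, error: ''
2002-02-27-14:54:43.206 host1 [9698] RCVSEC lp: Receive_secure: status 0, ack 0, error ''
2002-02-27-14:34:55.025 host1 [9546] (Server) lp: Perms_check: P_AUTHTYPE authtype '<NULL>'
2002-02-27-15:17:56.539 host1 [9874] (Server) lp: Perms_check: P_AUTH authuser '<NULL>'
"""

# Layout assumed from the quoted lines: timestamp host [pid] tag queue: message
LINE = re.compile(r"^(\S+) (\S+) \[(\d+)\] (\S+) (\S+): (.*)$")
SECURE = re.compile(r"^Receive_secure: status (-?\d+), ack (-?\d+), error '(.*)'$")
PERMS = re.compile(r"^Perms_check: (P_AUTH\w*) (\w+) '(.*)'$")


def audit(log_text):
    """Per queue: secure-receive statuses and AUTH fields logged as <NULL>."""
    queues = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or unrelated line
        _ts, _host, pid, _tag, queue, msg = m.groups()
        q = queues.setdefault(queue, {"secure_status": [], "null_auth": []})
        s = SECURE.match(msg)
        if s:
            q["secure_status"].append((int(pid), int(s.group(1))))
        p = PERMS.match(msg)
        if p and p.group(3) == "<NULL>":
            q["null_auth"].append((int(pid), p.group(1), p.group(2)))
    return queues


def mismatched_queues(queues):
    """Queues where a secure receive returned 0 yet AUTH fields were unset."""
    return sorted(
        name for name, q in queues.items()
        if any(status == 0 for _pid, status in q["secure_status"])
        and q["null_auth"]
    )


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for name in mismatched_queues(result):
        print(name, result[name])
```

To use it on real output, pass the contents of the debug file (for instance the /tmp/lpd.out capture mentioned in the quoted message) to audit() instead of SAMPLE_LOG.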
