Bug 489734 - [RFE] gtk2 cups printer backend should support Kerberos authentication
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: cups
All Linux
low Severity high
: rc
: ---
Assigned To: Tim Waugh
: FutureFeature, Triaged
Depends On:
Blocks: 554476
Reported: 2009-03-11 11:50 EDT by guilhem.bonnefille
Modified: 2012-10-30 10:33 EDT

Doc Type: Enhancement
Clone Of:
: 690462 (view as bug list)
Last Closed: 2012-10-30 10:33:13 EDT

External Trackers
Tracker ID Priority Status Summary Last Updated
GNOME Desktop 553690 None None None Never
CUPS Bugs and Features 3325 None None None Never
CUPS Bugs and Features 3519 None None None Never


Description guilhem.bonnefille 2009-03-11 11:50:22 EDT
Description of problem:
I'm trying to print to a kerberized CUPS daemon, with Gtk2 clients (firefox 3.0, but the same with gtk-demo). When trying to print, the client fails due to an authorization error.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Launch gtk-demo and select "Printing"
2. Send the job
Actual results:

Expected results:

Additional info:
Seems to be a limitation of the gtk sources.
But it is quite annoying as RHEL 5 contains a kerberized cups.

Comment 1 guilhem.bonnefille 2009-03-11 12:01:32 EDT
Probable related bug (on Red Hat Bugzilla): Bug 476232 - gtk2 cups printer backend does not attempt SO_PEERCRED authentication

Comment 2 guilhem.bonnefille 2009-03-11 12:07:10 EDT
I attempted to apply the patch provided with the GNOME bug report on my gtk2 version (gtk2-2.10.4-20). Authentication seems to succeed, but printing failed. On the client side, I obtain a "Too many failed attempts" error.

The server log contains:

Feb 24 18:12:16 server cupsd[26585]: get_gss_creds: Attempting to acquire credentials for ipp@server.fr...
Feb 24 18:12:16 server cupsd[26585]: get_gss_creds: Credentials acquired successfully for ipp@server.fr.
Feb 24 18:12:16 server cupsd[26585]: cupsdAuthorize: Authorized as user@server.fr using Negotiate

Comment 3 Matthias Clasen 2009-03-11 12:43:28 EDT
Thanks for testing that patch!
But it would be much more useful to provide feedback about it in the upstream bug where we are working on it.

Comment 4 J.H.M. Dassen (Ray) 2011-03-24 08:03:04 EDT
2. What is the nature and description of the request?

Customer would like to see the possibility of Kerberos authentication via
SSO for print jobs, so users without a valid Kerberos ticket cannot print.

3. Why does the customer need this? (List the business requirements here)

The entire infrastructure at the customer site is kerberized and therefore
they also need it for printing purposes.

4. How would the customer like to achieve this? (List the functional
requirements here)

Additional authentication backend in lib-cups as it already exists upstream
(cupslib 1.4.4)

5. For each functional requirement listed in question 4, specify how Red Hat
and the customer can test to confirm the requirement is successfully

Make sure you can only print when you have a valid kerberos ticket and the
kerberos authentication is enabled in cups.

6. Is there already an existing RFE upstream or in Red Hat bugzilla?

Yes, there is the upstream bz
https://bugzilla.gnome.org/show_bug.cgi?id=553690 and the Red Hat bz

7. How quickly does this need resolved? (desired target release)

5.7 if possible, 5.8 if not and 6.1

8. Does this request meet the RHEL Inclusion criteria (please review)

From my point of view it does.

9. List the affected packages


10. Would the customer be able to assist in testing this functionality if

Yes, definitely.
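
Added example, not part of the original bug report and not CUPS or GTK code: a small audit of cupsd syslog output that supports the acceptance test in item 5 of comment 4 by listing every authorization that did not use Negotiate (Kerberos). The first three sample lines are the excerpt from comment 2; the fourth line, the user "alice" and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Lines 1-3: log excerpt quoted in comment 2 of this bug.
# Line 4: constructed sample showing a non-Kerberos authorization.
SAMPLE_LOG = """\
Feb 24 18:12:16 server cupsd[26585]: get_gss_creds: Attempting to acquire credentials for ipp@server.fr...
Feb 24 18:12:16 server cupsd[26585]: get_gss_creds: Credentials acquired successfully for ipp@server.fr.
Feb 24 18:12:16 server cupsd[26585]: cupsdAuthorize: Authorized as user@server.fr using Negotiate
Feb 24 18:13:02 server cupsd[26585]: cupsdAuthorize: Authorized as alice using Basic
"""

# Matches only the cupsdAuthorize success line, in the syslog layout shown above.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\scupsd\[\d+\]:\s"
    r"cupsdAuthorize: Authorized as (?P<user>\S+) using (?P<scheme>\S+)\s*$"
)


def parse_authorizations(log_text):
    """Return one dict (ts, host, user, scheme) per successful authorization."""
    events = []
    for line in log_text.splitlines():
        match = AUTH_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def audit(log_text, required_scheme="Negotiate"):
    """Count authorizations per scheme and collect those not using required_scheme."""
    events = parse_authorizations(log_text)
    by_scheme = Counter(event["scheme"] for event in events)
    violations = [e for e in events if e["scheme"] != required_scheme]
    return by_scheme, violations


if __name__ == "__main__":
    by_scheme, violations = audit(SAMPLE_LOG)
    print("authorizations per scheme:", dict(by_scheme))
    for v in violations:
        print("non-Kerberos authorization: %(ts)s %(user)s via %(scheme)s" % v)
```

An empty violations list over a test window in which only ticket holders printed is the server-side evidence for the requirement; it does not show whether the client-side job submission succeeded.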

Comment 7 Dennis Hunter 2011-08-12 13:51:40 EDT
RFE to be considered for a later release.
The request is relevant to RHEL and needs to be considered for a
later release.

Thank you for submitting this feature request for inclusion in Red Hat
Enterprise Linux. Your request will be considered in a future release of
Red Hat Enterprise Linux.

Comment 23 Libor Miksik 2012-10-25 08:30:54 EDT
Thank you for submitting this issue for consideration. Red Hat Enterprise Linux 5 has reached the end of Production 1 Phase of its Life Cycle. Red Hat does not plan to incorporate the suggested capability in a future Red Hat Enterprise Linux 5 minor release. If you would like Red Hat to re-consider this feature request and the requested functionality is not currently in Red Hat Enterprise Linux 6, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.

Comment 25 RHEL Product and Program Management 2012-10-26 14:18:59 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 26 Libor Miksik 2012-10-30 10:33:13 EDT
Please disregard the previous comment.
