Red Hat Bugzilla – Bug 489734
[RFE] gtk2 cups printer backend should support Kerberos authentication
Last modified: 2012-10-30 10:33:13 EDT
Description of problem:
I'm trying to print to a kerberized CUPS daemon, with Gtk2 clients (firefox 3.0, but the same with gtk-demo). When trying to print, the client fails due to authorization error.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Launch gtk-demo and select "Printing"
2. Send the job
Seems to be a limitation of the gtk sources.
But it is quite annoying as RHEL 5 contains a kerberized cups.
Probable related bug (on RedHat bugzilla): Bug 476232 - gtk2 cups printer backend does not attempt SO_PEERCRED authentication
I attempted to apply the patch provided with Gnome bug report on my gtk2 version (gtk2-2.10.4-20). Authentication seems to succeed, but print failed. On the client side, I obtain a "Too many failed attempts" error.
The server log contains:
Feb 24 18:12:16 server cupsd: get_gss_creds: Attempting to acquire credentials for firstname.lastname@example.org...
Feb 24 18:12:16 server cupsd: get_gss_creds: Credentials acquired successfully for email@example.com.
Feb 24 18:12:16 server cupsd: cupsdAuthorize: Authorized as firstname.lastname@example.org using Negotiate
Thanks for testing that patch!
But it would be much more useful to provide feedback about it in the upstream bug where we are working on it.
2. What is the nature and description of the request?
Customer would like to see the possibility of kerberos authentication via
SSO for print jobs, so users without a valid kerberos ticket can not print
3. Why does the customer need this? (List the business requirements here)
The entire infrastructure at the customer site is kerberized and therefore
they also need it for printing purposes.
4. How would the customer like to achieve this? (List the functional
Additional authentication backend in lib-cups as it already exists upstream
5. For each functional requirement listed in question 4, specify how Red Hat
and the customer can test to confirm the requirement is successfully
Make sure you can only print when you have a valid kerberos ticket and the
kerberos authentication is enabled in cups.
6. Is there already an existing RFE upstream or in Red Hat bugzilla?
Yes, there is the upstream bz
https://bugzilla.gnome.org/show_bug.cgi?id=553690 and the Red Hat bz
7. How quickly does this need resolved? (desired target release)
5.7 if possible, 5.8 if not and 6.1
8. Does this request meet the RHEL Inclusion criteria (please review)
From my point of view it does.
9. List the affected packages
10. Would the customer be able to assist in testing this functionality if
RFE to be considered for a later release.
The request is relevant to RHEL and needs to be considered for a
Thank you for submitting this feature request for inclusion in Red Hat
Enterprise Linux. Your request will be considered in a future release of
Red Hat Enterprise Linux.
Thank you for submitting this issue for consideration. Red Hat Enterprise Linux 5 has reached the end of Production 1 Phase of its Life Cycle. Red Hat does not plan to incorporate the suggested capability in a future Red Hat Enterprise Linux 5 minor release. If you would like Red Hat to re-consider this feature request and the requested functionality is not currently in Red Hat Enterprise Linux 6, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.
Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
please disregard the previous comment.