Bug 837602 - cups + krb: it falls down into basic authorization instead of negotiate
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: cups
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: Tim Waugh
QA Contact: Petr Sklenar
URL:
Whiteboard:
Duplicates: 842782
Depends On:
Blocks:
Reported: 2012-07-04 11:02 UTC by Petr Sklenar
Modified: 2014-06-13 11:47 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 11:47:21 UTC
Target Upstream Version:
Embargoed:


Attachments
Upstream patch (638 bytes, patch)
2012-12-18 10:57 UTC, Tim Waugh


Links
System ID Private Priority Status Summary Last Updated
CUPS Bugs and Features 4140 0 None None None 2012-07-18 12:01:10 UTC

Description Petr Sklenar 2012-07-04 11:02:16 UTC
Description of problem:
cups + krb: it falls down into basic authorization instead of negotiate
There is error: 'Authorized using Basic, expected Negotiate!'


Version-Release number of selected component (if applicable):
# rpm -q cups
cups-1.5.3-1.1.el7.x86_64

# rpm -qa | grep krb
krb5-appl-clients-1.0.2-4.el7.x86_64
krb5-appl-servers-1.0.2-4.el7.x86_64
krb5-debuginfo-1.10-6.el7.x86_64
krb5-appl-debuginfo-1.0.2-4.el7.x86_64
krb5-pkinit-1.10-6.el7.x86_64
krb5-libs-1.10-6.el7.x86_64
krb5-server-1.10-6.el7.x86_64
krb5-auth-dialog-3.2.1-3.el7.x86_64
krb5-workstation-1.10-6.el7.x86_64
krb5-devel-1.10-6.el7.x86_64
krb5-server-ldap-1.10-6.el7.x86_64
pam_krb5-2.3.13-2.el7.x86_64
krb5-auth-dialog-debuginfo-3.2.1-3.el7.x86_64



How reproducible:
deterministic

Steps to Reproduce:
1. set up cups + krb5, DefaultAuthType=Negotiate
2. user has valid ticket

# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: KerberesiedPetr

Valid starting     Expires            Service principal
07/04/12 10:57:43  07/05/12 10:57:43  krbtgt/EXAMPLE.COM
	renew until 07/04/12 10:57:43


3. user is in the root group, 
# id KerberesiedPetr
uid=1001(KerberesiedPetr) gid=1001(KerberesiedPetr) groups=1001(KerberesiedPetr),0(root)

4. lpadmin -p $TPRN1 -v file:/dev/null -E -m $ML
  
Actual results:
lpadmin expects a password for root on localhost?

cups/error_log:

D [04/Jul/2012:10:48:10 -0400] cupsdReadClient: 19 1.1 CUPS-Add-Modify-Printer 1
D [04/Jul/2012:10:48:10 -0400] CUPS-Add-Modify-Printer ipp://localhost:631/printers/testprinter1
D [04/Jul/2012:10:48:10 -0400] cupsdIsAuthorized: username="root"
E [04/Jul/2012:10:48:10 -0400] Authorized using Basic, expected Negotiate!
D [04/Jul/2012:10:48:10 -0400] Returning HTTP Unauthorized for CUPS-Add-Modify-Printer (ipp://localhost:631/printers/testprinter1) from localhost


Expected results:
no password is expected


Additional info:
RHEL 6 works well with exactly the same settings
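
A log check for the failure signature in the error_log excerpt above, as an added example that is not part of the original bug report or of CUPS: it finds each "Authorized using X, expected Y!" error and attaches the user, operation and peer from the neighbouring lines. Correlating lines by adjacency is an assumption that fits the excerpt but may not hold in a busy scheduler log; the names `AuthMismatch` and `find_auth_mismatches` are hypothetical.

```python
import re
from dataclasses import dataclass

# The error_log excerpt quoted in the bug description, embedded as sample input.
SAMPLE_LOG = """\
D [04/Jul/2012:10:48:10 -0400] cupsdReadClient: 19 1.1 CUPS-Add-Modify-Printer 1
D [04/Jul/2012:10:48:10 -0400] CUPS-Add-Modify-Printer ipp://localhost:631/printers/testprinter1
D [04/Jul/2012:10:48:10 -0400] cupsdIsAuthorized: username="root"
E [04/Jul/2012:10:48:10 -0400] Authorized using Basic, expected Negotiate!
D [04/Jul/2012:10:48:10 -0400] Returning HTTP Unauthorized for CUPS-Add-Modify-Printer (ipp://localhost:631/printers/testprinter1) from localhost
"""

LINE = re.compile(r"^(?P<level>[A-Za-z]) \[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
USER = re.compile(r'^cupsdIsAuthorized: username="(?P<user>[^"]*)"')
MISMATCH = re.compile(r"^Authorized using (?P<used>\w+), expected (?P<expected>\w+)!")
DENIED = re.compile(r"^Returning HTTP Unauthorized for (?P<op>\S+) \((?P<uri>[^)]*)\) from (?P<peer>\S+)")

@dataclass
class AuthMismatch:
    timestamp: str
    user: str
    used: str
    expected: str
    operation: str = ""
    uri: str = ""
    peer: str = ""

    @property
    def is_downgrade(self):
        # The case in this bug: Negotiate configured, Basic actually used.
        return self.expected == "Negotiate" and self.used == "Basic"

def find_auth_mismatches(log_text):
    """Return one AuthMismatch per 'Authorized using X, expected Y!' error."""
    findings, last_user, pending = [], "", None
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        msg = line["msg"]
        if (m := USER.match(msg)):
            last_user = m["user"]  # assumption: belongs to the next error line
        elif (m := MISMATCH.match(msg)):
            pending = AuthMismatch(line["ts"], last_user, m["used"], m["expected"])
            findings.append(pending)
        elif (m := DENIED.match(msg)) and pending:
            pending.operation, pending.uri, pending.peer = m["op"], m["uri"], m["peer"]
            pending = None
    return findings

if __name__ == "__main__":
    for hit in find_auth_mismatches(SAMPLE_LOG):
        print(hit, "downgrade" if hit.is_downgrade else "mismatch")
```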

Comment 4 Tim Waugh 2012-07-17 16:50:33 UTC
This seems to be due to a check in the server end about whether this is a local connection:

scheduler/client.c:2719 (cupsdSendHeader):

#ifdef HAVE_GSSAPI
    else if (auth_type == CUPSD_AUTH_NEGOTIATE)
    {
#  ifdef AF_LOCAL
      if (_httpAddrFamily(con->http.hostaddr) == AF_LOCAL)
        strlcpy(auth_str, "Basic realm=\"CUPS\"", sizeof(auth_str));
      else
#  endif /* AF_LOCAL */
      strlcpy(auth_str, "Negotiate", sizeof(auth_str));
    }
#endif /* HAVE_GSSAPI */

Adjusting the lpadmin command to add "-h $IP_ADDR" with the external IP address of the machine allows it to succeed.

This seems to have been added as part of upstream revision 9732 on trunk:

commit 8e48ce8bd6acc030f9e913cd80ed31e7465d7ef1
Author: mike <mike@7a7537e8-13f0-0310-91df-b6672ffda945>
Date:   Sun May 1 19:55:04 2011 +0000

    Use GSS framework, when available, and support acquisition of Kerberos creds
    when the underlying libraries support it (may add others as time permits).
    
    
    git-svn-id: http://svn.easysw.com/public/cups/trunk@9732 7a7537e8-13f0-0310-91df-b6672ffda945

Comment 5 Tim Waugh 2012-07-18 12:01:10 UTC
Reported upstream.

Comment 6 Tim Waugh 2012-08-03 11:17:05 UTC
*** Bug 842782 has been marked as a duplicate of this bug. ***

Comment 9 Tim Waugh 2012-12-18 10:57:33 UTC
Created attachment 665435
Upstream patch

Comment 10 Jiri Popelka 2012-12-18 14:59:24 UTC
Upstream patch has been applied in cups-1.5.4-22.

Comment 11 Marcus Moeller 2013-10-28 08:13:48 UTC
@Jiri, has this also been made available to Fedora?

Comment 12 Tim Waugh 2013-10-28 12:27:39 UTC
Looks like it:

commit 9db046f6c4f1b7f8afc79cec03780144c9244631
Author: Jiri Popelka <jpopelka>
Date:   Tue Dec 18 15:32:27 2012 +0100

    backport fixes for STR #4125, STR #4140, STR #4187, STR #4205, STR #4232

Comment 15 Ludek Smid 2014-06-13 11:47:21 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

