Bug 837602 - cups + krb: it falls down into basic authorization instead of negotiate
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: cups
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Tim Waugh
QA Contact: Petr Sklenar
Keywords: Patch, Regression
Duplicates: 842782

Reported: 2012-07-04 07:02 EDT by Petr Sklenar
Modified: 2014-06-13 07:47 EDT
Doc Type: Bug Fix
Last Closed: 2014-06-13 07:47:21 EDT
Type: Bug

Attachments
Upstream patch (638 bytes, patch)
2012-12-18 05:57 EST, Tim Waugh


External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
CUPS Bugs and Features | 4140 | None | None | None | 2012-07-18 08:01:10 EDT

Description Petr Sklenar 2012-07-04 07:02:16 EDT
Description of problem:
cups + krb: it falls down into basic authorization instead of negotiate
There is an error: 'Authorized using Basic, expected Negotiate!'


Version-Release number of selected component (if applicable):
# rpm -q cups
cups-1.5.3-1.1.el7.x86_64

# rpm -qa | grep krb
krb5-appl-clients-1.0.2-4.el7.x86_64
krb5-appl-servers-1.0.2-4.el7.x86_64
krb5-debuginfo-1.10-6.el7.x86_64
krb5-appl-debuginfo-1.0.2-4.el7.x86_64
krb5-pkinit-1.10-6.el7.x86_64
krb5-libs-1.10-6.el7.x86_64
krb5-server-1.10-6.el7.x86_64
krb5-auth-dialog-3.2.1-3.el7.x86_64
krb5-workstation-1.10-6.el7.x86_64
krb5-devel-1.10-6.el7.x86_64
krb5-server-ldap-1.10-6.el7.x86_64
pam_krb5-2.3.13-2.el7.x86_64
krb5-auth-dialog-debuginfo-3.2.1-3.el7.x86_64



How reproducible:
deterministic

Steps to Reproduce:
1. set up cups + krb5, DefaultAuthType=Negotiate
2. user has valid ticket

# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: KerberesiedPetr@EXAMPLE.COM

Valid starting     Expires            Service principal
07/04/12 10:57:43  07/05/12 10:57:43  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 07/04/12 10:57:43


3. user is in the root group:
# id KerberesiedPetr
uid=1001(KerberesiedPetr) gid=1001(KerberesiedPetr) groups=1001(KerberesiedPetr),0(root)

4. lpadmin -p $TPRN1 -v file:/dev/null -E -m $ML
  
Actual results:
lpadmin expects a password for root on localhost?

cups/error_log:

D [04/Jul/2012:10:48:10 -0400] cupsdReadClient: 19 1.1 CUPS-Add-Modify-Printer 1
D [04/Jul/2012:10:48:10 -0400] CUPS-Add-Modify-Printer ipp://localhost:631/printers/testprinter1
D [04/Jul/2012:10:48:10 -0400] cupsdIsAuthorized: username="root"
E [04/Jul/2012:10:48:10 -0400] Authorized using Basic, expected Negotiate!
D [04/Jul/2012:10:48:10 -0400] Returning HTTP Unauthorized for CUPS-Add-Modify-Printer (ipp://localhost:631/printers/testprinter1) from localhost


Expected results:
no password is expected


Additional info:
RHEL 6 works well with exactly the same settings
Comment 4 Tim Waugh 2012-07-17 12:50:33 EDT
This seems to be due to a check at the server end about whether this is a local connection:

scheduler/client.c:2719 (cupsdSendHeader):

#ifdef HAVE_GSSAPI
    else if (auth_type == CUPSD_AUTH_NEGOTIATE)
    {
#  ifdef AF_LOCAL
      if (_httpAddrFamily(con->http.hostaddr) == AF_LOCAL)
        strlcpy(auth_str, "Basic realm=\"CUPS\"", sizeof(auth_str));
      else
#  endif /* AF_LOCAL */
      strlcpy(auth_str, "Negotiate", sizeof(auth_str));
    }
#endif /* HAVE_GSSAPI */

Adjusting the lpadmin command to add "-h $IP_ADDR" with the external IP address of the machine allows it to succeed.

This seems to have been added as part of upstream revision 9732 on trunk:

commit 8e48ce8bd6acc030f9e913cd80ed31e7465d7ef1
Author: mike <mike@7a7537e8-13f0-0310-91df-b6672ffda945>
Date:   Sun May 1 19:55:04 2011 +0000

    Use GSS framework, when available, and support acquisition of Kerberos creds
    when the underlying libraries support it (may add others as time permits).
    
    
    git-svn-id: http://svn.easysw.com/public/cups/trunk@9732 7a7537e8-13f0-0310-91df-b6672ffda945
Comment 5 Tim Waugh 2012-07-18 08:01:10 EDT
Reported upstream.
Comment 6 Tim Waugh 2012-08-03 07:17:05 EDT
*** Bug 842782 has been marked as a duplicate of this bug. ***
Comment 9 Tim Waugh 2012-12-18 05:57:33 EST
Created attachment 665435
Upstream patch
Comment 10 Jiri Popelka 2012-12-18 09:59:24 EST
Upstream patch has been applied in cups-1.5.4-22.
Comment 11 Marcus Moeller 2013-10-28 04:13:48 EDT
@Jiri has this also been made available to Fedora?
Comment 12 Tim Waugh 2013-10-28 08:27:39 EDT
Looks like it:

commit 9db046f6c4f1b7f8afc79cec03780144c9244631
Author: Jiri Popelka <jpopelka@redhat.com>
Date:   Tue Dec 18 15:32:27 2012 +0100

    backport fixes for STR #4125, STR #4140, STR #4187, STR #4205, STR #4232
Comment 15 Ludek Smid 2014-06-13 07:47:21 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
