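I have been struggling to Kerberize some services in our domain, one of which is CUPS. The setup is as follows: a central print server connects to every printer in the domain and shares them, and each client connects to some of the printers on that server. So the server and all clients run a CUPS spooler. For obvious reasons, authentication is required on the print server - using Basic authentication works (a username/password dialog appears on the client trying to print), but Negotiate authentication does not.
The print server has a service keytab with the service name "host", and the clients and the server have correct DNS and reverse DNS entries for the print server and the KDC. Obtaining a ticket for a principal on the client works. But when I try to print, a dialog appears with the text "Negotiate" and a text box next to it. Whatever is entered in the dialog, it keeps reappearing.
Interestingly, pointing the client directly at the print server's spooler using client.conf works with Negotiate authentication - obtaining the service ticket works and authentication goes smoothly. But this is not ideal, because every client would see every printer - different rooms want to see their specific room printers.
How is Negotiate authentication supposed to work? At the moment I have no idea what to do. The server runs Ubuntu 12.04 LTS (fully updated), and the clients also use Ubuntu 12.04 LTS (not fully updated). Both clients and server run CUPS 1.5.3. The KDC is a Samba4 server, and both the print server and the clients have Kerberos configured correctly. The client configuration is just the default Ubuntu one. The current server cupsd.conf is as follows: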
LogLevel warn
MaxLogSize 0
SystemGroup lpadmin
# Allow remote access
Port 631
HostNameLookups on
Listen /var/run/cups/cups.sock
Browsing On
BrowseOrder allow,deny
BrowseAllow all
BrowseLocalProtocols CUPS dnssd
BrowseAddress @LOCAL
DefaultAuthType Negotiate
DefaultPolicy authenticated
WebInterface Yes
<Location />
# Allow remote access...
Order allow,deny
Allow all
</Location>
<Location /admin>
</Location>
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
</Location>
<Policy default>
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Default
Require valid-user
Order allow,deny
Allow from 172.30.*.*
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
<Policy authenticated>
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Default
Order deny,allow
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
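An added example, not part of the original post: a small Python parser for the `<Policy>`/`<Limit>` layout of the cupsd.conf above, which reports the directives that govern one IPP operation under `DefaultPolicy` and resolves `AuthType Default` to the `DefaultAuthType` value. The function names `parse_policies` and `effective_rule` are hypothetical, the sample is a shortened excerpt of the posted file, and the code assumes printers use `DefaultPolicy` and keeps only the last value of a repeated directive.

```python
import re

# Constructed sample: shortened excerpt of the cupsd.conf posted above.
SAMPLE = """\
DefaultAuthType Negotiate
DefaultPolicy authenticated
<Policy default>
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Default
Require valid-user
Order allow,deny
Allow from 172.30.*.*
</Limit>
</Policy>
<Policy authenticated>
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Default
Order deny,allow
</Limit>
</Policy>
"""

def parse_policies(text):
    """Return (top-level directives, {policy: {operation: {directive: value}}})."""
    top, policies, stack = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"<(/?)(\w+)\s*(.*?)>", line)
        if m:  # opening or closing section tag: track nesting on a stack
            stack.pop() if m.group(1) else stack.append(m.group(2, 3))
            continue
        key, _, value = line.partition(" ")
        if not stack:
            top[key] = value.strip()
        elif [tag for tag, _ in stack] == ["Policy", "Limit"]:
            for op in stack[1][1].split():  # one entry per listed operation
                policies.setdefault(stack[0][1], {}).setdefault(op, {})[key] = value.strip()
    return top, policies

def effective_rule(text, operation):
    """Directives for `operation` under DefaultPolicy; 'AuthType Default' resolved."""
    top, policies = parse_policies(text)
    limits = policies[top.get("DefaultPolicy", "default")]
    rule = dict(limits.get(operation, limits.get("All", {})))
    if rule.get("AuthType") == "Default":
        rule["AuthType"] = top.get("DefaultAuthType", "Basic")
    return rule
```

Run against the full file, `effective_rule(conf_text, "Print-Job")` shows which authentication type and access directives the server applies to a print request, which helps when comparing the `default` and `authenticated` policies side by side.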