Copyright (C) 2000-2012
17.14. Using Kerberos 5 for Authentication

LPRng Kerberos 5 authentication is based on the Kerberos5-1.2.4 release as of 3 March 2020. The distribution was obtained from MIT from the http://web.mit.edu/kerberos/www/ Website. The following sections briefly describe how to set up and test the Kerberos software and then how to configure LPRng to use Kerberos.

17.14.1. LPRng Configuration

The following configure options are used to enable Kerberos support:

    --enable-kerberos           enable Kerberos V support
    --enable-mit_kerberos4      enable MIT Kerberos 4 support
    --disable-kerberos_checks   disable Kerberos sanity checks

The --enable-kerberos option will cause configure to search for the include files such as krb5.h and the krb5 support libraries. If it finds these, then Kerberos authentication will be included. The --enable-mit_kerberos4 option enables searching for the Kerberos 4 include files and support libraries. If these are found then MIT Kerberos 4 compatibility will be enabled. The --disable-kerberos_checks option will disable checking for libraries and simply enable the various options.

17.14.2. Kerberos Installation Procedure
17.14.3. LPRng Configuration

The LPRng software needs to be configured so that it can find the Kerberos libraries and include files. By default, the include files are installed in /usr/local/include and the libraries in /usr/local/lib. Use the following steps to configure LPRng so that it uses these directories during configuration and installation:

    cd .../LPRng
    rm -f config.cache
    CPPFLAGS="-I/usr/local/include -I/usr/include/kerberosIV" \
    LDFLAGS="-L/usr/local/lib -L/usr/lib/kerberosIV" \
    ./configure
    make clean all
    su
    make install

17.14.4. Printcap Entries

Options used:
Example printcap entry:

    pr:client
      :lp=pr@wayoff
      :auth=kerberos5
      :kerberos_id=lpr/wayoff.private@ASTART.COM
    pr:server
      :lp=pr@faroff.private
      :auth_forward=kerberos5
      :kerberos_id=lpr/wayoff.private@ASTART.COM
      :kerberos_forward_id=lpr/faroff.private@ASTART.COM
      :kerberos_keytab=/etc/lpd.keytab

OR, if you want to use Kerberos 4 authentication to the server:

    pr:client
      :lp=pr@wayoff
      :auth=kerberos4
      :kerberos_id=lpr/wayoff.private@ASTART.COM
    # support both Kerberos 4 and 5 on server
    pr:server
      :lp=pr@faroff.private
      :auth_forward=kerberos5
      :kerberos_id=lpr/wayoff.private@ASTART.COM
      :kerberos_forward_id=lpr/faroff.private@ASTART.COM
      :kerberos_keytab=/etc/lpd.keytab

The printcap configuration for Kerberos authentication is very simple.

The kerberos_id is the principal name of the lpd server that clients will connect to. For backwards compatibility, kerberos_server_principal can also be used. This value is used to obtain a ticket for the lpd server, and is the only entry required for client to server authentication.

The other entries are used by the lpd server. The kerberos_keytab entry is the location of the keytab file to be used by the server. This contains the passphrase used by the server to authenticate itself and get a ticket from the ticket server.

The kerberos_id value is also used by the server during the authentication process to make sure that the correct principal name was used by the request originator. This check has saved many hours of pain in trying to determine why authentication is failing.

The kerberos_life and kerberos_renew set the lifetime and renewability of the lpd server Kerberos tickets. These values should not be modified unless you are familiar with the Kerberos system. There are extensive notes in the LPRng source code concerning these values.

The kerberos_service value supplies the name of the service to be used when generating a ticket. It is strongly recommended that the kerberos_id entry be used instead.

17.14.5. User Environment Variables and Files

In order to use Kerberos authentication, the user will need to obtain a ticket from the Kerberos ticket server. This is done using kinit. No other actions are required by the user.
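The principal-name check described in section 17.14.4 can also be run over a printcap file before lpd is started, together with a permission check on the keytab it names. The following Python is an added example, not part of LPRng or of the original documentation; the function names, the one-header-per-line layout and the rule that a keytab must not be accessible to group or other users are assumptions made here.

```python
import os

# Constructed sample in the page's layout; the client kerberos_id is wrong on purpose.
SAMPLE = """\
pr:client
  :lp=pr@wayoff
  :auth=kerberos5
  :kerberos_id=lpr/faroff.private@ASTART.COM
pr:server
  :auth_forward=kerberos5
  :kerberos_id=lpr/wayoff.private@ASTART.COM
  :kerberos_keytab=/etc/lpd.keytab
"""

def parse_printcap(text):
    """Return {entry header: {option: value}}; assumes one header per line."""
    entries, current = {}, {}
    for raw in text.splitlines():
        line = raw.strip().rstrip("\\").strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith(":"):
            current = entries.setdefault(line, {})  # header such as "pr:client"
            continue
        for field in filter(None, line.split(":")):
            key, _, value = field.partition("=")
            current[key.strip()] = value.strip()
    return entries

def keytab_findings(path):
    """Flag a keytab that is missing or accessible to group or other users."""
    try:
        mode = os.stat(path).st_mode & 0o777
    except OSError as exc:
        return [f"keytab {path}: {exc.strerror}"]
    return [f"keytab {path}: mode {mode:o} is too open"] if mode & 0o077 else []

def audit(entries, name="pr"):
    """Check the <name>:client and <name>:server entries against each other."""
    client, server = (entries.get(f"{name}:{role}", {}) for role in ("client", "server"))
    found = []
    if client.get("auth", "").startswith("kerberos") and "kerberos_id" not in client:
        found.append("client: auth is set but kerberos_id is missing")
    ids = client.get("kerberos_id"), server.get("kerberos_id")
    if all(ids) and ids[0] != ids[1]:
        found.append(f"kerberos_id mismatch: client {ids[0]}, server {ids[1]}")
    if server.get("kerberos_keytab"):
        found += keytab_findings(server["kerberos_keytab"])
    return found
```

Calling `audit(parse_printcap(open("/etc/printcap").read()))` on the lpd host returns an empty list when the client and server agree on the principal and the keytab is private to its owner.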