Insufficiently Random

The lonely musings of a loosely connected software developer.

Sunday, August 28, 2005

Kerberos Printing on MacOS X

The RPI Computer Science department network uses Kerberos to protect its print spoolers. This allows students and faculty to print from any computer on the network and yet the department can verify the individual is allowed to print to that printer - and more importantly - track usage to prevent printer abuse.

MacOS 10.3 and 10.4 use CUPS - and CUPS doesn't support connecting to a remote LPR daemon that requires Kerberos authentication. MacOS 10.3 and 10.4 both support printing to an SMB print spooler, but for unknown reasons 10.4 can't actually print over SMB.

Due to the architecture of CUPS and MacOS X it is rather difficult for a CUPS backend to gain access to the user's Kerberos tickets. So I developed this solution. :-)

Installation is rather technical - if you aren't comfortable opening a shell and using a command line don't attempt to install this software.

Otherwise, here you go: cups2lprng-relay-1.0.tar.bz2

How it works

At login a Perl script is started and run in the background as a
daemon.

The daemon creates a UNIX domain socket in /tmp which only the
user can access.

The CUPS backend (cups2lprng) is run as root by the CUPS printing
daemon. When the print job is received by the CUPS backend the
backend connects to the UNIX domain socket of the user who CUPS
claims submitted the print job. The print job is then copied over
the domain socket.

When the daemon receives a connection it starts up an LPRng process
to print the incoming print job.
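The two halves of that relay, sketched as an added Python example (not the project's code: the original daemon is a Perl script and the backend is a compiled CUPS backend). The socket name, the sample job and the stdin-to-stdout copy that stands in for LPRng's lpr are constructed for the demo; the point is the owner-only socket under umask 077 and the job streaming from a root-run backend into the user's own session.

```python
import os, socket, subprocess, sys, tempfile, threading

def create_user_socket(path):
    """Create the per-user relay socket so that only its owner can connect."""
    try:
        os.unlink(path)          # clear a stale socket left by a previous login
    except FileNotFoundError:
        pass
    old_umask = os.umask(0o077)  # bind() creates the node; umask keeps other users out
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, 0o600)        # owner read/write only, set explicitly as well
    srv.listen(1)
    return srv

def relay_one_job(srv, print_cmd):
    """Daemon side: accept one job and feed it on stdin to the print command,
    which runs in the logged-in user's session and so sees their Kerberos tickets."""
    conn, _ = srv.accept()
    with conn:
        job = b"".join(iter(lambda: conn.recv(65536), b""))  # read until EOF
    proc = subprocess.run(print_cmd, input=job, capture_output=True)
    return job, proc.returncode, proc.stdout

def submit_job(path, job_bytes):  # backend side: connect to the claimed user's socket
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(path)
        cli.sendall(job_bytes)
        cli.shutdown(socket.SHUT_WR)  # EOF tells the daemon the job is complete
    return len(job_bytes)

def demo(job_bytes=b"%!PS-Adobe-3.0\n%% constructed sample job\nshowpage\n"):
    """Run daemon and backend in one process; a stdin-to-stdout copy stands in for lpr."""
    path = os.path.join(tempfile.mkdtemp(), "cups2lprng.sock")  # hypothetical socket name
    copy_cmd = [sys.executable, "-c",
                "import sys, shutil; shutil.copyfileobj(sys.stdin.buffer, sys.stdout.buffer)"]
    result = {}
    with create_user_socket(path) as srv:
        worker = threading.Thread(target=lambda: result.update(r=relay_one_job(srv, copy_cmd)))
        worker.start()
        submit_job(path, job_bytes)
        worker.join()
    return os.stat(path).st_mode & 0o777, result["r"]
```

In the real deployment the backend would derive the socket path from the job's owner and the daemon would invoke lpr with the printer name instead of the copy command.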

Kerberos Tickets/Mach-O Chains

Other solutions have tried to run LPRng directly from within the
CUPS backend process. This has proved to be impossible with
Kerberos tickets as the tickets are held in memory by the kernel
and are unavailable to the CUPS backend.

We get around the problem by running the daemon as part of the
user's login/desktop session, so the daemon has access to the
user's tickets.

I have seen a solution from NCSU which has a printer plugin that
copies the user's Kerberos ticket to a temp file, then passes that
temp file to the CUPS backend. This exposes the ticket on disk
for a short period of time - a risk. This solution avoids that
risk.
