LPRng Reference Manual: 24 Sep 2004 (For LPRng-3.8.28)
Chapter 17. Permissions and Authentication
LPRng Kerberos 5 authentication is based on the Kerberos5-1.2.5 release as of 3 June 2002. The distribution was obtained from MIT from the http://web.mit.edu/kerberos/www/ Website.
The following sections briefly describe how to set up and test the Kerberos software and then how to configure LPRng to use Kerberos.
The following configure options are used to enable Kerberos support:
--enable-kerberos            enable Kerberos V support
--enable-mit_kerberos4       enable MIT Kerberos 4 support
--disable-kerberos_checks    disable Kerberos sanity checks
The --enable-kerberos option causes configure to search for the include files such as krb5.h and the krb5 support libraries. If it finds these, then Kerberos authentication will be included. The --enable-mit_kerberos4 option enables searching for the Kerberos 4 include files and support libraries. If these are found, then MIT Kerberos 4 compatibility will be enabled. The --disable-kerberos_checks option disables the checks for the libraries and simply enables the various options.
Get the Kerberos 5 distribution.
Compile and install the distribution.
Create the /etc/krb5.conf and /usr/local/var/krb5kdc/kdc.conf files using the templates in the Kerberos distribution's src/config-files directory. See the Kerberos Installation Guide and the Kerberos System Administrators Guide for details.
Start up the KDC and KADMIN servers - you might want to put the following in your rc.local or equivalent system startup files:
Use kadmin (or kadmin.local) to create principals for your users.
Use kadmin (or kadmin.local) to create principals for the lpd servers. The recommended method is to use lpr/hostname@REALM as a template for the principal name, for example lpr/astart1.private@ASTART.COM. You should use fully qualified domain names for the principals. Do not assign the principal a password.
Extract the keytab for each server:
The /etc/lpr.wayoff.private file contains the keytab information, which is the equivalent of a password for a server program. You should create these files and then copy the appropriate keytab file to /etc/lpd.keytab on each server. See the warnings about keytab files in the Kerberos Installation and Kerberos Administration manuals. You should copy the file using an encrypted connection, set the permissions to read only by the owner (400), and set the owner to daemon or the user that lpd will run as.
If you want to have MIT Kerberos 4 printing compatibility, then you will need to set up Kerberos 4 srvtabs in addition to the Kerberos 5 keytabs. Assuming that you have put the Kerberos 5 keytab in /etc/lpd.keytab, you extract the Kerberos 4 srvtab version of the Kerberos 5 keytab using the following commands. You must put the key in the /etc/srvtab file in order to be compatible with the Kerberos 4 support.
The LPRng software needs to be configured so that it can find the Kerberos libraries and include files. By default, the include files are installed in /usr/local/include and the libraries in /usr/local/lib. Use the following steps to configure LPRng so that it uses these directories during configuration and installation:
Options used:

Option | Meaning
---|---
auth=kerberos5 | use Kerberos5 authentication
kerberos_id= | server principal name (for client use)
kerberos_server_principal= | alias for kerberos_id
kerberos_forward_id= | destination server principal used by the server
kerberos_forward_principal= | alias for kerberos_forward_id
kerberos_keytab= | location of the lpd server keytab file
kerberos_service= | service to be used
kerberos_life= | lpd server ticket lifetime
kerberos_renew= | lpd server ticket renew
Example printcap entry:
```
pr:client
  :lp=pr@wayoff
  :auth=kerberos5
  :kerberos_id=lpr/wayoff.private@ASTART.COM
pr:server
  :lp=pr@faroff.private
  :auth_forward=kerberos5
  :kerberos_id=lpr/wayoff.private@ASTART.COM
  :kerberos_forward_id=lpr/faroff.private@ASTART.COM
  :kerberos_keytab=/etc/lpd.keytab
```

Or, if you want to use Kerberos 4 authentication to the server:

```
pr:client
  :lp=pr@wayoff
  :auth=kerberos4
  :kerberos_id=lpr/wayoff.private@ASTART.COM
# support both Kerberos 4 and 5 on server
pr:server
  :lp=pr@faroff.private
  :auth_forward=kerberos5
  :kerberos_id=lpr/wayoff.private@ASTART.COM
  :kerberos_forward_id=lpr/faroff.private@ASTART.COM
  :kerberos_keytab=/etc/lpd.keytab
```
The printcap configuration for Kerberos authentication is very simple.
The kerberos_id is the principal name of the lpd server that clients will connect to. For backwards compatibility, kerberos_server_principal can also be used. This value is used to obtain a ticket for the lpd server, and is the only entry required for client to server authentication.
The other entries are used by the lpd server. The kerberos_keytab entry is the location of the keytab file to be used by the server. This contains the secret (the equivalent of a password) used by the server to authenticate itself and get a ticket from the ticket server.
The kerberos_id value is also used by the server during the authentication process to make sure that the correct principal name was used by the request originator. This check has saved many hours of pain in trying to determine why authentication is failing.
The kerberos_life and kerberos_renew values set the lifetime and renewability of the lpd server's Kerberos tickets. These values should not be modified unless you are familiar with the Kerberos system. There are extensive notes in the LPRng source code concerning these values. The kerberos_service value supplies the name of the service to be used when generating a ticket. It is strongly recommended that the kerberos_id entry be used instead.
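The rules above (kerberos_id present and fully qualified, kerberos_keytab and kerberos_forward_id on a forwarding server, kerberos_id preferred over kerberos_service) can be checked mechanically before lpd is restarted. The following is an added example, not LPRng's own code: it parses printcap entries written in the one-field-per-line form of the example above and reports the Kerberos options that are missing or malformed. The sample printcap is constructed from the manual's example; the parser handles only the `:key=value` / `:flag` subset of printcap syntax used there.

```python
import re

# Constructed sample (not from any real installation): the client and server
# entries of the manual's printcap example, written one field per line.
SAMPLE_PRINTCAP = """\
pr:client
  :lp=pr@wayoff
  :auth=kerberos5
  :kerberos_id=lpr/wayoff.private@ASTART.COM
pr:server
  :lp=pr@faroff.private
  :auth_forward=kerberos5
  :kerberos_id=lpr/wayoff.private@ASTART.COM
  :kerberos_forward_id=lpr/faroff.private@ASTART.COM
  :kerberos_keytab=/etc/lpd.keytab
"""
# lpr/<host>@<REALM>, host fully qualified (must contain a dot), as the manual recommends.
PRINCIPAL_RE = re.compile(r"^lpr/[^@/]+\.[^@/]+@[A-Za-z0-9.\-]+$")

def parse_printcap(text):
    """Name line (name plus ':flag' fields), then ':key=value' / ':flag' continuation
    lines; flags map to True. Returns a list of (name, options) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if not line.startswith(":"):           # a new entry starts here
            entries.append((fields.pop(0), {}))
        for field in filter(None, fields):     # entries[-1] raises IndexError if none yet
            key, sep, value = field.partition("=")
            entries[-1][1][key] = value if sep else True
    return entries

def check_kerberos_entry(name, opts):
    """Problems with one entry, following the rules stated in the manual."""
    problems = []
    if opts.get("auth") not in ("kerberos4", "kerberos5") and opts.get("auth_forward") != "kerberos5":
        return problems                         # entry does not use Kerberos at all
    principal = opts.get("kerberos_id") or opts.get("kerberos_server_principal")
    if not principal:
        problems.append("no kerberos_id: clients need it for the ticket, lpd to verify the requester")
    elif not PRINCIPAL_RE.match(principal):
        problems.append("kerberos_id is not lpr/fqdn@REALM: " + principal)
    if "kerberos_service" in opts:
        problems.append("kerberos_service set; the manual recommends kerberos_id instead")
    if opts.get("auth_forward") == "kerberos5":  # a server that forwards to another lpd
        for key in ("kerberos_keytab", "kerberos_forward_id"):
            if key not in opts:
                problems.append("forwarding server entry lacks " + key)
    return problems
```

Running `check_kerberos_entry` over `parse_printcap(SAMPLE_PRINTCAP)` returns no problems for either entry; an entry with `kerberos_id=lpr/wayoff@ASTART.COM` is flagged because the host part is not fully qualified.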
In order to use Kerberos authentication, the user will need to obtain a ticket from the Kerberos ticket server. This is done using kinit.
No other actions are required by the user.