17.13. Using Kerberos 5 for Authentication

LPRng Kerberos 5 authentication is based on the Kerberos5-1.2.5 release as of 3 June 2002. The distribution was obtained from MIT from the http://web.mit.edu/kerberos/www/ Website.

The following sections briefly describes how to set up and test the Kerberos software and then how to configure LPRng to use Kerberos.

17.13.1. LPRng Configuration

The following configure options are used to enable Kerberos support:

--enable-kerberos         enable Kerberos V support
--enable-mit_kerberos4    enable MIT Kerberos 4 support
--disable-kerberos_checks disable Kerberos sanity checks

The --enable-kerberos option will cause configure to search for the include files such as krb5.h and the krb5 support libraries. libraries. If it finds these, then Kerberos authentication will be included. The --enable-mit_kerberos enable searching for the Kerberos 4 include files and support libraries. If these are found then MIT Kerberos 4 compatibility will be enabled. The --disable-kerberos_checks will disable checking for libraries and simply enable the various options.

17.13.2. Kerberos Installation Procedure

  1. Get the Kerberos 5 distribution.

  2. Compile and install the distribution.

  3. Create the /etc/krb5.conf and /usr/local/var/krb5kdc/kdc.conf, files using templates from the files in the Kerberos distribution's src/config-files directory. See the Kerberos Installation Guide and the Kerberos System Administrators Guide for details.

  4. Start up the KDC and KADMIN servers - you might want to put the following in your rc.local or equivalent system startup files:

    if [ -f /etc/krb5.conf -a -f /usr/local/var/krb5kdc/kdc.conf  ]; then
        echo -n ' krb5kdc ';    /usr/local/sbin/krb5kdc;
        echo -n ' kadmind ';    /usr/local/sbin/kadmind;
    fi
    
  5. Use kadmin (or kadmin.local) to create principals for your users.

  6. Use kadmin (or kadmin.local) to create principals for the lpd servers. The recommended method is to use lpr/hostname@REALM as a template for the principal name, i.e. - lpr/astart1.private@ASTART.COM for an example. You should use fully qualified domain names for the principals. Do not assign the principal a password.

    Example:
    
    #> kadmin   OR #> kadmin.local 
    kadmin: addprinc -randkey lpr/wayoff.private@ASTART.COM
    quit
    
  7. Extract the keytab for each server:

    Example:
    #> kadmin   OR #> kadmin.local 
    ktadd -k /etc/lpr.wayoff.private  lpr/wayoff.private@ASTART.COM
    quit
    
  8. The /etc/lpr.wayoff.private file contains the keytab information which is the equivalent of a password for a server program. You should create these files and then copy the appropriate keytab file to /etc/lpd.keytab file on each server. See the warnings about of keytab files in the Kerberos Installation and Kerberos Administration manuals. You should copy the file using an encrypted connection, set the permissions to read only by the owner (400), and set the owner to daemon or the user that lpd will run as.

    #> chmod 400 lpr.wayoff.com
    #> scp lpr.wayoff.com root@wayoff.com:/etc/lpd.keytab
    #> ssh -l root wayoff.com
    # wayoff > chmod 400 /etc/lpd.keytab  
    # wayoff > chown daemon /etc/lpd.keytab  
    # wayoff > ls -l /etc/lpd.keytab  
    -rw-------  1 daemon  wheel  128 Jan 16 11:06 /etc/lpd.keytab
    
  9. If you want to have MIT Kerberos4 printing compatibility then you will need to set up Kerberos 4 servertabs instead of Kerberos 5 keytabs. Assuming that you have put the Kerberos 5 keytab in /etc/lpd.keytab, then you extract the Kerberos 4 srvtab version of the Kerberos 5 keytab using the following commands. You must put the key in the /etc/srvtab file in order to be compatible with the Kerberos 4 support.

    h4: {321} # ktuil
    rkt /etc/lpd.keytab
    wst /etc/srvtab
    

17.13.3. LPRng Configuration

The LPRng software needs to be configured so that it can find the Kerberos libraries and include files. By default, the include files are installed in /usr/local/include and the libraries in /usr/local/lib. Use the following steps to configure LPRng so that it uses these directories during configuration and installation:

cd .../LPRng
rm -f config.cache
CPPFLAGS="-I/usr/local/include -I/usr/include/kerberosIV" \
  LDFLAGS="-L/usr/local/lib -L/usr/lib/kerberosIV" \
  ./configure
make clean all
su
make install

17.13.4. Printcap Entries

Options used:

Example printcap entry:

pr:client
    :lp=pr@wayoff
    :auth=kerberos5
    :kerberos_id=lpr/wayoff.private@ASTART.COM
pr:server
    :lp=pr@faroff.private
    :auth_forward=kerberos5
    :kerberos_id=lpr/wayoff.private@ASTART.COM
    :kerberos_forward_id=lpr/faroff.private@ASTART.COM
    :kerberos_keytab=/etc/lpd.keytab

OR If you want to use Kerberos 4 authentication to the server
pr:client
    :lp=pr@wayoff
    :auth=kerberos4
    :kerberos_id=lpr/wayoff.private@ASTART.COM
# support both Kerberos 4 and 5 on server
pr:server
    :lp=pr@faroff.private
    :auth_forward=kerberos5
    :kerberos_id=lpr/wayoff.private@ASTART.COM
    :kerberos_forward_id=lpr/faroff.private@ASTART.COM
    :kerberos_keytab=/etc/lpd.keytab

The printcap configuration for Kerberos authentication is very simple.

The kerberos_id is the principal name of the lpd server that clients will connect to. For backwards compatibility, kerberos_server_principal can also be used. This values is used to obtain a ticket for the lpd server, and is the only entry required for client to server authentication.

The other entries are used by the lpd server. kerberos_keytab entry is the location of the keytab file to be used by the server. This contains the passphrase used by the server to authenticate itself and get a ticket from the ticket server.

The kerberos_id value is also used by the server during the authentication process to make sure that the correct principal name was used by the request originator. This check has saved many hours of pain in trying to determine why authentication is failing.

The kerberos_life and kerberos_renew set the lifetime and renewability of the lpd server Kerberos tickets. These values should not be modified unless you are familiar with the Kerberos system. There are extensive notes in the LPRng source code concerning these values. The kerberos_service value supplies the name of the service to be used when generating a ticket. It is stronly recommended that the kerberos_id entry be used instead.

17.13.5. User Environment Variables and Files

In order to use kerberos authentication, the user will need to obtain a ticket from the Kerberos ticket server. This is done using kinit.

No other actions are required by the user.