Bug#703424: Regression: CUPS Web interface fails to authenticate Kerberos access to IPP information

To: submit@bugs.debian.org
Subject: Bug#703424: Regression: CUPS Web interface fails to authenticate Kerberos access to IPP information
From: "Timothy Pearson" <kb9vqf@pearsoncomputing.net>
Date: Tue, 19 Mar 2013 08:32:33 -0500
Message-id: <[🔎] 19031794665075509bb8e9566c78acad.squirrel@vali.starlink.edu>
Reply-to: kb9vqf@pearsoncomputing.net, 703424@bugs.debian.org

Package: cups
Version: 1.5.3-2.16

When using the Web interface to CUPS in a Kerberized environment, CUPS
fails to pass Kerberos authentication information to the local IPP socket.
 This manifests as access being denied to any pages which access printer
information, even though the user logged in via Kerberos has been granted
access to both the pages and printers in question.  The CUPS error log
shows that it has rejected unauthenticated access to the printers in
question, even though the prior access to the Web printer list page was
successfully authenticated.

This appears to be a regression introduced when resolving Bug 640939,
specifically this patch removes the ability for CUPS to pass Kerberos
login credentials to the local IPP socket:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=105;filename=cups-1.5.3-2.14-nmu.diff;att=1;bug=640939

Unfortunately, simply reverting that patch introduces another problem,
specifically an inability to access any administrative pages and this line
appearing in the error log:
[CGI] cgi_passwd(prompt="Password for lp on localhost? ") called!

Therefore, it would seem that a more selective approach to passing the
Kerberos credentials to the local IPP socket is in order.

Reply to:

Prev by Date: Bug#612652: marked as done (cups: print-self-test-page doesn't work)
Next by Date: Processing of cups_1.6.2-1_amd64.changes
Previous by thread: Bug#612652: marked as done (cups: print-self-test-page doesn't work)
Next by thread: Processing of cups_1.6.2-1_amd64.changes
Index(es):
- Date
- Thread