GNOME Bugzilla – Bug 669008
Kerberos authentication popup
Last modified: 2015-03-09 13:22:56 UTC
Created attachment 206405 [details] Screenshot of popup Hi, We have are using Debian Squeeze and a kerberized cups server which also allows printing without a kerberos ticket from specific IPs. When somone trys to print with a gtk-Application (e.g. gimp, gedit...) he gets a popup with the message "Authentication is required to print document 'example.png' on printer 'printer1'". When ok is clicked, the print job and the authentication is sent to the server. I'm not sure if this is a bug or a feature, but it's annoying to always click ok when you want to print.
Created attachment 206503 [details] Default policy Here is the important part of our cupsd.conf
The problem seems to be Satisfy Any. If I change the policy to only Allow,Deny or only Kerberos it works.
Created attachment 296185 [details] [review] Patch to prevent the password request popup Hi, This popup is caused by the auth_info handling that is used to authenticate jobs where credentials are needed. But the auth_info handling currently only handles username, password and domain. For kerberos authentication this is set to negotiate and the request password dialog is called with an empty list for auth_info_required. The cups library handles attaching the kerberos ticket to the print job transparently so there is no need for special auth info handling in GTK in that case. Attached patch fixes this by disabling the GTK auth info handling in case negotiate is the only required auth info field.
Hi, I can not reproduce the problem. The dialog doesn't show up and the job finishes successfully. What version of Gtk+ and CUPS do you have on your client and what CUPS is running on the print server? Regards Marek
I've tested this with serveral gtk 2/3 versions. E.g.: Cups 1.7.2-0ubuntu1 Gtk 3.10.8-0ubuntu1 But I think you are probably missing the AuthInfoRequired directly at the printer: <Printer samsung_auth> .... AuthInfoRequired negotiate .... </Printer> For this bug to occur the printer itself has to be configured for kerberos authentication. Just changing the DefaultAuthType to negotiate for example is not enough.
Review of attachment 296185 [details] [review]: Thank you for the patch and mentioning the "AuthInfoRequired negotiate". I had some other problems with configuration of the Kerberos-CUPS combination so I'm responding now. The patch fixes the specific problem described by this bug but I think that it needs some work yet. See corresponding comment. ::: modules/printbackends/cups/gtkprintbackendcups.c @@ +733,3 @@ + if (cups_printer->auth_info_required && + g_strv_length (cups_printer->auth_info_required) == 1 && + g_strcmp0 (cups_printer->auth_info_required[0], "negotiate") == 0) You should set "request->need_auth_info = FALSE" also for the case when "cups_printer->auth_info_required" is NULL or when its only member is "none". It would be good to set the "request->auth_info_required" to NULL instead of the g_strdupv() if the need_auth_info is FALSE.
Created attachment 298127 [details] [review] Patch to prevent the password request popup - V2 Thanks for reviewing. I also spent way more time on this bug trying to get a test setup then on the actual fix ;-) (In reply to Marek Kašík from comment #6) > Review of attachment 296185 [details] [review] [review]: > The patch fixes the specific problem described by this bug but I think that > it needs some work yet. See corresponding comment. > > ::: modules/printbackends/cups/gtkprintbackendcups.c > @@ +733,3 @@ > + if (cups_printer->auth_info_required && > + g_strv_length (cups_printer->auth_info_required) == 1 && > + g_strcmp0 (cups_printer->auth_info_required[0], "negotiate") == 0) > > You should set "request->need_auth_info = FALSE" also for the case when > "cups_printer->auth_info_required" is NULL I checked the pointer here. Made this an explicit check for != NULL now. auth_info_required[0] != NULL is checked with the g_strv_length check. > or when its only member is "none". Good catch! I had not thought of that. > It would be good to set the "request->auth_info_required" to NULL instead of > the g_strdupv() if the need_auth_info is FALSE. Changed this accordingly. Previously I just left it the way I found it ;-) There was also a logic error in the first patch. I did not check if auth_info_required was actually not NULL before setting need_auth_info to true in the else part. This is fixed now.
Marek, should we include this patch for 3.16 ?
Review of attachment 298127 [details] [review]: Hi Andre, thank you for the modifications you've done. I have just few trivial requests. I'll push the patch once you incorporate them there. ::: modules/printbackends/cups/gtkprintbackendcups.c @@ +735,3 @@ + + /* Check if auth_info_required is set and if it should be handled. + * For "negotiate" the cups libraries handle the ticket exchange. */ Could you place the 'For "negotiate"' part to the end of the sentence? @@ +739,3 @@ + g_strv_length (cups_printer->auth_info_required) == 1 && + (g_strcmp0 (cups_printer->auth_info_required[0], "negotiate") == 0 || + g_strcmp0 (cups_printer->auth_info_required[0], "none") == 0)) I was wrong. We already check for "none" in cups_printer_handle_attribute(), so there is no need for checking it here again. @@ +742,3 @@ + { + GTK_NOTE (PRINTING, + g_print ("CUPS Backend: Ignoring auth_info_required \"%s\"\n", You can say auth-info-required here.
(In reply to Matthias Clasen from comment #8) > Marek, should we include this patch for 3.16 ? Yes, I would like to get it into 3.16.
Created attachment 298857 [details] [review] Patch to prevent the password request popup - V3 Hi, Updated patch with the suggested changes. Thanks, Andre
Review of attachment 298857 [details] [review]: Hi Andre, thank you very much for the patch. I've pushed it to master branch. Regards Marek