confounding finding in print/cups-base (CUPS 1.4.2)

William Bulley web at umich.edu
Thu Feb 4 19:29:16 UTC 2010 

Since I need the GSSAPI (for Kerberos) feature of CUPS in FreeBSD
8.0-STABLE, I was somewhat taken aback when I found the cupsd server
failed to read its configuration file "cupsd.conf" when the line:

   DefaultAuthType Negotiate

was present in that file upon server start/restart.  The "Negotiate"
keyword is the way to indicate Kerberos support in CUPS according to
the CUPS documentation.

Attempting to start the CUPS server cupsd(8) from the command line
as root resulted in this error:

   freebsd# /usr/local/etc/rc.d/cupsd start
   Starting cupsd.
  
   Message from syslogd at itcom245 at Feb  4 10:35:31 ...
   itcom245 cupsd: Unable to read configuration file '/usr/local/etc/cups/cupsd.conf' - exiting!
   cupsd: Child exited with status 1!
   /usr/local/etc/rc.d/cupsd: WARNING: failed to start cupsd
   freebsd# /usr/local/etc/rc.d/cupsd stop
   cupsd not running?

and in the /var/log/cups/error.log file I found this line:

   Unknown default authorization type Negotiate on line 6.

Once line six (6) was removed, the cupsd server was able to start
without error (of course, Kerberos support was unavailable...)   :-(

The file print/cups-base/work/cups-1.4.2/scheduler/conf.c has this
section:

#ifdef HAVE_GSSAPI
    else if (!strcasecmp(value, "negotiate"))
    {
      loc->type = CUPSD_AUTH_NEGOTIATE;

      if (loc->level == CUPSD_AUTH_ANON)
        loc->level = CUPSD_AUTH_USER;
    }
#endif /* HAVE_GSSAPI */

which would normally be controlled by running ./configure at build
time and affecting lines such as these in work/cups-1.4.2/config.h:

   /*
    * Do we have the GSSAPI support library (for Kerberos support)?
    */

   /* #undef HAVE_GSSAPI */
   /* #undef HAVE_GSSAPI_H */
   /* #undef HAVE_GSSAPI_GSSAPI_H */
   /* #undef HAVE_GSSAPI_GSSAPI_GENERIC_H */
   /* #undef HAVE_GSSAPI_GSSAPI_KRB5_H */
   /* #undef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY */
   /* #undef HAVE_GSS_C_NT_HOSTBASED_SERVICE */
   /* #undef HAVE_KRB5_CC_NEW_UNIQUE */
   /* #undef HAVE_KRB5_IPC_CLIENT_SET_TARGET_UID */
   /* #undef HAVE_KRB5_H */
   /* #undef HAVE_HEIMDAL */

Interestingly the Makefile in print/cups-base has this line inside
the CONFIGURE_ARGS section which makes all the above irrelevant:

   --disable-gssapi

So, my question is: why is the GSSAPI feature disabled in CUPS
1.4.2 when it was a configurable OPTION in CUPS 1.3.9 last Fall?

What should I do if I desire Kerberos support in CUPS 1.4.2 ??

Regards,

web...

--
William Bulley                     Email: web at umich.edu

72 characters width template ----------------------------------------->|

More information about the freebsd-questions mailing list