[6518] in Release_7.7_team
Re: Kerberized printing, the saga continues
daemon@ATHENA.MIT.EDU (Geoffrey Thomas)
Tue Nov 17 15:35:30 2009
Date: Tue, 17 Nov 2009 15:34:22 -0500 (EST)
From: Geoffrey Thomas <geofft@MIT.EDU>
To: Jonathan Reed <jdreed@mit.edu>
cc: "Mark W. Manley" <mmanley@mit.edu>, Stuart Peloquin <peloquin@mit.edu>,
Garry Zacheiss <zacheiss@mit.edu>,
"release-team@mit.edu" <release-team@mit.edu>
In-Reply-To: <D10E68EE-5ADA-4B69-9EB2-A45BEFC2B246@mit.edu>
Message-ID: <alpine.DEB.1.10.0911171530360.26189@dr-wily.mit.edu>

On Nov 17, 2009, at 12:03 PM, Mark W. Manley wrote:
> The big change would be on users' desktops that hard-coded the older server
> names like mulch. The LPRng servers don't speak IPP, much less
> Kerberos-enabled IPP, so they'd be unable to bounce jobs to the CUPS
> servers if Kerberos-enabled in any meaningful way, leading to the reverse
> of the current situation. It would also effectively de-support the LPRng
> client on Athena 9 for Kerberos-enabled queues in favor of the CUPS client
> on Athena 10.

Wait, I'm missing something -- if we make the CUPS servers blindly trust
the LPRng servers by IP (just as we're talking about doing the reverse,
and making LPRng blindly trust CUPS), but require authentication for other
people, can LPRng just continue to check authentication for KLPR clients
and then forward authorized jobs on to CUPS via unauthenticated lpd?
--
Geoffrey Thomas
geofft@mit.edu