This guide goes through the steps of installing and configuring a Windows network printer with CUPS on a Debian/Ubuntu desktop machine using Kerberos authentication.
All of the steps here are to be executed on a Debian/Ubuntu desktop machine. Some commands require sudo/pkexec (explicitly mentioned).
- AppArmor prevents usage of smbspool_krb5_wrapper: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998327
- The "usr.sbin.cupsd" AppArmor profile must be modified to allow CUPS to execute smbspool_krb5_wrapper
- The workaround below may be overwritten by future updates to the
cups-daemonpackage!
- smbspool_krb5_wrapper can't find Kerberos credentials cache with randomized names (KRB5CCNAME must be predictable)
- This seems to be unreported as of 2024-07-01!
- Source: https://git.samba.org/samba.git/?p=samba.git;a=blob;f=source3/client/smbspool_krb5_wrapper.c;hb=HEAD
- CUPS SMB backend symlink change may be overwritten by future updates to the
smbclientpackage!
- Active Directory Domain
- Windows Print Server which is joined to the domain
- Debian or Ubuntu Desktop machine joined to the domain with SSSD/Realmd: https://sssd.io/docs/ad/ad-provider.html
- KCM credential cache must not be configured (
sssd-kcmshould not be installed by default) - CUPS (Common UNIX Printing System):
cups cups-client cups-daemon - Samba client tools:
samba-common-bin smbclient - (Optional) Kerberos client tools:
krb5-user
This has to be done so the smbspool_krb5_wrapper utility can find and access the proper Kerberos cache.
The krb5_ccachedir and krb5_ccname_template variables set the path where the Kerberos credentials cache will be stored at.
By default this would have a randomized ending which smbspool_krb5_wrapper cannot find as of Debian 12 or Ubuntu 22.04.
sudo sed -i '/^krb5_realm/a\krb5_ccname_template = FILE:%d/krb5cc_%U' /etc/sssd/sssd.conf
sudo sed -i '/^krb5_realm/a\krb5_ccachedir = /tmp' /etc/sssd/sssd.conf
This has to be done because AppArmor prevents CUPS from using smbspool_krb5_wrapper by default.
The cups-daemon package for Debian and Ubuntu don't include the necessary rules as of Debian 12 and Ubuntu 22.04.
NOTE: Additional printer drivers may require additional rules. You may have to look at the troubleshooting section below.
sudo sed -i '/^ \/usr\/lib\/cups\/backend\/\* Cx -> third_party,/a \
/usr/lib/x86_64-linux-gnu/samba/smbspool_krb5_wrapper Cx -> third_party, \
/usr/libexec/samba/smbspool_krb5_wrapper Cx -> third_party,' /etc/apparmor.d/usr.sbin.cupsd
The smbspool_krb5_wrapper binary MUST be owned and executable only by root.
sudo chown root:root /usr/lib/x86_64-linux-gnu/samba/smbspool_krb5_wrapper
sudo chmod 700 /usr/lib/x86_64-linux-gnu/samba/smbspool_krb5_wrapper
sudo ln -sf /usr/lib/x86_64-linux-gnu/samba/smbspool_krb5_wrapper /usr/lib/cups/backend/smb
sudo chown root:root /usr/libexec/samba/smbspool_krb5_wrapper
sudo chmod 700 /usr/libexec/samba/smbspool_krb5_wrapper
sudo ln -sf /usr/libexec/samba/smbspool_krb5_wrapper /usr/lib/cups/backend/smb
The SSSD and AppArmor configuration changes require service restarts and re-generation of Kerberos tickets. Easiest way to do this is to do a reboot.
reboot
Make sure the KRB5CCNAME path matches with the SSSD krb5_ccname_template and that the file exists.
$ id -u
1234567890
$ klist
Ticket cache: FILE:/tmp/krb5cc_1234567890
Default principal: user@CONTOSO.COM
$ echo $KRB5CCNAME
FILE:/tmp/krb5cc_1234567890
$ file /tmp/krb5cc_1234567890
/tmp/krb5cc_1234567890: data
In this example the print server is "print-server-01.contoso.com". The printer name will be shown in the "Sharename" column.
smbclient --kerberos --list print-server-01.contoso.com
lpinfo -m
In this example the domain is "CONTOSO.COM", print server is "PRINT-SERVER-01.CONTOSO.COM" and the network printer's name is "NetworkPrinter1".
pkexec lpadmin -p "NetworkPrinter1" -v "smb://CONTOSO.COM/PRINT-SERVER-01.CONTOSO.COM/NetworkPrinter1" -L "The office" -m foomatic-db-compressed-ppds:0/ppd/foomatic-ppd/Generic-PostScript_Printer-Postscript.ppd -o auth-info-required=negotiate -o PageSize=A4 -E
Above command explained.
| Argument | Example value | Description |
|---|---|---|
| -p | "NetworkPrinter1" | The name of the printer on this machine (can be anything) |
| -v | "smb://CONTOSO.COM/PRINT-SERVER-01.CONTOSO.COM/NetworkPrinter1" | The SMB printer address (smb://DOMAIN/SERVER/PRINTER) |
| -L | "The office" | The optional location text (can be anything) |
| -m | "foomatic-db-compressed-ppds:0/ppd/foomatic-ppd/Generic-PostScript_Printer-Postscript.ppd" | The printer driver (use lpinfo -m to list all available drivers) |
| -o auth-info-required | "negotiate" | Enable Kerberos Authentication ("smb" backend of CUPS will be used with this printer) |
| -o PageSize | "A4" | The paper size of the printer (see manufacturer's manual) |
| -E | Enable and accepts print jobs |
Use this if you already have configured a printer named "NetworkPrinter1" (without Kerberos authentication)
pkexec lpadmin -p "NetworkPrinter1" -o auth-info-required=negotiate
You can use various graphical programs to test printing such as a web browser or LibreOffice.
Alternatively you can use the lp command:
echo "This is a test" | lp -t "Test print" -d "NetworkPrinter1"
Here are a few places to look at to help troubleshooting on Debian/Ubuntu.
- CUPS logs:
/var/log/cups/error_log- You may increase log verbosity with command
cupsctl --debug-logging - Keywords: smb, backend, cupsdStartProcess, argv, envp
- You may increase log verbosity with command
- AppArmor logs:
journalctl --pager-end --dmesg --grep=apparmor- Authentication problems may appear as denied exec operations.
- Kerberos tickets:
klist- Must be executed as a domain user without sudo or pkexec!
- The command should show a valid Kerberos ticket in a predictable location.
This guide was originally published at: https://gist.github.com/santeri3700
The contents of the Gist (samba_krb5_printing_debian_and_ubuntu.md) are public domain.
No rights reserved. Comments and additional files may be licensed differently.