


CECM Kerberos Printing FAQ

Q #1: What is Kerberos?

In Greek mythology, Kerberos is the 3-headed dog that guards the gates of hell.

[Image: Kerberos, the three-headed dog guarding the gates of hell]

Kerberos is also a widely used network authentication protocol built on symmetric-key cryptography.

Q #2: Why would I want to use Kerberos pre-authentication for printing?

If you are using any of the SFU_Print queues, you need to authenticate so that the university can track printing and ensure that the service isn't being abused.

Kerberos Authentication is used by Microsoft Active Directory, which is central to the SFU Campus computing systems. In the near future, we will be switching the CECM logins to Active Directory, and then you'll automatically acquire a Kerberos Ticket upon login, without any extra effort on your part.

Q #3: How do I verify whether or not a print queue will accept Kerberos pre-authentication?

Some print queues will accept Kerberos pre-authentication and some will not. It depends upon many factors, such as how the print queue was set up, what Linux version your computer is using, and what state the print queue is in.

Suppose you want to verify whether or not the SFU_Print queue is accepting Kerberos pre-authentication. First, make sure there aren't any jobs stuck in the queue, by typing lpstat -o SFU_Print. If there is a stuck job there, you won't be able to print anyway, and so there's no point in trying until the stuck job is cleared. (But you should still be able to print to SFU_Print using a different CECM computer, if it doesn't also have stuck jobs in its queue.)

Second, check the status of the queue by typing lpstat -a SFU_Print. If it is accepting requests, you'll see something like this:

 SFU_Print accepting requests since Fri 22 Mar 2019 05:36:59 PM PDT

Third, check the printer options by typing lpoptions -p SFU_Print, and look for auth-info-required=negotiate, as in:

 lpoptions -p SFU_Print

 auth-info-required=negotiate copies=1 device-uri=smb://ADSFU/cs-sfuprint-p.dc.sfu.ca/SFU_Print finishings=3
 job-cancel-after=10800 job-hold-until=no-hold job-priority=50 job-sheets=none,none marker-change-time=0
 number-up=1 printer-commands=none printer-info='SFU Print Queue for 2-sided greyscale printing'
 printer-is-accepting-jobs=true printer-is-shared=false printer-is-temporary=false printer-location='Multiple
 Locations on Campus' printer-make-and-model='Ricoh MP C6004ex PDF' printer-state=3
 printer-state-change-time=1631836675 printer-state-reasons=none printer-type=2109692
 printer-uri-supported=ipp://localhost/printers/SFU_Print

This means that the printer will accept Kerberos pre-authentication.

If, however, you see auth-info-required=username,password, as in:

 lpoptions -p SFU_Print

 auth-info-required=username,password copies=1 device-uri=smb://ADSFU/cs-sfuprint-p.dc.sfu.ca/SFU_Print
 finishings=3 job-hold-until=no-hold job-priority=50 job-sheets=none,none marker-change-time=0 number-up=1
 printer-commands=none printer-info='SFU Print Queue for 2-sided greyscale printing'
 printer-is-accepting-jobs=true printer-is-shared=false printer-location='Multiple Locations on Campus'
 printer-make-and-model='Ricoh MP C6004ex PDF' printer-state=3 printer-state-change-time=1551926708
 printer-state-reasons=none printer-type=2109692 printer-uri-supported=ipp://localhost:631/printers/SFU_Print

then the print queue will not accept Kerberos pre-authentication, and you'll need to type your username and password into the Job Authentication window instead.
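The three checks in Q #3 can be scripted. The script below is an added example, not part of the CECM page; it assumes the CUPS client tools lpstat and lpoptions are installed and that the queue name defaults to SFU_Print. The parsing functions take the command output as a string, so they can be exercised on the constructed sample lines (modelled on the page's lpoptions output) without a CUPS server.

```shell
#!/bin/sh
# Added example (not CECM's own code): automate the Q #3 checks for a queue.
# Assumes CUPS lpstat/lpoptions; queue name defaults to SFU_Print.

# Classify a queue from its lpoptions output: prints "negotiate" (Kerberos
# pre-authentication accepted), "password" (username/password prompt), or
# "none" (no auth-info-required attribute found).
auth_mode() {
    case "$1" in
        *auth-info-required=negotiate*)         echo negotiate ;;
        *auth-info-required=username,password*) echo password ;;
        *)                                      echo none ;;
    esac
}

# Return 0 when lpstat -o output is empty, i.e. nothing is stuck in the queue.
queue_is_empty() {
    [ -z "$1" ]
}

# Return 0 when lpstat -a output says the queue is accepting requests.
# A disabled queue reports "not accepting requests since ...", so test that first.
queue_accepting() {
    case "$1" in
        *"not accepting"*)      return 1 ;;
        *"accepting requests"*) return 0 ;;
        *)                      return 1 ;;
    esac
}

# Run the live checks against a queue (default SFU_Print); exit 2 on a blocker.
check_queue() {
    q="${1:-SFU_Print}"
    jobs="$(lpstat -o "$q" 2>/dev/null)"
    if ! queue_is_empty "$jobs"; then
        echo "$q: jobs stuck in the local queue; cancel them before printing:"
        echo "$jobs"
        return 2
    fi
    if ! queue_accepting "$(lpstat -a "$q" 2>/dev/null)"; then
        echo "$q: not accepting requests"
        return 2
    fi
    case "$(auth_mode "$(lpoptions -p "$q" 2>/dev/null)")" in
        negotiate) echo "$q: Kerberos pre-authentication accepted (kinit, then print)" ;;
        password)  echo "$q: username/password prompt; your Kerberos ticket will not be used" ;;
        *)         echo "$q: no auth-info-required attribute found; does the queue exist?" ;;
    esac
}

# Constructed sample lines (abridged from the page's two lpoptions listings).
SAMPLE_NEGOTIATE='auth-info-required=negotiate copies=1 device-uri=smb://ADSFU/cs-sfuprint-p.dc.sfu.ca/SFU_Print'
SAMPLE_PASSWORD='auth-info-required=username,password copies=1 device-uri=smb://ADSFU/cs-sfuprint-p.dc.sfu.ca/SFU_Print'

# Only touch CUPS when the client tools are actually present.
if command -v lpstat >/dev/null 2>&1; then
    check_queue "$@"
fi
```

Run it as `./check_queue.sh` (or `./check_queue.sh OtherQueue`); the script stops at the first blocker, in the same order the FAQ recommends.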

Q #4: How do I pre-authenticate with Kerberos before printing to an SFU_Print queue?

To pre-authenticate, you need to open a Terminal and type kinit in order to acquire a Kerberos Ticket. You'll be asked for a password. Use your Campus password here. (The same password you use to read your SFU e-mail.)

Q #5: What is a Kerberos Ticket?

A Kerberos Ticket is a chunk of encrypted data. When you type kinit, you acquire a Kerberos Ticket-Granting Ticket (TGT) which allows you to acquire other Kerberos Tickets for services such as printing. Your Kerberos Tickets are stored within the Linux kernel keyring. This is kept in RAM and is not written out to disk.

A Kerberos Ticket is roughly comparable to an encrypted password, but it is more secure: it has a limited lifetime and stops working once it expires.

Q #6: How do I acquire a Kerberos Ticket for printing?

After you have a Kerberos TGT (via kinit), just print. If things are working correctly, and the printer's options have auth-info-required=negotiate, you'll automatically acquire a Kerberos Ticket for printing.

Q #7: How do I view my Kerberos Tickets?

Just open a Terminal and type klist. You'll see something like this:

  Ticket cache: KEYRING:persistent:5256:5256
  Default principal: hebron@AD.SFU.CA
  
  Valid starting       Expires              Service principal
  2021-11-23 23:44:05  2021-11-24 09:44:05  krbtgt/AD.SFU.CA@AD.SFU.CA
          renew until 2021-11-30 23:44:05

"krbtgt..." is the Kerberos Ticket-Granting Ticket (TGT).

After you successfully print to one of the SFU_Print Queues, then klist will show something like this:

  Ticket cache: KEYRING:persistent:5256:5256
  Default principal: hebron@AD.SFU.CA

  Valid starting       Expires              Service principal
  2021-11-23 23:44:29  2021-11-24 09:44:05  cifs/cs-sfuprint-p.dc.sfu.ca@AD.SFU.CA
          renew until 2021-11-30 23:44:05
  2021-11-23 23:44:05  2021-11-24 09:44:05  krbtgt/AD.SFU.CA@AD.SFU.CA
          renew until 2021-11-30 23:44:05

"cifs..." is the Kerberos Ticket for the printing service.

Q #8: How long does a Kerberos Ticket last?

As illustrated above, SFU Campus Kerberos Tickets have a 10-hour lifetime before they expire, and a maximum renewal period of 1 week.

If you want to renew your Kerberos Ticket before it expires, just type kinit -R. (You could do this from a cron job, for example.) No password required. However, after 1 week, you'll no longer be able to do this and you'll have to kinit and type your password.

Q #9: What happens if I try to print without a valid Kerberos Ticket?

If you try to print to SFU_Print without a valid Kerberos Ticket, your print job will become stuck in the local print queue on your computer. You'll need to cancel your print job, kinit, and try again.

Advanced Kerberos FAQ

Q #10: How do I auto-renew my Kerberos Ticket?

You could set up a cron job to auto-renew your kerberos ticket with kinit -R.

In order to do this, you need to edit your crontab with crontab -e. Before doing so, make sure that your EDITOR environment variable is set to your favourite Linux editor, e.g. setenv EDITOR emacs or setenv EDITOR vim if your shell is tcsh (or export EDITOR=emacs or export EDITOR=vim if your shell is bash).

For example, you could set up the following crontab entry on your Linux computer:

  30 * * * * /usr/bin/kinit -R

This will renew your Kerberos TGT at 30 minutes past every hour of every day. (See man crontab for more information on what the various fields mean.) Note, however, that this will work for at most 1 week, until the renewal period expires, and then you'll have to manually kinit and type your password.

Q #11: What if I want to auto-renew my Kerberos Ticket indefinitely?

You can achieve this via a crontab entry and your own private keytab file.

Suppose you want to keep your keytab within your home directory in /cecm/home/username/myprivatestuff/username.keytab. (Substitute your real username for "username" here.) You can create it as follows:

  mkdir myprivatestuff
  chmod 0700 myprivatestuff
  cd myprivatestuff
  ktutil
    addent -password -p username@AD.SFU.CA -k 1 -e aes256-cts-hmac-sha1-96
    addent -password -p username@AD.SFU.CA -k 1 -e aes128-cts-hmac-sha1-96
    (enter your password here when asked)
    wkt username.keytab
    q

You can call the directory whatever you want; just make sure it's private -- that's what the "chmod 0700" is for. If somebody gains access to your keytab file then they could potentially use it to gain access to your stuff!

You can then set up a crontab entry similar to the one above, but instead of using kinit -R, you use the following:

  30 * * * * /usr/bin/kinit username@AD.SFU.CA -k -t /cecm/home/username/myprivatestuff/username.keytab

(Again, substitute your real username for "username" here.)

This will get a new Kerberos Ticket for user "username" at 30 minutes past every hour of every day, without having to type a password, by using the credentials stored in username's private keytab file.

NOTE: you should also add this command into your .login file (assuming that your shell is tcsh) so that you'll get a Kerberos Ticket upon login without waiting for your cron job to run (which might take up to an hour if it only runs at 30 minutes past every hour).

(And if your shell is bash, then add this command to your .profile file.)

This will work virtually forever (unless one changes one's Campus password, in which case the steps of creating a private keytab need to be redone.)
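Q #10 and Q #11 each give one crontab line; the script below is an added example (not CECM's own code) that combines them into a single cron-friendly command with the keytab permission check the FAQ asks for. It assumes MIT Kerberos client tools (klist -s reports via its exit status whether the cache holds a valid ticket), GNU coreutils stat, and uses the page's placeholder principal username@AD.SFU.CA and keytab path; override both with the PRINCIPAL and KEYTAB environment variables.

```shell
#!/bin/sh
# Added example (not CECM's own code): one renewal command for cron.
# Order of preference:
#   1. valid, renewable TGT      -> kinit -R                (Q #10)
#   2. renewal refused (1 week)  -> kinit -k -t keytab      (Q #11), if a private keytab exists
#   3. neither works             -> report that an interactive kinit is needed
# Assumes MIT Kerberos kinit/klist and GNU stat. Placeholders as on the page:
PRINCIPAL="${PRINCIPAL:-username@AD.SFU.CA}"
KEYTAB="${KEYTAB:-$HOME/myprivatestuff/username.keytab}"

# A keytab is password-equivalent: refuse one that group or others can read.
# Returns 0 only for an existing regular file whose mode ends in 00 (e.g. 600).
keytab_is_private() {
    [ -f "$1" ] || return 1
    mode="$(stat -c %a "$1" 2>/dev/null)" || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Try the cheapest option first; print what was done on stdout, problems on stderr.
renew_ticket() {
    if klist -s 2>/dev/null && kinit -R 2>/dev/null; then
        echo "renewed TGT for $PRINCIPAL"
        return 0
    fi
    if keytab_is_private "$KEYTAB"; then
        if kinit "$PRINCIPAL" -k -t "$KEYTAB" 2>/dev/null; then
            echo "obtained fresh TGT from keytab"
            return 0
        fi
        echo "keytab kinit failed (Campus password changed since the keytab was made?)" >&2
    elif [ -f "$KEYTAB" ]; then
        echo "refusing to use $KEYTAB: permissions too open, expected mode 600" >&2
    fi
    echo "renewal period exhausted; run kinit interactively" >&2
    return 1
}

# Only act when the Kerberos tools are installed (lets the file be sourced safely).
if command -v kinit >/dev/null 2>&1; then
    renew_ticket
fi
```

Save it as, say, ~/bin/renew_ticket.sh, make it executable, and replace the command in the crontab entries above with `30 * * * * $HOME/bin/renew_ticket.sh`; cron mails you anything written to stderr, so a silent run means the ticket was renewed.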


John Hebron
Research Computing Group
IT Services, SFU
Last modified: Tue Nov 23 23:56:00 PST 2021